Closed
Bug 316639
Opened 19 years ago
Closed 19 years ago
Crash [@ nsStyleContext::FindChildWithRules() line 182]
Categories
(Core :: Layout, defect)
Tracking
(RESOLVED WORKSFORME)
People
(Reporter: bc, Unassigned)
Details
(Keywords: crash, Whiteboard: [sg:critical] uses freed memory)
Updated•19 years ago
Whiteboard: [sg:fix] uses freed memory
Updated•19 years ago
Flags: blocking1.8.0.1?
Hrm, with this testcase the first thing I hit was bug 311457. I should retest once that's fixed.
Comment 1•19 years ago
On a ff1.5 debug build I didn't crash (this time, maybe neopets changed slightly) but did eventually go brain-dead (not quite a hang, but useless; corrupted memory?). Lots and lots of assertions, eventually including ones like these:
###!!! ASSERTION: Don't call me!: 'Error', file c:/dev/ff15/mozilla/dom/src/base/nsDOMClassInfo.cpp, line 3100
###!!! ASSERTION: running past end: 'mCurrent != mListLink', file c:\dev\ff15\mozilla\layout\generic\nsLineBox.h, line 589
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix] uses freed memory → [sg:critical] uses freed memory
Comment 2•19 years ago
(In reply to comment #1)
> Hrm, with this testcase the first thing I hit was bug 311457. I should retest
> once that's fixed.
>
Still crashes SeaMonkey 2005-12-27-00 trunk Linux.
In a local debug build I get crashes in DeletingFrameSubtree().
With the proposed fix for bug 310638 it seems more stable -
it runs for 15-20 minutes but crashes eventually,
example crash (view->mParent == 0x5):
(gdb) bt
#0 0xe80cec83 in ?? ()
#1 0x4101f76c in nsIFrame::Invalidate(nsRect const&, int) const (this=0x8925f3c, aDamageRect=@0x8d44ea8, aImmediate=0) at nsFrame.cpp:2654
#2 0x4104288e in nsImageFrame::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8925f3c, aContainer=0x8914878,
aNewFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageFrame.cpp:670
#3 0x4104604e in nsImageListener::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0xbfffe3b0, aContainer=0x8914878,
newframe=0x89132b8, dirtyRect=0xbfffe590) at nsImageFrame.cpp:2046
#4 0x411e7781 in nsImageLoadingContent::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8918804, aContainer=0x8914878,
aFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageLoadingContent.cpp:147
#5 0x41b5ee6c in imgRequestProxy::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8919b90, container=0x8914878,
newframe=0x89132b8, dirtyRect=0xbfffe590) at imgRequestProxy.cpp:392
#6 0x41b5b29a in imgRequest::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x89190b0, container=0x8914878, newframe=0x89132b8,
dirtyRect=0xbfffe590) at imgRequest.cpp:401
#7 0x41b641cb in imgContainerGIF::Notify(nsITimer*) (this=0x8914878, timer=0x8918000) at imgContainerGIF.cpp:455
#8 0x4016e2ed in nsTimerImpl::Fire() (this=0x8918000) at nsTimerImpl.cpp:403
#9 0x4016e462 in handleTimerEvent (aEvent=0x88e2498) at nsTimerImpl.cpp:467
#10 0x40167551 in PL_HandleEvent (self=0x88e2498) at plevent.c:688
#11 0x4016742a in PL_ProcessPendingEvents (self=0x80d48a8) at plevent.c:623
#12 0x40169faa in nsEventQueueImpl::ProcessPendingEvents() (this=0x80daa28) at nsEventQueue.cpp:417
#13 0x41d19faa in event_processor_callback (source=0x8348d90, condition=G_IO_IN, data=0xbfffe3b0) at nsAppShell.cpp:67
#14 0x40686def in g_io_unix_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#15 0x40664148 in g_main_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#16 0x406651a8 in g_main_context_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#17 0x406655a8 in g_main_context_iterate () from /opt/gnome/lib/libglib-2.0.so.0
#18 0x40665bf7 in g_main_loop_run () from /opt/gnome/lib/libglib-2.0.so.0
#19 0x403896ff in gtk_main () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#20 0x41d1a554 in nsAppShell::Run() (this=0x8164b18) at nsAppShell.cpp:139
#21 0x41c896ed in nsAppStartup::Run() (this=0x8163728) at nsAppStartup.cpp:207
#22 0x08051663 in main1 (argc=2, argv=0xbfffeae4, nativeApp=0x80b5380) at nsAppRunner.cpp:1248
#23 0x08051fe0 in main (argc=2, argv=0xbfffeae4) at nsAppRunner.cpp:1736
(gdb) fr 2
#2 0x4104288e in nsImageFrame::FrameChanged(imgIContainer*, gfxIImageFrame*, nsRect*) (this=0x8925f3c, aContainer=0x8914878,
aNewFrame=0x89132b8, aDirtyRect=0xbfffe590) at nsImageFrame.cpp:670
670 Invalidate(r, PR_FALSE);
(gdb) p *this
$1 = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = {_vptr.nsISupports = 0x415a65e8}, mRect = {x = 0, y = 0,
width = 0, height = 0}, mContent = 0x89187e8, mStyleContext = 0x8c88050, mParent = 0x89214ec, mNextSibling = 0x0, mState = 9506},
static gGotTheme = 1, static gTheme = 0x8313a08}, <nsIFrameDebug> = {<nsISupports> = {
_vptr.nsISupports = 0x415a6810}, <No data fields>}, <No data fields>}, mPrevInFlow = 0x0,
mNextInFlow = 0x0}, <nsIImageFrame> = {<nsISupports> = {_vptr.nsISupports = 0x415a6838}, <No data fields>}, mImageMap = 0x0, mListener = {
mRawPtr = 0x8bc6cb0}, mComputedSize = {width = 0, height = 0}, mIntrinsicSize = {width = 0, height = 0}, mTransform = {m00 = 1, m11 = 1,
m20 = 0, m21 = 0, type = 0}, mBorderPadding = {top = 0, right = 0, bottom = 0, left = 0}, static sIOService = 0x813b828,
static gIconLoad = 0x88ef310}
(gdb) fr 1
#1 0x4101f76c in nsIFrame::Invalidate(nsRect const&, int) const (this=0x8925f3c, aDamageRect=@0x8d44ea8, aImmediate=0) at nsFrame.cpp:2654
2654 view->GetViewManager()->UpdateView(view, damageRect, flags);
(gdb) p view
$2 = (class nsIView *) 0x8d44ea8
(gdb) p *view
$3 = {_vptr.nsIView = 0x1, mViewManager = 0x40b98f00, mParent = 0x5, mWindow = 0x4, mNextSibling = 0x8d0cdb8, mFirstChild = 0x1c00,
mClientData = 0x0, mZIndex = 0, mVis = nsViewVisibility_kHide, mPosX = 0, mPosY = 142381560, mDimBounds = {x = 0, y = 0, width = 0,
height = 0}, mOpacity = 0, mVFlags = 0}
(gdb)
Depends on: 310638
OS: Windows XP → All
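Two details in the gdb session above say "freed memory" on their own: the view pointer (0x8d44ea8) is the same address as aDamageRect, and the fields read from it (_vptr 0x1, mParent 0x5, mWindow 0x4) are small integers, not heap or code addresses. The nsIView had been destroyed and its storage handed to another object before the GIF animation timer fired FrameChanged on a frame that still pointed at it. The following is an added illustration, not code from this bug or from Gecko: a hypothetical C model of the timer -> image frame -> view chain. All names, the poison byte and the quarantine are assumptions made for the demo; "freed" blocks are poisoned and parked instead of returned to malloc so that reading them is defined behaviour. It contrasts the vulnerable order (view torn down, listener still registered) with a hardened order (unregister and clear the pointer before the view dies).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down model of the chain in the backtrace:
 * timer -> nsImageFrame::FrameChanged -> nsIFrame::Invalidate -> view->GetViewManager().
 * Names and layout are assumptions for illustration, not Gecko's. */
#define MAX_LISTENERS 8
#define POISON_BYTE   0x5a   /* assumed freed-memory fill pattern */
#define QUARANTINE    16

struct view {
    uintptr_t    vptr;       /* plays the role of _vptr.nsIView */
    struct view *parent;     /* mParent */
    int x, y, width, height; /* mDimBounds */
};

struct frame {
    struct view *view;
    int          invalidations; /* Invalidate() calls that reached a live view */
};

/* The animation timer holds raw pointers to the frames it notifies on every tick. */
struct timer {
    struct frame *listeners[MAX_LISTENERS];
    int count;
};

static void timer_add(struct timer *t, struct frame *f)
{
    if (t->count < MAX_LISTENERS)
        t->listeners[t->count++] = f;
}

static void timer_remove(struct timer *t, struct frame *f)
{
    for (int i = 0; i < t->count; i++)
        if (t->listeners[i] == f) {
            t->listeners[i] = t->listeners[--t->count];
            return;
        }
}

/* Poison "freed" blocks and park them instead of returning them to malloc, so the demo
 * can inspect them without undefined behaviour. A real allocator reuses the block, which
 * is why the crashed view held another object's bytes. */
static void *quarantine[QUARANTINE];
static int   quarantined;

static void poison_free(void *p, size_t n)
{
    memset(p, POISON_BYTE, n);
    if (quarantined < QUARANTINE)
        quarantine[quarantined++] = p;
    else
        free(p);
}

static int is_poisoned(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON_BYTE)
            return 0;
    return 1;
}

/* nsIFrame::Invalidate stand-in. Returns 1 if it was about to use freed memory. */
static int frame_invalidate(struct frame *f)
{
    struct view *v = f->view;
    if (v == NULL)
        return 0;            /* hardened path: view already gone, nothing to update */
    if (is_poisoned(v, sizeof *v))
        return 1;            /* the equivalent of view->mParent == 0x5 in the trace */
    (void)v->parent;         /* the real code walks to the view manager here */
    f->invalidations++;
    return 0;
}

/* One timer tick: notify every registered frame; count callbacks that hit freed memory. */
static int timer_fire(struct timer *t)
{
    int bad = 0;
    for (int i = 0; i < t->count; i++)
        bad += frame_invalidate(t->listeners[i]);
    return bad;
}

static struct frame *make_frame(struct timer *t)
{
    struct frame *f = calloc(1, sizeof *f);
    f->view = calloc(1, sizeof *f->view);
    f->view->vptr = 0x41000000; /* some plausible vtable address */
    timer_add(t, f);
    return f;
}

/* Vulnerable order: the view is torn down, but the frame keeps its pointer and stays
 * registered with the timer, so the next tick reads freed memory. */
static int scenario_dangling(void)
{
    struct timer t = {0};
    struct frame *f = make_frame(&t);
    timer_fire(&t);                        /* fine while the view is alive */
    poison_free(f->view, sizeof *f->view); /* view destroyed, frame not told */
    int bad = timer_fire(&t);              /* use-after-free: returns 1 */
    free(f);
    return bad;
}

/* Hardened order: unregister from the timer and clear the pointer before the view dies. */
static void frame_detach_view(struct frame *f, struct timer *t)
{
    timer_remove(t, f);
    poison_free(f->view, sizeof *f->view);
    f->view = NULL;
}

static int scenario_fixed(void)
{
    struct timer t = {0};
    struct frame *f = make_frame(&t);
    timer_fire(&t);
    frame_detach_view(f, &t);
    int bad = timer_fire(&t);              /* returns 0: nothing left to notify */
    free(f);
    return bad;
}

int main(void)
{
    printf("dangling listener hit freed memory: %d\n", scenario_dangling());
    printf("detached listener hit freed memory: %d\n", scenario_fixed());
    return 0;
}
```

The check in frame_invalidate only works because the demo controls the allocator; in a real process the freed block is usually reused, as it was here, and the first sign is a wild read of whatever landed there. That is why the durable fix is the ordering in frame_detach_view (drop the registration and the pointer before destruction), with allocator poisoning or a sanitizer used to make the remaining cases fail loudly instead of "brain-dead".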
Comment 3•19 years ago
No sign of a fix, not realistic for 1.8.0.1
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Comment 4•19 years ago
Neopets isn't a good site for getting reproducible fuzz crashes, and I don't see problems, so marking WFM.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Updated•19 years ago
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Updated•17 years ago
Group: security
Comment 5•17 years ago
in-testsuite- since it sounds like it's not worth the effort here given reproducibility concerns.
Flags: in-testsuite-
Updated•13 years ago
Crash Signature: [@ nsStyleContext::FindChildWithRules() line 182]