See upcoming testcase, which crashes current trunk Mozilla builds on load for me. It seems a regression, doesn't crash in 2005-09-18 build, crashes in 2005-09-19 build: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-18+06%3A00%3A00&maxdate=2005-09-19+09%3A00%3A00&cvsroot=%2Fcvsroot Christian, do you see the crash also, in your build with all your objectframe changes in it?

Talkback ID: TB12099660Y

Before the crash, I get a lot of assertions first: I've only made a backtrace of the crash itself. Program received signal SIGSEGV, Segmentation fault. 0x0f9cd1d4 in ?? () (gdb) bt #0 0x0f9cd1d4 in ?? () #1 0x00000212 in ?? () #2 0x0537debb in GetNifOrSpecialSibling(nsFrameManager*, nsIFrame*) ( aFrameManager=0xfa1c984, aFrame=0xfa93ac0) at c:/mozilla/mozilla/layout/base/nsCSSFrameConstructor.cpp:491 #3 0x053994f7 in nsCSSFrameConstructor::FindFrameWithContent(nsFrameManager*, n

I get some exciting asserts; the relevant ones (I think) are: ###!!! ASSERTION: huh?: 'pfd->mFrame == aFrame', file ../../../mozilla/layout/generic/nsLineLayout.cpp, line 521 !!! ASSERTION: bad status: 'NS_FRAME_IS_COMPLETE(aStatus)', file ../../../mozilla/layout/generic/nsFrame.cpp, line 5306 ###!!! ASSERTION: overflow list is not empty for initial reflow: '!overflowFrames', file ../../../mozilla/layout/generic/nsInlineFrame.cpp, line 375 At the second assert, the inline box has pushed everything after the BRFrame on its overflow list, per the then-current frame dump. That includes the absolute placeholder. So I suspect this is basically the same issue as bug 315850.

I seem to get the same assertions as bz, but no crash. still linux.

So is this still a problem now that bug 309525 is fixed?

Doesn't crash here with build 2005-12-22-10 of SeaMonkey trunk under Windows XP.

Yes, doesn't crash for me either anymore, resolving as fixed, probably fixed by bug 309525.

Verified; see comment 6 and comment 7.