Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060718 Minefield/3.0a1 This testcase makes Firefox crash, with a random address on top, and on of the following just below: * nsHTMLReflowState::InitAbsoluteConstraints * nsLineLayout::ReflowFrame * nsInlineFrame::ReflowInlineFrame Since there are random addresses on top, this is [sg:critical]. I wish I could make the testcase smaller :/

I'm crashing here: #5 <signal handler called> #6 0x03dfab3c in nsContainerFrame::DeleteNextInFlowChild (this=0x9ecb6e4, aPresContext=0xa032488, aNextInFlow=0x9ecb6ac) at /builds/trunk/mozilla/layout/generic/nsContainerFrame.cpp:885 #7 0x03e435d6 in nsLineLayout::ReflowFrame (this=0xbfd4e700, aFrame=0xa2519dc, aReflowStatus=@0xbfd4e604, aMetrics=0x0, aPushedFrame=@0xbfd4e2f8) at /builds/trunk/mozilla/layout/generic/nsLineLayout.cpp:1166 where delFrame is an ok-looking nsInlineFrame but its parent frame pointer is a pointer to memory that's not a frame (i.e., probably deleted already). (gdb) p aNextInFlow $7 = (class nsIFrame *) 0x9ecb6ac (gdb) p aNextInFlow->mParent $8 = (nsIFrame *) 0x9ecb6e4 (gdb) x/wa aNextInFlow 0x9ecb6ac: 0x4495fc8 <_ZTV13nsInlineFrame+8> (gdb) p *(nsInlineFrame*)$7 $9 = {<nsHTMLContainerFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = { _vptr.nsISupports = 0x4495fc8}, mRect = {x = 0, y = 0, width = 0, height = 0}, mContent = 0xa2acea8, mStyleContext = 0x9ecb4bc, mParent = 0x9ecb6e4, mNextSibling = 0x0, mState = 1030}, static gGotTheme = 1, static gTheme = 0x9a4ec40}, <nsIFrameDebug> = {<nsISupports> = { _vptr.nsISupports = 0x4496218}, <No data fields>}, <No data fields>}, mPrevContinuation = 0xa2519dc, mNextContinuation = 0xa24dffc}, mFrames = { mFirstChild = 0x0}}, <No data fields>}, <No data fields>} (gdb) p $9->mNextInFlow There is no member or method named mNextInFlow. (gdb) p $9->mNextContinuation $10 = (class nsIFrame *) 0xa24dffc (gdb) x/wa $10 0xa24dffc: 0x4495fc8 <_ZTV13nsInlineFrame+8> (gdb) p *(nsInlineFrame*)$ $11 = {<nsHTMLContainerFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = { _vptr.nsISupports = 0x4495fc8}, mRect = {x = 0, y = 0, width = 0, height = 0}, mContent = 0xa2acea8, mStyleContext = 0xa250dd0, mParent = 0xa24e7e4, mNextSibling = 0xa24dac8, mState = 1030}, static gGotTheme = 1, static gTheme = 0x9a4ec40}, <nsIFrameDebug> = {<nsISupports> = { _vptr.nsISupports = 0x4496218}, <No data fields>}, <No data fields>}, mPrevContinuation = 0x9ecb6ac, mNextContinuation = 0x0}, mFrames = { mFirstChild = 0x0}}, <No data fields>}, <No data fields>} (gdb) x/wa $9.mParent 0x9ecb6e4: 0x4495fc8 <_ZTV13nsInlineFrame+8> (gdb) x/wa $11.mParent 0xa24e7e4: 0x0 (gdb) p frames.mImpl.mArray[0] $12 = (void *) 0xa24dffc Judging by $10 and the contents of the frames array ($12), delFrame is $11.

Iirc, I had cases which crashed with nsHTMLReflowState::InitAbsoluteConstraints stack, but when I tried to minimise further, I got a different stack. I think that was bug 330981 (that was in the time I didn't add the unminimised testcase to the bug). I still had a testcase with a nsHTMLReflowState::InitAbsoluteConstraints stack in 'stock', I filed bug 345199 for it. Maybe this bug depends on a fix for bug 330909?

WFM with a Mac nightly. Still crashes in a Mac debug build.

WFM on Mac trunk (opt and debug).