Steps to reproduce: 1. Load the testcase. Result: * Debug: crash [@ nsCachedStyleData::GetStyleDisplay] accessing 0xddddddfd. * Opt: crash [@ nsFrameManager::RemoveFrame] with a random address on top. Partial debug stack: EXC_BAD_ACCESS (0x0001) KERN_INVALID_ADDRESS (0x0001) at 0xddddddfd Thread 0 Crashed: 0 nsCachedStyleData::GetStyleDisplay() + 20 (nsStyleStructList.h:95) 1 nsStyleContext::GetStyleDisplay() + 40 (nsStyleStructList.h:95) 2 nsIFrame::GetStyleDisplay() const + 100 (nsStyleStructList.h:95) 3 GetChildListNameFor(nsIFrame*) + 68 (nsCSSFrameConstructor.cpp:1803) 4 DeletingFrameSubtree(nsFrameManager*, nsIFrame*) + 376 (nsCSSFrameConstructor.cpp:9667) 5 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) + 1140 (nsCSSFrameConstructor.cpp:9817) 6 PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int) + 356 (nsPresShell.cpp:4981)

Before the crash, I see: ###!!! ASSERTION: out-of-flow is already in the destroy queue: 'aDestroyQueue.IndexOf(outOfFlowFrame) == kNotFound', file /Users/admin/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9597

This regressed between 2006-12-07 and 2006-12-08, so likely to be a regression from the reflow branch landing.

Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.

->dbaron based on comment 3

This is worksforme, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070123 Minefield/3.0a2pre

Fixed between Linux nightlies 2007-01-02-04-trunk and 2007-01-03-04-trunk.

Also fixed in 2006-12-28-04-trunk which confirms my suspicion that it was fixed by bug 243159.

Similar assertion and stack in bug 372237, which still occurs on trunk.

I don't see this problem on the branch (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4pre) Gecko/20070322 BonEcho/2.0.0.4pre). Looks like it's trunk-only.

Crashtest checked in.