Closed
Bug 364427
Opened 18 years ago
Closed 18 years ago
Crash [@ nsCachedStyleData::GetStyleDisplay] [@ nsFrameManager::RemoveFrame] with float, -moz-groupbox, abs pos
Categories
(Core :: Layout, defect)
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: bernd_mozilla)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] post 1.8-branch)
Crash Data
Attachments
(1 file)
(deleted),
text/html
Steps to reproduce:
1. Load the testcase.
Result:
* Debug: crash [@ nsCachedStyleData::GetStyleDisplay] accessing 0xddddddfd.
* Opt: crash [@ nsFrameManager::RemoveFrame] with a random address on top.
Partial debug stack:
EXC_BAD_ACCESS (0x0001)
KERN_INVALID_ADDRESS (0x0001) at 0xddddddfd
Thread 0 Crashed:
0 nsCachedStyleData::GetStyleDisplay() + 20 (nsStyleStructList.h:95)
1 nsStyleContext::GetStyleDisplay() + 40 (nsStyleStructList.h:95)
2 nsIFrame::GetStyleDisplay() const + 100 (nsStyleStructList.h:95)
3 GetChildListNameFor(nsIFrame*) + 68 (nsCSSFrameConstructor.cpp:1803)
4 DeletingFrameSubtree(nsFrameManager*, nsIFrame*) + 376 (nsCSSFrameConstructor.cpp:9667)
5 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) + 1140 (nsCSSFrameConstructor.cpp:9817)
6 PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int) + 356 (nsPresShell.cpp:4981)
Reporter
Comment 1•18 years ago
Reporter
Updated•18 years ago
Flags: blocking1.9?
Whiteboard: [sg:critical]
Reporter
Comment 2•18 years ago
Before the crash, I see:
###!!! ASSERTION: out-of-flow is already in the destroy queue: 'aDestroyQueue.IndexOf(outOfFlowFrame) == kNotFound', file /Users/admin/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9597
Comment 3•18 years ago
This regressed between 2006-12-07 and 2006-12-08, so likely to be a regression from the reflow branch landing.
Blocks: reflow-refactor
Updated•18 years ago
Keywords: regression
Comment 4•18 years ago
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: nobody → roc
Comment 6•18 years ago
This is worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070123 Minefield/3.0a2pre
Comment 7•18 years ago
Fixed between Linux nightlies 2007-01-02-04-trunk and 2007-01-03-04-trunk.
Comment 8•18 years ago
Also fixed in 2006-12-28-04-trunk which confirms my suspicion that it was fixed by bug 243159.
Depends on: 243159
Updated•18 years ago
Assignee: dbaron → bernd_mozilla
Updated•18 years ago
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Flags: blocking1.9?
Reporter
Comment 9•18 years ago
Similar assertion and stack in bug 372237, which still occurs on trunk.
Comment 10•18 years ago
I don't see this problem on the branch (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4pre) Gecko/20070322 BonEcho/2.0.0.4pre). Looks like it's trunk-only.
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Updated•18 years ago
Group: security
Flags: wanted1.8.1.x-
Updated•18 years ago
Flags: in-testsuite?
Updated•14 years ago
Crash Signature: [@ nsCachedStyleData::GetStyleDisplay]
[@ nsFrameManager::RemoveFrame]