This is derived from bug 346405. The test case at https://bugzilla.mozilla.org/attachment.cgi?id=265625 still crashes even though the core bug for 346405. We'll need to fix this separately. Steps to Reproduce 1. Load https://bugzilla.mozilla.org/attachment.cgi?id=265625. 2. Zoom a couple of times with control++. Result: Crash Dan notes the following details for the crash: "this" is a deleted object at: nsCachedStyleData::GetStyleData() Line 210 C++ nsStyleContext::GetStyleData() Line 248 C++ nsIFrame::GetStyleData() Line 612 C++ nsIFrame::GetStyleTextReset() Line 88 C++ nsLineLayout::VerticalAlignFrames() Line 2146 C++ nsLineLayout::ReflowFrame() Line 1181 C++ nsInlineFrame::ReflowInlineFrame() Line 761 C++ nsInlineFrame::ReflowFrames() Line 596 C++ nsInlineFrame::Reflow() Line 489 C++ nsLineLayout::ReflowFrame() Line 995 C++ nsInlineFrame::ReflowInlineFrame() Line 761 C++ nsInlineFrame::ReflowFrames() Line 596 C++ nsFirstLineFrame::Reflow() Line 1151 C++ nsLineLayout::ReflowFrame() Line 995 C++ nsBlockFrame::ReflowInlineFrame() Line 4060 C++ nsBlockFrame::DoReflowInlineFrames() Line 3899 C++ nsBlockFrame::ReflowInlineFrames() Line 3780 C++ nsBlockFrame::ReflowLine() Line 2773 C++ nsBlockFrame::ReflowDirtyLines() Line 2303 C++ nsBlockFrame::Reflow() Line 904 C++ nsContainerFrame::ReflowChild() Line 909 C++ nsColumnSetFrame::ReflowChildren() Line 484 C++ nsColumnSetFrame::Reflow() Line 744 C++ nsBlockReflowContext::ReflowBlock() Line 605 C++ nsBlockFrame::ReflowBlockFrame() Line 3494 C++ nsBlockFrame::ReflowLine() Line 2653 C++ nsBlockFrame::ReflowDirtyLines() Line 2303 C++ nsBlockFrame::Reflow() Line 904 C++ nsBlockReflowContext::ReflowBlock() Line 605 C++ nsBlockFrame::ReflowBlockFrame() Line 3494 C++ nsBlockFrame::ReflowLine() Line 2653 C++ nsBlockFrame::ReflowDirtyLines() Line 2303 C++ nsBlockFrame::Reflow() Line 904 C++ nsContainerFrame::ReflowChild() Line 909 C++ CanvasFrame::Reflow() Line 536 C++ nsContainerFrame::ReflowChild() Line 909 C++ nsHTMLScrollFrame::ReflowScrolledFrame() Line 515 C++ nsHTMLScrollFrame::ReflowContents() Line 570 C++ nsHTMLScrollFrame::Reflow() Line 768 C++ nsContainerFrame::ReflowChild() Line 909 C++ ViewportFrame::Reflow() Line 239 C++ PresShell::StyleChangeReflow() Line 3549 C++ nsPresContext::ClearStyleDataAndReflow() Line 625 C++ nsPresContext::SetTextZoomInternal() Line 426 C++ nsPresContext::SetTextZoom() Line 429 C++ DocumentViewerImpl::SetTextZoom() Line 2728 C++ XPTC_InvokeByIndex() Line 102 C++ XPCWrappedNative::CallMethod() Line 2169 C++ XPCWrappedNative::SetAttribute() Line 1968 C++ XPC_WN_GetterSetter() Line 1479 C++ js_Invoke() Line 1379 C js_InternalInvoke() Line 1473 C js_InternalGetOrSet() Line 1544 C js_NativeSet() Line 3521 C js_Interpret() Line 3709 C js_Invoke() Line 1398 C js_InternalInvoke() Line 1473 C js_InternalGetOrSet() Line 1544 C js_SetProperty() Line 3715 C js_Interpret() Line 3709 C js_Invoke() Line 1398 C js_InternalInvoke() Line 1473 C JS_CallFunctionValue() Line 4353 C nsJSContext::CallEventHandler() Line 1493 C++ nsJSEventListener::HandleEvent() Line 186 C++ nsEventListenerManager::HandleEventSubType() Line 1655 C++ nsEventListenerManager::HandleEvent() Line 1762 C++ nsXULElement::HandleDOMEvent() Line 2233 C++ nsXULElement::HandleDOMEvent() Line 2038 C++ nsXBLPrototypeHandler::ExecuteHandler() Line 397 C++ nsXBLWindowHandler::WalkHandlersInternal() Line 347 C++ nsXBLWindowKeyHandler::WalkHandlers() Line 199 C++ nsXBLWindowKeyHandler::KeyPress() Line 254 C++ DispatchToInterface() Line 144 C++ nsEventListenerManager::HandleEvent() Line 1752 C++ nsXULDocument::HandleDOMEvent() Line 1241 C++ nsXULElement::HandleDOMEvent() Line 2261 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleDOMEvent() Line 2255 C++ nsXULElement::HandleChromeEvent() Line 2899 C++ nsGlobalWindow::HandleDOMEvent() Line 1757 C++ nsDocument::HandleDOMEvent() Line 4146 C++ nsGenericElement::HandleDOMEvent() Line 2269 C++ PresShell::HandleEventInternal() Line 6574 C++ PresShell::HandleEvent() Line 6356 C++ nsViewManager::HandleEvent() Line 2519 C++ nsViewManager::DispatchEvent() Line 2253 C++ HandleEvent() Line 171 C++ nsWindow::DispatchEvent() Line 1319 C++ nsWindow::DispatchWindowEvent() Line 1339 C++ nsWindow::DispatchKeyEvent() Line 3639 C++ nsWindow::OnKeyDown() Line 3782 C++ nsWindow::ProcessMessage() Line 4777 C++ nsWindow::WindowProc() Line 1507 C++ Reproduced in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/2008020121 Firefox/2.0.0.12. Someone should give this a fancy title.

This fixes it for me. It's the first patch from bug 346405, which fixes the null-ptr crash but leaves a lot of: ###!!! ASSERTION: Float frame has wrong parent which is bug 306534, which is the second part of the patch.

Comment on attachment 301690 [details] [diff] [review] fix? approved for 1.8.1.13, a=dveditz for release-drivers

Checked in on MOZILLA_1_8_BRANCH: mozilla/layout/generic/nsInlineFrame.cpp 3.241.4.6 mozilla/layout/base/nsCSSFrameConstructor.cpp 1.1110.6.94 -> FIXED

Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13pre) Gecko/20080311 BonEcho/2.0.0.13pre While I did crash using a 2008-02-02 branch build.

Comment on attachment 301690 [details] [diff] [review] fix? applies cleanly to 1.8.0

Comment on attachment 301690 [details] [diff] [review] fix? a=caillon for 1.8.0.15