Closed Bug 526217 Opened 15 years ago Closed 15 years ago

Crash [@ nsFrameManager::RemoveFrame] with position:fixed and -moz-column-count

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
status1.9.2 --- .13-fixed
status1.9.1 --- unaffected

People

(Reporter: martijn.martijn, Assigned: martijn.martijn)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos frame-poisoned crash] regressed from 411835, fixed by 508473)

Attachments

(1 file)

Attached file testcase (deleted)

See testcase, which crashes current trunk build.

This regressed between 2008-12-07 and 2008-12-08, I guess a regression from bug 411835:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-12-07+05%3A00%3A00&enddate=2008-12-08+07%3A00%3A00

http://crash-stats.mozilla.com/report/index/bf590f70-34d5-4edd-bbf0-9a7da2091103?p=1

0 xul.dll nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:736
1 xul.dll DeletingFrameSubtree layout/base/nsCSSFrameConstructor.cpp:7028
2 xul.dll nsCSSFrameConstructor::ContentRemoved layout/base/nsCSSFrameConstructor.cpp:7256
3 xul.dll nsCSSFrameConstructor::RecreateFramesForContent layout/base/nsCSSFrameConstructor.cpp:9071
4 xul.dll nsCSSFrameConstructor::ProcessRestyledFrames layout/base/nsCSSFrameConstructor.cpp:7738
5 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4879
6 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:308
7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527
8 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170
9 nspr4.dll PR_GetEnv
10 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:110
11 firefox.exe __tmainCRTStartup obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
12 kernel32.dll BaseProcessStart

It doesn't crash Firefox 3.5.4, but still marking security sensitive, since related bugs are also security sensitive.
Whiteboard: [sg:critical?]
fantasai, does your frame destruction work have any effect on this?
Seems like it; I'm not crashing on the testcase.
Which bug is that?
Bug 508473 - Clean up and reorganize frame destruction
No longer blocks: 411835
Depends on: 508473
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 508473
Whiteboard: [sg:critical?] fixed by bug 508473 → [sg:critical?] regressed from 411835, fixed by 508473
Whiteboard: [sg:critical?] regressed from 411835, fixed by 508473 → [sg:dos frame-poisoned crash] regressed from 411835, fixed by 508473
For 1.9.2, it will be fixed by bug 468563.
Depends on: 468563
Group: core-security
Flags: in-testsuite?
Crash Signature: [@ nsFrameManager::RemoveFrame]
Flags: in-testsuite? → in-testsuite+