Closed
Bug 821360
Opened 12 years ago
Closed 6 years ago
Crash in nsRuleNode
Categories: Core :: CSS Parsing and Computation, defect
Status: RESOLVED INCOMPLETE
People: Reporter: mwobensmith, Unassigned
Details: 4 keywords, Whiteboard: testcase in bug 762280
While regressing the fix for bug #762280, we ran into a different crash. The ASan log is below.
Use the bug files provided from the related bug #762280 to recreate this crash.
This was reproduced with an ASan build, built from trunk 2012-12-12.
###!!! ABORT: negative lengths and percents should be rejected by parser: 'sizeValue->IsCalcUnit()', file /Users/mwobensmith/asan_moz_central/layout/style/nsRuleNode.cpp, line 2920
ASAN:SIGSEGV
=================================================================
==883== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x00010274272f sp 0x7fff5fbe7a60 bp 0x7fff5fbe7a70 T0)
AddressSanitizer can not provide additional info.
#0 0x10274272e in mozalloc_abort mozalloc_abort.cpp:23
#1 0x109c2e5e5 in Abort nsDebugImpl.cpp:423
#2 0x109c2dea7 in NS_DebugBreak_P nsDebugImpl.cpp:410
#3 0x106123809 in nsRuleNode::SetFontSize nsRuleNode.cpp:2918
#4 0x106127657 in nsRuleNode::SetFont nsRuleNode.cpp:3285
#5 0x1060d85ea in nsRuleNode::ComputeFontData nsRuleNode.cpp:3540
#6 0x1060d673d in nsRuleNode::WalkRuleTree nsStyleStructList.h:47
#7 0x1060d7f5f in nsRuleNode::ComputeFontData nsStyleStructList.h:47
#8 0x1060d673d in nsRuleNode::WalkRuleTree nsStyleStructList.h:47
#9 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
#10 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
#11 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
#12 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
#13 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
#14 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
#15 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
#16 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
#17 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
#18 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
#19 0x10612fcd4 in nsRuleNode::GetStyleData nsRuleNode.cpp:7640
#20 0x1060d628b in nsRuleNode::WalkRuleTree nsRuleNode.cpp:2049
#21 0x10612fdd9 in nsRuleNode::GetStyleFont nsStyleStructList.h:47
#22 0x105b48b67 in nsLayoutUtils::GetFontMetricsForStyleContext nsStyleStructList.h:47
#23 0x105dfa1e8 in nsHTMLReflowState::CalcLineHeight nsHTMLReflowState.cpp:2389
#24 0x105ce77e1 in nsBlockReflowState::nsBlockReflowState nsBlockReflowState.cpp:113
#25 0x105ce6aa1 in nsBlockReflowState::nsBlockReflowState nsBlockReflowState.cpp:114
#26 0x105ca547f in nsBlockFrame::Reflow nsBlockFrame.cpp:994
#27 0x105d78225 in nsFrame::BoxReflow nsFrame.cpp:8034
#28 0x105d767fa in nsFrame::RefreshSizeCache nsFrame.cpp:7584
#29 0x105d78baf in nsFrame::GetPrefSize nsFrame.cpp:7661
#30 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
#31 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
#32 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
#33 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
#34 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
#35 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
#36 0x106287700 in nsSprocketLayout::GetPrefSize nsSprocketLayout.cpp:1318
#37 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
#38 0x10628a98c in nsStackLayout::GetPrefSize nsStackLayout.cpp:69
#39 0x1062756f7 in nsBoxFrame::GetPrefSize nsBoxFrame.cpp:757
#40 0x106285709 in nsSprocketLayout::PopulateBoxSizes nsSprocketLayout.cpp:737
#41 0x10627dc1a in nsSprocketLayout::Layout nsSprocketLayout.cpp:215
#42 0x106276795 in nsBoxFrame::DoLayout nsBoxFrame.cpp:900
#43 0x10626fb90 in nsIFrame::Layout nsBox.cpp:510
#44 0x10627a86b in nsBoxFrame::LayoutChildAt nsBoxFrame.cpp:1928
#45 0x105f4150c in nsVideoFrame::Reflow nsVideoFrame.cpp:296
#46 0x105e3707a in nsLineLayout::ReflowFrame nsLineLayout.cpp:840
#47 0x105cc84c8 in nsBlockFrame::ReflowInlineFrame nsBlockFrame.cpp:3723
#48 0x105cc6262 in nsBlockFrame::DoReflowInlineFrames nsBlockFrame.cpp:3520
#49 0x105cc15a9 in nsBlockFrame::ReflowInlineFrames nsBlockFrame.cpp:3374
#50 0x105caf54e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:1998
#51 0x105ca58f7 in nsBlockFrame::Reflow nsBlockFrame.cpp:1041
#52 0x105ce4eb4 in nsBlockReflowContext::ReflowBlock nsBlockReflowContext.cpp:268
#53 0x105cbe1b4 in nsBlockFrame::ReflowBlockFrame nsBlockFrame.cpp:3099
#54 0x105caf54e in nsBlockFrame::ReflowDirtyLines nsBlockFrame.cpp:1998
#55 0x105ca58f7 in nsBlockFrame::Reflow nsBlockFrame.cpp:1041
#56 0x105d0adfc in nsContainerFrame::ReflowChild nsContainerFrame.cpp:952
#57 0x105de22e1 in nsCanvasFrame::Reflow nsCanvasFrame.cpp:472
#58 0x105d0adfc in nsContainerFrame::ReflowChild nsContainerFrame.cpp:952
#59 0x105dad4e9 in nsHTMLScrollFrame::ReflowScrolledFrame nsGfxScrollFrame.cpp:433
#60 0x105dadd22 in nsHTMLScrollFrame::ReflowContents nsGfxScrollFrame.cpp:533
#61 0x105db0ec1 in nsHTMLScrollFrame::Reflow nsGfxScrollFrame.cpp:774
#62 0x105d0adfc in nsContainerFrame::ReflowChild nsContainerFrame.cpp:952
#63 0x105f2c593 in ViewportFrame::Reflow nsViewportFrame.cpp:202
#64 0x105ba0e9e in PresShell::DoReflow nsPresShell.cpp:7554
#65 0x105bb69aa in PresShell::ProcessReflowCommands nsPresShell.cpp:7695
#66 0x105bb5d14 in PresShell::FlushPendingNotifications nsPresShell.cpp:3907
#67 0x105bb4e97 in PresShell::FlushPendingNotifications nsPresShell.cpp:3757
#68 0x10655541f in nsDocument::FlushPendingNotifications nsDocument.cpp:6099
#69 0x1065ea39a in mozilla::dom::Element::GetScrollFrame Element.cpp:1630
#70 0x1065eb240 in mozilla::dom::Element::GetClientAreaRect Element.cpp:633
#71 0x1098f451e in mozilla::dom::ElementBinding::get_clientWidth Element.h:677
#72 0x1098f1ead in mozilla::dom::ElementBinding::genericGetter ElementBinding.cpp:1623
#73 0x10b2a77fa in js::CallJSNative, JS::CallArgs const&) jscntxtinlines.h:364
#74 0x10b29810a in js::InvokeKernel jsinterp.cpp:382
#75 0x10b299a3d in js::Invoke jsinterp.h:112
#76 0x10b29af00 in js::InvokeGetterOrSetter jsinterp.cpp:510
#77 0x10b33fc3e in js::Shape::get jsscopeinlines.h:295
#78 0x10b326f26 in js_NativeGetInline jsobj.cpp:4208
#79 0x10b3280df in js_GetPropertyHelperInline Root.h:706
#80 0x10b3c29d7 in js::DirectProxyHandler::get jsobjinlines.h:173
#81 0x10b5a0a83 in js::Wrapper::get jswrapper.cpp:268
#82 0x10b3e30d1 in js::Proxy::get jsproxy.cpp:2353
#83 0x10b3e7ad8 in proxy_GetGeneric jsproxy.cpp:2619
#84 0x10b2b3acb in js::GetPropertyGenericMaybeCallXML jsobjinlines.h:170
#85 0x10b2a9c96 in js::GetPropertyOperation jsinterpinlines.h:286
#86 0x10b276cec in js::Interpret jsinterp.cpp:2227
#87 0x10b873f20 in js::mjit::EnterMethodJIT MethodJIT.cpp:1066
#88 0x10b874d42 in CheckStackAndEnterMethodJIT MethodJIT.cpp:1097
#89 0x10b87490b in js::mjit::JaegerShot MethodJIT.cpp:1115
#90 0x10b26ec09 in js::RunScript jsinterp.cpp:343
#91 0x10b298024 in js::InvokeKernel jsinterp.cpp:404
#92 0x10b299a3d in js::Invoke jsinterp.h:112
#93 0x10b0b099e in JS_CallFunctionValue jsapi.cpp:5789
#94 0x106ff2413 in nsXBLProtoImplAnonymousMethod::Execute nsXBLProtoImplMethod.cpp:330
#95 0x10702630e in nsBindingManager::ProcessAttachedQueue nsBindingManager.cpp:1004
#96 0x105bb5afe in PresShell::FlushPendingNotifications nsPresShell.cpp:3882
#97 0x105bfbfd1 in nsRefreshDriver::Tick nsRefreshDriver.cpp:877
#98 0x105c00931 in mozilla::RefreshDriverTimer::Tick nsRefreshDriver.cpp:164
#99 0x109c1bdbe in nsTimerImpl::Fire nsTimerImpl.cpp:482
#100 0x109c1c95e in nsTimerEvent::Run nsTimerImpl.cpp:565
#101 0x109c09f3e in nsThread::ProcessNextEvent nsThread.cpp:627
#102 0x109af8918 in NS_ProcessPendingEvents_P nsThreadUtils.cpp:171
#103 0x109013f1e in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:97
#104 0x108f57b0c in nsAppShell::ProcessGeckoEvents nsAppShell.mm:387
#105 0x7fff91b4e100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
#106 0x7fff91b4da24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
#107 0x7fff91b70dc4 in __CFRunLoopRun (in CoreFoundation) + 788
#108 0x7fff91b706b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
#109 0x7fff8b5140a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
#110 0x7fff8b513d83 in ReceiveNextEventCommon (in HIToolbox) + 165
#111 0x7fff8b513cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
#112 0x7fff8d811612 in _DPSNextEvent (in AppKit) + 684
#113 0x7fff8d810ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
#114 0x108f55bd7 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] nsAppShell.mm:164
#115 0x7fff8d808282 in -[NSApplication run] (in AppKit) + 516
#116 0x108f588a9 in nsAppShell::Run nsAppShell.mm:741
#117 0x10887b2b0 in nsAppStartup::Run nsAppStartup.cpp:291
#118 0x1050c56ae in XREMain::XRE_mainRun nsAppRunner.cpp:3824
#119 0x1050c6cdc in XREMain::XRE_main nsAppRunner.cpp:3891
#120 0x1050c76ca in XRE_main nsAppRunner.cpp:4089
#121 0x10000294f in main nsBrowserApp.cpp:174
#122 0x100001553 in start (in firefox-bin) + 51
#123 0x0 in 0x0000000100000000 (in firefox-bin)
Component: DOM → Style System (CSS)
Comment 1 • 12 years ago
Dupe of bug 576927 or bug 585185?
Updated • 12 years ago
Group: core-security
Comment 2 • 6 years ago
Fwiw, the testcase in bug 762280 no longer asserts (on Linux).
nsRuleNode is gone, so it's not worth tracking these signatures anymore.
Please file new bugs as appropriate.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE