Bug 1872410 Comment 5 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I'm still not sure how this crash is caused by the change of bug 1820290 though...

In that case, `nsIFrame::GetFrameFromDirection` starts scanning from `nsTextFrame` containing "1". The frame ancestors are:
- `nsTableFrame`
  - `nsTableRowGroupFrame`
    - `nsBlcokFrame`
      - `nsTextFrame`

Then, [the first `nsFrameIterator::GetPrevSibling()` call in `nsFrameIterator::Prev()`](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/base/nsFrameTraversal.cpp#141) returns `nullptr` because there is no previous sibling of the text frame. Then, the second call of it with `nsBlockFrame` hits the crash. During the second call, `nsFrameList::GetPrevVisualFor()` is called from [here](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/base/nsFrameTraversal.cpp#277). `aFrame` is the `nsBlockFrame` and the `mFirstChild` is `nsTableRowFrame`. They have the same `nsTableRowGroupFrame` as parent. Then, [the line iterator](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/generic/nsFrameList.cpp#252) is [the `nsTableRowGroupFrame` itself](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/tables/nsTableRowGroupFrame.h#274). Finally, `nsTableRowGroupFrame::FindLineContaining()` is called with the `nsBlockFrame`. Therefore, [the query frame](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/tables/nsTableRowGroupFrame.cpp#1677) returns `nullptr` and it crashes.

So I believe that this is not a bug of `nsFrameIterator`, but a bug of `nsFrameList::GetPrevVisualFor` (and `nsFrameList::GetNextVisualFor`).

What do you think, Emilio? And which part should I fix?

I'm still not sure how this crash is caused by the change of bug 1820290 though...

In that case, `nsIFrame::GetFrameFromDirection` starts scanning from `nsTextFrame` containing "1". The frame ancestors are:
- `nsTableFrame`
  - `nsTableRowGroupFrame`
    - `nsBlockFrame`
      - `nsTextFrame`

Then, [the first `nsFrameIterator::GetPrevSibling()` call in `nsFrameIterator::Prev()`](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/base/nsFrameTraversal.cpp#141) returns `nullptr` because there is no previous sibling of the text frame. Then, the second call of it with `nsBlockFrame` hits the crash. During the second call, `nsFrameList::GetPrevVisualFor()` is called from [here](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/base/nsFrameTraversal.cpp#277). `aFrame` is the `nsBlockFrame` and the `mFirstChild` is `nsTableRowFrame`. They have the same `nsTableRowGroupFrame` as parent. Then, [the line iterator](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/generic/nsFrameList.cpp#252) is [the `nsTableRowGroupFrame` itself](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/tables/nsTableRowGroupFrame.h#274). Finally, `nsTableRowGroupFrame::FindLineContaining()` is called with the `nsBlockFrame`. Therefore, [the query frame](https://searchfox.org/mozilla-central/rev/6321fb8f7533456a62dfa2aa68ee0477a6c8f693/layout/tables/nsTableRowGroupFrame.cpp#1677) returns `nullptr` and it crashes.

So I believe that this is not a bug of `nsFrameIterator`, but a bug of `nsFrameList::GetPrevVisualFor` (and `nsFrameList::GetNextVisualFor`).

What do you think, Emilio? And which part should I fix?
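
Added example, not part of the comment and not Gecko code: a reduced C++ model of the failure described above, where a row group acting as its own line iterator is asked about a child that is not a row frame. The types `Frame`, `RowFrame`, `BlockFrame`, `RowGroup`, the helper `AsRow`, and the `-1` "no line" return value are assumptions made for this sketch, and the guarded lookup is one defensive option, not the fix chosen in the bug.

```cpp
#include <cstdint>
#include <memory>
#include <utility>
#include <vector>

// Simplified stand-ins for the frame classes named above; not Gecko code.
struct Frame { virtual ~Frame() = default; };
struct RowFrame : Frame { int32_t rowIndex = 0; };
struct BlockFrame : Frame {};

// A row group that serves as its own line iterator: one row is one line.
struct RowGroup {
  std::vector<std::unique_ptr<Frame>> children;

  // Checked cast standing in for the query-frame step; yields nullptr
  // when the frame is not a row frame.
  static const RowFrame* AsRow(const Frame* f) {
    return dynamic_cast<const RowFrame*>(f);
  }

  // Unguarded lookup: assumes every child is a row frame, so passing the
  // block frame child dereferences nullptr.
  int32_t FindLineContainingUnchecked(const Frame* f) const {
    return AsRow(f)->rowIndex;
  }

  // Guarded lookup: a non-row child is reported as "on no line" (-1, an
  // assumed convention for this model).
  int32_t FindLineContaining(const Frame* f) const {
    const RowFrame* row = AsRow(f);
    return row ? row->rowIndex : -1;
  }
};

// Constructed input: a row group whose children are row, block, row.
RowGroup MakeMixedRowGroup() {
  RowGroup group;
  for (int32_t i = 0; i < 2; ++i) {
    auto row = std::make_unique<RowFrame>();
    row->rowIndex = i;
    group.children.push_back(std::move(row));
    if (i == 0) group.children.push_back(std::make_unique<BlockFrame>());
  }
  return group;
}

int main() {
  RowGroup group = MakeMixedRowGroup();
  // The block frame is children[1]; only the guarded lookup is safe for it.
  return group.FindLineContaining(group.children[1].get()) == -1 ? 0 : 1;
}
```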
