Closed
Bug 313173
Opened 19 years ago
Closed 19 years ago
Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed][@ nsGrid::GetScrollBox]
Categories
(Core :: Layout, defect, P1)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.8rc1
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
References
Details
(4 keywords, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files)
|
776 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
3.39 KB,
patch
|
neil
:
review+
roc
:
superreview+
dveditz
:
approval-aviary1.0.8+
dveditz
:
approval1.7.13+
asa
:
approval1.8rc1+
|
Details | Diff | Splinter Review |
The upcoming testcase crashes Mozilla when clicking on the button.
Talkback ID: TB10392796Y
(can't see the tb id right now, but iirc, I once got appr. the same stack as the
one from bug 311710, so marking as a security bug for now)
nsGrid::GetScrollBox
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 1493]
nsGridRowLayout::GetParentGridPart
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 91]
nsGridRowLayout::GetGrid
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 176]
nsGridRowLayout::GetGrid
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 179]
nsGridRowLayout::GetGrid
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLayout.cpp,
line 124]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 85]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
nsGrid::GetPrefRowSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 589]
nsGridRowLeafLayout::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp,
line 92]
nsBoxFrame::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp,
line 948]
nsGridCell::GetPrefSize
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridCell.cpp,
line 84]
nsGrid::GetPrefRowHeight
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp,
line 986]
|
Reporter | |
Comment 1•19 years ago
|
||
|
Assignee | |
Comment 2•19 years ago
|
||
Yep. Calling methods on a deleted box... :( Gotta love grids. :( Is there
any way we can disable them for this release? Or are they too widely used?
Flags: blocking1.8rc1?
OS: Windows XP → All
Hardware: PC → All
|
|
Assignee | |
Updated•19 years ago
|
Summary: Crash with evil xul testcase, using table-caption/-moz-grid → Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed]
|
|
Assignee | |
Updated•19 years ago
|
Summary: Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed] → Crash with evil xul testcase, using table-caption/-moz-grid [@ nsGridRow::IsCollapsed][@ nsGrid::GetScrollBox]
|
||
Comment 3•19 years ago
|
||
So the issue is that a GridRowLayout has a ChildrenRemoved override but a
GridLayout2 does not?
|
|
Assignee | |
Comment 4•19 years ago
|
||
Hmm.. Yeah, that seems to be it. The same issue in bug 312784, in fact.
Blocks: 312784
|
|
Assignee | |
Comment 5•19 years ago
|
||
This fixes this bug and bug 312784. We still assert in
nsGrid::GetMin/Pref/MaxRowSize because we have no columns and someone passes a
column index of 0, but the code there also bails out safely in addition to
asserting, so we're sorta ok.
Attachment #200288 -
Flags: superreview?(roc)
Attachment #200288 -
Flags: review?(neil.parkwaycc.co.uk)
Attachment #200288 -
Flags: superreview?(roc) → superreview+
|
||
Updated•19 years ago
|
Flags: blocking1.8rc1? → blocking1.8rc1+
|
|
Assignee | |
Comment 6•19 years ago
|
||
Comment on attachment 200288 [details] [diff] [review]
Proposed patch
I think we should just get this in on trunk so we can verify and maybe get this
on branch in time for freeze. I talked to Neil on IRC and he seemed happy with
the patch; I assume he'll mark review once he wakes up...
Attachment #200288 -
Flags: review?(roc)
|
|
||
Comment 7•19 years ago
|
||
Comment on attachment 200288 [details] [diff] [review]
Proposed patch
Are the assertions in nsGrid.cpp "normal"? I also wonder whether the
mMarkingDirty member is relevant to the rebuild.
Attachment #200288 -
Flags: review?(neil.parkwaycc.co.uk) → review+
|
|
Assignee | |
Comment 8•19 years ago
|
||
> Are the assertions in nsGrid.cpp "normal"?
No; I will file a followup bug on them.
|
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → bzbarsky
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1
|
|
Assignee | |
Updated•19 years ago
|
Attachment #200288 -
Flags: review?(roc)
|
|
||
Comment 9•19 years ago
|
||
Comment on attachment 200288 [details] [diff] [review]
Proposed patch
Please land on the trunk, ASAP. We'll evaluate it for the branch once it's been
landed and verified on the trunk. Thanks.
Attachment #200288 -
Flags: approval1.8rc1?
|
|
Assignee | |
Comment 10•19 years ago
|
||
Fixed on trunk a few hours ago.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 11•19 years ago
|
||
Filed bug 313303 on the assert.
|
||
Comment 13•19 years ago
|
||
jesse, care to do an hourly build based verification on the trunk for this bug?
|
||
Comment 14•19 years ago
|
||
The atlantia tinderbox is on fire, so I can't get an hourly build, but I'll test
with my own debug build in a bit.
|
|
||
Comment 15•19 years ago
|
||
WFM with the Mac build from
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-21-15-trunk/. I
was able to reproduce this crash in a build from yesterday (before the patch
went in). I'm not sure I should mark this bug as verified, because Martijn
originally reported this bug on Windows.
|
|
||
Comment 16•19 years ago
|
||
OK. I've verified that the testcase does crash me with yesterday's build and
does not crash me with the latest hourly build on windows.
Status: RESOLVED → VERIFIED
|
|
||
Updated•19 years ago
|
Attachment #200288 -
Flags: approval1.8rc1? → approval1.8rc1+
|
||
Updated•19 years ago
|
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Comment 19•19 years ago
|
||
Comment on attachment 200288 [details] [diff] [review]
Proposed patch
aviary101/moz17 landing approval: a=dveditz for drivers. Please add the fixed1.7.13 and fixed-aviary1.0.8 keywords when landed.
Attachment #200288 -
Flags: approval1.7.13+
Attachment #200288 -
Flags: approval-aviary1.0.8+
|
|
Assignee | |
Comment 20•19 years ago
|
||
Fixed on 1.7 and aviary 1.0.x branches.
Keywords: fixed-aviary1.0.8,
fixed1.7.13
|
||
Comment 21•19 years ago
|
||
The testcase is still crashing for me with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20060209 Firefox/1.0.7. Will post my Talkback stack once it's processed to see if we're crashing somewhere else now.
Can anyone else confirm this is still a problem on the Aviary branch, even with the checkin from 2/6?
|
|
Assignee | |
Comment 22•19 years ago
|
||
Jay, this worksforme with my aviary branch build.... Did that talkback ID ever materialize?
|
|
||
Comment 23•19 years ago
|
||
Here's my recent Aviary crash (looks similar):
Incident ID: 14972347
Stack Signature nsGrid::GetScrollBox f0a28047
Email Address jay@mozilla.org
Product ID Firefox10
Build ID 2006020905
Trigger Time 2006-02-09 14:50:09.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (002d9c14)
URL visited https://bugzilla.mozilla.org/show_bug.cgi?id=313173
User Comments crash with evil xul testcae with 1.0.8 .. might not be the same bug, but still a problem.
Since Last Crash 547 sec
Total Uptime 547 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 1489
Stack Trace
nsGrid::GetScrollBox [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGrid.cpp, line 1489]
nsGridRowLeafLayout::ComputeChildSizes [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/grid/nsGridRowLeafLayout.cpp, line 321]
nsSprocketLayout::Layout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 285]
nsContainerBox::DoLayout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 610]
nsBox::Layout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp, line 1016]
nsLineLayout::ReflowFrame [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsLineLayout.cpp, line 993]
nsBlockFrame::ReflowInlineFrame [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3748]
nsBlockFrame::DoReflowInlineFrames [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3446]
nsBlockFrame::DoReflowInlineFramesAuto [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3347]
nsBlockFrame::ReflowInlineFrames [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 3292]
nsBlockFrame::ReflowLine [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2456]
nsBlockFrame::ReflowDirtyLines [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 2098]
nsBlockFrame::Reflow [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp, line 817]
nsTableOuterFrame::Reflow [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/table/src/nsTableOuterFrame.cpp, line 1974]
nsBoxToBlockAdaptor::Reflow [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 884]
nsBoxToBlockAdaptor::RefreshSizeCache [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 385]
nsBoxToBlockAdaptor::GetAscent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp, line 590]
nsStackLayout::GetAscent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsStackLayout.cpp, line 178]
nsContainerBox::GetAscent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 955]
nsContainerBox::GetAscent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 595]
nsBoxFrame::GetAscent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 955]
nsContainerBox::DoLayout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 610]
nsBox::Layout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp, line 1016]
nsContainerBox::DoLayout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp, line 610]
nsBox::Layout [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp, line 1016]
nsRootBoxFrame::Reflow [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 240]
nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 982]
ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsViewportFrame.cpp, line 249]
IncrementalReflow::Dispatch [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 904]
PresShell::ProcessReflowCommands [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6401]
ReflowEvent::HandleEvent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp, line 6226]
PL_HandleEvent [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/xpcom/threads/plevent.c, line 674]
0x778b0c24
PreferredFontEnumCallback [c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/mathml/base/src/nsMathMLChar.cpp, line 983]
0xc03302eb
|
|
Assignee | |
Comment 24•19 years ago
|
||
Hmm... That crashes in a different place, but _possibly_ related. Is it reliably reproducible?
|
|
||
Comment 25•19 years ago
|
||
bz: I just crashed again with today's 1.0.8 build using the testcase in this bug, so it appears to be easily reproducible. Let me know if we need to reopen this bug or log a new one.
|
|
Assignee | |
Comment 26•19 years ago
|
||
New one, I guess? And note that "easily" and "reliably" are not the same thing. "easily" would be "crashes once out of every three loads or so" while "reliably" is crashes every load. Which one is it?
|
|
||
Comment 27•19 years ago
|
||
bz: It is reliably reproducible for me... I have crashed 4 out of 4 times on loading the testcase with 2 recent builds. Are you able to reproduce? I will log a bug as soon as my most recent crash is processed and I can confirm the stack is the same as the one I posted.
|
||
Comment 28•19 years ago
|
||
jay, did you file a new bug?
I reliably crash on windows, mac and linux:
Windows:
Moz - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060214
Firefox/1.0.8
Macintosh:
Moz - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060214 Firefox/1.0.8
Fx - Mozilla/5.0 (Macintosh; U;PPC Mac OS X Mach-O; en-US; rv:1.7.13)
Gecko/20060214 Firefox/1.0.8
Linux
Moz - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060214
Fx - Mozilla/5.0 (X11; U;Linux i686; en-US; rv:1.7.13) Gecko/20060214
Firefox/1.0.8
|
|
Assignee | |
Comment 29•19 years ago
|
||
So I finally managed to reproduce Jay's crash. That's bug 275896 (landed on trunk about a year ago, so it's in 1.8, but it never made it to 1.7).
Not sure whether we care for 1.7, since it's a null pointer dereference, not a deleted pointer dereference...
|
|
||
Comment 30•19 years ago
|
||
Tracy: Nope, haven't logged a bug yet, but looks like bz found an existing one. I'll leave it up to the devs to decide what needs to be done about that one.
I'm just going to mark this verified on 1.0.8 since my crash is different than the one that was fixed here. I'll nominate bug 275896 for 1.0.9 in case we want to take the null pointer checks for the next release.
Thanks bz for digging that bug up.
Keywords: fixed-aviary1.0.8 → verified-aviary1.0.8
|
|
||
Updated•19 years ago
|
Group: security
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
|
|
||
Comment 31•16 years ago
|
||
crash test landed
http://hg.mozilla.org/mozilla-central/rev/811d3a773dc0
Flags: in-testsuite? → in-testsuite+
|
||
Updated•14 years ago
|
Crash Signature: [@ nsGridRow::IsCollapsed]
[@ nsGrid::GetScrollBox]
You need to log in
before you can comment on or make changes to this bug.
Description
•