Closed Bug 317179 Opened 19 years ago Closed 19 years ago

Crash with evil testcase using object, embed display:table-header-group [@ nsIFrame::GetStyleData]

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(5 files)

See upcoming testcase, which crashes for me in current trunk build.
It doesn't crash with 2005-09-21 build, but it crashes with 2005-09-22 build, so my guess is a fall-out from bug 1156.

Talkback ID: TB12061074W
You need to have js enabled to get the crash.
hm... doesn't crash here, linux seamonkey, checkout finish: Fr Nov 18 17:55:50 CET 2005

I get these warnings:
frame: Table(button)(3) (0x966c4a8) style: 0x9670fb8 :-moz-table {}
Wrong parent style context:  style: 0x9670d88 :-moz-table-outer {}
should be using:  style: 0x9670c90 :-moz-button-content {}

frame: TableOuter(button)(3) (0x9670f6c) style: 0x9670d88 :-moz-table-outer {}
Wrong parent style context:  style: 0x9670c90 :-moz-button-content {}
should be using:  style: 0x9670fb8 :-moz-table {}

frame: Table(button)(3) (0x966c4a8) style: 0x9670fb8 :-moz-table {}
Wrong parent style context:  style: 0x9670d88 :-moz-table-outer {}
should be using:  style: 0x9670c90 :-moz-button-content {}

WARNING: this reflow doesn't do anything, file ../../../../mozilla/layout/tables/nsTableFrame.cpp, line 1934
WARNING: this reflow doesn't do anything, file ../../../../mozilla/layout/tables/nsTableFrame.cpp, line 1934
frame: Table(button)(3) (0x966c4a8) style: 0x966d0b8 :-moz-table {}
Wrong parent style context:  style: 0x9670d88 :-moz-table-outer {}
should be using:  style: 0x9670c90 :-moz-button-content {}

frame: TableOuter(button)(3) (0x9670f6c) style: 0x9670d88 :-moz-table-outer {}
Wrong parent style context:  style: 0x9670c90 :-moz-button-content {}
should be using:  style: 0x966d0b8 :-moz-table {}

frame: Table(button)(3) (0x966c4a8) style: 0x966d0b8 :-moz-table {}
Wrong parent style context:  style: 0x9670d88 :-moz-table-outer {}
should be using:  style: 0x9670c90 :-moz-button-content {}

Document https://bugzilla.mozilla.org/attachment.cgi?id=203713 loaded successfully
WARNING: this reflow doesn't do anything, file ../../../../mozilla/layout/tables/nsTableFrame.cpp, line 1934
WARNING: this reflow doesn't do anything, file ../../../../mozilla/layout/tables/nsTableFrame.cpp, line 1934
This is a backtrace from my debug build of the crash.

It contains a backtrace of the assertion:
###!!! ASSERTION: Not enough frames to push: 'nsFrameList(aFrame).GetLength() >=
 pushCount', file c:/mozilla/mozilla/layout/generic/nsBlockFrame.cpp, line 4306
Break: at file c:/mozilla/mozilla/layout/generic/nsBlockFrame.cpp, line 4306

And the sigsegv:
Program received signal SIGSEGV, Segmentation fault.
0x059ab03a in nsIFrame::GetStyleData(nsStyleStructID) const (this=0x0,
    aSID=eStyleStruct_Display)
    at c:/mozilla/mozilla/layout/generic/nsIFrame.h:607
607         NS_ASSERTION(mStyleContext, "No style context found!");
Maybe I minimised the previous testcase too much, by removing too much of the text at the beginning.
odd, that doesn't crash for me either...
Hmm....  That crashes for me (seamonkey build).  biesi, are you testing in a build with any of your followup patches in it?
oh yeah... this has all my objectframe changes in it, for example.
I suggest adding some dependencies, then; chances are, one of your changes fixes this.  ;)
ok then :) dunno which of those fixes it, or if neither does and it's another one...
Depends on: 309521, 309525
the frame style warnings are https://bugzilla.mozilla.org/show_bug.cgi?id=51767#c4
they will be fixed as part of bug 316026
Summary: Crash with evil testcase using object, embed display:table-header-group → Crash with evil testcase using object, embed display:table-header-group [@ nsIFrame::GetStyleData]
Attached file reduced testcase
So is this still a problem now that bug 309525 is fixed?
None of the three testcases posted here crash for me with today's 2005-12-22-10 trunk build of SeaMonkey on Windows XP.
Yes, doesn't crash for me either anymore. Probably fixed by bug 309525.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified.  See comment 14 and comment 15.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsIFrame::GetStyleData]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: