Closed
Bug 317549
Opened 19 years ago
Closed 19 years ago
Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted] involving MathML
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bc, Assigned: sicking)
References
Details
(Keywords: crash, fixed1.8.1, verified1.8.0.2, Whiteboard: [sg:critical] uses freed memory [rft-dl])
Crash Data
Attachments
(2 files)
nextSibling->GetParent() appears to be returning a freed object. Confirming it happens on the 1.5 branch as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
Updated•19 years ago
|
Flags: blocking1.8.0.1?
Updated•19 years ago
|
Summary: Crash [@ nsCSSFrameConstructor::ContentInserted] → Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted]
Comment 3•19 years ago
|
||
Crashes Firefox 1.5 but not trunk. No idea why it doesn't crash trunk, since it's supposed to be the same sequence of actions as running the bookmarklet.
Comment 5•19 years ago
|
||
Trunk, some extraneous stuff edited out. (dist\bin\firefox 2> file.)
Comment 6•19 years ago
|
||
(sort assertions.txt | uniq -c | sort -n -r > unique-assertions.txt)
Assignee: nobody → bugmail
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:critical] uses freed memory
Updated•19 years ago
|
Summary: Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted] → Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted] involving MathML
Updated•19 years ago
|
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Marking fixed per bug 309120 comment 15.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•18 years ago
|
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Comment 8•18 years ago
|
||
Adding branch "fixed" keywords because bug 309120 has been checked in. Shouldn't this have been a dupe?
Keywords: fixed1.8.0.2,
fixed1.8.1
Comment 9•18 years ago
|
||
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [sg:critical] uses freed memory → [sg:critical] uses freed memory [rft-dl]
Comment 10•18 years ago
|
||
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1, no crashes with the stack signatures in this bug, BUT a new crash with the non-reduced testcase (bug 329044).
Keywords: fixed1.8.0.2 → verified1.8.0.2
Updated•18 years ago
|
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Updated•17 years ago
|
Group: security
Updated•13 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::ContentInserted]
[@ PresShell::ContentInserted]
You need to log in
before you can comment on or make changes to this bug.
Comment 1
•