Closed Bug 317549 Opened 19 years ago Closed 19 years ago

Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted] involving MathML

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: bc, Assigned: sicking)

References

Details

(Keywords: crash, fixed1.8.1, verified1.8.0.2, Whiteboard: [sg:critical] uses freed memory [rft-dl])

Crash Data

Attachments

(2 files)

nextSibling->GetParent() appears to be returning a freed object. Confirming it happens on the 1.5 branch as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
Flags: blocking1.8.0.1?
Summary: Crash [@ nsCSSFrameConstructor::ContentInserted] → Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted]
Crashes Firefox 1.5 but not trunk.  No idea why it doesn't crash trunk, since it's supposed to be the same sequence of actions as running the bookmarklet.
Depends on: 309120
Attached file assertion failures
Trunk, some extraneous stuff edited out.  (dist\bin\firefox 2> file.)
(sort assertions.txt | uniq -c | sort -n -r > unique-assertions.txt)
Whiteboard: [sg:fix] → [sg:critical] uses freed memory
Summary: Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted] → Crash [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted] involving MathML
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Marking fixed per bug 309120 comment 15.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Adding branch "fixed" keywords because bug 309120 has been checked in. Shouldn't this have been a dupe?
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [sg:critical] uses freed memory → [sg:critical] uses freed memory [rft-dl]
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1, no crashes with the stack
signatures in this bug, BUT a new crash with the non-reduced testcase (bug
329044).
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Group: security
Crash Signature: [@ nsCSSFrameConstructor::ContentInserted] [@ PresShell::ContentInserted]