322820 - Crash [@ nsCSSFrameConstructor::RemoveFirstLetterFrames] with evil testcase, using float:right; and .u::first-letter

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Martijn Wargers (dead)]

This is split of from bug 318592, see bug 318592, comment 10 and further.

The url makes Mozilla crash on load.
Doesn't crash in 2005-03-22 build, crashes in 2005-02-23 build.
Maybe regression from bug 263825?

Talkback data from TB12496055E:
nsCSSFrameConstructor::RemoveFirstLetterFrames 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12779]
nsCSSFrameConstructor::RemoveLetterFrames 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12845]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9814]
nsCSSFrameConstructor::ReinsertContent 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9492]
PresShell::CharacterDataChanged 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5398]
nsGenericDOMDataNode::SetData 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericDOMDataNode.cpp,
line 354]
nsCommentNode::SetData 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsCommentNode.cpp,
line 59]
nsHTMLFormElement::AddRef
0xf9a8e918

Comment 1

[Boris Zbarsky [:bzbarsky]]

This is actually fixed by the patch in bug 317275

Comment 2

[Boris Zbarsky [:bzbarsky]]

Fixed by checkin for bug 317275

Comment 3

[Martijn Wargers (dead)]

Verified fixed, using latest nightly trunk build.