Crash [@ nsCSSFrameConstructor::RemoveFirstLetterFrames] with evil testcase, using float:right; and .u::first-letter

VERIFIED FIXED in mozilla1.9alpha1

Status

()

--
critical
VERIFIED FIXED
13 years ago
8 years ago

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Tracking

({crash, regression, testcase})

Trunk
mozilla1.9alpha1
x86
Windows XP
crash, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

(Reporter)

Description

13 years ago
This is split of from bug 318592, see bug 318592, comment 10 and further.

The url makes Mozilla crash on load.
Doesn't crash in 2005-03-22 build, crashes in 2005-02-23 build.
Maybe regression from bug 263825?

Talkback data from TB12496055E:
nsCSSFrameConstructor::RemoveFirstLetterFrames 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12779]
nsCSSFrameConstructor::RemoveLetterFrames 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 12845]
nsCSSFrameConstructor::ContentRemoved 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9814]
nsCSSFrameConstructor::ReinsertContent 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 9492]
PresShell::CharacterDataChanged 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5398]
nsGenericDOMDataNode::SetData 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericDOMDataNode.cpp,
line 354]
nsCommentNode::SetData 
[c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsCommentNode.cpp,
line 59]
nsHTMLFormElement::AddRef
0xf9a8e918
This is actually fixed by the patch in bug 317275
Depends on: 317275
(Assignee)

Updated

13 years ago
Assignee: nobody → bzbarsky
Fixed by checkin for bug 317275
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
(Reporter)

Comment 3

13 years ago
Verified fixed, using latest nightly trunk build.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsCSSFrameConstructor::RemoveFirstLetterFrames]
You need to log in before you can comment on or make changes to this bug.