Closed Bug 324936 Opened 14 years ago Closed 14 years ago

Crash after reload with evil testcase, using animated gif, display: -moz-inline-box, etc [@ nsIFrame::GetScreenRect]

Categories

(Core :: Layout, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

See upcoming testcase, which crashes Mozilla after reloading the page.
Also happens in Mozilla1.7, so no recent regression.

Talkback ID: TB14464204Y
Attached file testcase
From talkback ID:
nsIFrame::GetScreenRect  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 2998]
HaveFixedSize  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsImageFrame.cpp, line 144]
nsImageFrame::LoadIcons  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsImageFrame.cpp, line 1899]
imgRequest::AddProxy  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/libpr0n/src/imgRequest.cpp, line 136]
imgContainerGIF::AppendFrame  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp, line 157]
nsTimerImpl::Fire  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 413]
nsAppStartup::Quit  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 287]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x1eb69 (0x77e5eb69)
The real problem is probably that we lose the image frame.  What does the frame dump look like when that testcase is loaded, if I might ask?
Attached file logfile
You want this, I guess?
This is the reflow log of the testcase.
Summary: Crash after reload with evil testcase, using animated gif, display: -moz-iniline-box, etc → Crash after reload with evil testcase, using animated gif, display: -moz-iniline-box, etc [@ nsIFrame::GetScreenRect]
Attached file Frame dump
No, I meant a frame dump like this (build the "layoutdebug" extension, start with -layoutdebug and in the Dump menu select the Frames option).

Note that there is no image frame in the frame tree in this case.  In fact, there is no float either.
Fixing bug 282173 should fix this, I bet...
Depends on: 282173
Summary: Crash after reload with evil testcase, using animated gif, display: -moz-iniline-box, etc [@ nsIFrame::GetScreenRect] → Crash after reload with evil testcase, using animated gif, display: -moz-inline-box, etc [@ nsIFrame::GetScreenRect]
2006-04-08 mac trunk build: crashes
2006-04-10 mac trunk build: does not crash

-> FIXED by BuildFloatList removal.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified FIXED using https://bugzilla.mozilla.org/attachment.cgi?id=209835&action=view as the testcase with trunk SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060410 SeaMonkey/1.5a.

No crash.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsIFrame::GetScreenRect]
You need to log in before you can comment on or make changes to this bug.