Closed Bug 336450 Opened 20 years ago Closed 19 years ago

Crash with some weird html, using display: -moz-grid-group;

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [reflow-refactor])

Attachments

(2 files)

testcase (crashes on load)
152 bytes, text/html
Details
Backtrace
12.61 KB, text/plain
Details
See upcoming testcase, which crashes in current trunk builds. This seems to have regressed between 2006-01-12 and 2006-01-13: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-01-12+07&maxdate=2006-01-13+18&cvsroot=%2Fcvsroot Not really sure which one could be the cause of this crash. The testcase consists of this: <select style="display: -moz-grid-group; position: absolute;"> <meta> <option style="position: absolute;"> <html style="display: -moz-grid-group;">
Attached file Backtrace
Backtrace from a debug build: Prior to the crash I get an assertion: ###!!! ASSERTION: index out of range: '0 <= aIndex && aIndex < Count()', file .. /../dist/include/xpcom/nsVoidArray.h, line 372 The actual crash is in here: Program received signal SIGSEGV, Segmentation fault. 0x053dcb01 in nsComboboxControlFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics &, nsHTMLReflowState const&, unsigned&) (this=0x1041b1a0, aPresContext=0x10405b08, aDesiredSize=@0x22e8a8, aReflowState=@0x22e7c8, aStatus=@0x22ea20) at c:/mozilla/mozilla/layout/forms/nsComboboxControlFrame.cpp:1166 1166 if (*iter == mDropdownFrame) { Current language: auto; currently c++
Confirmed using testcase with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060503 Minefield/3.0a1
>Not really sure.... bug 51767 for instance ...
(In reply to comment #4) > >Not really sure.... > bug 51767 for instance ... Ah! Now I see, the <select> uses a button for the drop down arrow.
All this code is gone on the reflow branch; if this is trunk-only then I think we should just wait for that to land.
Blocks: 51767
Flags: blocking1.9a2?
Whiteboard: [reflow-refactor]
Flags: blocking1.9a2? → blocking1.9+
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20061208 Minefield/3.0a1 ID:2006120812 [cairo] confirmed fixed after reflow branch landing
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
If you resolve bugs as fixed by reflow branch, please mark them dependent on the reflow branch bug...
Depends on: reflow-refactor
Adding in-testsuite? nomination per bz's request in m.d.t.l. Sorry for the bugspam.
Flags: in-testsuite?
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9b3pre) Gecko/2008010104 Minefield/3.0b3pre ID:2008010104 and the testcase. No Crash on testcase - changing bug to verified
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: