Closed Bug 339651 Opened 18 years ago Closed 18 years ago

Crash [@ nsBlockFrame::DoRemoveFrame] [@ nsLineBox::RemovePlaceholderDescendantsOf] involving floats, block+inline

Categories

(Core :: Layout: Floats, defect)

defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

Details

(4 keywords, Whiteboard: [sg:critical] fixed by 348688)

Attachments

(4 files)

To reproduce:
1. Load the testcase in a ***debug*** build.  (I first saw the crash in a nightly, but the reduced testcase only crashes debug builds reliably.)

Result: Crash with nsBlockFrame::DoRemoveFrame second from the top.  The top is frequently nsLineBox::RemovePlaceholderDescendantsOf, something near 0, or something near 0xDDDDDDDD, but I think it can be anything.
Whiteboard: [sg:critical]
Attached file testcase
Can't reproduce on Windows (debug).
Attached file Valgrind log
The first bit of the valgrind output makes it look like placeholder frame lifetime issues.
Still crashes an hours-old Mac trunk debug build.

It scares me that Gecko crashes with such a simple float testcase.  (Simple in that it only involves floats and no other special layout things, at least.)
Does it crash in a branch build, btw?
No crash with my 1.8.0.x branch debug build.
Flags: blocking1.9a1?
Attached file Frame dump
This bug has the same underlying cause as bug 348688 and is fixed by
the patch in that bug.
Depends on: 348688
Assignee: nobody → mats.palmgren
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Fixed by bug 348688
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.9a1?
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical dupe 348688]
Whiteboard: [sg:critical dupe 348688] → [sg:critical] fixed by 348688
Group: security
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsBlockFrame::DoRemoveFrame] [@ nsLineBox::RemovePlaceholderDescendantsOf]