Closed
Bug 339651
Opened 19 years ago
Closed 19 years ago
Crash [@ nsBlockFrame::DoRemoveFrame] [@ nsLineBox::RemovePlaceholderDescendantsOf] involving floats, block+inline
Categories
(Core :: Layout: Floats, defect)
Core
Layout: Floats
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
Details
(4 keywords, Whiteboard: [sg:critical] fixed by 348688)
Crash Data
Attachments
(4 files)
To reproduce:
1. Load the testcase in a ***debug*** build. (I first saw the crash in a nightly, but the reduced testcase only crashes debug builds reliably.)
Result: Crash with nsBlockFrame::DoRemoveFrame second from the top. The top is frequently nsLineBox::RemovePlaceholderDescendantsOf, something near 0, or something near 0xDDDDDDDD, but I think it can be anything.
|
Reporter | |
Updated•19 years ago
|
Whiteboard: [sg:critical]
|
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
|
|
Reporter | |
Comment 3•19 years ago
|
||
Can't reproduce on Windows (debug).
|
|
Reporter | |
Comment 4•19 years ago
|
||
The first bit of the valgrind output makes it look like placeholder frame lifetime issues.
|
|
Reporter | |
Comment 6•19 years ago
|
||
Still crashes an hours-old Mac trunk debug build.
It scares me that Gecko crashes with such a simple float testcase. (Simple in that it only involves floats and no other special layout things, at least.)
|
||
Comment 7•19 years ago
|
||
Does it crash in a branch build, btw?
|
|
Reporter | |
Comment 8•19 years ago
|
||
No crash with my 1.8.0.x branch debug build.
|
|
Reporter | |
Updated•19 years ago
|
Flags: blocking1.9a1?
|
Assignee | |
Comment 9•19 years ago
|
||
This bug has the same underlying cause as bug 348688 and is fixed by
the patch in that bug.
|
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → mats.palmgren
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
|
|
Assignee | |
Comment 10•19 years ago
|
||
Fixed by bug 348688
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: blocking1.9a1?
Resolution: --- → FIXED
|
||
Updated•19 years ago
|
Whiteboard: [sg:critical] → [sg:critical dupe 348688]
|
|
||
Updated•18 years ago
|
Keywords: fixed1.8.0.7,
fixed1.8.1
|
|
||
Updated•18 years ago
|
Whiteboard: [sg:critical dupe 348688] → [sg:critical] fixed by 348688
|
|
||
Updated•18 years ago
|
Group: security
Flags: in-testsuite?
|
||
Updated•14 years ago
|
Crash Signature: [@ nsBlockFrame::DoRemoveFrame]
[@ nsLineBox::RemovePlaceholderDescendantsOf]
You need to log in
before you can comment on or make changes to this bug.
Description
•