Closed Bug 344058 Opened 19 years ago Closed 16 years ago

Crash [@ nsHTMLFramesetFrame::Reflow] with 1.8.0.5RC3 and 1.8.1 build

Categories

(Core :: Layout, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:nse null-deref])

Crash Data

Attachments

(2 files)

See upcoming testcase, it crashes on load. I can reduce the testcase, if asked. It doesn't crash current trunk builds, it crashes 1.8.1 builds and 1.8.0.5RC3.

Talkback ID: TB20765380Z
nsHTMLFramesetFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameSetFrame.cpp, line 1132]
nsFrame::BoxReflow [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 5429]
nsFrame::RefreshSizeCache [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 4933]
nsFrame::GetPrefSize [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/generic/nsFrame.cpp, line 5027]
nsSprocketLayout::PopulateBoxSizes [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 822]
nsSprocketLayout::Layout [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsSprocketLayout.cpp, line 265]
nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1106]
nsBoxFrame::DoLayout [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1106]
nsRootBoxFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 227]
nsContainerFrame::ReflowChild [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 905]
ViewportFrame::Reflow [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/generic/nsViewportFrame.cpp, line 240]
PresShell::InitialReflow [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 2871]
nsContentSink::StartLayout [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/base/src/nsContentSink.cpp, line 924]
nsXMLContentSink::StartLayout [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 815]
nsXMLContentSink::DidBuildModel [c:/builds/tinderbox/Fx-Mozilla1.8.0-Release/WINNT_5.2_Depend/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 283]
Attached file testcase
Severity: normal → critical
Version: Trunk → 1.8 Branch
Looks like a null-dereference, but if it's been fixed on the trunk then it's probably part of the cleanup of exploitable crashes Bernd has been doing.
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Whiteboard: [sg:nse null-deref]
There is bug 324318 on trunk happening, which has the same stack.
Not a 1.8.1 blocker, but we'd take a patch.
Flags: blocking1.8.1? → blocking1.8.1-
Flags: blocking1.8.0.6? → blocking1.8.0.6-
Marking resolved worksforme, as this is only a problem in the 1.8 branch and not in later builds and the 1.8 branch is not maintained anymore by Mozilla.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsHTMLFramesetFrame::Reflow]
Group: core-security → core-security-release
Group: core-security-release