Closed
Bug 345139
Opened 18 years ago
Closed 18 years ago
Crash [@ nsHTMLReflowState::InitAbsoluteConstraints] [@ nsLineLayout::ReflowFrame] [@ nsInlineFrame::ReflowInlineFrame]
Categories
(Core :: Layout, defect)
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: crash, Whiteboard: [sg:critical])
Crash Data
Attachments
(2 files)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060718 Minefield/3.0a1

This testcase makes Firefox crash, with a random address on top, and one of the following just below:

* nsHTMLReflowState::InitAbsoluteConstraints
* nsLineLayout::ReflowFrame
* nsInlineFrame::ReflowInlineFrame

Since there are random addresses on top, this is [sg:critical].

I wish I could make the testcase smaller :/
Reporter
Comment 1•18 years ago
Reporter
Comment 2•18 years ago
Reporter
Updated•18 years ago
Flags: blocking1.9a1?
Whiteboard: [sg:critical]
I'm crashing here:

#5 <signal handler called>
#6 0x03dfab3c in nsContainerFrame::DeleteNextInFlowChild (this=0x9ecb6e4, aPresContext=0xa032488, aNextInFlow=0x9ecb6ac) at /builds/trunk/mozilla/layout/generic/nsContainerFrame.cpp:885
#7 0x03e435d6 in nsLineLayout::ReflowFrame (this=0xbfd4e700, aFrame=0xa2519dc, aReflowStatus=@0xbfd4e604, aMetrics=0x0, aPushedFrame=@0xbfd4e2f8) at /builds/trunk/mozilla/layout/generic/nsLineLayout.cpp:1166

where delFrame is an ok-looking nsInlineFrame but its parent frame pointer is a pointer to memory that's not a frame (i.e., probably deleted already).

(gdb) p aNextInFlow
$7 = (class nsIFrame *) 0x9ecb6ac
(gdb) p aNextInFlow->mParent
$8 = (nsIFrame *) 0x9ecb6e4
(gdb) x/wa aNextInFlow
0x9ecb6ac: 0x4495fc8 <_ZTV13nsInlineFrame+8>
(gdb) p *(nsInlineFrame*)$7
$9 = {<nsHTMLContainerFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = { _vptr.nsISupports = 0x4495fc8}, mRect = {x = 0, y = 0, width = 0, height = 0}, mContent = 0xa2acea8, mStyleContext = 0x9ecb4bc, mParent = 0x9ecb6e4, mNextSibling = 0x0, mState = 1030}, static gGotTheme = 1, static gTheme = 0x9a4ec40}, <nsIFrameDebug> = {<nsISupports> = { _vptr.nsISupports = 0x4496218}, <No data fields>}, <No data fields>}, mPrevContinuation = 0xa2519dc, mNextContinuation = 0xa24dffc}, mFrames = { mFirstChild = 0x0}}, <No data fields>}, <No data fields>}
(gdb) p $9->mNextInFlow
There is no member or method named mNextInFlow.
(gdb) p $9->mNextContinuation
$10 = (class nsIFrame *) 0xa24dffc
(gdb) x/wa $10
0xa24dffc: 0x4495fc8 <_ZTV13nsInlineFrame+8>
(gdb) p *(nsInlineFrame*)$
$11 = {<nsHTMLContainerFrame> = {<nsContainerFrame> = {<nsSplittableFrame> = {<nsFrame> = {<nsBox> = {<nsIFrame> = {<nsISupports> = { _vptr.nsISupports = 0x4495fc8}, mRect = {x = 0, y = 0, width = 0, height = 0}, mContent = 0xa2acea8, mStyleContext = 0xa250dd0, mParent = 0xa24e7e4, mNextSibling = 0xa24dac8, mState = 1030}, static gGotTheme = 1, static gTheme = 0x9a4ec40}, <nsIFrameDebug> = {<nsISupports> = { _vptr.nsISupports = 0x4496218}, <No data fields>}, <No data fields>}, mPrevContinuation = 0x9ecb6ac, mNextContinuation = 0x0}, mFrames = { mFirstChild = 0x0}}, <No data fields>}, <No data fields>}
(gdb) x/wa $9.mParent
0x9ecb6e4: 0x4495fc8 <_ZTV13nsInlineFrame+8>
(gdb) x/wa $11.mParent
0xa24e7e4: 0x0
(gdb) p frames.mImpl.mArray[0]
$12 = (void *) 0xa24dffc

Judging by $10 and the contents of the frames array ($12), delFrame is $11.
Comment 4•18 years ago
Iirc, I had cases which crashed with nsHTMLReflowState::InitAbsoluteConstraints stack, but when I tried to minimise further, I got a different stack. I think that was bug 330981 (that was in the time I didn't add the unminimised testcase to the bug). I still had a testcase with a nsHTMLReflowState::InitAbsoluteConstraints stack in 'stock', I filed bug 345199 for it. Maybe this bug depends on a fix for bug 330909?
Reporter
Comment 5•18 years ago
WFM with a Mac nightly. Still crashes in a Mac debug build.
Reporter
Comment 6•18 years ago
WFM on Mac trunk (opt and debug).
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Updated•16 years ago
Group: core-security
Flags: wanted1.8.1.x-
Reporter
Updated•16 years ago
Flags: in-testsuite+
Assignee
Updated•13 years ago
Crash Signature: [@ nsHTMLReflowState::InitAbsoluteConstraints]
[@ nsLineLayout::ReflowFrame]
[@ nsInlineFrame::ReflowInlineFrame]