Crash [@ nsImageFrame::SourceRectToDest] on reload and removing table-caption styles

VERIFIED FIXED

Status

()

defect
--
critical
VERIFIED FIXED
13 years ago
8 years ago

People

(Reporter: martijn.martijn, Assigned: mats)

Tracking

(4 keywords)

Trunk
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +
blocking1.8.0.next +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] regression from bug 309322, crash signature)

Attachments

(1 attachment, 3 obsolete attachments)

(Reporter)

Description

13 years ago
See upcoming testcase, which crashes on reload in current trunk build.
This regressed between 2005-12-03 and 2005-12-04, probably a regression from bug 309322.

I guess there is a security issue here.
(Reporter)

Comment 1

13 years ago
Posted file testcase (crashes on reload) (obsolete) —
(Reporter)

Comment 2

13 years ago
Posted file animated gif (obsolete) —
Argh! I forgot about the fish.
(Reporter)

Comment 3

13 years ago
Posted file testcase (crashes on reload) (obsolete) —
Attachment #232985 - Attachment is obsolete: true
(Reporter)

Comment 4

13 years ago
Attachment #232986 - Attachment is obsolete: true
Attachment #232987 - Attachment is obsolete: true

Comment 5

13 years ago
I can reproduce on Mac trunk (debug build).

On load:

###!!! ASSERTION: unexpected child list: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 243
###!!! ASSERTION: invalid previous frame: '!aPrevFrame', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 266
###!!! ASSERTION: unexpected child list: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 243
###!!! ASSERTION: illegal next frame in incremental reflow.: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 1393

On reload, with the patch for bug 334514:

###!!! ASSERTION: Some frame destructors were not called.: 'mFrameCount == 0', file /Users/admin/trunk/mozilla/layout/base/nsPresShell.cpp, line 629

(One nice thing about using the patch for bug 334514 is that you can reload and see whether the assertion fires, rather than reloading an seeing whether Firefox crashes, if you take out the animated GIFs.)

Crash trying to read memory at 0xdadadaf6.

Dup of bug 337476?
Blocks: framedest
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
(Reporter)

Comment 6

13 years ago
Yeah, could very well be the same bug.
Depends on: 337476

Comment 7

13 years ago
fixed by the checkin for bug bug 341858 
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:critical] → [sg:critical] regression from bug 309322
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → mats.palmgren
Status: REOPENED → NEW
Status: NEW → RESOLVED
Last Resolved: 13 years ago12 years ago
Resolution: --- → FIXED
Moving to 1.8.1.5 following bug 309322
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Moving to 1.8.1.6 following bug 309322
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
fix checked into branch with bug 309322
Keywords: fixed1.8.1.8
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071004 Firefox/2.0.0.8: Firefox 2.0.0.8 ID:2007100415.   Testcase doesnt crash on reload. 
Status: RESOLVED → VERIFIED
Group: security

Updated

12 years ago
Flags: in-testsuite?
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.0.15? → blocking1.8.0.15+

Comment 12

10 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/3d0c408c687c
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsImageFrame::SourceRectToDest]
You need to log in before you can comment on or make changes to this bug.