Crash [@ nsImageFrame::SourceRectToDest] on reload and removing table-caption styles

VERIFIED FIXED

Status

Core
Layout: Tables
--
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: mats)

Tracking

(4 keywords)

Trunk
crash, regression, testcase, verified1.8.1.8
Points:
---
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +
blocking1.8.0.next +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] regression from bug 309322, crash signature)

Attachments

(1 attachment, 3 obsolete attachments)

(Reporter)

Description

11 years ago
See upcoming testcase, which crashes on reload in current trunk build.
This regressed between 2005-12-03 and 2005-12-04, probably a regression from bug 309322.

I guess there is a security issue here.
(Reporter)

Comment 1

11 years ago
Created attachment 232985 [details]
testcase (crashes on reload)
(Reporter)

Comment 2

11 years ago
Created attachment 232986 [details]
animated gif

Argh! I forgot about the fish.
(Reporter)

Comment 3

11 years ago
Created attachment 232987 [details]
testcase (crashes on reload)
Attachment #232985 - Attachment is obsolete: true
(Reporter)

Comment 4

11 years ago
Created attachment 232988 [details]
Finally the good testcase (crashes on reload)
Attachment #232986 - Attachment is obsolete: true
Attachment #232987 - Attachment is obsolete: true

Comment 5

11 years ago
I can reproduce on Mac trunk (debug build).

On load:

###!!! ASSERTION: unexpected child list: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 243
###!!! ASSERTION: invalid previous frame: '!aPrevFrame', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 266
###!!! ASSERTION: unexpected child list: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 243
###!!! ASSERTION: illegal next frame in incremental reflow.: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 1393

On reload, with the patch for bug 334514:

###!!! ASSERTION: Some frame destructors were not called.: 'mFrameCount == 0', file /Users/admin/trunk/mozilla/layout/base/nsPresShell.cpp, line 629

(One nice thing about using the patch for bug 334514 is that you can reload and see whether the assertion fires, rather than reloading and seeing whether Firefox crashes, if you take out the animated GIFs.)

Crash trying to read memory at 0xdadadaf6.

Dup of bug 337476?
Blocks: 334514
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
(Reporter)

Comment 6

11 years ago
Yeah, could very well be the same bug.
Depends on: 337476

Comment 7

11 years ago
fixed by the checkin for bug 341858
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:critical] → [sg:critical] regression from bug 309322
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → mats.palmgren
Status: REOPENED → NEW
Status: NEW → RESOLVED
Last Resolved: 11 years ago → 10 years ago
Resolution: --- → FIXED
Moving to 1.8.1.5 following bug 309322
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Moving to 1.8.1.6 following bug 309322
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
fix checked into branch with bug 309322
Keywords: fixed1.8.1.8

Comment 11

10 years ago
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071004 Firefox/2.0.0.8: Firefox 2.0.0.8 ID:2007100415. Testcase doesn't crash on reload.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.8 → verified1.8.1.8
Group: security
Flags: in-testsuite?
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.0.15? → blocking1.8.0.15+

Comment 12

8 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/3d0c408c687c
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsImageFrame::SourceRectToDest]