Closed Bug 348126 Opened 16 years ago Closed 15 years ago

Crash [@ nsImageFrame::SourceRectToDest] on reload and removing table-caption styles

Categories

(Core :: Layout: Tables, defect)

defect
Not set
critical

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)

Details

(4 keywords, Whiteboard: [sg:critical] regression from bug 309322)

Attachments

(1 file, 3 obsolete files)

See upcoming testcase, which crashes on reload in current trunk build.
This regressed between 2005-12-03 and 2005-12-04, probably a regression from bug 309322.

I guess there is a security issue here.
Attached file testcase (crashes on reload) (obsolete)
Attached file animated gif (obsolete)
Argh! I forgot about the fish.
Attached file testcase (crashes on reload) (obsolete)
Attachment #232985 - Attachment is obsolete: true
Attachment #232986 - Attachment is obsolete: true
Attachment #232987 - Attachment is obsolete: true
I can reproduce on Mac trunk (debug build).

On load:

###!!! ASSERTION: unexpected child list: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 243
###!!! ASSERTION: invalid previous frame: '!aPrevFrame', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 266
###!!! ASSERTION: unexpected child list: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 243
###!!! ASSERTION: illegal next frame in incremental reflow.: 'PR_FALSE', file /Users/admin/trunk/mozilla/layout/tables/nsTableOuterFrame.cpp, line 1393

On reload, with the patch for bug 334514:

###!!! ASSERTION: Some frame destructors were not called.: 'mFrameCount == 0', file /Users/admin/trunk/mozilla/layout/base/nsPresShell.cpp, line 629

(One nice thing about using the patch for bug 334514 is that you can reload and see whether the assertion fires, rather than reloading and seeing whether Firefox crashes, if you take out the animated GIFs.)

Crash trying to read memory at 0xdadadaf6.

Dup of bug 337476?
Blocks: framedest
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
Yeah, could very well be the same bug.
Depends on: 337476
fixed by the checkin for bug 341858
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:critical] → [sg:critical] regression from bug 309322
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee: nobody → mats.palmgren
Status: REOPENED → NEW
Status: NEW → RESOLVED
Closed: 16 years ago → 15 years ago
Resolution: --- → FIXED
Moving to 1.8.1.5 following bug 309322
Flags: blocking1.8.1.5+
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13+
Flags: blocking1.8.0.12+
Moving to 1.8.1.6 following bug 309322
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
fix checked into branch with bug 309322
Keywords: fixed1.8.1.8
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/20071004 Firefox/2.0.0.8: Firefox 2.0.0.8 ID:2007100415. Testcase doesn't crash on reload.
Status: RESOLVED → VERIFIED
Group: security
Flags: in-testsuite?
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.0.15? → blocking1.8.0.15+
crash test landed
http://hg.mozilla.org/mozilla-central/rev/3d0c408c687c
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsImageFrame::SourceRectToDest]