Closed Bug 361389 Opened 18 years ago Closed 18 years ago

Crash [@ nsCachedStyleData::GetStyleData] with xul testcase that uses display: -moz-popup

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: roc)

Details

(Keywords: arch, crash, Whiteboard: [sg:critical] deleted frame. post 1.8 branch)

Attachments

(2 files)

1.76 KB, application/vnd.mozilla.xul+xml
55.88 KB, application/vnd.mozilla.xul+xml
This crashes with current trunk build, talkback ID: TB26304361M

nsCachedStyleData::GetStyleData [mozilla\layout\style\nsrulenode.h, line 222]
nsIFrame::BuildDisplayListForChild [mozilla\layout\generic\nsframe.cpp, line 1338]
nsSprocketLayout::Layout [mozilla\layout\xul\base\src\nssprocketlayout.cpp, line 221]
nsBoxFrame::BuildDisplayList [mozilla\layout\xul\base\src\nsboxframe.cpp, line 1439]
BuildDisplayListWithOverflowClip [mozilla\layout\generic\nsframe.cpp, line 1155]
nsIFrame::BuildDisplayListForChild [mozilla\layout\generic\nsframe.cpp, line 1422]

I haven't tested with branch, but it probably crashes there as well. It isn't a minimised testcase; if desired, I can minimise it further. I sort of hope/expect this will be fixed when bug 324721 gets fixed.
Attached file testcase
Attached file Original testcase
This crashes in different code, talkback ID: TB26298806W

kCSSOMFactoryCID
nsHTMLReflowState::InitAbsoluteConstraints [mozilla\layout\generic\nshtmlreflowstate.cpp, line 1059]
nsHTMLReflowState::InitConstraints [mozilla\layout\generic\nshtmlreflowstate.cpp, line 1965]
nsHTMLReflowState::Init [mozilla\layout\generic\nshtmlreflowstate.cpp, line 344]
nsHTMLReflowState::nsHTMLReflowState [mozilla\layout\generic\nshtmlreflowstate.cpp, line 318]
nsAbsoluteContainingBlock::ReflowAbsoluteFrame [mozilla\layout\generic\nsabsolutecontainingblock.cpp, line 514]

While trying to minimise, I got all kinds of different backtraces.
References deleted memory. FF1.5.0.10pre and FF2.0.0.2pre are not affected.
Whiteboard: [sg:critical] deleted frame. Not 1.8 branch
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: nobody → roc
Is this still a problem on the trunk? Would narrowing the regression window down help any? What are the next steps to figure out bug 324721 (Make popups more sane)? It looks like progress is slowed there on what to do.
Keywords: arch
The simple testcase is still crashing trunk. I don't know whether finding a regression window would help. I could look for that, if wanted.
My fix for bug 356325 fixes the crashes here. The original testcase asserts like *crazy*, apparently in an infinite loop, but doesn't crash and still responds to events.
No longer blocks: 324721
Depends on: 356325
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:critical] deleted frame. Not 1.8 branch → [sg:critical] deleted frame. post 1.8 branch
Flags: blocking1.9+
Blocks: 377938
Fixed by the patch in bug 356325. I was able to reproduce this crash before updating (using the testcase in comment 1), and now I can't.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
No longer blocks: 377938
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070607 Minefield/3.0a6pre
Status: RESOLVED → VERIFIED
Group: security
Flags: in-testsuite?
Crash Signature: [@ nsCachedStyleData::GetStyleData]