Closed Bug 364427 Opened 18 years ago Closed 18 years ago

Crash [@ nsCachedStyleData::GetStyleDisplay] [@ nsFrameManager::RemoveFrame] with float, -moz-groupbox, abs pos

Categories

(Core :: Layout, defect)

PowerPC
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED

People

(Reporter: jruderman, Assigned: bernd_mozilla)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical] post 1.8-branch)

Crash Data

Attachments

(1 file)

Steps to reproduce:
1. Load the testcase.

Result:
* Debug: crash [@ nsCachedStyleData::GetStyleDisplay] accessing 0xddddddfd.
* Opt: crash [@ nsFrameManager::RemoveFrame] with a random address on top.

Partial debug stack:

EXC_BAD_ACCESS (0x0001)
KERN_INVALID_ADDRESS (0x0001) at 0xddddddfd

Thread 0 Crashed:
0    nsCachedStyleData::GetStyleDisplay() + 20 (nsStyleStructList.h:95)
1    nsStyleContext::GetStyleDisplay() + 40 (nsStyleStructList.h:95)
2    nsIFrame::GetStyleDisplay() const + 100 (nsStyleStructList.h:95)
3    GetChildListNameFor(nsIFrame*) + 68 (nsCSSFrameConstructor.cpp:1803)
4    DeletingFrameSubtree(nsFrameManager*, nsIFrame*) + 376 (nsCSSFrameConstructor.cpp:9667)
5    nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) + 1140 (nsCSSFrameConstructor.cpp:9817)
6    PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int) + 356 (nsPresShell.cpp:4981)
Flags: blocking1.9?
Whiteboard: [sg:critical]
Before the crash, I see:

###!!! ASSERTION: out-of-flow is already in the destroy queue: 'aDestroyQueue.IndexOf(outOfFlowFrame) == kNotFound', file /Users/admin/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9597
This regressed between 2006-12-07 and 2006-12-08, so likely to be a regression from the reflow branch landing.
Keywords: regression
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: nobody → roc
->dbaron based on comment 3
Assignee: roc → dbaron
This is worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070123 Minefield/3.0a2pre
Fixed between Linux nightlies 2007-01-02-04-trunk and 2007-01-03-04-trunk.
Also fixed in 2006-12-28-04-trunk which confirms my suspicion that it was fixed by bug 243159.
Depends on: 243159
Assignee: dbaron → bernd_mozilla
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking1.9?
Similar assertion and stack in bug 372237, which still occurs on trunk.
I don't see this problem on the branch (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4pre) Gecko/20070322 BonEcho/2.0.0.4pre).  Looks like it's trunk-only.
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Group: security
Flags: wanted1.8.1.x-
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsCachedStyleData::GetStyleDisplay] [@ nsFrameManager::RemoveFrame]