367360 - Crash [@ nsHTMLButtonControlFrame::GetContentInsertionFrame] with -moz-column-count and display: list-item

Status: RESOLVED WORKSFORME

(Core :: Layout, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which crashes in current Mozilla trunk build on load.
Talkback ID: TB28472686W
nsHTMLButtonControlFrame::GetContentInsertionFrame  [mozilla\layout\forms\nshtmlbuttoncontrolframe.h, line 131]
nsBlockFrame::RenumberListsInBlock  [mozilla\layout\generic\nsblockframe.cpp, line 6095]
nsBlockFrame::RenumberLists  [mozilla\layout\generic\nsblockframe.cpp, line 6073]
nsBlockFrame::Reflow  [mozilla\layout\generic\nsblockframe.cpp, line 872]

It doesn't crash a 2006-12-07 build, but it does crash a 2006-12-08 build, so I guess this is a regression somehow from the reflow branch landing.

Comment 1

[David Baron :dbaron: (⌚️UTC-5, no longer working on Mozilla)]

I'm seeing the crash in nsColumnSetFrame::GetContentInsertionFrame (but stack below that matching).

Comment 2

[David Baron :dbaron: (⌚️UTC-5, no longer working on Mozilla)]

So are column set frames allowed to not have a child?  If so, GetContentInsertionFrame probably needs some work (not sure how, exactly).  But the crash I'm seeing here is a null dereference in GetContentInsertionFrame for the outer span in the testcase.  (That seems rather odd to me.)

Comment 3

[Robert O'Callahan (:roc) (email my personal email if necessary)]

It's always supposed to have a child.

Comment 4

[Jesse Ruderman]

WFM (Mac trunk nightly).

Comment 5

[Martijn Wargers (dead)]

Testcase also wfm, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070423 Minefield/3.0a4pre

Comment 6

[Mats Palmgren (inactive)]

Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b83cbc51f7f3

Comment 7

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/b83cbc51f7f3