384477 - Crash [@ nsIFrame:GetParent] with wrapping, grid, float

Status: RESOLVED FIXED

(Core :: Web Painting, defect)

Description

[Paul Nickerson]

Attachment: testcase

I'm not sure whether or not this is a security-sensitive bug, but it was showing very inconsistent behavior on my machine so I marked it as such.

Here is the crash info for the reduced testcase:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1223681392 (LWP 5171)]
0x0838c59a in nsIFrame::GetParent (this=0x0)
    at ../../../dist/include/layout/nsIFrame.h:652
652       nsIFrame* GetParent() const { return mParent; }
(gdb) print mParent
Cannot access memory at address 0x0
(gdb) bt
#0  0x0838c59a in nsIFrame::GetParent (this=0x0)
    at ../../../dist/include/layout/nsIFrame.h:652
#1  0x0842c1d4 in nsCSSFrameConstructor::RecreateFramesForContent (
    this=0xb115b138, aContent=0xb116e0e0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:12087
#2  0x0842c753 in nsCSSFrameConstructor::RestyleElement (this=0xb115b138, 
    aContent=0xb116e0e0, aPrimaryFrame=0xb0bf5718, aMinHint=0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:10590
#3  0x0842c9d2 in nsCSSFrameConstructor::ProcessOneRestyle (this=0xb115b138, 
    aContent=0xb116e0e0, aRestyleHint=eReStyle_Self, aChangeHint=0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:14137
#4  0x0842cbde in nsCSSFrameConstructor::ProcessPendingRestyles (
    this=0xb115b138)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:14191
#5  0x0842cd1c in nsCSSFrameConstructor::RestyleEvent::HandleEvent (
    this=0xb0e2a5d0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:14255
#6  0x0842cd51 in HandleRestyleEvent (aEvent=0xb0e2a5d0)
    at /home/pvnick/Desktop/mozilla/layout/base/nsCSSFrameConstructor.cpp:14264
#7  0xb7e2672f in PL_HandleEvent (self=0xb0e2a5d0)
    at /home/pvnick/Desktop/mozilla/xpcom/threads/plevent.c:688
#8  0xb7e265d2 in PL_ProcessPendingEvents (self=0x921ac08)
    at /home/pvnick/Desktop/mozilla/xpcom/threads/plevent.c:623
#9  0xb7e29ed2 in nsEventQueueImpl::ProcessPendingEvents (this=0x91fe310)
    at /home/pvnick/Desktop/mozilla/xpcom/threads/nsEventQueue.cpp:417
#10 0x08403f58 in event_processor_callback (source=0x9723e28, 
    condition=G_IO_IN, data=0x91fe310)
    at /home/pvnick/Desktop/mozilla/widget/src/gtk2/nsAppShell.cpp:67
#11 0xb76c2c8d in g_io_channel_unix_get_fd () from /usr/lib/libglib-2.0.so.0
#12 0xb7699802 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#13 0xb769c7df in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#14 0xb769cb89 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#15 0xb7af9574 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x084045fe in nsAppShell::Run (this=0x92a0f60)
    at /home/pvnick/Desktop/mozilla/widget/src/gtk2/nsAppShell.cpp:139
#17 0x08b7602a in nsAppStartup::Run (this=0x92a0f18)
    at /home/pvnick/Desktop/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:151
#18 0x0807ea29 in XRE_main (argc=2, argv=0xbfdc5f04, aAppData=0x8e37ee0)
    at /home/pvnick/Desktop/mozilla/toolkit/xre/nsAppRunner.cpp:2642
#19 0x08077cfe in main (argc=Cannot access memory at address 0x0)
    at /home/pvnick/Desktop/mozilla/browser/app/nsBrowserApp.cpp:61

Comment 1

[Robert O'Callahan (:roc) (email my personal email if necessary)]

This is fixed on trunk, probably by yesterday's checkin for bug 366128.

Comment 2

[Samuel Sidler (old account; do not CC)]

This looks like it's fixed on branch too by the same checkin.

Paul, using the latest branch build, can you confirm that this no longer crashes?

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla1.8/

Comment 3

[Paul Nickerson]

Sorry I took so long - confirmed fixed