Closed Bug 394237 Opened 17 years ago Closed 17 years ago

"ASSERTION: Creating a circular frame list" with -moz-column and height

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: fantasai.bugs)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Attachments

(1 file)

testcase
585 bytes, text/html
Details
###!!! ASSERTION: overflow containers out of order or bad parent: '!(aOverflowCont->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER)', file /Users/jruderman/trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 1331 ###!!! ASSERTION: Creating a circular frame list, this is very bad.: 'this != aNextSibling', file /Users/jruderman/trunk/mozilla/layout/base/../generic/nsIFrame.h, line 800 Might be related to bug 393956. Both testcases involve -moz-column and height, and both are derived from bug 379349 reftest files. Filing as security-sensitive because before I reduced the testcase, I was getting crashes [@ nsIFrame::GetNextSibling] dereferencing 0x80f00023.
Whiteboard: [sg:critical?]
Jesse, did you forget to attach the testcase here?
Attached file testcase
This is really bad.
Assignee: nobody → roc
Flags: blocking1.9?
I have a fix for this in my tree. It'll be submitted as part of 154892, since the dynamic reftest I wrote for it crashes without this fix.
Assignee: roc → fantasai.bugs
Yay! Does your patch happen to fix other -moz-column memory safety bugs as well? (e.g. bug 393956, bug 395316, bug 397007)
Don't know. I'll check once I get my reftest to not crash. :P
Fantasai's patch in bug 154892 comment 212 fixes this bug for me. It doesn't fix the other bugs I mentioned in comment 5, though.
Depends on: 154892
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: blocking1.9? → blocking1.9+
Flags: in-testsuite?
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2008011009 Firefox/3.0b3pre ID:2008011009
Status: RESOLVED → VERIFIED
This bug does not seem to affect branch.
Group: security
Flags: wanted1.8.1.x-
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Flags: wanted1.8.1.x-
Flags: in-testsuite+
Flags: blocking1.9+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: