Closed Bug 394237 Opened 17 years ago Closed 17 years ago

"ASSERTION: Creating a circular frame list" with -moz-column and height

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: fantasai.bugs)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Attachments

(1 file)

testcase
585 bytes, text/html
Details 
###!!! ASSERTION: overflow containers out of order or bad parent: '!(aOverflowCont->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER)', file /Users/jruderman/trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 1331

###!!! ASSERTION: Creating a circular frame list, this is very bad.: 'this != aNextSibling', file /Users/jruderman/trunk/mozilla/layout/base/../generic/nsIFrame.h, line 800

Might be related to bug 393956.  Both testcases involve -moz-column and height, and both are derived from bug 379349 reftest files.

Filing as security-sensitive because before I reduced the testcase, I was getting crashes [@ nsIFrame::GetNextSibling] dereferencing 0x80f00023.
Whiteboard: [sg:critical?]
Jesse, did you forget to attach the testcase here?
Attached file testcase 

    
    

    
  
This is really bad.
Assignee: nobody → roc
Flags: blocking1.9?

    
    

    
  
I have a fix for this in my tree. It'll be submitted as part of 154892, since the dynamic reftest I wrote for it crashes without this fix.
Assignee: roc → fantasai.bugs

    
    

    
  
Yay!  Does your patch happen to fix other -moz-column memory safety bugs as well?  (e.g. bug 393956, bug 395316, bug 397007)

    
    

    
  
Don't know. I'll check once I get my reftest to not crash. :P

    
    

    
  
Fantasai's patch in bug 154892 comment 212 fixes this bug for me.  It doesn't fix the other bugs I mentioned in comment 5, though.
Depends on: 154892

    
  
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: blocking1.9? → blocking1.9+

    
  
Flags: in-testsuite?

    
    

    
  
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2008011009 Firefox/3.0b3pre ID:2008011009
Status: RESOLVED → VERIFIED

    
    

    
  
This bug does not seem to affect branch.
Group: security
Flags: wanted1.8.1.x-

    
    

    
  
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+

    
  
Flags: wanted1.8.1.x-
Flags: in-testsuite+
Flags: blocking1.9+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: