Closed Bug 396750 Opened 17 years ago Closed 17 years ago

Crash [@ nsFloatCacheList::Tail] on trunk with unminimized testcase from bug 346405

Categories

(Core :: Layout, defect, P4)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Assigned: roc)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [cannot reproduce][dbaron-1.9:Rs])

Crash Data

Attachments

(4 files)

unminimised testcase2
7.86 KB, text/html
Details
unminimized testcase3
4.23 KB, text/html
Details
unminimized testcase4
2.57 KB, text/html
Details
other testcase
387 bytes, text/html
Details
Trunk is still crashing with an unminimized testcase from bug 346405. Roc advised to file a new bug for this. It's very likely also crashing branch, so marking security sensitive for now. I haven't really bothered making a minimized testcase yet, I can do that if wanted. http://crash-stats.mozilla.com/report/index/8b35811c-6699-11dc-a846-001a4bd43e5c 0 nsFloatCacheList::Tail() mozilla/layout/generic/nsLineBox.cpp:849 1 nsFloatCacheFreeList::Append(nsFloatCacheList&) mozilla/layout/generic/nsLineBox.cpp:936 2 nsLineBox::FreeFloats(nsFloatCacheFreeList&) mozilla/layout/generic/nsLineBox.cpp:481 3 nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, int*, LineReflowStatus*, int) mozilla/layout/generic/nsBlockFrame.cpp:3271 4 nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, int*) mozilla/layout/generic/nsBlockFrame.cpp:3188 5 nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, int*) etc..
Assignee: nobody → roc
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+
I'd love a minimized testcase here. But based on past experience with bug 346405, your minimal testcase may not reproduce for me. Worth a try though if you've got the time.
Attached file unminimised testcase2
I'll add intermediate unminimized testcase, while minimizing. You should give a beep then when those don't crash anymore.
Attached file unminimized testcase3
This is crashing directly for me and with a different stack: http://crash-stats.mozilla.com/report/index/bbac2c9e-7394-11dc-990d-001a4bd43e5c 0 nsTableOuterFrame::GetContentInsertionFrame() mozilla/layout/tables/nsTableOuterFrame.h:128 1 nsBlockFrame::RenumberListsFor(nsPresContext*, nsIFrame*, int*, int) mozilla/layout/generic/nsBlockFrame.cpp:6430 2 nsBlockFrame::RenumberListsInBlock(nsPresContext*, nsBlockFrame*, int*, int) mozilla/layout/generic/nsBlockFrame.cpp:6396 3 nsBlockFrame::RenumberLists(nsPresContext*) mozilla/layout/generic/nsBlockFrame.cpp:6376 etc...
Attached file unminimized testcase4
This is only crashing when zooming in or out.
testcase3 does not crash for me. Nor does testcase4. testcase2 does.
Attached file other testcase
This was based on a testcase that used to crash with the stacktrace in comment 0, but this resulting (reasonable) minimized testcase is crashing here: http://crash-stats.mozilla.com/report/index/244a4bc5-745c-11dc-a7e5-001a4bd43ef6 0 nsBlockFrame::DrainOverflowLines(nsBlockReflowState&) mozilla/layout/generic/nsBlockFrame.cpp:4316 1 nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) mozilla/layout/generic/nsBlockFrame.cpp:911 2 nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) mozilla/layout/generic/nsContainerFrame.cpp:722 3 nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, int, nsCollapsingMargin*) mozilla/layout/generic/nsColumnSetFrame.cpp:520 4 nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) mozilla/layout/generic/nsColumnSetFrame.cpp:749 5 nsBlockReflowContext::ReflowBlock(nsRect const&, int, nsCollapsingMargin&, int, int, nsMargin&, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) mozilla/layout/generic/nsBlockReflowContext.cpp:339 6 nsBlockFrame::ReflowFloat(nsBlockReflowState&, nsPlaceholderFrame*, nsMargin&, unsigned int&) mozilla/layout/generic/nsBlockFrame.cpp:5609 etc.. It should crash at once or after a few reloads.
Yeah, that one crashes on load...
Well, it did. Now it doesn't, probably because of bug 397007.
testcase2 no longer crashes for me. Neither does the original testcase in the URL field.
Yes, in current trunk build, unminimised testcase2 doesn't seem to crash anymore. The original url doesn't seem to crash also (although it seems to hang the browser for a long time). unminimized testcase3 is still crashing for me: http://crash-stats.mozilla.com/report/index/b6d3fe2e-75b3-11dc-87df-001a4bd43ef6 0 nsTableOuterFrame::GetContentInsertionFrame() mozilla/layout/generic/nsColumnSetFrame.cpp:76 1 nsBlockFrame::RenumberListsFor(nsPresContext*, nsIFrame*, int*, int) etc.. unminimized testcase4 doesn't crash anymore for me, but it doesn't show a vertical scrollbar, which it should. other testcase also doesn't crash anymore.
testcase 3 and testcase 4 both work fine for me.
Whiteboard: [cannot reproduce]
Whiteboard: [cannot reproduce] → [cannot reproduce][dbaron-1.9:Rs]
Martijn, any update on the testcases here?
Priority: -- → P4
None of the testcases seem to crash anymore in current trunk build. Marking worksforme.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Crash Signature: [@ nsFloatCacheList::Tail]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: