Closed Bug 397844 Opened 18 years ago Closed 18 years ago

Assertions / crash [@ nsFrameList::InsertFrame] with rtl, :first-letter, wrapping, padding

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dholbert)

References

Details

(5 keywords, Whiteboard: [dbaron-1.9:Rs])

Crash Data

Attachments

(4 files, 1 obsolete file)

testcase 2
799 bytes, application/xhtml+xml
Details
reftest: testcase
238 bytes, application/xhtml+xml
Details
reftest: reference
192 bytes, application/xhtml+xml
Details
testcase 3 (crashes firefox when loaded)
862 bytes, application/xhtml+xml
Details
Loading testcase 1 triggers three assertions, and a crash. ###!!! ASSERTION: child list is not empty for initial reflow: 'mFrames.IsEmpty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 318 ###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 462 ###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file /Users/jruderman/trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 1026 The crash appears to be a null dereference [@ nsFrameList::InsertFrame]. This is similar to bug 389630, which is fixed. That bug had some of the same assertions, a somewhat similar stack trace for the crash, and a testcase using most of the same features. Filing as security-sensitive for reasons that I'll make clearer in a few minutes.
Flags: blocking1.9?
Attached file testcase 2
When this testcase is reloaded, it triggers: ###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673
Security-sensitive for general scariness (similar to a bug with an sg:critical crash, triggers the FrameArena assertion). I haven't seen any direct evidence that this bug can lead to scary crashes.
Blocks: framedest
Summary: Assertions / crash [@ nsFrameList::InsertFrame] → Assertions / crash [@ nsFrameList::InsertFrame] with rtl, :first-letter, wrapping, padding
Attached file reftest: testcase
The incorrect-layout issue is much easier to trigger than the assertions and crash.
Attached file reftest: reference
Keywords: mlk
Flags: blocking1.9? → blocking1.9+
Severity: normal → critical
Testcase #1 and #2 work fine for me under Linux w/ a current trunk build. (I don't get the crash / assertions mentioned in Comment 1 and Comment 2) However, the reftest still doesn't match -- "bc" is wrapped to its own line.
(In reply to comment #5) Despite working on Linux, testcase #1 and #2 are still broken on current Mac trunk builds. So, those testcases are Mac-specific. The posted reftest is broken on all platforms, though.
Depends on: 399384
Let's see if switching to a monospace font and |ch| units makes the testcase cross-platform. On Mac, this has the same effect as testcase 1.
Attachment #282632 - Attachment is obsolete: true
The (approved) patch posted for Bug 399384 fixes this bug. Just waiting for the tree to re-open....
Assignee: nobody → dholbert
OS: Mac OS X → All
Status: NEW → ASSIGNED
Fixed by checkin for bug 399384.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
These testcases don't seem to cause any real problems on the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-
I checked in "testcase 2" and "testcase 3" as crashtests. I also checked in the reftest.
Flags: in-testsuite? → in-testsuite+
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl
Crash Signature: [@ nsFrameList::InsertFrame]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: