Closed
Bug 397844
Opened 17 years ago
Closed 17 years ago
Assertions / crash [@ nsFrameList::InsertFrame] with rtl, :first-letter, wrapping, padding
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: dholbert)
References
Details
(5 keywords, Whiteboard: [dbaron-1.9:Rs])
Crash Data
Attachments
(4 files, 1 obsolete file)
Loading testcase 1 triggers three assertions, and a crash. ###!!! ASSERTION: child list is not empty for initial reflow: 'mFrames.IsEmpty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 318 ###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 462 ###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file /Users/jruderman/trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 1026 The crash appears to be a null dereference [@ nsFrameList::InsertFrame]. This is similar to bug 389630, which is fixed. That bug had some of the same assertions, a somewhat similar stack trace for the crash, and a testcase using most of the same features. Filing as security-sensitive for reasons that I'll make clearer in a few minutes.
Flags: blocking1.9?
Reporter | ||
Comment 1•17 years ago
|
||
When this testcase is reloaded, it triggers: ###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673
Reporter | ||
Comment 2•17 years ago
|
||
Security-sensitive for general scariness (similar to a bug with an sg:critical crash, triggers the FrameArena assertion). I haven't seen any direct evidence that this bug can lead to scary crashes.
Blocks: framedest
Summary: Assertions / crash [@ nsFrameList::InsertFrame] → Assertions / crash [@ nsFrameList::InsertFrame] with rtl, :first-letter, wrapping, padding
Reporter | ||
Comment 3•17 years ago
|
||
The incorrect-layout issue is much easier to trigger than the assertions and crash.
Reporter | ||
Comment 4•17 years ago
|
||
Flags: blocking1.9? → blocking1.9+
Reporter | ||
Updated•17 years ago
|
Severity: normal → critical
Assignee | ||
Comment 5•17 years ago
|
||
Testcase #1 and #2 work fine for me under Linux w/ a current trunk build. (I don't get the crash / assertions mentioned in Comment 1 and Comment 2) However, the reftest still doesn't match -- "bc" is wrapped to its own line.
Assignee | ||
Comment 6•17 years ago
|
||
(In reply to comment #5) Despite working on Linux, testcase #1 and #2 are still broken on current Mac trunk builds. So, those testcases are Mac-specific. The posted reftest is broken on all platforms, though.
Reporter | ||
Comment 7•17 years ago
|
||
Let's see if switching to a monospace font and |ch| units makes the testcase cross-platform. On Mac, this has the same effect as testcase 1.
Attachment #282632 -
Attachment is obsolete: true
Assignee | ||
Comment 8•17 years ago
|
||
The (approved) patch posted for Bug 399384 fixes this bug. Just waiting for the tree to re-open....
Assignee: nobody → dholbert
OS: Mac OS X → All
Assignee | ||
Updated•17 years ago
|
Status: NEW → ASSIGNED
Whiteboard: [dbaron-1.9:Rs]
Assignee | ||
Comment 9•17 years ago
|
||
Fixed by checkin for bug 399384.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: in-testsuite?
Reporter | ||
Comment 10•16 years ago
|
||
These testcases don't seem to cause any real problems on the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-
Reporter | ||
Comment 11•16 years ago
|
||
I checked in "testcase 2" and "testcase 3" as crashtests. I also checked in the reftest.
Flags: in-testsuite? → in-testsuite+
Comment 12•16 years ago
|
||
Mass-assigning the new rtl keyword to RTL-related (see bug 349193).
Keywords: rtl
Updated•13 years ago
|
Crash Signature: [@ nsFrameList::InsertFrame]
You need to log in
before you can comment on or make changes to this bug.
Description
•