Closed
Bug 400069
Opened 17 years ago
Closed 17 years ago
Crash [@ nsFrameList::DestroyFrame][@ nsTextFrame::ClearTextRun()] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter
Categories: Core :: Layout: Text and Fonts, defect
Status: VERIFIED FIXED
People: Reporter: martijn.martijn, Assigned: smontagu
Details: Keywords: crash, regression, testcase, Whiteboard: [sg:critical][dbaron-1.9:RsCt]
Attachments: 2 files
See testcase, which crashes current trunk build directly, or after a reload.
This seems to have regressed between 2007-09-05 and 2007-09-06:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-09-05+04&maxdate=2007-09-06+09&cvsroot=%2Fcvsroot
Regression from bug 392435 or bug 393923? I guess bug 393923 is more likely.
http://crash-stats.mozilla.com/report/index/a573bf4a-7c2d-11dc-ae43-001a4bd43e5c
0 @0x26f3198
1 nsFrameList::DestroyFrame(nsIFrame*) mozilla/layout/generic/nsFrameList.cpp:162
2 nsContainerFrame::RemoveFrame(nsIAtom*, nsIFrame*) mozilla/layout/generic/nsContainerFrame.cpp:228
3 nsFrameManager::RemoveFrame(nsIFrame*, nsIAtom*, nsIFrame*) mozilla/layout/base/nsFrameManager.cpp:690
4 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) mozilla/layout/base/nsCSSFrameConstructor.cpp:9669
5 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) mozilla/layout/base/nsCSSFrameConstructor.cpp:11259
6 nsCSSFrameConstructor::RestyleElement(nsIContent*, nsIFrame*, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:10094
7 nsCSSFrameConstructor::ProcessOneRestyle(nsIContent*, nsReStyleHint, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:13135
8 nsCSSFrameConstructor::ProcessPendingRestyles() mozilla/layout/base/nsCSSFrameConstructor.cpp:13188
9 PresShell::DoFlushPendingNotifications(mozFlushType, int) mozilla/layout/base/nsPresShell.cpp:4443
10 PresShell::WillPaint()
etc..
Flags: blocking1.9?
Comment 1•17 years ago
Is the long string of 'm's necessary? If so, is it necessary due to wrapping, and did you try forcing wrapping in a different way (e.g. "font-family: monospace; width: 1ch")?
Whiteboard: [sg:critical]
Assignee: nobody → roc
Reporter
Comment 2•17 years ago
This testcase might be a bit simpler to look at. It has the same regression range, so I presume it suffers from the same issue. This crashes directly on first load/shift->reload.
http://crash-stats.mozilla.com/report/index/a5de2c70-7cd7-11dc-a252-001a4bd43e5c
0 nsTextFrame::ClearTextRun() mozilla/layout/generic/nsTextFrameThebes.cpp:3297
1 BuildTextRunsScanner::AssignTextRun(gfxTextRun*) mozilla/layout/generic/nsTextFrameThebes.cpp:1699
2 BuildTextRunsScanner::BuildTextRunForFrames(void*) mozilla/layout/generic/nsTextFrameThebes.cpp:1573
3 BuildTextRunsScanner::FlushFrames(int) mozilla/layout/generic/nsTextFrameThebes.cpp:1008
4 BuildTextRunsScanner::ScanFrame(nsIFrame*) mozilla/layout/generic/nsTextFrameThebes.cpp:1123
5 BuildTextRunsScanner::ScanFrame(nsIFrame*) mozilla/layout/generic/nsTextFrameThebes.cpp:1164
6 BuildTextRuns mozilla/layout/generic/nsTextFrameThebes.cpp:942
7 nsTextFrame::EnsureTextRun(gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) mozilla/layout/generic/nsTextFrameThebes.cpp:1723
8 nsTextFrame::AddInlineMinWidthForFlow(nsIRenderingContext*, nsIFrame::InlineMinWidthData*) mozilla/layout/generic/nsTextFrameThebes.cpp:4769
9 nsTextFrame::AddInlineMinWidth(nsIRenderingContext*, nsIFrame::InlineMinWidthData*) mozilla/layout/generic/nsTextFrameThebes.cpp:4855
10 nsContainerFrame::DoInlineIntrinsicWidth(nsIRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) mozilla/layout/generic/nsContainerFrame.cpp:650
etc...
Reporter
Updated•17 years ago
Summary: Crash [@ nsFrameList::DestroyFrame] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter → Crash [@ nsFrameList::DestroyFrame][@ nsTextFrame::ClearTextRun()] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter
Flags: blocking1.9? → blocking1.9+
Assignee
Updated•17 years ago
Assignee: roc → smontagu
Updated•17 years ago
Group: security
Whiteboard: [sg:critical] → [sg:critical][dbaron-1.9:RsCt]
Assignee
Comment 3•17 years ago
I can reproduce this with a 2007-10-18 build but not a 2007-10-19 one. Fixed by bug 393758?
Assignee
Comment 4•17 years ago
Yup, the crash is fixed, but there still seems to be a bug with the rendering of testcase2
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You mean content duplication? Perhaps you could file a new bug about that and take it? :-)
Assignee
Comment 6•17 years ago
Filed bug 401621
Comment 7•17 years ago
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010221 Minefield/3.0b3pre - no crash on testcase
Status: RESOLVED → VERIFIED
Updated•13 years ago
Crash Signature: [@ nsFrameList::DestroyFrame]
[@ nsTextFrame::ClearTextRun()]
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release