Closed Bug 400069 Opened 18 years ago Closed 18 years ago

Crash [@ nsFrameList::DestroyFrame][@ nsTextFrame::ClearTextRun()] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter

Categories

(Core :: Layout: Text and Fonts, defect)

x86
Windows XP
defect
Not set
critical


VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smontagu)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical][dbaron-1.9:RsCt])

Crash Data

Attachments

(2 files)

Attached file testcase
See testcase, which crashes current trunk build directly, or after a reload. This seems to have regressed between 2007-09-05 and 2007-09-06: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-09-05+04&maxdate=2007-09-06+09&cvsroot=%2Fcvsroot
Regression from bug 392435 or bug 393923? I guess bug 393923 is more likely.
http://crash-stats.mozilla.com/report/index/a573bf4a-7c2d-11dc-ae43-001a4bd43e5c
0 @0x26f3198
1 nsFrameList::DestroyFrame(nsIFrame*) mozilla/layout/generic/nsFrameList.cpp:162
2 nsContainerFrame::RemoveFrame(nsIAtom*, nsIFrame*) mozilla/layout/generic/nsContainerFrame.cpp:228
3 nsFrameManager::RemoveFrame(nsIFrame*, nsIAtom*, nsIFrame*) mozilla/layout/base/nsFrameManager.cpp:690
4 nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, int) mozilla/layout/base/nsCSSFrameConstructor.cpp:9669
5 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) mozilla/layout/base/nsCSSFrameConstructor.cpp:11259
6 nsCSSFrameConstructor::RestyleElement(nsIContent*, nsIFrame*, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:10094
7 nsCSSFrameConstructor::ProcessOneRestyle(nsIContent*, nsReStyleHint, nsChangeHint) mozilla/layout/base/nsCSSFrameConstructor.cpp:13135
8 nsCSSFrameConstructor::ProcessPendingRestyles() mozilla/layout/base/nsCSSFrameConstructor.cpp:13188
9 PresShell::DoFlushPendingNotifications(mozFlushType, int) mozilla/layout/base/nsPresShell.cpp:4443
10 PresShell::WillPaint()
etc..
Flags: blocking1.9?
Is the long string of 'm's necessary? If so, is it necessary due to wrapping, and did you try forcing wrapping in a different way (e.g. "font-family: monospace; width: 1ch")?
Whiteboard: [sg:critical]
Attached file testcase2
This testcase might be a bit simpler to look at. It has the same regression range, so I presume it suffers from the same issue. This crashes directly on first load/shift->reload.
http://crash-stats.mozilla.com/report/index/a5de2c70-7cd7-11dc-a252-001a4bd43e5c
0 nsTextFrame::ClearTextRun() mozilla/layout/generic/nsTextFrameThebes.cpp:3297
1 BuildTextRunsScanner::AssignTextRun(gfxTextRun*) mozilla/layout/generic/nsTextFrameThebes.cpp:1699
2 BuildTextRunsScanner::BuildTextRunForFrames(void*) mozilla/layout/generic/nsTextFrameThebes.cpp:1573
3 BuildTextRunsScanner::FlushFrames(int) mozilla/layout/generic/nsTextFrameThebes.cpp:1008
4 BuildTextRunsScanner::ScanFrame(nsIFrame*) mozilla/layout/generic/nsTextFrameThebes.cpp:1123
5 BuildTextRunsScanner::ScanFrame(nsIFrame*) mozilla/layout/generic/nsTextFrameThebes.cpp:1164
6 BuildTextRuns mozilla/layout/generic/nsTextFrameThebes.cpp:942
7 nsTextFrame::EnsureTextRun(gfxContext*, nsIFrame*, nsLineList_iterator const*, unsigned int*) mozilla/layout/generic/nsTextFrameThebes.cpp:1723
8 nsTextFrame::AddInlineMinWidthForFlow(nsIRenderingContext*, nsIFrame::InlineMinWidthData*) mozilla/layout/generic/nsTextFrameThebes.cpp:4769
9 nsTextFrame::AddInlineMinWidth(nsIRenderingContext*, nsIFrame::InlineMinWidthData*) mozilla/layout/generic/nsTextFrameThebes.cpp:4855
10 nsContainerFrame::DoInlineIntrinsicWidth(nsIRenderingContext*, nsIFrame::InlineIntrinsicWidthData*, nsLayoutUtils::IntrinsicWidthType) mozilla/layout/generic/nsContainerFrame.cpp:650
etc...
Summary: Crash [@ nsFrameList::DestroyFrame] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter → Crash [@ nsFrameList::DestroyFrame][@ nsTextFrame::ClearTextRun()] with position: absolute; unicode-bidi: bidi-override; ime-mode: active; and ::first-letter
Flags: blocking1.9? → blocking1.9+
Assignee: roc → smontagu
Group: security
Whiteboard: [sg:critical] → [sg:critical][dbaron-1.9:RsCt]
I can reproduce this with a 2007-10-18 build but not a 2007-10-19 one. Fixed by bug 393758?
Yup, the crash is fixed, but there still seems to be a bug with the rendering of testcase2
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You mean content duplication? Perhaps you could file a new bug about that and take it? :-)
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008010221 Minefield/3.0b3pre - no crash on testcase
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsFrameList::DestroyFrame] [@ nsTextFrame::ClearTextRun()]
Group: core-security → core-security-release
Group: core-security-release