Closed Bug 406485 Opened 16 years ago Closed 16 years ago

Crash [@ nsIFrame::GetNextSibling] with -moz-column, overflowing heights

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: fantasai.bugs)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(3 files)

testcase
435 bytes, text/html
Details
patch
1.29 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
reftest patch
2.52 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
Attached file testcase 
Loading the testcase crashes Firefox.  I think this is a regression from within the last few days.


Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xddddddfd

Thread 0 Crashed:
0   nsIFrame::GetNextSibling (nsIFrame.h:800)
1   nsOverflowContinuationTracker::StepForward (nsContainerFrame.cpp:1345)
2   nsOverflowContinuationTracker::Skip (nsContainerFrame.h:518)
3   nsBlockFrame::ReflowDirtyLines (nsBlockFrame.cpp:1943)
4   nsBlockFrame::Reflow (nsBlockFrame.cpp:942)
...
My MOZ_CO_DATE="Sat Dec 1 00:53:00 CST 2007" build (not clean, though) doesn't seem to crash...
I get the same crash loading mozilla/layout/reftests/pagination/dynamic-abspos-overflow-01-cols.xhtml.  I wonder why the Tinderboxen that run reftests aren't aflame.

Boris suspects this is a regression bug 404213, which fantasai fixed last night.
Blocks: 404213
Flags: blocking1.9?
Whiteboard: [sg:critical?]
(Boris's regression range is 2007-12-01-02 to 2007-12-02-02.)
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Assignee: nobody → fantasai.bugs
Attached patch patchSplinter Review 
That was dumb. Sorry about that. I'll attach a patch for the reftest; it was commented out.
Attachment #291244 - Flags: superreview?(roc)
Attachment #291244 - Flags: review?(roc)
Attached patch reftest patchSplinter Review 
Figured out why the reftest was failing before. This fixes and uncomments it.
Attachment #291245 - Flags: superreview?(roc)
Attachment #291245 - Flags: review?(roc)
Status: NEW → ASSIGNED
Attachment #291244 - Flags: superreview?(roc)
Attachment #291244 - Flags: superreview+
Attachment #291244 - Flags: review?(roc)
Attachment #291244 - Flags: review+
Attachment #291245 - Flags: superreview?(roc)
Attachment #291245 - Flags: superreview+
Attachment #291245 - Flags: review?(roc)
Attachment #291245 - Flags: review+
Checked in by bzbarsky, nsContainerFrame.cpp 1.296
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
verified fixed using : Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9b2pre) Gecko/2007120504 Minefield/3.0b2pre. I verified using Jesse's testcase, no crash.
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
No crash on branch.
Group: security
Flags: wanted1.8.1.x-
Crash Signature: [@ nsIFrame::GetNextSibling]
You need to log in before you can comment on or make changes to this bug.