Closed Bug 413079 Opened 16 years ago Closed 16 years ago
Crash [@ ns
Block Frame::Do Remove Frame] with -moz-column, float
Loading the testcase makes Firefox crash [@ nsBlockFrame::DoRemoveFrame] dereferencing 0xdddddde5 (or sometimes another address). Before the crash, I see: ###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 470
Summary: Crash [@ nsBlockFrame::DoRemoveFrame] → Crash [@ nsBlockFrame::DoRemoveFrame] with -moz-column, float
No crash on branch.
16 years ago
Flags: blocking1.9? → blocking1.9+
Priority: P1 → P2
Robert: please find an owner for this security bug, thanks.
Assignee: nobody → roc
16 years ago
while I do see the assert with a current nightly I do not see the crash and the assert. I see however: "nsBlockFrame::CheckFloats: Explicit float list is out of sync with float cache" where the lines do not have a float while mFloats on the block shows one element.
s/while I do see the assert with a current nightly/ while I do see the crash with a current nightly/
it still triggers the warning: WARNING: nsBlockFrame::CheckFloats: Explicit float list is out of sync with float cache: file d:/moz_src/mozilla/layout/generic/nsBlockFrame.cpp, line 6700
WARNING: This situation currently leads to data not printing: '!NS_FRAME_IS_TRUNCATED(reflowStatus)', file d:/moz_src/mozilla/layout/generic/nsBlockReflowState.cpp, line 1084
This and the other -moz-column + float bugs are really getting in the way of my testing. They keep showing up with new assertions and new crash signatures :(
WFM, Mac trunk debug on Tiger.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
WFM on 18.104.22.168
Crash Signature: [@ nsBlockFrame::DoRemoveFrame]
You need to log in before you can comment on or make changes to this bug.