413079 - Crash [@ nsBlockFrame::DoRemoveFrame] with -moz-column, float

Status: RESOLVED WORKSFORME

(Core :: Layout, defect, P2)

Description

[Jesse Ruderman]

Attachment: testcase (crashes Firefox when loaded)

Loading the testcase makes Firefox crash [@ nsBlockFrame::DoRemoveFrame] dereferencing 0xdddddde5 (or sometimes another address).

Before the crash, I see:

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 470

Comment 1

[Martijn Wargers (dead)]

No crash on branch.

Comment 2

[Daniel Veditz [:dveditz]]

Robert: please find an owner for this security bug, thanks.

Comment 3

[Bernd]

while I do see the assert with a current nightly I do not see the crash and the assert. I see however: "nsBlockFrame::CheckFloats: Explicit float list is out of sync with float cache" where the lines do not have a float while mFloats on the block shows one element.

Comment 4

[Bernd]

s/while I do see the assert with a current nightly/
  while I do see the crash with a current nightly/

Comment 5

[Bernd]

Attachment: reduced testcase

it still triggers the warning:

WARNING: nsBlockFrame::CheckFloats: Explicit float list is out of sync with float cache: file d:/moz_src/mozilla/layout/generic/nsBlockFrame.cpp, line 6700

Comment 6

[Bernd]

Attachment: less columns another warning

WARNING: This situation currently leads to data not printing: '!NS_FRAME_IS_TRUNCATED(reflowStatus)', file d:/moz_src/mozilla/layout/generic/nsBlockReflowState.cpp, line 1084

Comment 7

[Jesse Ruderman]

This and the other -moz-column + float bugs are really getting in the way of my testing.  They keep showing up with new assertions and new crash signatures :(

Comment 8

[Jesse Ruderman]

WFM, Mac trunk debug on Tiger.

Comment 9

[Daniel Veditz [:dveditz]]

WFM on 1.9.0.5