Closed Bug 413185 Opened 17 years ago Closed 17 years ago

Crash [@ nsBlockFrame::CheckFloats] [@ nsFrameManager::CaptureFrameStateFor] with MathML, float

Categories

(Core :: MathML, defect, P3)

Product:
Core
Component:
MathML
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded)
509 bytes, application/xhtml+xml
Details
Loading the testcase triggers: ###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file /Users/jruderman/trunk/mozilla/layout/generic/nsBlockReflowState.cpp, line 748 ###!!! ASSERTION: not in child list: 'found', file /Users/jruderman/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 1815 Crash at one of: * nsBlockFrame::CheckFloats dereferencing 0xddddddfd * nsFrameManager::CaptureFrameStateFor dereferencing 0x00000000. Note that bug 399676 also has a testcase that triggers the first assertion. Maybe it's related.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
No crash on branch.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
For me, if the testcase is downloaded and opened locally, there is no crash (at least in those couple of test launches I did), but the one from bugzilla crashes reliably. body.onload timing?
Nevermind, saved the file with ".xml" extension instead of ".xhtml".
This doesn't crash for me in a newly-updated trunk build. I bet it was fixed with bug 399676.
Depends on: 399676
Yeah, I can see that patch fixing this, since now we have our frame tree all sane.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsBlockFrame::CheckFloats] [@ nsFrameManager::CaptureFrameStateFor]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: