Crash [@ nsBlockFrame::CheckFloats] [@ nsFrameManager::CaptureFrameStateFor] with MathML, float

RESOLVED FIXED

Status

P3
critical
11 years ago
4 years ago

People

(Reporter: jruderman, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, crash, testcase})

Trunk
x86
Mac OS X
Bug Flags:
blocking1.9 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

11 years ago
Created attachment 298044 [details]
testcase (crashes Firefox when loaded)

Loading the testcase triggers:

###!!! ASSERTION: Float frame has wrong parent: 'floatFrame->GetParent() == mBlock', file /Users/jruderman/trunk/mozilla/layout/generic/nsBlockReflowState.cpp, line 748

###!!! ASSERTION: not in child list: 'found', file /Users/jruderman/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 1815

Crash at one of:
* nsBlockFrame::CheckFloats dereferencing 0xddddddfd
* nsFrameManager::CaptureFrameStateFor dereferencing 0x00000000.

Note that bug 399676 also has a testcase that triggers the first assertion.  Maybe it's related.
(Reporter)

Updated

11 years ago
Flags: blocking1.9?
Whiteboard: [sg:critical?]
No crash on branch.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2

Comment 2

11 years ago
For me, if the testcase is downloaded and opened locally, there is no crash (at least in those couple of test launches I did), but the one from bugzilla crashes reliably. body.onload timing?

Comment 3

11 years ago
Never mind, saved the file with ".xml" extension instead of ".xhtml".

Comment 4

11 years ago
This doesn't crash for me in a newly-updated trunk build. I bet it was fixed with bug 399676. 
Depends on: 399676
Yeah, I can see that patch fixing this, since now we have our frame tree all sane.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsBlockFrame::CheckFloats] [@ nsFrameManager::CaptureFrameStateFor]
Group: core-security