Closed
Bug 415503
Opened 16 years ago
Closed 16 years ago
Crash [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended] with <xul:popupgroup>, display:table, position:absolute
Categories
(Core :: XUL, defect, P3)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: enndeakin)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical])
Crash Data
Attachments
(2 files)
455 bytes,
application/xhtml+xml
|
Details | |
1.13 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
Loading the testcase crashes Firefox. It either crashes [@ nsCSSFrameConstructor::ContentAppended] calling a random address, or [@ nsIFrame::HasView] dereferencing 0xddddde01. Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_INVALID_ADDRESS (0x0001) at 0xddddde01 Thread 0 Crashed: 0 libgklayout.dylib 0x185465e9 nsIFrame::HasView() const + 9 (nsIFrame.h:1472) 1 libgklayout.dylib 0x17ed10c1 nsIFrame::GetOffsetTo(nsIFrame const*) const + 167 (nsFrame.cpp:3399) 2 libgklayout.dylib 0x17ef9c10 nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext*, nsIFrame*, nsIFrame*, int, int, nsHTMLReflowState const*, nsHypotheticalBox&) + 1314 (nsHTMLReflowState.cpp:1055) ...
Reporter | ||
Updated•16 years ago
|
Flags: blocking1.9?
Whiteboard: [sg:critical]
Reporter | ||
Updated•16 years ago
|
Severity: normal → critical
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Assignee | ||
Comment 1•16 years ago
|
||
Assignee: nobody → enndeakin
Status: NEW → ASSIGNED
Attachment #303352 -
Flags: superreview?(bzbarsky)
Attachment #303352 -
Flags: review?(bzbarsky)
Comment 2•16 years ago
|
||
Comment on attachment 303352 [details] [diff] [review] followup fix for bug 400185 Doh! Good catch!
Attachment #303352 -
Flags: superreview?(bzbarsky)
Attachment #303352 -
Flags: superreview+
Attachment #303352 -
Flags: review?(bzbarsky)
Attachment #303352 -
Flags: review+
Assignee | ||
Updated•16 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•16 years ago
|
Flags: in-testsuite?
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Updated•13 years ago
|
Crash Signature: [@ nsIFrame::HasView]
[@ nsCSSFrameConstructor::ContentAppended]
Comment 3•10 years ago
|
||
Landed the crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/df421341a894
Group: core-security
Crash Signature: [@ nsIFrame::HasView]
[@ nsCSSFrameConstructor::ContentAppended] → [@ nsIFrame::HasView]
[@ nsCSSFrameConstructor::ContentAppended]
Flags: in-testsuite? → in-testsuite+
Comment 4•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/df421341a894
You need to log in
before you can comment on or make changes to this bug.
Description
•