Closed Bug 415503 Opened 13 years ago Closed 13 years ago

Crash [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended] with <xul:popupgroup>, display:table, position:absolute

Categories

(Core :: XUL, defect, P3)

x86
macOS

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: enndeakin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Attachments

(2 files)

Loading the testcase crashes Firefox.  It either crashes [@ nsCSSFrameConstructor::ContentAppended] calling a random address, or [@ nsIFrame::HasView] dereferencing 0xddddde01.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xddddde01

Thread 0 Crashed:
0   libgklayout.dylib        	0x185465e9 nsIFrame::HasView() const + 9 (nsIFrame.h:1472)
1   libgklayout.dylib        	0x17ed10c1 nsIFrame::GetOffsetTo(nsIFrame const*) const + 167 (nsFrame.cpp:3399)
2   libgklayout.dylib        	0x17ef9c10 nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext*, nsIFrame*, nsIFrame*, int, int, nsHTMLReflowState const*, nsHypotheticalBox&) + 1314 (nsHTMLReflowState.cpp:1055)
...
Flags: blocking1.9?
Whiteboard: [sg:critical]
Severity: normal → critical
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Assignee: nobody → enndeakin
Status: NEW → ASSIGNED
Attachment #303352 - Flags: superreview?(bzbarsky)
Attachment #303352 - Flags: review?(bzbarsky)
Comment on attachment 303352 [details] [diff] [review]
followup fix for bug 400185

Doh!  Good catch!
Attachment #303352 - Flags: superreview?(bzbarsky)
Attachment #303352 - Flags: superreview+
Attachment #303352 - Flags: review?(bzbarsky)
Attachment #303352 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended]
Landed the crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/df421341a894
Group: core-security
Crash Signature: [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended] → [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended]
Flags: in-testsuite? → in-testsuite+