Crash [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended] with <xul:popupgroup>, display:table, position:absolute

RESOLVED FIXED

Status

defect
P3
critical
RESOLVED FIXED
12 years ago
5 years ago

People

(Reporter: jruderman, Assigned: enndeakin)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
x86
macOS
Points:
---
Bug Flags:
blocking1.9 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical], crash signature)

Attachments

(2 attachments)

Loading the testcase crashes Firefox.  It either crashes [@ nsCSSFrameConstructor::ContentAppended] calling a random address, or [@ nsIFrame::HasView] dereferencing 0xddddde01.

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xddddde01

Thread 0 Crashed:
0   libgklayout.dylib        	0x185465e9 nsIFrame::HasView() const + 9 (nsIFrame.h:1472)
1   libgklayout.dylib        	0x17ed10c1 nsIFrame::GetOffsetTo(nsIFrame const*) const + 167 (nsFrame.cpp:3399)
2   libgklayout.dylib        	0x17ef9c10 nsHTMLReflowState::CalculateHypotheticalBox(nsPresContext*, nsIFrame*, nsIFrame*, int, int, nsHTMLReflowState const*, nsHypotheticalBox&) + 1314 (nsHTMLReflowState.cpp:1055)
...
Flags: blocking1.9?
Whiteboard: [sg:critical]
Severity: normal → critical
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Assignee: nobody → enndeakin
Status: NEW → ASSIGNED
Attachment #303352 - Flags: superreview?(bzbarsky)
Attachment #303352 - Flags: review?(bzbarsky)
Comment on attachment 303352
followup fix for bug 400185

Doh!  Good catch!
Attachment #303352 - Flags: superreview?(bzbarsky)
Attachment #303352 - Flags: superreview+
Attachment #303352 - Flags: review?(bzbarsky)
Attachment #303352 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended]
Landed the crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/df421341a894
Group: core-security
Crash Signature: [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended] → [@ nsIFrame::HasView] [@ nsCSSFrameConstructor::ContentAppended]
Flags: in-testsuite? → in-testsuite+