
Status: VERIFIED FIXED
Product/Component: Core :: Layout
Severity: critical
Reported: 9 years ago; Modified: 9 years ago
Reporter: abillings; Assigned: roc
Keywords: crash, verified1.8.1.13
Version: 1.8 Branch; Platform: x86 Windows XP
Bug Flags: blocking1.8.1.13+, wanted1.8.1.x+, blocking1.8.0.next+, in-testsuite?
Firefox Tracking Flags: (Not tracked)
Whiteboard: [sg:critical?]
Attachments (1): 3.23 KB, patch; roc: review+; Christopher Aillon (sabbatical, not receiving bugmail): approval1.8.0.next+
Description (Reporter, 9 years ago)
This is derived from bug 346405. The test case at https://bugzilla.mozilla.org/attachment.cgi?id=265625 still crashes even though the core bug for 346405.

We'll need to fix this separately.

Steps to Reproduce:
1. Load https://bugzilla.mozilla.org/attachment.cgi?id=265625.
2. Zoom a couple of times with control++.

Result: Crash

Dan notes the following details for the crash:

"this" is a deleted object at:
        nsCachedStyleData::GetStyleData() Line 210      C++
        nsStyleContext::GetStyleData() Line 248 C++
        nsIFrame::GetStyleData() Line 612       C++
        nsIFrame::GetStyleTextReset() Line 88   C++
        nsLineLayout::VerticalAlignFrames() Line 2146   C++
        nsLineLayout::ReflowFrame() Line 1181   C++
        nsInlineFrame::ReflowInlineFrame() Line 761     C++
        nsInlineFrame::ReflowFrames() Line 596  C++
        nsInlineFrame::Reflow() Line 489        C++
        nsLineLayout::ReflowFrame() Line 995    C++
        nsInlineFrame::ReflowInlineFrame() Line 761     C++
        nsInlineFrame::ReflowFrames() Line 596  C++
        nsFirstLineFrame::Reflow() Line 1151    C++
        nsLineLayout::ReflowFrame() Line 995    C++
        nsBlockFrame::ReflowInlineFrame() Line 4060     C++
        nsBlockFrame::DoReflowInlineFrames() Line 3899  C++
        nsBlockFrame::ReflowInlineFrames() Line 3780    C++
        nsBlockFrame::ReflowLine() Line 2773    C++
        nsBlockFrame::ReflowDirtyLines() Line 2303      C++
        nsBlockFrame::Reflow() Line 904 C++
        nsContainerFrame::ReflowChild() Line 909        C++
        nsColumnSetFrame::ReflowChildren() Line 484     C++
        nsColumnSetFrame::Reflow() Line 744     C++
        nsBlockReflowContext::ReflowBlock() Line 605    C++
        nsBlockFrame::ReflowBlockFrame() Line 3494      C++
        nsBlockFrame::ReflowLine() Line 2653    C++
        nsBlockFrame::ReflowDirtyLines() Line 2303      C++
        nsBlockFrame::Reflow() Line 904 C++
        nsBlockReflowContext::ReflowBlock() Line 605    C++
        nsBlockFrame::ReflowBlockFrame() Line 3494      C++
        nsBlockFrame::ReflowLine() Line 2653    C++
        nsBlockFrame::ReflowDirtyLines() Line 2303      C++
        nsBlockFrame::Reflow() Line 904 C++
        nsContainerFrame::ReflowChild() Line 909        C++
        CanvasFrame::Reflow() Line 536  C++
        nsContainerFrame::ReflowChild() Line 909        C++
        nsHTMLScrollFrame::ReflowScrolledFrame() Line 515       C++
        nsHTMLScrollFrame::ReflowContents() Line 570    C++
        nsHTMLScrollFrame::Reflow() Line 768    C++
        nsContainerFrame::ReflowChild() Line 909        C++
        ViewportFrame::Reflow() Line 239        C++
        PresShell::StyleChangeReflow() Line 3549        C++
        nsPresContext::ClearStyleDataAndReflow() Line 625       C++
        nsPresContext::SetTextZoomInternal() Line 426   C++
        nsPresContext::SetTextZoom() Line 429   C++
        DocumentViewerImpl::SetTextZoom() Line 2728     C++
        XPTC_InvokeByIndex() Line 102   C++
        XPCWrappedNative::CallMethod() Line 2169        C++
        XPCWrappedNative::SetAttribute() Line 1968      C++
        XPC_WN_GetterSetter() Line 1479 C++
        js_Invoke() Line 1379   C
        js_InternalInvoke() Line 1473   C
        js_InternalGetOrSet() Line 1544 C
        js_NativeSet() Line 3521        C
        js_Interpret() Line 3709        C
        js_Invoke() Line 1398   C
        js_InternalInvoke() Line 1473   C
        js_InternalGetOrSet() Line 1544 C
        js_SetProperty() Line 3715      C
        js_Interpret() Line 3709        C
        js_Invoke() Line 1398   C
        js_InternalInvoke() Line 1473   C
        JS_CallFunctionValue() Line 4353        C
        nsJSContext::CallEventHandler() Line 1493       C++
        nsJSEventListener::HandleEvent() Line 186       C++
        nsEventListenerManager::HandleEventSubType() Line 1655  C++
        nsEventListenerManager::HandleEvent() Line 1762 C++
        nsXULElement::HandleDOMEvent() Line 2233        C++
        nsXULElement::HandleDOMEvent() Line 2038        C++
        nsXBLPrototypeHandler::ExecuteHandler() Line 397        C++
        nsXBLWindowHandler::WalkHandlersInternal() Line 347     C++
        nsXBLWindowKeyHandler::WalkHandlers() Line 199  C++
        nsXBLWindowKeyHandler::KeyPress() Line 254      C++
        DispatchToInterface() Line 144  C++
        nsEventListenerManager::HandleEvent() Line 1752 C++
        nsXULDocument::HandleDOMEvent() Line 1241       C++
        nsXULElement::HandleDOMEvent() Line 2261        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleDOMEvent() Line 2255        C++
        nsXULElement::HandleChromeEvent() Line 2899     C++
        nsGlobalWindow::HandleDOMEvent() Line 1757      C++
        nsDocument::HandleDOMEvent() Line 4146  C++
        nsGenericElement::HandleDOMEvent() Line 2269    C++
        PresShell::HandleEventInternal() Line 6574      C++
        PresShell::HandleEvent() Line 6356      C++
        nsViewManager::HandleEvent() Line 2519  C++
        nsViewManager::DispatchEvent() Line 2253        C++
        HandleEvent() Line 171  C++
        nsWindow::DispatchEvent() Line 1319     C++
        nsWindow::DispatchWindowEvent() Line 1339       C++
        nsWindow::DispatchKeyEvent() Line 3639  C++
        nsWindow::OnKeyDown() Line 3782 C++
        nsWindow::ProcessMessage() Line 4777    C++
        nsWindow::WindowProc() Line 1507        C++

Reproduced in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.12) Gecko/2008020121 Firefox/2.0.0.12.

Someone should give this a fancy title.
Created attachment 301690: fix?

This fixes it for me.  It's the first patch from bug 346405, which fixes
the null-ptr crash but leaves a lot of:
###!!! ASSERTION: Float frame has wrong parent
which is bug 306534, which is the second part of the patch.
Attachment #301690 - Flags: superreview+
Attachment #301690 - Flags: review+

Updated

9 years ago
Attachment #301690 - Flags: approval1.8.1.13?
Whiteboard: [sg:critical?
Group: security
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?
Whiteboard: [sg:critical? → [sg:critical?]
Severity: normal → critical
Keywords: crash
Depends on: 306534
Depends on: 346405
Comment on attachment 301690 (fix?)

approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #301690 - Flags: approval1.8.1.13? → approval1.8.1.13+
Checked in on MOZILLA_1_8_BRANCH:
mozilla/layout/generic/nsInlineFrame.cpp 3.241.4.6
mozilla/layout/base/nsCSSFrameConstructor.cpp 1.1110.6.94

-> FIXED
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: blocking1.8.1.13?
Keywords: fixed1.8.1.13
Resolution: --- → FIXED
Flags: blocking1.8.1.13+
Verified fixed using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13pre) Gecko/20080311 BonEcho/2.0.0.13pre
whereas I did crash using a 2008-02-02 branch build.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.13 → verified1.8.1.13

Updated

9 years ago
Flags: blocking1.8.0.15+

Comment 5

9 years ago
Comment on attachment 301690 (fix?)

applies cleanly to 1.8.0
Attachment #301690 - Flags: approval1.8.0.15?
Group: security
Flags: in-testsuite?
Comment on attachment 301690 (fix?)

a=caillon for 1.8.0.15
Attachment #301690 - Flags: approval1.8.0.15? → approval1.8.0.15+