424629 - "ASSERTION: child list is not empty for initial reflow" with RLO, wrapping

Status: RESOLVED FIXED

(Core :: Layout: Text and Fonts, defect)

Description

[Jesse Ruderman]

Attachment: testcase for the assertions

Loading the testcase triggers:

###!!! ASSERTION: child list is not empty for initial reflow: 'mFrames.IsEmpty()', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 326

Closing (e.g. reloading) the testcase triggers:

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673

This bug appears to be exploitable.

Comment 1

[Jesse Ruderman]

I filed bug 424631 on an inconsistent-rendering issue that I noticed while making the testcase for this bug.  Is it related to the reason the testcase in this bug triggers assertion failures?

Comment 2

[Brandon Sterne (:bsterne)]

sg:critical bugs _should_ block the 1.9 release, although some have been moved to 1.9.0.x.

Comment 3

[Mike Schroepfer]

Moving to tracking - we'll take a fix as soon as we have one...

Comment 4

[Jesse Ruderman]

The testcase no longer triggers assertions now that bug 424631 is fixed.  Uri, does it make sense that the fix for bug 424631 could have fixed the memory-safety bug (as opposed to just making it go away for this testcase)?

Comment 5

[Uri Bernstein]

Yes, I think it makes sense. That bug was about inconsistent inline continuation chains, which might very well have led to problems when freeing them.

Comment 6

[Mats Palmgren (inactive)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/4cee281ad011

Comment 7

[Gregory Szorc [:gps]]

https://hg.mozilla.org/mozilla-central/rev/4cee281ad011