430991 - Crash [@ nsBlockFrame::RenumberListsFor] with -moz-column, float

Status: RESOLVED WORKSFORME

(Core :: Layout, defect)

Description

[Jesse Ruderman]

Attachment: testcase (crashes Firefox when loaded)

Loading the testcase triggers:

###!!! ASSERTION: aFrame not the result of GetPrimaryFrameFor()?: 'aFrame == aFrame->GetFirstContinuation()', file /Users/jruderman/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11146

Crash in one of the following functions:
* [@ nsBlockFrame::RenumberListsFor] -- this one often appears exploitable
* [@ nsPlaceholderFrame::GetRealFrameFor]
* [@ nsLineBox::DeleteLineList]

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Testcase in comment #0 WFM on Mac trunk Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a2pre) Gecko/20080818150509 Minefield/3.1a2pre with mallocscribble.  No assertions / crashes at all.

Seems to leak a chunk of stuff though.

Comment 2

[Jesse Ruderman]

WFM with Firefox trunk on Tiger.

I'm not seeing any leaks using trace-refcnt (XPCOM_MEM_LEAK_LOG=2).  What are you seeing leak?

Comment 3

[Boris Zbarsky [:bzbarsky]]

Add a crashtest?

Comment 4

[Jesse Ruderman]

When it's time to unhide the bug, sure.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #2)
> WFM with Firefox trunk on Tiger.
> 
> I'm not seeing any leaks using trace-refcnt (XPCOM_MEM_LEAK_LOG=2).  What are
> you seeing leak?

Nope, couldn't get the leak to reproduce again. Not an issue I guess.

Comment 6

[Mats Palmgren (inactive)]

Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dde3056ad6d7

Comment 7

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/dde3056ad6d7