Closed Bug 430991 Opened 12 years ago Closed 11 years ago

Crash [@ nsBlockFrame::RenumberListsFor] with -moz-column, float

Categories

(Core :: Layout, defect, critical)

x86
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: jruderman)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical])

Attachments

(1 file)

Loading the testcase triggers:

###!!! ASSERTION: aFrame not the result of GetPrimaryFrameFor()?: 'aFrame == aFrame->GetFirstContinuation()', file /Users/jruderman/trunk/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 11146

Crash in one of the following functions:
* [@ nsBlockFrame::RenumberListsFor] -- this one often appears exploitable
* [@ nsPlaceholderFrame::GetRealFrameFor]
* [@ nsLineBox::DeleteLineList]
Whiteboard: [sg:critical]
Testcase in comment #0 WFM on Mac trunk Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a2pre) Gecko/20080818150509 Minefield/3.1a2pre with mallocscribble.  No assertions / crashes at all.

Seems to leak a chunk of stuff though.
WFM with Firefox trunk on Tiger.

I'm not seeing any leaks using trace-refcnt (XPCOM_MEM_LEAK_LOG=2).  What are you seeing leak?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Add a crashtest?
Flags: in-testsuite?
When it's time to unhide the bug, sure.
(In reply to comment #2)
> WFM with Firefox trunk on Tiger.
> 
> I'm not seeing any leaks using trace-refcnt (XPCOM_MEM_LEAK_LOG=2).  What are
> you seeing leak?

Nope, couldn't get the leak to reproduce again. Not an issue I guess.
Crash Signature: [@ nsBlockFrame::RenumberListsFor]
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dde3056ad6d7
Group: core-security
Flags: in-testsuite? → in-testsuite+