Closed
Bug 443528
Opened 16 years ago
Closed 16 years ago
"ASSERTION: running past end" with -moz-column, pre-wrap, inline-block
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b2
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: assertion, testcase, verified1.9.0.4, Whiteboard: [sg:critical?])
Attachments
(3 files)
|
485 bytes,
text/html
|
Details | |
|
3.79 KB,
patch
|
roc
:
review+
roc
:
superreview+
dveditz
:
approval1.9.0.4+
|
Details | Diff | Splinter Review |
|
1.08 KB,
patch
|
Details | Diff | Splinter Review |
Loading the testcase triggers: ###!!! ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED.: 'aReflowState.availableHeight != NS_UNCONSTRAINEDSIZE', file mozilla/layout/generic/nsBlockFrame.cpp, line 1411 ###!!! ASSERTION: running past end: 'mCurrent != mListLink', file mozilla/layout/base/../generic/nsLineBox.h, line 611 The second assertion is usually followed by heap corruption, so I'm filing this bug as security sensitive. I have it set to abort locally.
|
Reporter | |
Updated•16 years ago
|
Whiteboard: [sg:critical?]
|
|
Reporter | |
Updated•16 years ago
|
Flags: blocking1.9.1?
Flags: blocking1.9.1? → wanted1.9.1+
|
Assignee | |
Comment 1•16 years ago
|
||
The line that we pass to MarkLineDirty() is an overflow line so the test "mLines.front()" before using "aLine.prev()" is testing the wrong line list. That is the cause of the crash. I also think the frame could be different from 'this' so we should use GetContainer(), (or should we just assert GetContainer()==this ?).
Assignee: nobody → mats.palmgren
Attachment #342011 -
Flags: superreview?(roc)
Attachment #342011 -
Flags: review?(roc)
|
|
Assignee | |
Updated•16 years ago
|
OS: Mac OS X → All
Hardware: PC → All
Attachment #342011 -
Flags: superreview?(roc)
Attachment #342011 -
Flags: superreview+
Attachment #342011 -
Flags: review?(roc)
Attachment #342011 -
Flags: review+
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x+
|
|
Assignee | |
Comment 2•16 years ago
|
||
|
|
Assignee | |
Comment 3•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/12083acc3286 Holding the crashtest until 1.9.0.x is released with a fix. Filed bug 459597 on the "Shouldn't be incomplete" assertion. -> FIXED
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
|
|
Assignee | |
Updated•16 years ago
|
Target Milestone: --- → mozilla1.9.1b2
|
|
Assignee | |
Updated•16 years ago
|
Attachment #342011 -
Flags: approval1.9.0.4?
|
|
||
Updated•16 years ago
|
Attachment #342011 -
Flags: approval1.9.0.4? → approval1.9.0.4+
|
|
||
Comment 4•16 years ago
|
||
Comment on attachment 342011 [details] [diff] [review] Patch rev. 1 Approved for 1.9.0.4, a=dveditz for release-drivers
|
|
Assignee | |
Comment 5•16 years ago
|
||
Landed on CVS trunk for 1.9.0.4: mozilla/layout/generic/nsBlockFrame.cpp 3.959 mozilla/layout/generic/nsBlockFrame.h 3.273
Keywords: fixed1.9.0.4
|
||
Comment 6•16 years ago
|
||
Tomcat, can you verify that this assertion is gone with your nightly debug 1.9.0 build?
|
||
Comment 7•16 years ago
|
||
Verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102800 Firefox/3.0.4pre and the Testcase from Mats. I see not the Assertion -> ASSERTION: running past end" with -moz-column..., so verified 1.9.0.4 But i still see ###!!! ASSERTION: Shouldn't be incomplete if availableHeight is UNCONSTRAINED.: 'aReflowState.availableHeight != NS_UNCONSTRAINEDSIZE', file /work/mozilla/builds/1.9.0/mozilla/layout/generic/nsBlockFrame.cpp, line 1405 - but this is covered in Bug 459597
Keywords: fixed1.9.0.4 → verified1.9.0.4
|
|
||
Updated•16 years ago
|
Group: core-security
|
|
Reporter | |
Updated•16 years ago
|
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•