Here's the relevant stack:

#11 0x03227a17 in nsDocument::FlushPendingNotifications (this=0x152bc00, aType=Flush_Style) at /Users/bzbarsky/mozilla/profile/mozilla/content/base/src/nsDocument.cpp:6221
#12 0x0d7b9fc6 in nsEditingSession::SetupEditorOnWindow (this=0xd86a600, aWindow=0xd85dce0) at /Users/bzbarsky/mozilla/profile/mozilla/editor/composer/src/nsEditingSession.cpp:375
#13 0x0d7bace2 in nsEditingSession::MakeWindowEditable (this=0xd86a600, aWindow=0xd85dce0, aEditorType=0x3853f10 "html", aDoAfterUriLoad=0, aMakeWholeDocumentEditable=0, aInteractive=1) at /Users/bzbarsky/mozilla/profile/mozilla/editor/composer/src/nsEditingSession.cpp:208
#14 0x0339fb31 in nsHTMLDocument::EditingStateChanged (this=0x152bc00) at /Users/bzbarsky/mozilla/profile/mozilla/content/html/document/src/nsHTMLDocument.cpp:3378
#15 0x033a0729 in nsHTMLDocument::SetDesignMode (this=0x152bc00, aDesignMode=@0xbfffb650) at /Users/bzbarsky/mozilla/profile/mozilla/content/html/document/src/nsHTMLDocument.cpp:3491
#16 0x02fe7ee7 in nsSubDocumentFrame::ShowDocShell (this=0x1535284) at /Users/bzbarsky/mozilla/profile/mozilla/layout/generic/nsFrameFrame.cpp:990
#17 0x02fe7f9f in nsSubDocumentFrame::ShowViewer (this=0x1535284) at /Users/bzbarsky/mozilla/profile/mozilla/layout/generic/nsFrameFrame.cpp:327
#18 0x02fe82e1 in nsSubDocumentFrame::Init (this=0x1535284, aContent=0xd85d350, aParent=0x1528810, aPrevInFlow=0x0) at /Users/bzbarsky/mozilla/profile/mozilla/layout/generic/nsFrameFrame.cpp:312

The SetDesignMode call was added to fix bug 284245. The flush was added to fix bug 262998. The combination is just bad. Can we possibly do the designMode munging in ShowDocshell off an event? Or at the end of the update or something?
The "reflowing in the middle of frame construction" assertion also showed up in bug 455623 and bug 393936. Are they related?
The latter might be; this particular way of hitting it is definitely designMode specific.
Jesse, what are your thoughts on the severity rating for this one?
I'm going to assume that when Boris says a bug is "bad" in this context he means "dangerous".
Yeah, I mean "can destroy objects further up the stack that we'll then unwind to and make virtual function calls on". For trunk/1.9.1, can we do the designmode stuff off a script runner?
This bug could use an owner and some love. Adding to the Top Security Bugs list...
This is fixed, I think. I just need to find in which bug.
Ah, right, bug 466057 prevents flushing when it is not safe.
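The hazard Boris describes in the comment above (a synchronous flush reached from nsSubDocumentFrame::Init via SetDesignMode can destroy the very frame whose Init is still on the stack) and the shape of the fix referenced here (refuse to flush while it is unsafe) can be shown in a small model. The following C++ is an added illustration written for this page, not Mozilla code: Document, Frame, SubDocumentFrame, ConstructSubDocumentFrame and the guard flag are stand-ins for the real classes, the "flush" is modelled bluntly as throwing away the whole frame tree, and a live-object registry is used so the dangling-pointer condition is reported rather than actually exercised.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Registry of live Frame addresses (stored as integers so a stale pointer
// value is never dereferenced or compared as a pointer). This is only here
// to make the hazard observable; in the real engine it shows up as a crash
// or an ASan use-after-free report.
static std::set<std::uintptr_t> gLiveFrames;

struct Frame {
    Frame() { gLiveFrames.insert(reinterpret_cast<std::uintptr_t>(this)); }
    virtual ~Frame() { gLiveFrames.erase(reinterpret_cast<std::uintptr_t>(this)); }
    virtual std::string Name() const { return "Frame"; }
    bool initDone = false;
};

struct SubDocumentFrame : Frame {
    std::string Name() const override { return "SubDocumentFrame"; }
};

struct Document {
    std::vector<std::unique_ptr<Frame>> frames;  // stand-in for the frame tree
    bool inFrameConstruction = false;
    bool guardUnsafeFlush;   // stand-in for the "don't flush when unsafe" check
    int flushesDone = 0;
    int flushesSkipped = 0;

    explicit Document(bool guard) : guardUnsafeFlush(guard) {}

    // Stand-in for nsDocument::FlushPendingNotifications(Flush_Style).
    // A style flush may reconstruct frames; modelled here as destroying
    // every frame, including one whose Init() is still on the stack.
    void FlushPendingNotifications() {
        if (guardUnsafeFlush && inFrameConstruction) {
            ++flushesSkipped;   // caller is mid-construction: not safe to flush
            return;
        }
        ++flushesDone;
        frames.clear();         // runs ~Frame() on everything
    }

    // Stand-in for nsHTMLDocument::SetDesignMode, which in the stack above
    // reaches nsEditingSession::SetupEditorOnWindow and flushes synchronously.
    void SetDesignMode(bool on) {
        if (on) FlushPendingNotifications();
    }
};

struct ConstructResult {
    bool frameDestroyedUnderUs;  // true: real code would now use a freed object
    bool initCompleted;
    std::string name;
};

// Stand-in for nsSubDocumentFrame::Init -> ShowViewer -> ShowDocShell ->
// SetDesignMode. subdocHasDesignMode models a subdocument with designMode on.
ConstructResult ConstructSubDocumentFrame(Document& doc, bool subdocHasDesignMode) {
    doc.inFrameConstruction = true;
    doc.frames.push_back(std::make_unique<SubDocumentFrame>());
    Frame* self = doc.frames.back().get();               // raw pointer held on the stack
    const std::uintptr_t selfKey = reinterpret_cast<std::uintptr_t>(self);

    doc.SetDesignMode(subdocHasDesignMode);              // the reentrant call mid-Init()

    ConstructResult r{false, false, ""};
    if (gLiveFrames.count(selfKey) == 0) {
        // The next step in the real code is a virtual call through 'self',
        // which is now dangling. Report it instead of performing it.
        r.frameDestroyedUnderUs = true;
    } else {
        r.name = self->Name();                           // safe: object still alive
        self->initDone = true;
        r.initCompleted = true;
    }
    doc.inFrameConstruction = false;
    return r;
}

int main() {
    Document unguarded(false), guarded(true);
    ConstructResult a = ConstructSubDocumentFrame(unguarded, true);
    ConstructResult b = ConstructSubDocumentFrame(guarded, true);
    std::printf("unguarded: frame destroyed under Init = %d\n", a.frameDestroyedUnderUs);
    std::printf("guarded:   init completed = %d, flushes skipped = %d\n",
                b.initCompleted, guarded.flushesSkipped);
    return 0;
}
```

The point of the model is the ordering, not the data structures: once a synchronous flush can run reentrantly from inside frame construction, any raw pointer the caller holds across that call is suspect, and the guard has to live in the flush path itself rather than in each caller, because the caller (here, the designMode setup) has no way to know whose Init() it was invoked from.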
Bz, do you think there is still something else to fix here?
Well, presumably the flush call there is for a reason, not just for fun. What's broken due to the flush not being allowed?
Neither bug 284245 nor bug 262998 is regressed. Filed bug 482677. Marking this fixed.