Closed Bug 460924 Opened 16 years ago Closed 16 years ago

Crash [@ nsStyleContext::FindChildWithRules] [@ nsFrame::CorrectStyleParentFrame] with -moz-column, :first-line

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

testcase (crashes Firefox when loaded)
312 bytes, text/html
Details
backtrace of Linux crash in nsFrame::CorrectStyleParentFrame
7.37 KB, text/plain
Details
Loading the testcase makes Firefox crash with one of the following signatures: * [@ nsFrame::CorrectStyleParentFrame] - null deref * [@ nsStyleContext::FindChildWithRules] - 0xdddddde1 deref
Whiteboard: [sg:critical?]
I can reproduce this crash on an up-to-date mozilla-central Linux debug build. Here's the backtrace of the crash (under "CorrectStyleParentFrame"). Briefly investigating in GDB shows that at line 5826 in CorrectStyleParentFrame, we end up with "parent" pointing to a bogus nsIFrame (with almost all of its member data zeroed out). So, the call to parent->GetStyleContext()->GetPseudoType() dies. MXR reference: http://tinyurl.com/5nauon
OS: Mac OS X → All
Hardware: PC → All
This works for me on: * today's 32-bit Linux mozilla-1.9.1 nightly, and * my 64-bit Linux debug build with my patch queue.
WFM.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsStyleContext::FindChildWithRules] [@ nsFrame::CorrectStyleParentFrame]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: