Closed Bug 486428 Opened 16 years ago Closed 16 years ago

Crash [@ InlineBackgroundData::GetNextContinuation] with -moz-column, float

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

testcase A (triggers null deref)
563 bytes, application/xhtml+xml
Details
testcase B (triggers assertion and scary crash)
580 bytes, application/xhtml+xml
Details
No description provided.
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: 'Not Reached', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 732 + touches 0xddddddf5
Whiteboard: [sg:critical?]
(In reply to comment #1) > ###!!! ASSERTION: frame was not removed from primary frame map before > destruction or was readded to map after being removed: 'Not Reached', file > /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 732 The stack for this assertion makes it look like another duplicate of bug 463350. (It goes through DeleteNextInFlowChild.) However, the first testcase seems like it could be different.
Depends on: 463350
WFM on mozilla-central. No assertions, no crashes.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ InlineBackgroundData::GetNextContinuation]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: