Crash [@ InlineBackgroundData::GetNextContinuation] with -moz-column, float

RESOLVED WORKSFORME

Status

()

--
critical
RESOLVED WORKSFORME
10 years ago
3 years ago

People

(Reporter: jruderman, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

Trunk
x86
Mac OS X
assertion, crash, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

10 years ago
Created attachment 370537 [details]
testcase A (triggers null deref)
(Reporter)

Comment 1

10 years ago
Created attachment 370538 [details]
testcase B (triggers assertion and scary crash)

###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: 'Not Reached', file /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 732

+ touches 0xddddddf5
(Reporter)

Updated

10 years ago
Whiteboard: [sg:critical?]
(In reply to comment #1)
> ###!!! ASSERTION: frame was not removed from primary frame map before
> destruction or was readded to map after being removed: 'Not Reached', file
> /Users/jruderman/central/layout/base/nsFrameManager.cpp, line 732

The stack for this assertion makes it look like another duplicate of bug 463350.  (It goes through DeleteNextInFlowChild.)  However, the first testcase seems like it could be different.
Depends on: 463350
(Reporter)

Comment 3

10 years ago
WFM on mozilla-central.  No assertions, no crashes.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ InlineBackgroundData::GetNextContinuation]

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.