Closed
Bug 489675
Opened 16 years ago
Closed 15 years ago
Crash [@ nsAbsoluteContainingBlock::RemoveFrame] with tooltip, -moz-column-count and position: absolute
Categories
(Core :: Layout, defect)
RESOLVED
WORKSFORME
People
(Reporter: martijn.martijn, Unassigned)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files)
See testcase, which crashes current trunk build after 100ms.
http://crash-stats.mozilla.com/report/index/009a6950-e8ea-4a14-81a8-886342090422?p=1
0 xul.dll nsAbsoluteContainingBlock::RemoveFrame layout/generic/nsAbsoluteContainingBlock.cpp:116
1 xul.dll ViewportFrame::RemoveFrame layout/generic/nsViewportFrame.cpp:156
2 xul.dll nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:714
3 xul.dll xul.dll@0x39f20a
Updated (Reporter) • 16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Comment 1 (Reporter) • 16 years ago
Ok, this one still crashes with this stacktrace.
Updated (Reporter) • 16 years ago
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Updated (Reporter) • 16 years ago
Flags: blocking1.9.2?
Comment 2 • 16 years ago
For me, on mozilla-central and Mac, testcase2 crashes [@ GetChildListNameFor] dereferencing 0xdddddddd. This is the same crash as in bug 468563, which also involves -moz-column and position:absolute.
Updated (Reporter) • 16 years ago
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → DUPLICATE
Flags: blocking1.9.2?
Comment 4 (Reporter) • 16 years ago
On the Mac, I get this stack:
http://crash-stats.mozilla.com/report/index/c85bce9e-7cc3-4b1b-8c77-98b4a2090806?p=1
0 XUL nsAbsoluteContainingBlock::RemoveFrame layout/generic/nsIFrame.h:1178
1 XUL ViewportFrame::RemoveFrame layout/generic/nsViewportFrame.cpp:157
2 XUL nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:717
3 XUL DeletingFrameSubtree layout/base/nsCSSFrameConstructor.cpp:7040
4 XUL nsCSSFrameConstructor::ContentRemoved layout/base/nsCSSFrameConstructor.cpp:7271
5 XUL PresShell::ContentRemoved layout/base/nsPresShell.cpp:5076
6 XUL nsNodeUtils::ContentRemoved content/base/src/nsNodeUtils.cpp:179
7 XUL nsGenericElement::doRemoveChildAt content/base/src/nsGenericElement.cpp:3320
8 XUL nsDocument::RemoveChildAt content/base/src/nsDocument.cpp:3251
9 XUL nsGenericElement::doRemoveChild content/base/src/nsGenericElement.cpp:3966
10 XUL nsDocument::RemoveChild content/base/src/nsDocument.cpp:5501
11 XUL nsIDOMNode_RemoveChild dom_quickstubs.cpp:4193
12 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5197
13 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1379
14 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1451
15 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:5176
16 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2097
17 XUL nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:7935
18 XUL nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:8269
19 XUL nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:427
20 XUL nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:519
21 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527
22 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
23 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
24 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:413
25 CoreFoundation CFRunLoopRunSpecific
26 CoreFoundation CFRunLoopRunInMode
27 HIToolbox RunCurrentEventLoopInMode
28 HIToolbox ReceiveNextEventCommon
...which is different than the [@ GetChildListNameFor] crash. So I'm reopening this bug for now and adding a dependency on bug 468563.
Comment 5 • 15 years ago
Hey roc, can we get someone to take a look at this one?
Looks like a virtual call on a deleted frame, should be covered by frame poisoning. Martijn, can you confirm that on trunk we crash with a dereference of 0xF0DEA7FF?
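Frame poisoning as mentioned in the comment above, as an added C++ sketch that is not Gecko's code or part of the bug thread: a freed frame's storage is overwritten with a poison word so a stale pointer is recognizable instead of reaching a reused vtable. `Frame`, `FrameArena` and `SafeRemove` are hypothetical names, the explicit check stands in for the fault a real poisoned dereference would raise, and only the value 0xF0DEA7FF comes from the comment.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Poison word named in the comment above; everything else here is assumed.
constexpr uint32_t kPoison = 0xF0DEA7FF;

// Hypothetical stand-in for a layout frame with a virtual method.
struct Frame {
    virtual ~Frame() {}
    virtual int RemoveFrame() { return 1; }
};

// Hypothetical single-slot arena: storage is never handed back to the
// general heap, so a freed slot can only hold poison or another Frame.
class FrameArena {
    alignas(std::max_align_t) unsigned char slot_[sizeof(Frame)];
public:
    Frame* Allocate() { return new (slot_) Frame(); }

    void Free(Frame* f) {
        f->~Frame();
        // Overwrite the whole slot, vtable pointer included, with poison.
        for (std::size_t i = 0; i + sizeof(kPoison) <= sizeof(slot_);
             i += sizeof(kPoison))
            std::memcpy(slot_ + i, &kPoison, sizeof(kPoison));
    }

    // True when the first word of the slot (where the vtable pointer
    // would live) holds the poison pattern.
    static bool IsPoisoned(const void* p) {
        uint32_t word;
        std::memcpy(&word, p, sizeof(word));
        return word == kPoison;
    }
};

// Returns -1 for a frame that was already freed, otherwise dispatches.
int SafeRemove(Frame* f) {
    if (FrameArena::IsPoisoned(f)) return -1;
    return f->RemoveFrame();
}
```
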
Comment 7 (Reporter) • 15 years ago
I'm getting this crash stacktrace with current trunk build on the 2nd testcase:
http://crash-stats.mozilla.com/report/index/52074d40-4567-4420-ae3b-6b2912091012
0 XUL nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:736
1 XUL DeletingFrameSubtree layout/base/nsCSSFrameConstructor.cpp:7048
2 XUL nsCSSFrameConstructor::ContentRemoved layout/base/nsCSSFrameConstructor.cpp:7276
3 XUL PresShell::ContentRemoved layout/base/nsPresShell.cpp:5083
4 XUL nsNodeUtils::ContentRemoved content/base/src/nsNodeUtils.cpp:181
5 XUL nsGenericElement::doRemoveChildAt content/base/src/nsGenericElement.cpp:3393
6 XUL nsDocument::RemoveChildAt content/base/src/nsDocument.cpp:3319
7 XUL nsGenericElement::doRemoveChild content/base/src/nsGenericElement.cpp:4039
8 XUL nsDocument::RemoveChild content/base/src/nsDocument.cpp:5571
9 XUL nsIDOMNode_RemoveChild dom_quickstubs.cpp:4427
10 libmozjs.dylib js_Interpret js/src/jsops.cpp:2269
11 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1373
12 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1428
13 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:5096
14 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2092
15 XUL nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:8032
16 XUL nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:8366
17 XUL nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:427
18 XUL nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:519
19 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527
20 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
21 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
22 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:417
Comment 8 • 15 years ago
WFM on trunk (mozilla-central, Mac). I bet this got fixed along with bug 468563.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 15 years ago
Resolution: --- → WORKSFORME
Updated (Assignee) • 14 years ago
Crash Signature: [@ nsAbsoluteContainingBlock::RemoveFrame]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 9 years ago
Group: core-security-release