Crash [@ nsFrame::CorrectStyleParentFrame] with -moz-column, <spacer>, <keygen>

RESOLVED WORKSFORME

Status

Core
Layout
--
critical
9 years ago
2 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86
All
crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(4 attachments)

(Reporter)

Description

9 years ago
Created attachment 385463 [details]
testcase (crashes Firefox when loaded)

Crash [@ nsFrame::CorrectStyleParentFrame] reading from 0xddddddf1.
(Reporter)

Comment 1

9 years ago
Created attachment 385464 [details]
stack trace
(Reporter)

Updated

9 years ago
Whiteboard: [sg:critical?]
Created attachment 392168 [details]
valgrind's explanation for crash (with DEBUG_TRACEMALLOC_FRAMEARENA)
dbaron, do you have any time to take this bug or should we look for another owner?
Created attachment 406083 [details]
testcase 2

Here's a somewhat reduced testcase.  Removed a few tags and some of the styling, and replaced the <keygen> and the script-created-<area> both with <span>s.
Attachment #406083 - Attachment is patch: false
Attachment #406083 - Attachment mime type: text/plain → application/xhtml+xml
OS: Mac OS X → All
A Twitter user reported http://crash-stats.mozilla.com/report/index/2852b26c-bb56-4ce5-96a2-6762d2091103 which contains this stack. He said he crashed after a session restore.
(Reporter)

Comment 6

8 years ago
WFM on trunk.  fantasai's frame destruction patches in bug 508473 fixed several
-moz-column bugs, so they might have fixed this as well.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsFrame::CorrectStyleParentFrame]

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release