Closed
Bug 526217
Opened 15 years ago
Closed 15 years ago
Crash [@ nsFrameManager::RemoveFrame] with position:fixed and -moz-column-count
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | .13-fixed |
status1.9.1 | --- | unaffected |
People
(Reporter: martijn.martijn, Assigned: martijn.martijn)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:dos frame-poisoned crash] regressed from 411835, fixed by 508473)
Crash Data
Attachments
(1 file)
306 bytes,
text/html
|
Details |
See testcase, which crashes current trunk build. This regressed between 2008-12-07 and 2008-12-08, I guess a regression from bug 411835: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-12-07+05%3A00%3A00&enddate=2008-12-08+07%3A00%3A00 http://crash-stats.mozilla.com/report/index/bf590f70-34d5-4edd-bbf0-9a7da2091103?p=1 0 xul.dll nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:736 1 xul.dll DeletingFrameSubtree layout/base/nsCSSFrameConstructor.cpp:7028 2 xul.dll nsCSSFrameConstructor::ContentRemoved layout/base/nsCSSFrameConstructor.cpp:7256 3 xul.dll nsCSSFrameConstructor::RecreateFramesForContent layout/base/nsCSSFrameConstructor.cpp:9071 4 xul.dll nsCSSFrameConstructor::ProcessRestyledFrames layout/base/nsCSSFrameConstructor.cpp:7738 5 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4879 6 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:308 7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527 8 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170 9 nspr4.dll PR_GetEnv 10 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:110 11 firefox.exe __tmainCRTStartup obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591 12 kernel32.dll BaseProcessStart It doesn't crash Firefox3.5.4, but still marking security sensitive, since related bugs are also security sensitive.
Updated•15 years ago
|
Whiteboard: [sg:critical?]
Comment 1•15 years ago
|
||
fantasai, does your frame destruction work have any effect on this?
Assignee | ||
Comment 3•15 years ago
|
||
Which bug is that?
Comment 4•15 years ago
|
||
Bug 508473 - Clean up and reorganize frame destruction
Assignee | ||
Updated•15 years ago
|
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
status1.9.1:
--- → unaffected
status1.9.2:
--- → wanted
Whiteboard: [sg:critical?] → [sg:critical?] fixed by bug 508473
Updated•14 years ago
|
Whiteboard: [sg:critical?] fixed by bug 508473 → [sg:critical?] regressed from 411835, fixed by 508473
Updated•14 years ago
|
Whiteboard: [sg:critical?] regressed from 411835, fixed by 508473 → [sg:dos frame-poisoned crash] regressed from 411835, fixed by 508473
Updated•14 years ago
|
Updated•13 years ago
|
Group: core-security
Updated•13 years ago
|
Flags: in-testsuite?
Updated•13 years ago
|
Crash Signature: [@ nsFrameManager::RemoveFrame]
Comment 6•11 years ago
|
||
Crash test: https://hg.mozilla.org/integration/mozilla-inbound/rev/e88ae04a6447
Flags: in-testsuite? → in-testsuite+
Comment 7•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e88ae04a6447
Assignee: nobody → martijn.martijn
You need to log in
before you can comment on or make changes to this bug.
Description
•