Closed Bug 629908 Opened 9 years ago Closed 9 years ago

crash in [@ nsCSSFrameConstructor::RecreateFramesForContent]

Categories

(Core :: Layout, defect, P1, critical)

Tracking

RESOLVED FIXED
mozilla2.0b12

People

(Reporter: eherokles, Assigned: bzbarsky)

Details

(Keywords: crash)

Attachments

(2 files)

A crash provoked by a fuzzer in Firefox 3.13.
If you want, there is a whole .dump file from Visual Studio 2008. Too big to post here.
Write me a message if you want.
Summary: Crash in xul.dll!nsCSSFrameConstructor::RecreateFramesForContent() → crash in [@nsCSSFrameConstructor::RecreateFramesForContent]
https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg

Generally speaking, it helps to have <dv> (locals) and something which usefully pairs line numbers to lines in the source.
Component: XUL → Layout
Keywords: crash
Summary: crash in [@nsCSSFrameConstructor::RecreateFramesForContent] → crash in [@ nsCSSFrameConstructor::RecreateFramesForContent]
QA Contact: xptoolkit.widgets → layout
Nah, no need for that.  This is an obvious null-deref issue.  Fix + test coming up.
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: x86 → All
Whiteboard: [need review]
Comment on attachment 508434 [details] [diff] [review]
Don't blindly try to reconstruct the root element; we might not have one.

Is there any possibility that ReconstructDocElementHierarchy will be the only thing called when the root element is removed?  If so, we'd need to make sure to destroy frames in that case?

r=dbaron
Attachment #508434 - Flags: review?(dbaron) → review+
> Is there any possibility that ReconstructDocElementHierarchy will be the only
> thing called when the root element is removed?

No, doesn't look like it.  Which is good, since it would have crashed without this patch.  ;)
Whiteboard: [need review] → [need approval]
Attachment #508434 - Flags: approval2.0?
Attachment #508434 - Flags: approval2.0? → approval2.0+
Whiteboard: [need approval] → [need landing]
Pushed http://hg.mozilla.org/mozilla-central/rev/8c89810ed6da
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b12
Crash Signature: [@ nsCSSFrameConstructor::RecreateFramesForContent]