Closed
Bug 629908
Opened 13 years ago
Closed 13 years ago
crash in [@ nsCSSFrameConstructor::RecreateFramesForContent]
Categories
(Core :: Layout, defect, P1)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla2.0b12
People
(Reporter: eherokles, Assigned: bzbarsky)
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
20.85 KB,
text/plain
|
Details | |
1.92 KB,
patch
|
dbaron
:
review+
dbaron
:
approval2.0+
|
Details | Diff | Splinter Review |
a crash provovated by a fuzzer in firefox 3.13
I´v you want there is a whole .dump file from VisualSudio2008. To big to post here. Write me a message if you want.
Summary: Crash in xul.dll!nsCSSFrameConstructor::RecreateFramesForContent() → crash in [@nsCSSFrameConstructor::RecreateFramesForContent]
https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg generally speaking it helps to have <dv> (locals) and something which usefully pairs line numbers to lines in the source.
Component: XUL → Layout
Keywords: crash
Summary: crash in [@nsCSSFrameConstructor::RecreateFramesForContent] → crash in [@ nsCSSFrameConstructor::RecreateFramesForContent]
Updated•13 years ago
|
QA Contact: xptoolkit.widgets → layout
Assignee | ||
Comment 4•13 years ago
|
||
Nah, no need for that. This is an obvious null-deref issue. Fix + test coming up.
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: x86 → All
Whiteboard: [need review]
Assignee | ||
Comment 5•13 years ago
|
||
Attachment #508434 -
Flags: review?(dbaron)
Comment on attachment 508434 [details] [diff] [review] Don't blindly try to reconstruct the root element; we might not have one. Is there any possibility that ReconstructDocElementHierarchy will be the only thing called when the root element is removed? If so, we'd need to make sure to destroy frames in that case? r=dbaron
Attachment #508434 -
Flags: review?(dbaron) → review+
Assignee | ||
Comment 7•13 years ago
|
||
> Is there any possibility that ReconstructDocElementHierarchy will be the only
> thing called when the root element is removed?
No, doesn't look like it. Which is good, since it would have crashed without this patch. ;)
Whiteboard: [need review] → [need approval]
Assignee | ||
Updated•13 years ago
|
Attachment #508434 -
Flags: approval2.0?
Attachment #508434 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Updated•13 years ago
|
Whiteboard: [need approval] → [need landing]
Assignee | ||
Comment 8•13 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/8c89810ed6da
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [need landing]
Target Milestone: --- → mozilla2.0b12
Updated•13 years ago
|
Crash Signature: [@ nsCSSFrameConstructor::RecreateFramesForContent]
You need to log in
before you can comment on or make changes to this bug.
Description
•