Created attachment 530821 [details] testcase ###!!! ASSERTION: aPrevFrame must be the last continuation in its chain!: '!aPrevFrame || (!aPrevFrame->GetNextContinuation() || IS_TRUE_OVERFLOW_CONTAINER(aPrevFrame->GetNextContinuation())) && !IS_TRUE_OVERFLOW_CONTAINER(aPrevFrame)', file layout/base/nsFrameManager.cpp, line 499 Might be a regression from today's cedar merge: http://hg.mozilla.org/mozilla-central/pushloghtml?changeset=62941612320d
tracking-, since even *if* this were a sign of worse problems to come, they'd be problems that would be mitigated by frame poisoning. Also, what do you mean by "Might be a regression"?
> tracking-, since even *if* this were a sign of worse problems to come, they'd > be problems that would be mitigated by frame poisoning. And web sites don't use columns with abs pos, so this shouldn't be a stability problem. Fair enough. > Also, what do you mean by "Might be a regression"? I got several reports from the fuzzer soon after the merge, which makes me think it's not a long-standing bug.
Caused by part 1/2 of bug 10209 (14fe8a6cfd45 or b5c0b85194d6). Ehsan, hopefully one of your followup patches fixes this.
My followup patches do seem to fix this.
Created attachment 563581 [details] [diff] [review] Crashtest The crash has been fixed. Here's the crashtest.