665853 - Crash [@ nsAbsoluteContainingBlock::GetChildListName] with null this | ASSERTION: The frame is marked as an abspos container but doesn't have the property: 'absCB'

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Bob Clary [:bc] (inactive)]

1. http://decalcom.com.br/parede/carrinho.htm
2. Crash Nightly Windows, Mac, Linux but not Aurora or Beta on Mac at least.

From Mac.

###!!! ASSERTION: The frame is not marked as an abspos container correctly: 'IsAbsoluteContainer()', file /work/mozilla/builds/nightly/mozilla/layout/generic/nsFrame.cpp, line 272
###!!! ASSERTION: The frame is marked as an abspos container but doesn't have the property: 'absCB', file /work/mozilla/builds/nightly/mozilla/layout/generic/nsFrame.cpp, line 275

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x050844f1 in nsAbsoluteContainingBlock::GetChildListName (this=0x0) at nsAbsoluteContainingBlock.h:84
84	  nsIAtom* GetChildListName() const { return mChildListName; }
#0  0x050844f1 in nsAbsoluteContainingBlock::GetChildListName (this=0x0) at nsAbsoluteContainingBlock.h:84
#1  0x050841bc in nsAbsoluteContainingBlock::SetInitialChildList (this=0x0, aDelegatingFrame=0xe91e88, aListName=0x1624d0, aChildList=@0xbfffc740) at /work/mozilla/builds/nightly/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:62
#2  0x04fa7c90 in nsFrameConstructorState::ProcessFrameInsertions (this=0xbfffc71c, aFrameItems=@0xbfffc740, aChildListName=0x1624d0) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:1226
#3  0x04faa21d in nsFrameConstructorState::~nsFrameConstructorState (this=0xbfffc71c) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:969
#4  0x04fb95b7 in nsCSSFrameConstructor::ContentAppended (this=0x25003fa0, aContainer=0x250cbe60, aFirstNewContent=0x25017900, aAllowLazyConstruction=0) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:6720
#5  0x04fb9ec6 in nsCSSFrameConstructor::CreateNeededFrames (this=0x25003fa0, aContent=0x250cbe60) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:6308

from Windows bp-19c29705-163c-4ced-9354-c52da2110621

Comment 1

[Boris Zbarsky [:bzbarsky]]

Ehsan?

Comment 2

[(no longer active)]

Attachment: Reduced test case

Comment 3

[(no longer active)]

So this is fixed by one of the thousands of patches I have sitting in my tree.  I'll add a crashtest for it here.

Comment 4

[(no longer active)]

Attachment: Crashtest

Comment 5

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 540838 [details] [diff] [review]
Crashtest

r=me

Comment 6

[Asa Dotzler [:asa]]

I see this is a regression but I don't see anything about the frequency or ranking of this compared to other crashes. What is the purpose of the request for the release drivers to track this?

Comment 7

[Boris Zbarsky [:bzbarsky]]

I believe that this was backed out on m-c, so isn't an issue on aurora 7, but Ehsan should confirm when he gets back in a week.

Asa, the purpose of tracking this was to make sure that the patch causing this (which was sort of half-baked) is backed out so we don't ship the crash.

Comment 8

[(no longer active)]

Yes, this is fixed by backing out bug 10209 on m-c.

Comment 9

[(no longer active)]

This was fixed by my patches in bug 10209.  Here's the test case:

https://hg.mozilla.org/mozilla-central/rev/11345fd3f662