Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Crash [@ nsAbsoluteContainingBlock::GetChildListName] with null this | ASSERTION: The frame is marked as an abspos container but doesn't have the property: 'absCB'

RESOLVED FIXED in Firefox 7

Status

()

Core
Layout
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: bc, Assigned: Ehsan)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
mozilla10
x86
All
assertion, crash, regression, reproducible, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox5 unaffected, firefox6 unaffected, firefox7+ fixed)

Details

(crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
1. http://decalcom.com.br/parede/carrinho.htm
2. Crash Nightly Windows, Mac, Linux but not Aurora or Beta on Mac at least.

From Mac.

###!!! ASSERTION: The frame is not marked as an abspos container correctly: 'IsAbsoluteContainer()', file /work/mozilla/builds/nightly/mozilla/layout/generic/nsFrame.cpp, line 272
###!!! ASSERTION: The frame is marked as an abspos container but doesn't have the property: 'absCB', file /work/mozilla/builds/nightly/mozilla/layout/generic/nsFrame.cpp, line 275

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x050844f1 in nsAbsoluteContainingBlock::GetChildListName (this=0x0) at nsAbsoluteContainingBlock.h:84
84	  nsIAtom* GetChildListName() const { return mChildListName; }
#0  0x050844f1 in nsAbsoluteContainingBlock::GetChildListName (this=0x0) at nsAbsoluteContainingBlock.h:84
#1  0x050841bc in nsAbsoluteContainingBlock::SetInitialChildList (this=0x0, aDelegatingFrame=0xe91e88, aListName=0x1624d0, aChildList=@0xbfffc740) at /work/mozilla/builds/nightly/mozilla/layout/generic/nsAbsoluteContainingBlock.cpp:62
#2  0x04fa7c90 in nsFrameConstructorState::ProcessFrameInsertions (this=0xbfffc71c, aFrameItems=@0xbfffc740, aChildListName=0x1624d0) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:1226
#3  0x04faa21d in nsFrameConstructorState::~nsFrameConstructorState (this=0xbfffc71c) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:969
#4  0x04fb95b7 in nsCSSFrameConstructor::ContentAppended (this=0x25003fa0, aContainer=0x250cbe60, aFirstNewContent=0x25017900, aAllowLazyConstruction=0) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:6720
#5  0x04fb9ec6 in nsCSSFrameConstructor::CreateNeededFrames (this=0x25003fa0, aContent=0x250cbe60) at /work/mozilla/builds/nightly/mozilla/layout/base/nsCSSFrameConstructor.cpp:6308

from Windows bp-19c29705-163c-4ced-9354-c52da2110621

Comment 1

6 years ago
Ehsan?
tracking-firefox7: --- → ?
Assignee: nobody → ehsan
Created attachment 540834 [details]
Reduced test case
So this is fixed by one of the thousands of patches I have sitting in my tree.  I'll add a crashtest for it here.
Depends on: 10209
Keywords: testcase-wanted → testcase
Created attachment 540838 [details] [diff] [review]
Crashtest
Attachment #540838 - Flags: review?(bzbarsky)

Comment 5

6 years ago
Comment on attachment 540838 [details] [diff] [review]
Crashtest

r=me
Attachment #540838 - Flags: review?(bzbarsky) → review+

Comment 6

6 years ago
I see this is a regression but I don't see anything about the frequency or ranking of this compared to other crashes. What is the purpose of the request for the release drivers to track this?

Comment 7

6 years ago
I believe that this was backed out on m-c, so isn't an issue on aurora 7, but Ehsan should confirm when he gets back in a week.

Asa, the purpose of tracking this was to make sure that the patch causing this (which was sort of half-baked) is backed out so we don't ship the crash.

Updated

6 years ago
tracking-firefox7: ? → +
Yes, this is fixed by backing out bug 10209 on m-c.
status-firefox7: affected → fixed
This was fixed by my patches in bug 10209.  Here's the test case:

https://hg.mozilla.org/mozilla-central/rev/11345fd3f662
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
You need to log in before you can comment on or make changes to this bug.