Closed Bug 667025 Opened 13 years ago Closed 13 years ago

Crash [@ nsTextFrame::ClearTextRun] with rtl

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla7

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [inbound])

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
396 bytes, text/html
Details
stack trace
13.25 KB, text/plain
Details
Frame dump + stack
12.17 KB, text/html
Details
bp-4b872138-932e-4dbf-b72b-134d42110624 Regression between Jun 23 and Jun 24 nightly builds, I think.
Attached file stack trace
With nsContainerFrame::RemoveFrame on stack, bug 654002 is the likely culprit.
Confirmed - reverting bug 654002 in a local build makes the crash go away.
Assignee: nobody → matspal
Blocks: 654002
OS: Mac OS X → All
Hardware: x86_64 → All
I suspect that it's the "!mPrevContinuation" on line 3837 that is now true in cases where it didn't use to be... http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsTextFrameThebes.cpp#3823
Attached file Frame dump + stack
The problem is that ClearAllTextRunReferences() depends on an intact next-continuation in order to clear mTextRun on the frames. I think this is worse than the problem bug 654002 was trying to solve, so I'll just back that out for now.
http://hg.mozilla.org/mozilla-central/rev/12b5e82f6ffd http://hg.mozilla.org/mozilla-central/rev/25c5fc68db1f Someone please mark bug 654002 as backed out on central since I can't access it.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla7
Crash Signature: [@ nsTextFrame::ClearTextRun ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: