Closed Bug 783228 Opened 7 years ago Closed 7 years ago

Crash zooming page with -moz-columns containing a float

Categories

(Core :: Layout, defect, critical)

14 Branch
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: dougc, Assigned: dougc)

References

Details

(Keywords: crash, reproducible, testcase)

Crash Data

Attachments

(3 files)

Attached file Backtrace of a crash.
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120717144008

Steps to reproduce:

Experimenting with -moz-columns.

Note this crash also occurs on the nightly 17 branch.


Actual results:

Sometimes crashes when zooming.
Keywords: crash
(In reply to Scoobidiver from comment #1)
> Does it happen in Safe Mode (see
> https://support.mozilla.org/kb/troubleshoot-firefox-issues-using-safe-mode)?

Yes, this crash still occurs in safe-mode.

The assertion checks in a Nightly build seem to be picking up this issue.  The last below is a null pointer which is returned by GetRealFrameForPlaceholder to nsLayoutUtils::GetFloatFromPlaceholder and causes a fault when used in the assertion outOfFlowFrame->IsFloating().

###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file ./src/layout/base/nsLayoutUtils.cpp, line 4512
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file ./src/layout/base/nsLayoutUtils.cpp, line 4512
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file ./src/layout/base/nsLayoutUtils.cpp, line 4512
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file ./src/layout/base/nsLayoutUtils.cpp, line 4498
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file ./src/layout/base/nsLayoutUtils.cpp, line 4512
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file ./src/layout/generic/nsFrame.cpp, line 607
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file ./src/layout/generic/nsFrame.cpp, line 607
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file ./src/layout/base/../generic/nsPlaceholderFrame.h, line 167
This HTML along with the image.jpg file reproduce the crash.  It can be necessary to resize the window a few times to invoke a crash.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ nsIFrame::GetStyleDisplay]
Component: Untriaged → Layout
Ever confirmed: true
Product: Firefox → Core
Keywords: reproducible
FYI, it's the float:left that causes the crash.
Depends on: 772320
Keywords: testcase
OS: Linux → All
Hardware: x86_64 → All
Summary: Crash zooming page with -moz-columns → Crash zooming page with -moz-columns containing a float
WFM, m-c debug builds on Linux64 and OSX.
WFM, m-c ASan debug build on Linux64.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → WORKSFORME
Landed the crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4715e8732ef7
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.