Closed Bug 833309 Opened 11 years ago Closed 11 years ago

SEGV in nsIFrame::GetNextInFlow

Categories

(Core :: Layout, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 830192
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dupe 830192])

Attachments

(1 file)

Attached file Repro-file
Repro-file as attachment.

Tested on Ubuntu 12.04

ASAN report (from m-c opt ASAN build):

==5511== ERROR: AddressSanitizer crashed on unknown address 0x120000000000 (pc 0x7f732092fe92 sp 0x7fff079ac740 bp 0x7fff079ac890 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f732092fe91 in nsIFrame::GetNextInFlow() const /home/attekett/firefox/src/layout/generic/nsIFrame.h:1511
    #1 0x7f7320c3654b in nsCellMap::GetRowSpanForNewCell(nsTableCellFrame*, int, bool&) const /home/attekett/firefox/src/layout/tables/nsCellMap.cpp:2083
    #2 0x7f7320c36364 in nsTableCellMap::AppendCell(nsTableCellFrame&, int, bool, nsIntRect&) /home/attekett/firefox/src/layout/tables/nsCellMap.cpp:563
    #3 0x7f7320c841c1 in nsTableRowFrame::AppendFrames(mozilla::layout::FrameChildListID, nsFrameList&) /home/attekett/firefox/src/layout/tables/nsTableRowFrame.cpp:185
    #4 0x7f7320751f4f in ~nsFrameConstructorState /home/attekett/firefox/src/layout/base/nsCSSFrameConstructor.cpp:997
    #5 0x7f7320775ccc in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/attekett/firefox/src/layout/base/nsCSSFrameConstructor.cpp:7402
    #6 0x7f732076e29e in nsCOMPtr<nsILayoutHistoryState>::operator nsILayoutHistoryState*() const /home/attekett/firefox/src/layout/base/nsCSSFrameConstructor.cpp:6850
    #7 0x7f732077d58a in nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList&, mozilla::css::OverflowChangedTracker&) /home/attekett/firefox/src/layout/base/nsCSSFrameConstructor.cpp:8214
    #8 0x7f732074d504 in mozilla::css::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint, mozilla::css::OverflowChangedTracker&) /home/attekett/firefox/src/layout/base/RestyleTracker.cpp:133
    #9 0x7f732078a9f5 in mozilla::css::RestyleTracker::ProcessRestyles() /home/attekett/firefox/src/layout/base/RestyleTracker.h:225
Stats: 87M malloced (125M for red zones) by 338193 calls
Stats: 4M realloced by 18470 calls
Stats: 55M freed by 208300 calls
Stats: 0M really freed by 0 calls
Stats: 252M (64545 full pages) mmaped in 63 calls
  mmaps   by size class: 8:311277; 9:32764; 10:12285; 11:8188; 12:3072; 13:1536; 14:768; 15:384; 16:896; 17:96; 18:32; 19:8; 20:4;
  mallocs by size class: 8:296607; 9:22365; 10:8148; 11:6078; 12:2014; 13:1141; 14:589; 15:264; 16:879; 17:83; 18:17; 19:4; 20:4;
  frees   by size class: 8:184151; 9:12575; 10:4659; 11:3832; 12:994; 13:910; 14:427; 15:152; 16:513; 17:73; 18:9; 19:2; 20:3;
  rfrees  by size class:
Stats: malloc large: 108 small slow: 1603
==5511== ABORTING
Component: General → Layout
Product: Firefox → Core
This is identical to bug 830192, down to the testcase and stack...
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
Flags: sec-bounty-
Whiteboard: [sg:dupe 830192]