Closed Bug 834569 Opened 13 years ago Closed 11 years ago

Crash [@ nsIFrame::GetStyleDisplay] from nsBlockFrame::RenumberListsFor

Categories

(Core :: Layout: Block and Inline, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Attachments

(1 file)

Attached file Crash stack
The "Original testcase" in bug 344557 still crashes. That bug was once a security bug so making this the same just in case. Sometimes it just hangs. Try loading the file in multiple tabs from the command line (just repeat the file name).

###!!! ASSERTION: value should always be stored and non-empty when state set: 'prop && !prop->mLines.empty() && prop->mLines.front()->GetChildCount() == 0 ? prop->mFrames.IsEmpty() : prop->mLines.front()->mFirstChild == prop->mFrames.FirstChild()', file layout/generic/nsBlockFrame.cpp, line 4557
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file layout/base/nsLayoutUtils.cpp, line 4739
###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file layout/base/nsLayoutUtils.cpp, line 4753
###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame(aDestructRoot, placeholder)', file layout/generic/nsFrame.cpp, line 621
###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file layout/base/../generic/nsPlaceholderFrame.h, line 168

"Original testcase" is attachment 229116 (adding link for convenience)

The crash is a null ptr deref -- nsIFrame::GetStyleDisplay (this=0x0) -- and the testcase is public. We don't need to hide this one unless we see evidence of worse badness.
Group: core-security
Keywords: csec-nullptr
I only see one assertion (repeated many times)

###!!! ASSERTION: overflow containers must be zero-height: 'aMetrics.height == 0', file layout/generic/nsBlockFrame.cpp, line 1471

WFM? crash-stats has no crashes containing nsIFrame::GetStyleDisplay newer than version 17.0.9esr
Flags: needinfo?(mats)
No crash using a local debug build on Linux64. I do see the assertions below, but that's likely a dupe of bug 574889 (I'll add a note there so this test isn't missed).

frame: ColumnSet(dt)(0) (0x7fffa6032a00) style: 0x7fffa63f95f8 {}
ASSERTION: Wrong parent style context: 'Error', file ../../../../../../src/inbound/layout/base/RestyleManager.cpp, line 1732
Wrong parent style context: style: 0x7fffa64d4ca8 {}
should be using: style: 0x7fffa63f5970 {}
ASSERTION: overflow containers must be zero-block-size: 'finalSize.BSize(wm) == 0', file layout/generic/nsBlockFrame.cpp, line 1517

Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(mats)
Resolution: --- → WORKSFORME