Closed Bug 849603 Opened 11 years ago Closed 11 years ago

Crash [@ nsOverflowContinuationTracker::Insert] with CSS columns

Categories

(Core :: Layout: Block and Inline, defect)

defect
Not set
critical

RESOLVED FIXED
mozilla22

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

Nightly:
Null deref [@ nsOverflowContinuationTracker::Insert]
bp-2c5476fa-1e72-4ff1-8521-b90672130310

ASan:
Use-after-poison [@ nsOverflowContinuationTracker::Insert]

Debug:
Assertion failure: !aFrame->GetPrevSibling() || !aFrame->GetNextSibling() (Forgot to call StartRemoveFrame?), at layout/generic/nsIFrame.h:3267
Attached file stack for assert
On Windows: bp-23ec460d-ce6a-40dc-811e-8ebd72130310.
Crash Signature: [@ nsOverflowContinuationTracker::StepForward() ] [@ nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) ]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → matspal
Component: DOM → Layout: Block and Inline
Keywords: testcase
Attached patch fix+test
There's a logic error in the way I wrote the TryRemoveFrame helper for
StealFrame.  If the first list (OverflowContainers) does not exist then
there will be no call to StartRemoveFrame, but for the second list
(ExcessOverflowContainers) we'll use ContinueRemoveFrame unconditionally
but that *requires* a prior call to StartRemoveFrame.

For now, it's simpler to just use StartRemoveFrame for both calls; the
ContinueRemoveFrame optimization isn't worth it in this case.

(I'll try to simplify this code further in an upcoming patch, after some
other changes I have in my queue.)

https://tbpl.mozilla.org/?tree=Try&rev=c465ec67befb
Attachment #725210 - Flags: review?(bzbarsky)
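A minimal model of the precondition described in the comment above, added here as an illustration; it is not taken from the patch or from Gecko. `Frame`, `FrameList`, `StealBuggy` and `StealFixed` are hypothetical names, and the assumption that the "continue" step only inspects the list ends is inferred from the assertion text in this bug.

```cpp
// Constructed model, not Gecko source; all names are hypothetical.
struct Frame { Frame* prev = nullptr; Frame* next = nullptr; };
struct FrameList {
  Frame* first = nullptr; Frame* last = nullptr;
  void Append(Frame* f) {
    f->prev = last;
    if (last) last->next = f; else first = f;
    last = f;
  }
  bool Contains(const Frame* f) const {
    for (const Frame* p = first; p; p = p->next) if (p == f) return true;
    return false;
  }
  void Unlink(Frame* f) {
    if (f->prev) f->prev->next = f->next;
    if (f->next) f->next->prev = f->prev;
    if (first == f) first = f->next;
    if (last == f) last = f->prev;
    f->prev = f->next = nullptr;
  }
  // Cheap path (assumed): expects StartRemove ran first, so checks only the ends.
  bool ContinueRemove(Frame* f) {
    if (f != first && f != last) return false;
    Unlink(f);
    return true;
  }
  // Full path: a frame with both siblings sits in the middle of a list.
  bool StartRemove(Frame* f) {
    if (f->prev && f->next) { Unlink(f); return true; }
    return ContinueRemove(f);
  }
};
// Error shape: first list may be absent, second list still gets the cheap call.
bool StealBuggy(FrameList* overflow, FrameList* excess, Frame* f) {
  if (overflow && overflow->StartRemove(f)) return true;
  return excess && excess->ContinueRemove(f);
}
// Fix shape: the full call for both lists.
bool StealFixed(FrameList* overflow, FrameList* excess, Frame* f) {
  if (overflow && overflow->StartRemove(f)) return true;
  return excess && excess->StartRemove(f);
}
// Steal the middle of a three-frame list with no first list; is it still linked?
bool MiddleFrameStillLinked(bool useFixed) {
  Frame a, b, c; FrameList excess;
  excess.Append(&a); excess.Append(&b); excess.Append(&c);
  (useFixed ? StealFixed : StealBuggy)(nullptr, &excess, &b);
  return excess.Contains(&b);
}
```

In the buggy shape the middle frame stays on the list after the steal attempt, so the list keeps a pointer that outlives the caller's expectations; with the full call on both lists it is unlinked.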
Comment on attachment 725210
fix+test

r=me
Attachment #725210 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/fb7e2b6eef1b
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22