Closed
Bug 849603
Opened 11 years ago
Closed 11 years ago
Crash [@ nsOverflowContinuationTracker::Insert] with CSS columns
Categories
(Core :: Layout: Block and Inline, defect)
Core
Layout: Block and Inline
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: jruderman, Assigned: MatsPalmgren_bugz)
References
Details
(4 keywords)
Crash Data
Attachments
(3 files)
Nightly: Null deref [@ nsOverflowContinuationTracker::Insert] bp-2c5476fa-1e72-4ff1-8521-b90672130310 ASan: Use-after-poison [@ nsOverflowContinuationTracker::Insert] Debug: Assertion failure: !aFrame->GetPrevSibling() || !aFrame->GetNextSibling() (Forgot to call StartRemoveFrame?), at layout/generic/nsIFrame.h:3267
Reporter | ||
Comment 1•11 years ago
|
||
Comment 2•11 years ago
|
||
On Windows: bp-23ec460d-ce6a-40dc-811e-8ebd72130310.
Crash Signature: [@ nsOverflowContinuationTracker::StepForward() ]
[@ nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) ]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee | ||
Updated•11 years ago
|
Assignee | ||
Comment 3•11 years ago
|
||
There's a logic error in the way I wrote the TryRemoveFrame helper for StealFrame. If the first list (OverflowContainers) does not exist then there will be no call to StartRemoveFrame, but for the second list (ExcessOverflowContainers) we'll use ContinueRemoveFrame unconditionally but that *requires* a prior call to StartRemoveFrame. For now, it's simpler to just use StartRemoveFrame for both calls; the ContinueRemoveFrame optimization isn't worth it in this case. (I'll try to simplify this code further in an upcoming patch, after some other changes I have in my queue.) https://tbpl.mozilla.org/?tree=Try&rev=c465ec67befb
Attachment #725210 -
Flags: review?(bzbarsky)
Comment 4•11 years ago
|
||
Comment on attachment 725210 [details] [diff] [review] fix+test r=me
Attachment #725210 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 5•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fb7e2b6eef1b
Flags: in-testsuite+
Comment 6•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fb7e2b6eef1b
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
You need to log in
before you can comment on or make changes to this bug.
Description
•