Created attachment 723165
testcase (crashes Firefox when loaded)

Nightly: Null deref [@ nsOverflowContinuationTracker::Insert] bp-2c5476fa-1e72-4ff1-8521-b90672130310
ASan: Use-after-poison [@ nsOverflowContinuationTracker::Insert]
Debug: Assertion failure: !aFrame->GetPrevSibling() || !aFrame->GetNextSibling() (Forgot to call StartRemoveFrame?), at layout/generic/nsIFrame.h:3267
On Windows: bp-23ec460d-ce6a-40dc-811e-8ebd72130310.
Crash Signature: [@ nsOverflowContinuationTracker::StepForward() ] [@ nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) ]
OS: Mac OS X → All
Hardware: x86_64 → All
Assignee: nobody → matspal
Component: DOM → Layout: Block and Inline
Created attachment 725210
fix+test

There's a logic error in the way I wrote the TryRemoveFrame helper for StealFrame. If the first list (OverflowContainers) does not exist then there will be no call to StartRemoveFrame, but for the second list (ExcessOverflowContainers) we'll use ContinueRemoveFrame unconditionally but that *requires* a prior call to StartRemoveFrame.

For now, it's simpler to just use StartRemoveFrame for both calls; the ContinueRemoveFrame optimization isn't worth it in this case. (I'll try to simplify this code further in an upcoming patch, after some other changes I have in my queue.)

https://tbpl.mozilla.org/?tree=Try&rev=c465ec67befb
Attachment #725210 - Flags: review?(bzbarsky)
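The precondition described in the comment above, as an added C++ model that is not the patch or Gecko's code: `Frame`, `FrameList`, `TryRemoveBuggy`, `TryRemoveFixed` and `StillLinked` are hypothetical stand-ins, and the behaviour of the two remove methods is an assumption inferred from the assertion text quoted in this bug.

```cpp
// Simplified stand-ins (assumptions), not Gecko's nsIFrame / nsFrameList.
struct Frame { Frame* prev = nullptr; Frame* next = nullptr; };

struct FrameList {
  Frame* first = nullptr;
  Frame* last = nullptr;
  void Append(Frame* f) {
    f->prev = last;
    if (last) last->next = f; else first = f;
    last = f;
  }
  // Handles only a frame at either end of this list. A frame with two
  // siblings breaks the precondition (debug builds assert) and stays linked.
  bool ContinueRemoveFrame(Frame* f) {
    if ((f->prev && f->next) || (f != first && f != last)) return false;
    if (f == first) first = f->next;
    if (f == last) last = f->prev;
    if (f->prev) f->prev->next = nullptr;
    if (f->next) f->next->prev = nullptr;
    f->prev = f->next = nullptr;
    return true;
  }
  // Unhooks a mid-list frame, otherwise defers to ContinueRemoveFrame.
  bool StartRemoveFrame(Frame* f) {
    if (!(f->prev && f->next)) return ContinueRemoveFrame(f);
    f->prev->next = f->next;
    f->next->prev = f->prev;
    f->prev = f->next = nullptr;
    return true;
  }
};

// Helper as the bug describes it: a missing first list skips StartRemoveFrame.
bool TryRemoveBuggy(FrameList* overflow, FrameList* excess, Frame* f) {
  if (overflow && overflow->StartRemoveFrame(f)) return true;
  return excess && excess->ContinueRemoveFrame(f);
}
// Shape of the fix: StartRemoveFrame for both lists.
bool TryRemoveFixed(FrameList* overflow, FrameList* excess, Frame* f) {
  if (overflow && overflow->StartRemoveFrame(f)) return true;
  return excess && excess->StartRemoveFrame(f);
}
// True if f is still reachable from list, i.e. a stale pointer once freed.
bool StillLinked(const FrameList& list, const Frame* f) {
  for (const Frame* p = list.first; p; p = p->next)
    if (p == f) return true;
  return false;
}
```

In this model, with no first list and a frame in the middle of the second, the buggy helper reports failure and leaves the frame linked, while the fixed helper unhooks it.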
Comment on attachment 725210
fix+test

r=me
Attachment #725210 - Flags: review?(bzbarsky) → review+
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22