Closed Bug 2046 Opened 26 years ago Closed 26 years ago

Crash running dom/tests/js/docfrag.html

Categories

(Core :: Layout, defect, P1)

x86
All
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: akkzilla, Assigned: buster)

References

()

Details

Load the test url. Click the second link, the one that says it will replace the following two words. Crashes on win32 and on linux. Linux stack trace: #0 0x40b654a8 in main_arena () #1 0x402fe20b in nsBlockFrame::RenumberLists (this=0x81c05c8, aState=@0xbfffcaac) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4439 #2 0x402fea72 in nsBlockFrame::PrepareFrameRemovedReflow (this=0x81c05c8, aState=@0xbfffcaac) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4755 #3 0x402f9a86 in nsBaseIBFrame::Reflow (this=0x81c05c8, aPresContext=@0x817a160, aMetrics=@0xbfffcf60, aReflowState=@0xbfffce58, aStatus=@0xbfffcf14) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:655 #4 0x402fe0c4 in nsBlockFrame::Reflow (this=0x81c05c8, aPresContext=@0x817a160, aDesiredSize=@0xbfffcf60, aReflowState=@0xbfffce58, aStatus=@0xbfffcf14) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4393 #5 0x402ff113 in nsBlockReflowContext::ReflowBlock (this=0xbfffcf1c, aFrame=0x81c05c8, aSpace=@0xbfffcfa0, aIsAdjacentWithTop=0, aFrameReflowStatus=@0xbfffcf14) at ../../../../../mozilla/layout/html/base/src/nsBlockReflowContext.cpp:153 #6 0x402fb3c5 in nsBaseIBFrame::ReflowBlockFrame (this=0x81ba0d0, aState=@0xbfffd6a4, aLine=0x81c2598, aKeepReflowGoing=@0xbfffd038) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:2009 #7 0x402fa976 in nsBaseIBFrame::ReflowLine (this=0x81ba0d0, aState=@0xbfffd6a4, aLine=0x81c2598, aKeepGoing=@0xbfffd038) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:1469 #8 0x402fa4a7 in nsBaseIBFrame::ReflowDirtyLines (this=0x81ba0d0, aState=@0xbfffd6a4) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:1198 #9 0x402feaae in nsBlockFrame::ReflowDirtyLines (this=0x81ba0d0, aState=@0xbfffd6a4) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4767 #10 0x402f9af3 in nsBaseIBFrame::Reflow (this=0x81ba0d0, aPresContext=@0x817a160, aMetrics=@0xbfffdb58, aReflowState=@0xbfffda50, aStatus=@0xbfffdb0c) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:676 #11 0x402fe0c4 in nsBlockFrame::Reflow (this=0x81ba0d0, aPresContext=@0x817a160, aDesiredSize=@0xbfffdb58, aReflowState=@0xbfffda50, aStatus=@0xbfffdb0c) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4393 #12 0x402ff113 in nsBlockReflowContext::ReflowBlock (this=0xbfffdb14, aFrame=0x81ba0d0, aSpace=@0xbfffdb98, aIsAdjacentWithTop=1, aFrameReflowStatus=@0xbfffdb0c) at ../../../../../mozilla/layout/html/base/src/nsBlockReflowContext.cpp:153 #13 0x402fb3c5 in nsBaseIBFrame::ReflowBlockFrame (this=0x81b9ac0, aState=@0xbfffe29c, aLine=0x81ba168, aKeepReflowGoing=@0xbfffdc30) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:2009 #14 0x402fa976 in nsBaseIBFrame::ReflowLine (this=0x81b9ac0, aState=@0xbfffe29c, aLine=0x81ba168, aKeepGoing=@0xbfffdc30) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:1469 #15 0x402fa4a7 in nsBaseIBFrame::ReflowDirtyLines (this=0x81b9ac0, aState=@0xbfffe29c) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:1198 #16 0x402feaae in nsBlockFrame::ReflowDirtyLines (this=0x81b9ac0, aState=@0xbfffe29c) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4767 #17 0x402f9af3 in nsBaseIBFrame::Reflow (this=0x81b9ac0, aPresContext=@0x817a160, aMetrics=@0xbfffe728, aReflowState=@0xbfffe648, aStatus=@0xbfffe9b4) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:676 #18 0x402fe0c4 in nsBlockFrame::Reflow (this=0x81b9ac0, aPresContext=@0x817a160, aDesiredSize=@0xbfffe728, aReflowState=@0xbfffe648, aStatus=@0xbfffe9b4) at ../../../../../mozilla/layout/html/base/src/nsBlockFrame.cpp:4393 #19 0x402f8401 in nsAreaFrame::Reflow (this=0x81b9ac0, aPresContext=@0x817a160, aDesiredSize=@0xbfffe728, aReflowState=@0xbfffe754, aStatus=@0xbfffe9b4) at ../../../../../mozilla/layout/html/base/src/nsAreaFrame.cpp:259 #20 0x40300de7 in nsContainerFrame::ReflowChild (this=0x81b8108, aKidFrame=0x81b9ac0, aPresContext=@0x817a160, aDesiredSize=@0xbfffe728, aReflowState=@0xbfffe754, aStatus=@0xbfffe9b4) at ../../../../../mozilla/layout/html/base/src/nsContainerFrame.cpp:395
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
My recent fixes to making removeChild work fixed this.
I copied the test into my web area, to make it easier to get to without needing a source tree.
Note, I just tried it and it doesn't crash, but it doesn't work either -- nothing happens when I click on either link. I'll file a separate bug on that.
Status: RESOLVED → VERIFIED
Verified that the crash no longer takes place on 2.2.99 Mac OS build, as well as the 2.3.99 Win32 & Linux builds.
You need to log in before you can comment on or make changes to this bug.