We have some code (definitely in nsObjectLoadingContent, but I've seen some
elsewhere, I'm pretty sure) that looks like this:
    nsIFrame* frame = shell->GetPrimaryFrameFor(content);
    // Do something that might cause the frame to be destroyed
    if (frame == shell->GetPrimaryFrameFor(content)) {
      // Frame didn't change
    }
The problem is that the frame _might_ have changed. That is, |frame| might be
pointing to deallocated and then reallocated memory which happens to coincide
with the memory where a new frame for |content| got allocated.
Since we allocate frames from an arena with a freelist, and the freelist is
bucketed by size, getting the test above testing true is quite likely for frame
classes that have a size that no other frame class has.
We probably need to go through our GetPrimaryFrameFor() consumers and see which
ones look like this...
-Boris
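The aliasing described above, modelled as an added example (not Gecko code): a one-bucket arena whose freelist hands back the just-freed slot, so the raw-pointer comparison passes even though the frame was destroyed. The WeakFrame type beside it is a hypothetical observer that the shell clears on destruction, showing the kind of check that does notice the reframe.

```cpp
#include <cstdint>
#include <vector>

// Constructed model of a frame arena with a size-bucketed freelist (not Gecko's code).
// All Frames are one size, so they share one bucket and freed slots are reused LIFO.
struct Frame { uint64_t serial; };           // serial identifies the logical frame
// Hypothetical weak reference: cleared by the shell when the watched frame dies.
struct WeakFrame {
    Frame* frame;
    explicit WeakFrame(Frame* f) : frame(f) {}
    Frame* Get() const { return frame; }     // nullptr once the frame was destroyed
};
struct PresShell {
    std::vector<Frame*> freelist;            // the bucket for sizeof(Frame)
    std::vector<WeakFrame*> weakRefs;        // observers to clear in Destroy()
    uint64_t nextSerial = 1;
    Frame* primary = nullptr;
    Frame* Allocate() {
        Frame* f;
        if (!freelist.empty()) { f = freelist.back(); freelist.pop_back(); }
        else f = new Frame;
        f->serial = nextSerial++;
        return f;
    }
    void Destroy(Frame* f) {
        for (WeakFrame* w : weakRefs) if (w->frame == f) w->frame = nullptr;
        freelist.push_back(f);               // slot is free for the next Allocate()
    }
    void Watch(WeakFrame* w) { weakRefs.push_back(w); }
    Frame* GetPrimaryFrameFor() const { return primary; }
    void Reframe() { Destroy(primary); primary = Allocate(); }  // e.g. a style change
    ~PresShell() { delete primary; for (Frame* f : freelist) delete f; }
};

// The pattern from the mail: raw pointer compared across an operation that may reframe.
bool RawPointerCompareSaysUnchanged() {
    PresShell shell; shell.primary = shell.Allocate();
    Frame* frame = shell.GetPrimaryFrameFor();
    uint64_t before = frame->serial;
    shell.Reframe();                         // old frame destroyed, its slot reused
    // Same address but a different frame: the check wrongly reports "didn't change".
    return frame == shell.GetPrimaryFrameFor() && shell.GetPrimaryFrameFor()->serial != before;
}
// Observing destruction instead of comparing addresses catches the reframe.
bool WeakFrameDetectsDestruction() {
    PresShell shell; shell.primary = shell.Allocate();
    WeakFrame weak(shell.GetPrimaryFrameFor()); shell.Watch(&weak);
    shell.Reframe();
    return weak.Get() == nullptr;
}
```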
_______________________________________________
dev-tech-layout mailing list
https://lists.mozilla.org/listinfo/dev-tech-layout