Closed Bug 220464 Opened 21 years ago Closed 21 years ago

Crash on www.floppymoose.com/weblog [@ SelectorMatchesTree]

Categories

(Core :: DOM: Core & HTML, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: dev+mozilla, Assigned: jst)

Details

(Keywords: crash, regression)

Attachments

(3 files, 2 obsolete files)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20030729
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6a) Gecko/20030927

Visiting http://www.floppymoose.com/weblog instantly crashes today's Mozilla CVS
build on Linux. This crash doesn't occur on a 20030912 CVS build.

Yesterday's Nightly on WinXP doesn't crash.

Reproducible: Always

Steps to Reproduce:
1. Visit URL.
Actual Results:  
crash

Expected Results:  
no crash
Keywords: crash, regression
Obviously not a Bookmarks bug.
->B-G
Assignee: pierre_tmp → general
Component: Bookmarks → Browser-General
QA Contact: petersen → general
OK, I think this is a checkin from jst.

#0  0x40fb01f6 in SelectorMatchesTree (data=@0xbfffec90, aSelector=0x89328a0) at 
/mozilla2/mozilla/content/html/style/src/nsCSSStyleSheet.cpp:3949 
#1  0x40fb02cd in ContentEnumFunc (aRule=0x8933b80, aSelector=0x8950c18, 
aData=0xbfffec90) at 
/mozilla2/mozilla/content/html/style/src/nsCSSStyleSheet.cpp:3970 
#2  0x40fa607a in RuleHash::EnumerateAllRules(int, nsIAtom*, nsIAtom*, nsVoidArray 
const&, void (*)(nsICSSStyleRule*, nsCSSSelector*, void*), void*) (this=0x8116698, 
aNameSpace=3, aTag=0x80cebc8, aID=0x0, aClassList=@0xbfffebb0, 
aFunc=0x40fb027c <ContentEnumFunc>, aData=0xbfffec90) at 
/mozilla2/mozilla/content/html/style/src/nsCSSStyleSheet.cpp:624 
#3  0x40fb0387 in CSSRuleProcessor::RulesMatching(ElementRuleProcessorData*, 
nsIAtom*) (this=0x8a06ab0, aData=0xbfffec90, aMedium=0x80cf3b0) at 
/mozilla2/mozilla/content/html/style/src/nsCSSStyleSheet.cpp:4001 
#4  0x40e50349 in EnumRulesMatching (aProcessor=0x8a06ab0, aData=0xbfffec90) at 
/mozilla2/mozilla/content/base/src/nsStyleSet.cpp:980 
#5  0x408f4938 in nsSupportsArray::EnumerateForwards(int (*)(nsISupports*, void*), 
void*) (this=0x86f2fb0, aFunc=0x40e5031c <EnumRulesMatching>, aData=0xbfffec90) 
at /mozilla2/mozilla/xpcom/ds/nsSupportsArray.cpp:643 
#6  0x40e506be in StyleSetImpl::FileRules(int (*)(nsISupports*, void*), 
RuleProcessorData*) (this=0x882dd70, aCollectorFunc=0x40e5031c 
<EnumRulesMatching>, aData=0xbfffec90) at 
/mozilla2/mozilla/content/base/src/nsStyleSet.cpp:1074 
#7  0x40e513f4 in StyleSetImpl::ResolveStyleFor(nsIPresContext*, nsIContent*, 
nsStyleContext*) (this=0x882dd70, aPresContext=0x8a08678, aContent=0x8811f28, 
aParentContext=0x8a68b50) at /mozilla2/mozilla/content/base/src/nsStyleSet.cpp:1200 
#8  0x40da6fc9 in nsPresContext::ResolveStyleContextFor(nsIContent*, 
nsStyleContext*) (this=0x8a08678, aContent=0x8811f28, aParentContext=0x8a68b50) 
at /mozilla2/mozilla/layout/base/src/nsPresContext.cpp:926 
#9  0x40cee687 in nsCSSFrameConstructor::ResolveStyleContext(nsIPresContext*, 
nsIFrame*, nsIContent*) (this=0x8a0cc28, aPresContext=0x8a08678, 
aParentFrame=0x8a68bbc, aContent=0x8811f28) at 
/mozilla2/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:6618 
#10 0x40cef254 in nsCSSFrameConstructor::ConstructFrame(nsIPresShell*, 
nsIPresContext*, nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) 
(this=0x8a0cc28, aPresShell=0x8826f40, aPresContext=0x8a08678, 
aState=@0xbfffeea0, aContent=0x8811f28, aParentFrame=0x8a68bbc, 
aFrameItems=@0xbfffef78) at 
/mozilla2/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp:7066 
Assignee: general → jst
Component: Browser-General → DOM Other
Summary: Crash on www.floppymoose.com/weblog → Crash on www.floppymoose.com/weblog [@SelectorMatchesTree]
*** Bug 220444 has been marked as a duplicate of this bug. ***
*** Bug 220449 has been marked as a duplicate of this bug. ***
*** Bug 220462 has been marked as a duplicate of this bug. ***
Attached patch Fix? (obsolete)
Could someone try out this patch and see if it fixes the crash?
Comment on attachment 132257
Fix?

Seems to fix it for me. Also see
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=nsCSSStyleSheet.cpp&branch=&root=/cvsroot&subdir=mozilla/content/html/style/src&command=DIFF_FRAMESET&rev1=3.272&rev2=3.273
Attachment #132257 - Flags: superreview?(jst)
Attachment #132257 - Flags: review?(jst)
*** Bug 220481 has been marked as a duplicate of this bug. ***
*** Bug 220490 has been marked as a duplicate of this bug. ***
Yes, the patch fixes the immediate crash at the URL (and others), but there must
be more errors introduced by bug 215981; I now crash on exit instead.
At some URLs, for example http://www.johntynes.com/, the crash is still immediate
but now at nsLineLayout::VerticalAlignFrames.
*** Bug 220485 has been marked as a duplicate of this bug. ***
Attachment #132257 - Attachment is obsolete: true
Attachment #132274 - Flags: superreview?(jst)
Attachment #132274 - Flags: review+
Does this affect the 1.5 branch? If so, this should be a blocker for 1.5 since
it affects a lot of pages.
beanladen: I don't see how this can affect the 1.5 branch, as bug 215981 landed
only on the 1.6a trunk.

/be
Comment on attachment 132274
Patch2

Why do we need any refcounting in this function at all, given the new APIs? 
Why not get rid of it?
jst is out for the weekend, so he won't be reviewing anything, and dbaron is
right -- all the refcounting should just be removed.

I'll be posting a patch to that effect in a few.
And for that matter, |lastContent| could be removed as well, I think.  And
perhaps some other general cleanup...
Actually, both content variables can be removed, and I'll have a patch shortly.
Attached patch patch
Eliminate both content variables and thus all refcounting of them.
Attachment #132274 - Attachment is obsolete: true
Comment on attachment 132290
patch (diff -uw, for review)

r+sr=bzbarsky. Excellent.
Attachment #132290 - Flags: superreview+
Attachment #132290 - Flags: review+
*** Bug 220521 has been marked as a duplicate of this bug. ***
*** Bug 220515 has been marked as a duplicate of this bug. ***
Fix checked in, 2003-09-26 22:30 -0700.

Not marking fixed quite yet in an effort to reduce duplicates.
*** Bug 220552 has been marked as a duplicate of this bug. ***
*** Bug 220764 has been marked as a duplicate of this bug. ***
OS: Linux → All
*** Bug 220862 has been marked as a duplicate of this bug. ***
Attachment #132257 - Flags: superreview?(jst)
Attachment #132257 - Flags: review?(jst)
Attachment #132274 - Flags: superreview?(jst)
*** Bug 221192 has been marked as a duplicate of this bug. ***
*** Bug 221498 has been marked as a duplicate of this bug. ***
Summary: Crash on www.floppymoose.com/weblog [@SelectorMatchesTree] → Crash on www.floppymoose.com/weblog [@ SelectorMatchesTree]
Marking fixed as there haven't been any dupes for a week now.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Crash Signature: [@ SelectorMatchesTree]
Component: DOM → DOM: Core & HTML