Closed Bug 1356755 Opened 3 years ago Closed 3 years ago

Crash in nsINode::Slots with NotifyDocumentTree on the stack

Categories

(Core :: DOM: Core & HTML, defect, critical)

x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- fixed
firefox53 - wontfix
firefox54 + fixed
firefox55 + fixed

People

(Reporter: ehsan, Assigned: ehsan)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

[Tracking Requested - why for this release]: crasher.

This bug was filed from the Socorro interface and is 
report bp-0e97692b-eb36-43f4-811c-592340170414.
=============================================================

Missing null check.  mDoc can be null, and we can crash in a few different ways every once in a while: <https://crash-stats.mozilla.com/signature/?product=Firefox&signature=nsINode%3A%3ASlots&date=%3E%3D2017-04-08T04%3A45%3A00.000Z&date=%3C2017-04-15T04%3A45%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports>
Blocks: 508482
Keywords: regression
Attachment #8858477 - Flags: review?(kyle) → review+
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7c9e059fe6da
Don't pass a null pointer to NotifyDocumentTree(); r=qdot
Comment on attachment 8858477 [details] [diff] [review]
Don't pass a null pointer to NotifyDocumentTree()

Approval Request Comment
[Feature/Bug causing the regression]: Bug 508482
[User impact if declined]: Crash
[Is this code covered by automated tests?]: No, there is no test case for the crash.
[Has the fix been verified in Nightly?]: No, but it's a simple null check.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Simple null check.
[String changes made/needed]: None.
Attachment #8858477 - Flags: approval-mozilla-esr45?
Attachment #8858477 - Flags: approval-mozilla-beta?
Attachment #8858477 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/7c9e059fe6da
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Track 54+ as crash.
Comment on attachment 8858477 [details] [diff] [review]
Don't pass a null pointer to NotifyDocumentTree()

Fix a crash. Aurora54+.
Attachment #8858477 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Tracking 55+. I assume this will be a won't fix for 53 as we are already well in RC.
Comment on attachment 8858477 [details] [diff] [review]
Don't pass a null pointer to NotifyDocumentTree()

I'm going to go out on a limb that the ESR45 request was actually meant for ESR52.
Attachment #8858477 - Flags: approval-mozilla-esr45? → approval-mozilla-esr52?
Too late to land this in 53. This is also a very low frequency crash, 3 crashes each on release and ESR in a week.
Comment on attachment 8858477 [details] [diff] [review]
Don't pass a null pointer to NotifyDocumentTree()

Per comment 10.
Attachment #8858477 - Flags: approval-mozilla-beta?
Comment on attachment 8858477 [details] [diff] [review]
Don't pass a null pointer to NotifyDocumentTree()

There were 0 instances of this crash on ESR52 in the past 7 days, however since the patch is super simple, it doesn't hurt to uplift it. ESR52.2+
Attachment #8858477 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Crash Signature: [@ nsINode::Slots] → [@ nsINode::Slots | mozilla::dom::Element::SetSMILOverrideStyleDeclaration]
The signature changed because of bug 1356756.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.