
Crash in AtomSelector_ClearEntry

Status: UNCONFIRMED
Product: Core
Component: CSS Parsing and Computation
Priority: --
Severity: critical
Reported: 5 months ago
Modified: 5 months ago
Reporter: Robert Hartmann
Assignee: Unassigned
Tracking: Not tracked

Description

5 months ago
Firefox 53.0 Crash Report [@ AtomSelector_ClearEntry ] 

Just scrolling on Microsoft Website having JavaScript activated.

This bug was filed from the Socorro interface and is report bp-dcd5c83a-f1b0-400a-8bde-27c040170426.
=============================================================

0 	xul.dll 	AtomSelector_ClearEntry 	layout/style/nsCSSRuleProcessor.cpp:788
1 	xul.dll 	PLDHashTable::~PLDHashTable() 	xpcom/glue/PLDHashTable.cpp:305
2 	xul.dll 	RuleCascadeData::~RuleCascadeData() 	layout/style/nsCSSRuleProcessor.cpp:872
3 	xul.dll 	RuleCascadeData::`scalar deleting destructor'(unsigned int) 	
4 	xul.dll 	nsCSSRuleProcessor::ClearRuleCascades() 	layout/style/nsCSSRuleProcessor.cpp:3148
5 	xul.dll 	nsCSSRuleProcessor::~nsCSSRuleProcessor() 	layout/style/nsCSSRuleProcessor.cpp:1029
6 	xul.dll 	nsCSSRuleProcessor::`scalar deleting destructor'(unsigned int) 	
7 	xul.dll 	mozilla::StyleSheet::DeleteCycleCollectable() 	layout/style/StyleSheet.cpp:64
8 	xul.dll 	nsJSContext::cycleCollection::DeleteCycleCollectable(void*) 	dom/base/nsJSEnvironment.h:46
9 	xul.dll 	SnowWhiteKiller::~SnowWhiteKiller() 	xpcom/base/nsCycleCollector.cpp:2664
10 	xul.dll 	nsPurpleBuffer::RemoveSkippable(nsCycleCollector*, bool, bool, void (*)(void)) 	xpcom/base/nsCycleCollector.cpp:2816
11 	xul.dll 	nsCycleCollector::ForgetSkippable(bool, bool) 	xpcom/base/nsCycleCollector.cpp:2863
12 	xul.dll 	nsCycleCollector_forgetSkippable(bool, bool) 	xpcom/base/nsCycleCollector.cpp:4096
13 	xul.dll 	FireForgetSkippable 	dom/base/nsJSEnvironment.cpp:1238
14 	xul.dll 	CCTimerFired 	dom/base/nsJSEnvironment.cpp:1811
15 	xul.dll 	nsTimerImpl::Fire(int) 	xpcom/threads/nsTimerImpl.cpp:479
16 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/TimerThread.cpp:297
17 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1240
18 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:96
19 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:231
20 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:211
21 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp:156
22 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp:262
23 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp:283
24 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp:4477
25 	xul.dll 	XREMain::XRE_main(int, char** const, mozilla::BootstrapConfig const&) 	toolkit/xre/nsAppRunner.cpp:4654
26 	xul.dll 	XRE_main(int, char** const, mozilla::BootstrapConfig const&) 	toolkit/xre/nsAppRunner.cpp:4745
27 	xul.dll 	mozilla::BootstrapImpl::XRE_main(int, char** const, mozilla::BootstrapConfig const&) 	toolkit/xre/Bootstrap.cpp:45
28 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:115
29 	firefox.exe 	__scrt_common_main_seh 	f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253
30 	kernel32.dll 	BaseThreadInitThunk 	
31 	ntdll.dll 	__RtlUserThreadStart 	
32 	ntdll.dll 	_RtlUserThreadStart

Updated

5 months ago
Component: General → CSS Parsing and Computation
Product: Firefox → Core
This seems to be a null-dereference crash because mSelectors.mHdr is null. (The calls ~nsTArray_Impl calling nsTArray_Impl::Clear calling nsTArray_Impl::RemoveElementsAt are inlined, so it's part of the setup for a call to ShiftData.)

It's not clear how it would have ended up being null.