Closed Bug 1423250 Opened 3 years ago Closed 3 years ago

Crash in nsCSSFrameConstructor::ShouldCreateItemsForChild


(Core :: DOM: Core & HTML, defect, P1)




Tracking Status
firefox59 + fixed


(Reporter: marcia, Unassigned)



(Keywords: crash, regression, reproducible, Whiteboard: [adv-main59-])

Crash Data

This bug was filed from the Socorro interface and is
report bp-9371923b-d41a-4005-b54d-33b300171205.

Seen while looking at nightly crash stats - crashes started using 20171204220337: Appears to be Mac only crash.

Possible regression range based on build ID:

Top 10 frames of crashing thread:

0 XUL nsCSSFrameConstructor::ShouldCreateItemsForChild dom/base/nsWrapperCache.h:290
1 XUL nsCSSFrameConstructor::AddFrameConstructionItemsInternal layout/base/nsCSSFrameConstructor.cpp:6093
2 XUL nsCSSFrameConstructor::AddFrameConstructionItems layout/base/nsCSSFrameConstructor.cpp:5804
3 XUL nsCSSFrameConstructor::ProcessChildren layout/base/nsCSSFrameConstructor.cpp:11172
4 XUL nsCSSFrameConstructor::ConstructBlock layout/base/nsCSSFrameConstructor.cpp:12132
5 XUL nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor layout/base/nsCSSFrameConstructor.cpp:5089
6 XUL nsCSSFrameConstructor::ConstructNonScrollableBlock layout/base/nsCSSFrameConstructor.cpp:5053
7 XUL nsCSSFrameConstructor::ConstructFrameFromItemInternal layout/base/nsCSSFrameConstructor.cpp:4000
8 XUL nsCSSFrameConstructor::ConstructFramesFromItem layout/base/nsCSSFrameConstructor.cpp:6339
9 XUL nsCSSFrameConstructor::ProcessChildren layout/base/nsCSSFrameConstructor.cpp:10876

Changing Platform to all since this affects Window and Linux as well.
OS: Mac OS X → All
Hardware: Unspecified → All
I can reproduce this reliably on a private web app using Nightly. I can provide access if needed.
Last good revision: 08e8c61d3c5a85a9fae9f993092133dbe904abc2
First bad revision: 3fa14b7a60a4b258884725a128403a6d7a2a69a8

which is bug 1409975
Blocks: 1409975
Has Regression Range: --- → yes
Flags: needinfo?(jjong)
Keywords: reproducible
Crash Signature: [@ nsCSSFrameConstructor::ShouldCreateItemsForChild] → [@ nsCSSFrameConstructor::ShouldCreateItemsForChild] [@ mozilla::dom::ExplicitChildIterator::GetNextChild]
This is probably same as Bug 1422931. We can see if there are still crashes after Bug 1422931 lands. Keep the NI for tracking.
Crash Signature: [@ nsCSSFrameConstructor::ShouldCreateItemsForChild] [@ mozilla::dom::ExplicitChildIterator::GetNextChild] → [@ nsCSSFrameConstructor::ShouldCreateItemsForChild] [@ mozilla::dom::ExplicitChildIterator::GetNextChild] [@ nsCSSFrameConstructor::ProcessChildren]
[Tracking Requested - why for this release]:

Guess what Google put on their home page today:

"Skydive with Santa and boogie with elves in Santa’s Village" unless you're in Nightly where it crashes every time. :-(
Priority: -- → P1
I enabled dom.webcomponents.enabled and it does not crash anymore (but it does not render correctly either), so it should be related to bug 1422931. It should be fixed soon, sorry for the incovenience. :(
Flags: needinfo?(jjong)
Tracking 59+ due to high volume in nightly on at least one signature.
Closed: 3 years ago
Resolution: --- → DUPLICATE
See Also: 1422931
Duplicate of bug: 1422931
Group: core-security → layout-core-security
Group: layout-core-security → dom-core-security
Component: Layout → DOM
Just to mention one other set of STR here: a few of the crash reports mention , and I was able to reproduce by using that add-on in a fresh Nightly profile.

(Specifically: I installed the addon, and then logged into gmail with a throwaway Gmail account (to be on the safe side), and then clicked the add-on in my toolbar, and then clicked an email message in the addon's dropdown menu. That crashed: bp-87167118-6188-438b-9556-bba8e0171207 )
I tested '' now that Bug 1422931 has landed and I don't see the crash anymore.
Whiteboard: [adv-main59-]
Group: dom-core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.