Closed
Bug 1484773
Opened 6 years ago
Closed 6 years ago
Crash in mozilla::dom::DocumentOrShadowRoot::RemoveSheet
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| thunderbird_esr60 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | fixed |
People
(Reporter: calixte, Assigned: emilio)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
This bug was filed from the Socorro interface and is report bp-769d4303-40c2-4435-a994-b59cf0180819. ============================================================= Top 10 frames of crashing thread: 0 XUL mozilla::dom::DocumentOrShadowRoot::RemoveSheet xpcom/ds/nsTArray.h:509 1 XUL mozilla::dom::ShadowRoot::RemoveSheet dom/base/ShadowRoot.cpp:395 2 XUL nsStyleLinkElement::DoUpdateStyleSheet dom/base/nsStyleLinkElement.cpp:351 3 XUL mozilla::dom::HTMLStyleElement::UnbindFromTree dom/html/HTMLStyleElement.cpp:131 4 XUL mozilla::dom::FragmentOrElement::cycleCollection::Unlink dom/base/FragmentOrElement.cpp:1471 5 XUL nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:3437 6 XUL nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3808 7 XUL nsCycleCollector_collectSlice xpcom/base/nsCycleCollector.cpp:4394 8 XUL nsJSContext::RunCycleCollectorSlice dom/base/nsJSEnvironment.cpp:1563 9 XUL ICCRunnerFired dom/base/nsJSEnvironment.cpp:1622 ============================================================= There are 9 crashes in nightly 63 starting with buildid 20180818100051. :emilio, could you investigate please ?
Flags: needinfo?(emilio)
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 1•6 years ago
|
||
This is technically a regression from bug 1483882. But the code was making the wrong assumption before.
Blocks: 1483882
|
|
Assignee | |
Comment 2•6 years ago
|
||
Bug 1483882 removed the line that used to remove the SHADOW_TREE bit during unbind. I missed this caller which still assumed that `IsInShadowTree() -> GetContainingShadow()`. That means that before that patch it was going through nsIDocument::RemoveStyleSheet, which looks pretty wrong to me. Fix it so that we don't remove the stylesheet (we weren't doing it before anyway), but we don't crash.
|
||
Comment 3•6 years ago
|
||
Comment on attachment 9002589 [details]
Containing shadow could be null after unlink.
Olli Pettay [:smaug] has approved the revision.
Attachment #9002589 -
Flags: review+
Pushed by emilio@crisal.io: https://hg.mozilla.org/integration/autoland/rev/1598dc35d16a Containing shadow could be null after unlink. r=smaug
|
||
Updated•6 years ago
|
Priority: -- → P1
|
||
Comment 5•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1598dc35d16a
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•