Closed
Bug 1484773
Opened 7 years ago
Closed 7 years ago
Crash in mozilla::dom::DocumentOrShadowRoot::RemoveSheet
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| thunderbird_esr60 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | fixed |
People
(Reporter: calixte, Assigned: emilio)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
This bug was filed from the Socorro interface and is
report bp-769d4303-40c2-4435-a994-b59cf0180819.
=============================================================
Top 10 frames of crashing thread:
0 XUL mozilla::dom::DocumentOrShadowRoot::RemoveSheet xpcom/ds/nsTArray.h:509
1 XUL mozilla::dom::ShadowRoot::RemoveSheet dom/base/ShadowRoot.cpp:395
2 XUL nsStyleLinkElement::DoUpdateStyleSheet dom/base/nsStyleLinkElement.cpp:351
3 XUL mozilla::dom::HTMLStyleElement::UnbindFromTree dom/html/HTMLStyleElement.cpp:131
4 XUL mozilla::dom::FragmentOrElement::cycleCollection::Unlink dom/base/FragmentOrElement.cpp:1471
5 XUL nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:3437
6 XUL nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3808
7 XUL nsCycleCollector_collectSlice xpcom/base/nsCycleCollector.cpp:4394
8 XUL nsJSContext::RunCycleCollectorSlice dom/base/nsJSEnvironment.cpp:1563
9 XUL ICCRunnerFired dom/base/nsJSEnvironment.cpp:1622
=============================================================
There are 9 crashes in nightly 63 starting with buildid 20180818100051.
:emilio, could you investigate please ?
Flags: needinfo?(emilio)
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 1•7 years ago
|
||
This is technically a regression from bug 1483882. But the code was making the wrong assumption before.
Blocks: 1483882
|
|
Assignee | |
Comment 2•7 years ago
|
||
Bug 1483882 removed the line that used to remove the SHADOW_TREE bit during
unbind. I missed this caller which still assumed that `IsInShadowTree() ->
GetContainingShadow()`.
That means that before that patch it was going through
nsIDocument::RemoveStyleSheet, which looks pretty wrong to me.
Fix it so that we don't remove the stylesheet (we weren't doing it before
anyway), but we don't crash.
|
||
Comment 3•7 years ago
|
||
Comment on attachment 9002589 [details]
Containing shadow could be null after unlink.
Olli Pettay [:smaug] has approved the revision.
Attachment #9002589 -
Flags: review+
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/1598dc35d16a
Containing shadow could be null after unlink. r=smaug
|
||
Updated•7 years ago
|
Priority: -- → P1
|
||
Comment 5•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
|
||
Updated•7 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•