Closed Bug 1735484 Opened 3 months ago Closed 3 months ago

Crash in [@ nsRefreshDriver::RemoveImageRequest]

Categories

(Core :: Layout, defect)

Unspecified
All
defect

Tracking

()

RESOLVED FIXED
95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- fixed

People

(Reporter: gsvelto, Assigned: florian)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/cdbdae7c-3abe-4b43-8971-0b7ae0211013

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsRefreshDriver::RemoveImageRequest layout/base/nsRefreshDriver.cpp:1397
1 xul.dll static nsLayoutUtils::DeregisterImageRequest layout/base/nsLayoutUtils.cpp:7774
2 xul.dll nsImageLoadingContent::FrameDestroyed dom/base/nsImageLoadingContent.cpp:855
3 xul.dll nsImageFrame::DestroyFrom layout/generic/nsImageFrame.cpp:385
4 xul.dll nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:469
5 xul.dll nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:469
6 xul.dll nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:469
7 xul.dll nsContainerFrame::DestroyFrom layout/generic/nsContainerFrame.cpp:227
8 xul.dll nsBlockFrame::DestroyFrom layout/generic/nsBlockFrame.cpp:469
9 xul.dll mozilla::DetailsFrame::DestroyFrom layout/generic/DetailsFrame.cpp:81

Found this during nightly crash triage. Low volume but increasing over time. This is a NULL pointer access to something when setting the profiler marker. Given there's multiple accesses in the expression it's hard to tell which one is NULL. NI?ing myself to crack open a minidump and figure out what's going on.

Flags: needinfo?(gsvelto)

Seems like Florian added these markers in bug 1723181. aPresContext likely needs a null-check here.

Flags: needinfo?(florian)
Regressed by: 1723181
Has Regression Range: --- → yes

Cracked open a minidump and indeed this->mPresContext is null.

Flags: needinfo?(gsvelto)

Set release status flags based on info from the regressing bug 1723181

Assignee: nobody → florian
Status: NEW → ASSIGNED
Flags: needinfo?(florian)
Pushed by fqueze@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e463a4894dbb
avoid crashing in nsRefreshDriver::RemoveImageRequest when mPresContext is null, r=emilio.
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
You need to log in before you can comment on or make changes to this bug.