Closed Bug 1888592 Opened 2 months ago Closed 2 months ago

Crash in [@ WeakFrame::operator nsIFrame*]

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Platform:
Other
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 --- fixed

People

(Reporter: release-mgmt-account-bot, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1888592 - Terminate mOriginalCaret properly, and fix null crash. r=masayuki,sefeng
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/9010b96f-ee25-4dd1-959d-781dd0240325

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  WeakFrame::operator nsIFrame*  layout/generic/nsIFrame.h:5622
0  libxul.so  nsCaret::SchedulePaint  layout/base/nsCaret.cpp:395
1  libxul.so  mozilla::PresShell::SetCaret  layout/base/PresShell.cpp:2245
2  libxul.so  mozilla::PresShell::RestoreCaret  layout/base/PresShell.cpp:2250
2  libxul.so  mozilla::EditorEventListener::CleanupDragDropCaret  editor/libeditor/EditorEventListener.cpp:976
3  libxul.so  mozilla::EditorEventListener::UninstallFromEditor  editor/libeditor/EditorEventListener.cpp:229
3  libxul.so  mozilla::EditorEventListener::Disconnect  editor/libeditor/EditorEventListener.cpp:207
4  libxul.so  mozilla::EditorBase::RemoveEventListeners  editor/libeditor/EditorBase.cpp:515
4  libxul.so  mozilla::EditorBase::PreDestroyInternal  editor/libeditor/EditorBase.cpp:611
5  libxul.so  mozilla::HTMLEditor::PreDestroy  editor/libeditor/HTMLEditor.cpp:518

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-03-25
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - all crashes happened on null or near null memory address

By analyzing the backtrace, the regression may have been introduced by a patch [1] to fix Bug 1886506.

[1] https://hg.mozilla.org/mozilla-central/rev?node=73c915ed013b

:emilio, since you are the author of the potential regressor, could you please take a look?

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)

We have callers that call RestoreCaret after pres shell shut down.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/649ab0049ed7
Terminate mOriginalCaret properly, and fix null crash. r=masayuki

https://hg.mozilla.org/mozilla-central/rev/649ab0049ed7

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
status-firefox126: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: