Bug 329044: Crash [@ nsCSSFrameConstructor::WipeContainingBlock]
Status: RESOLVED DUPLICATE of bug 291902
Opened 18 years ago
Closed 18 years ago
Categories: (Core :: Layout, defect)
People: (Reporter: jay, Assigned: sicking)
Keywords: crash, testcase
Despite the crash fixes in Bug 309120 and Bug 317549, I am still seeing a crash with the latest 1.8.0 builds:

v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1

I am seeing what appears to be a new crash when loading the testcases in both of the bugs mentioned above:

Incident ID: 15807551
Stack Signature nsCSSFrameConstructor::WipeContainingBlock ea37d85e
Email Address jay@mozilla.org
Product ID Firefox15
Build ID 2006030105
Trigger Time 2006-03-01 17:23:39.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (001862f0)
URL visited bug 309120
User Comments testcase 1: 1 nsCSSFrameConstructor ContentAppended
Since Last Crash 845 sec
Total Uptime 2750 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462
Stack Trace
nsCSSFrameConstructor::WipeContainingBlock [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462]
nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9471]
PresShell::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5487]
doInsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2780]
nsGenericElement::InsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2719]
nsGenericElement::InsertBefore [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3019]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4171]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6360]
nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6723]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

---------------------

Incident ID: 15807086
Stack Signature nsCSSFrameConstructor::WipeContainingBlock ea37d85e
Email Address jay@mozilla.org
Product ID Firefox15
Build ID 2006030105
Trigger Time 2006-03-01 17:05:58.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (001862f0)
URL visited https://bugzilla.mozilla.org/show_bug.cgi?id=317549
User Comments
Since Last Crash 1859 sec
Total Uptime 1859 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462
Stack Trace
nsCSSFrameConstructor::WipeContainingBlock [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462]
nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9471]
PresShell::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5487]
doInsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2780]
nsGenericElement::InsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2719]
nsGenericElement::InsertBefore [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3019]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4171]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6360]
nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6723]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

I think Jonas knows about this from the comments from DaveL in those bugs, but the bug that he refers to showed a different stack, so just wanted to make sure we knew about this. I have not had a chance to reproduce on the Trunk or 1.0.x branches, but we need to look into this.
Reporter
Comment 1•18 years ago
The bug for the other resulting crash is bug 317544, but the stack is different from the notably identical stacktraces below (from 2 different testcases?).
Reporter
Comment 2•18 years ago
Nominating blocking1.8.0.2 so we can get to the bottom of this crash trail.
Flags: blocking1.8.0.2?
Comment 3•18 years ago
That looks to me like bug 291902 (fixed trunk only). It's a null-deref crash; not exploitable. I suppose we could land that patch on the branches; the fix is pretty safe, imo. Nominate as needed, please?
Depends on: 291902
Comment 4•18 years ago
If this crash is not exploitable, I'm tempted to recommend we push this to 1.5.0.3. Jay, can you please check this on the trunk?
Reporter
Comment 5•18 years ago
v.fixed on Trunk with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060302 Firefox/1.6a1.

No crashes with any of the testcases from the bugs I mentioned before (unpacked testcases locally):

bug 309120 (https://bugzilla.mozilla.org/attachment.cgi?id=197691) - opened all 3 test pages, they did their thing and no crash by the time they were done.
bug 317549 (https://bugzilla.mozilla.org/attachment.cgi?id=205811) - no crash with the test page.

Since this is a safe patch (according to bz), I think it would be good to get it checked in to get rid of this crasher on the 1.8.0 branch as well.
Comment 6•18 years ago
null deref, too late in 1.8.0.2 for a non-critical fix.
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-
Comment 7•18 years ago
*** This bug has been marked as a duplicate of 291902 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated•18 years ago
Flags: blocking1.8.0.3?
Updated•13 years ago
Crash Signature: [@ nsCSSFrameConstructor::WipeContainingBlock]