Bug 329044: Crash [@ nsCSSFrameConstructor::WipeContainingBlock]
Opened 19 years ago, closed 19 years ago
Categories: Core :: Layout, defect
Status: RESOLVED DUPLICATE of bug 291902
People: Reporter: jay, Assigned: sicking
Keywords: crash, testcase
Despite the crash fixes in Bug 309120 and Bug 317549, I am still seeing a crash with the latest 1.8.0 builds: v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060301 Firefox/1.5.0.1
I am seeing what appears to be a new crash when loading the testcases in both of the bugs mentioned above:
Incident ID: 15807551
Stack Signature nsCSSFrameConstructor::WipeContainingBlock ea37d85e
Email Address jay@mozilla.org
Product ID Firefox15
Build ID 2006030105
Trigger Time 2006-03-01 17:23:39.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (001862f0)
URL visited bug 309120
User Comments testcase 1: 1 nsCSSFrameConstructor ContentAppended
Since Last Crash 845 sec
Total Uptime 2750 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462
Stack Trace
nsCSSFrameConstructor::WipeContainingBlock [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462]
nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9471]
PresShell::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5487]
doInsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2780]
nsGenericElement::InsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2719]
nsGenericElement::InsertBefore [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3019]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4171]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6360]
nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6723]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
---------------------
Incident ID: 15807086
Stack Signature nsCSSFrameConstructor::WipeContainingBlock ea37d85e
Email Address jay@mozilla.org
Product ID Firefox15
Build ID 2006030105
Trigger Time 2006-03-01 17:05:58.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (001862f0)
URL visited https://bugzilla.mozilla.org/show_bug.cgi?id=317549
User Comments
Since Last Crash 1859 sec
Total Uptime 1859 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462
Stack Trace
nsCSSFrameConstructor::WipeContainingBlock [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 13462]
nsCSSFrameConstructor::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp, line 9471]
PresShell::ContentInserted [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5487]
doInsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2780]
nsGenericElement::InsertChildAt [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2719]
nsGenericElement::InsertBefore [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3019]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4171]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsGlobalWindow::RunTimeout [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6360]
nsGlobalWindow::TimerCallback [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 6723]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
I think Jonas knows about this from the comments from DaveL in those bugs, but the bug that he refers to showed a different stack, so just wanted to make sure we knew about this.
I have not had a chance to reproduce on the Trunk or 1.0.x branches, but we need to look into this.
Comment 1•19 years ago (Reporter)
The bug for the other resulting crash is bug 317544, but the stack is different from the notably identical stacktraces below (from 2 different testcases?).
Comment 2•19 years ago (Reporter)
Nominating blocking1.8.0.2 so we can get to the bottom of this crash trail.
Flags: blocking1.8.0.2?
Comment 3•19 years ago
That looks to me like bug 291902 (fixed trunk only). It's a null-deref crash; not exploitable.
I suppose we could land that patch on the branches; the fix is pretty safe, imo. Nominate as needed, please?
Depends on: 291902
Comment 4•19 years ago
If this crash is not exploitable, I'm tempted to recommend we push this to 1.5.0.3. Jay, can you please check this on the trunk?
Comment 5•19 years ago (Reporter)
v.fixed on Trunk with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060302 Firefox/1.6a1. No crashes with any of the testcases from the bugs I mentioned before (unpacked testcases locally):
bug 309120 (https://bugzilla.mozilla.org/attachment.cgi?id=197691) - opened all 3 test pages, they did their thing and no crash by the time they were done.
bug 317549 (https://bugzilla.mozilla.org/attachment.cgi?id=205811) - no crash with the test page
Since this is a safe patch (according to bz), I think it would be good to get it checked in to get rid of this crasher on the 1.8.0 branch as well.
Comment 6•19 years ago
null deref, too late in 1.8.0.2 for a non-critical fix.
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-
Comment 7•19 years ago
*** This bug has been marked as a duplicate of 291902 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
Flags: blocking1.8.0.3?
Updated•14 years ago
Crash Signature: [@ nsCSSFrameConstructor::WipeContainingBlock]