Closed Bug 337889 Opened 14 years ago Closed 13 years ago

crash [@ nsCSSDocumentRule::URL::URL]

Categories

(Core :: CSS Parsing and Computation, defect, critical)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: timeless, Assigned: dbaron)

References

()

Details

(Keywords: crash, verified1.8.0.9, verified1.8.1.1, Whiteboard: [patch])

Crash Data

Attachments

(1 file)

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/style/nsCSSRules.h&mark=187&rev=MOZILLA_1_8_0_BRANCH#187

this kinda implies that the second constructor had to deal w/ the first constructor.
  
Incident ID: 18656854
Stack Signature	nsCSSDocumentRule::URL::URL dd6b2d33
Product ID	Firefox15
Build ID	2006042618
Trigger Time	2006-05-13 16:39:07.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	FIREFOX.EXE + (002b8b9c)
URL visited	
User Comments	
Since Last Crash	18512 sec
Total Uptime	637447 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/style/nsCSSRules.h, line 187
Stack Trace 	
nsCSSDocumentRule::URL::URL  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/style/nsCSSRules.h, line 187]
nsSupportsArray::EnumerateForwards  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/ds/nsSupportsArray.cpp, line 627]
XPTC_InvokeByIndex  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
nsXPCWrappedJSClass::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1372]
nsXPCWrappedJS::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 462]
SharedStub  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1684]
nsEventListenerManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1785]
nsGlobalWindow::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1601]
nsXULDocument::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1243]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2136]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleChromeEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2834]
nsGlobalWindow::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1588]
nsDocument::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4045]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2123]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6374]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6210]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5982]
ChildWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6233]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x8654 (0x77d48654)
USER32.dll + 0x8723 (0x77d48723)
USER32.dll + 0x8999 (0x77d48999)
USER32.dll + 0x8a12 (0x77d48a12)
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x2141a (0x77e8141a)
This is 100% reproducible on 2.0RC1 and WinXP with the following steps:

Install the Stylish and JSView extensions. In Stylish, create a new style with a -moz-doc rule and save. From Stylish's Manage dialog, toggle the Enabled checkbox 3 times. Crash.

I've investigated this a bit, and here's the sequence of events that I believe is causing the crash:

To get around the fact that the stylesheet service doesn't apply styles to already-opened documents, Stylish puts html:links in every document. (Note that on trunk the stylesheet service DOES apply styles to open documents, so Stylish does nothing with html:links and this crash is not reproducible with this method).

JSView places a nsIWebProgressListener on every content document and fires an action on location change and on state change. Stylish putting html:links fires the state change case. This eventually ends up calling code which tries to loop through the CSS rules of the new stylesheet. The crash occurs when trying to access stylesheet.cssRules[n] (specifically, line 797 of jsViewOverlay.js in JSView 1.1.7.)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Oh, I see.  Timeless pointed out the bug in the first comment, but so cryptically that I didn't notice.
Attached patch patchSplinter Review
Attachment #241416 - Flags: superreview?(bzbarsky)
Attachment #241416 - Flags: review?(bzbarsky)
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Attachment #241416 - Flags: superreview?(bzbarsky)
Attachment #241416 - Flags: superreview+
Attachment #241416 - Flags: review?(bzbarsky)
Attachment #241416 - Flags: review+
Whiteboard: [patch]
Checked in to trunk.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 241416 [details] [diff] [review]
patch

too late for this, not a topcrash, moving out to 1.8.1.1 noms
Attachment #241416 - Flags: approval1.8.1?
Attachment #241416 - Flags: approval1.8.1.1?
Attachment #241416 - Flags: approval1.8.1-
Attachment #241416 - Flags: approval1.8.1.1?
Attachment #241416 - Flags: approval1.8.1.1?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Attachment #241416 - Flags: approval1.8.0.9?
Comment on attachment 241416 [details] [diff] [review]
patch

a=mconnor on behalf of drivers for 1.8.0.9 and 1.8.1.1 checkin
Attachment #241416 - Flags: approval1.8.1.1?
Attachment #241416 - Flags: approval1.8.1.1+
Attachment #241416 - Flags: approval1.8.0.9?
Attachment #241416 - Flags: approval1.8.0.9+
Checked in to MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH.
v.fixed on 1.8.0 and 1.8.1 branches with 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.9pre) Gecko/20061128 Firefox/1.5.0.9pre 
and 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061128 BonEcho/2.0.0.1pre

No crash after following steps in comment #1.  It would be nice if Jason can also confirm this fix.

Jason:  Could you please try reproducing this again with a recent 1.8.0 and/or 1.8.1 nightly build?
Crash Signature: [@ nsCSSDocumentRule::URL::URL]
You need to log in before you can comment on or make changes to this bug.