Closed Bug 337889 Opened 18 years ago Closed 18 years ago

crash [@ nsCSSDocumentRule::URL::URL]

Categories

(Core :: CSS Parsing and Computation, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: timeless, Assigned: dbaron)

References

()

Details

(Keywords: crash, verified1.8.0.9, verified1.8.1.1, Whiteboard: [patch])

Crash Data

Attachments

(1 file)

http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/style/nsCSSRules.h&mark=187&rev=MOZILLA_1_8_0_BRANCH#187 this kinda implies that the second constructor had to deal w/ the first constructor. Incident ID: 18656854 Stack Signature nsCSSDocumentRule::URL::URL dd6b2d33 Product ID Firefox15 Build ID 2006042618 Trigger Time 2006-05-13 16:39:07.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module FIREFOX.EXE + (002b8b9c) URL visited User Comments Since Last Crash 18512 sec Total Uptime 637447 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/style/nsCSSRules.h, line 187 Stack Trace nsCSSDocumentRule::URL::URL [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/style/nsCSSRules.h, line 187] nsSupportsArray::EnumerateForwards [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/ds/nsSupportsArray.cpp, line 627] XPTC_InvokeByIndex [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152] XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444] js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177] js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3562] js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197] nsXPCWrappedJSClass::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1372] nsXPCWrappedJS::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 462] SharedStub [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1684] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1785] nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1601] nsXULDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp, line 1243] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2136] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleChromeEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2834] nsGlobalWindow::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1588] nsDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4045] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2123] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] nsXULElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2133] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6374] PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6210] nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2559] nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246] HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5982] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6233] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434] USER32.dll + 0x8654 (0x77d48654) USER32.dll + 0x8723 (0x77d48723) USER32.dll + 0x8999 (0x77d48999) USER32.dll + 0x8a12 (0x77d48a12) nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151] main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x2141a (0x77e8141a)
This is 100% reproducible on 2.0RC1 and WinXP with the following steps: Install the Stylish and JSView extensions. In Stylish, create a new style with a -moz-doc rule and save. From Stylish's Manage dialog, toggle the Enabled checkbox 3 times. Crash. I've investigated this a bit, and here's the sequence of events that I believe is causing the crash: To get around the fact that the stylesheet service doesn't apply styles to already-opened documents, Stylish puts html:links in every document. (Note that on trunk the stylesheet service DOES apply styles to open documents, so Stylish does nothing with html:links and this crash is not reproducible with this method). JSView places a nsIWebProgressListener on every content document and fires an action on location change and on state change. Stylish putting html:links fires the state change case. This eventually ends up calling code which tries to loop through the CSS rules of the new stylesheet. The crash occurs when trying to access stylesheet.cssRules[n] (specifically, line 797 of jsViewOverlay.js in JSView 1.1.7.)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Oh, I see. Timeless pointed out the bug in the first comment, but so cryptically that I didn't notice.
Attached patch patchSplinter Review
Attachment #241416 - Flags: superreview?(bzbarsky)
Attachment #241416 - Flags: review?(bzbarsky)
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Attachment #241416 - Flags: superreview?(bzbarsky)
Attachment #241416 - Flags: superreview+
Attachment #241416 - Flags: review?(bzbarsky)
Attachment #241416 - Flags: review+
Checked in to trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 241416 [details] [diff] [review] patch too late for this, not a topcrash, moving out to 1.8.1.1 noms
Attachment #241416 - Flags: approval1.8.1?
Attachment #241416 - Flags: approval1.8.1.1?
Attachment #241416 - Flags: approval1.8.1-
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Comment on attachment 241416 [details] [diff] [review] patch a=mconnor on behalf of drivers for 1.8.0.9 and 1.8.1.1 checkin
Attachment #241416 - Flags: approval1.8.1.1?
Attachment #241416 - Flags: approval1.8.1.1+
Attachment #241416 - Flags: approval1.8.0.9?
Attachment #241416 - Flags: approval1.8.0.9+
Checked in to MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH.
v.fixed on 1.8.0 and 1.8.1 branches with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.9pre) Gecko/20061128 Firefox/1.5.0.9pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061128 BonEcho/2.0.0.1pre No crash after following steps in comment #1. It would be nice if Jason can also confirm this fix. Jason: Could you please try reproducing this again with a recent 1.8.0 and/or 1.8.1 nightly build?
Crash Signature: [@ nsCSSDocumentRule::URL::URL]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: