Closed
Bug 416461
Opened 17 years ago
Closed 16 years ago
Crash [@ nsStyleContext::Release] on reload with mathml element and menupopup
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: martijn.martijn, Assigned: MatsPalmgren_bugz)
References
Details
(5 keywords, Whiteboard: [sg:critical] post-1.8-branch [fixed by 431705])
Crash Data
Attachments
(1 file, 1 obsolete file)
|
243 bytes,
application/vnd.mozilla.xul+xml
|
Details |
See testcase, which crashes with current trunk build on reload. This regressed on trunk between 2008-01-09 and 2008-01-10: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-09+04&maxdate=2008-01-10+06&cvsroot=%2Fcvsroot Regression from bug 404146 or bug 404192 http://crash-stats.mozilla.com/report/index/e2985d57-d6a1-11dc-ae09-001a4bd43ef6 0 @0x25a161f 1 nsStyleContext::Release() nsStyleContext.h:92 2 nsFrame::~nsFrame() mozilla/layout/generic/nsFrame.cpp:350 3 nsAreaFrame::`scalar deleting destructor'(unsigned int) 4 nsFrame::Destroy() mozilla/layout/generic/nsFrame.cpp:510 5 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:299 6 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:314 7 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67 8 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:257 9 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67 10 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:257 11 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameList.cpp:67 12 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:257 13 nsFrameManager::Destroy() mozilla/layout/base/nsFrameManager.cpp:283 14 PresShell::Destroy() mozilla/layout/base/nsPresShell.cpp:1673 15 DocumentViewerImpl::Destroy() mozilla/layout/base/nsDocumentViewer.cpp:1522 16 DocumentViewerImpl::Show() mozilla/layout/base/nsDocumentViewer.cpp:1842 17 nsPresContext::EnsureVisible(int) mozilla/layout/base/nsPresContext.cpp:1449 18 PresShell::UnsuppressAndInvalidate() mozilla/layout/base/nsPresShell.cpp:4247 19 PresShell::UnsuppressPainting() mozilla/layout/base/nsPresShell.cpp:4307 20 DocumentViewerImpl::LoadComplete(unsigned int) mozilla/layout/base/nsDocumentViewer.cpp:1013 21 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) mozilla/docshell/base/nsDocShell.cpp:5031 22 nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) mozilla/docshell/base/nsWebShell.cpp:1013 23 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) mozilla/docshell/base/nsDocShell.cpp:4931
|
||
Comment 1•17 years ago
|
||
Crashes calling 0xdddddddd for me on Mac.
Group: security
Flags: blocking1.9?
Whiteboard: [sg:critical]
|
|
||
Updated•17 years ago
|
OS: Windows XP → All
Hardware: PC → All
|
Reporter | |
Comment 2•17 years ago
|
||
It doesn't crash on branch.
|
|
||
Updated•17 years ago
|
Whiteboard: [sg:critical] → [sg:critical] post-1.8-branch
|
|
||
Comment 3•17 years ago
|
||
I just changed "display: -moz-initial" to "display: inline" to improve clarity and compatibility.
Attachment #302219 -
Attachment is obsolete: true
Flags: blocking1.9? → blocking1.9+
Priority: -- → P4
Flags: wanted1.9.0.x+
Flags: blocking1.9-
|
||
Updated•17 years ago
|
Flags: tracking1.9+
|
||
Updated•17 years ago
|
Flags: wanted1.8.1.x-
Does the patch in bug 431705 fix this?
|
Assignee | |
Comment 5•16 years ago
|
||
That seems very likely, yes. The testcase uses -moz-box-ordinal-group and my latest local patch makes the crash go away - I'll dig a little deeper looking at the frame trees to be sure... I'll have the new patch ready for review in a day or two.
Assignee: nobody → mats.palmgren
Depends on: 431705
|
|
Reporter | |
Comment 6•16 years ago
|
||
Still crashes, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: P4 → P3
|
||
Comment 7•16 years ago
|
||
I am adding this to our "Top Security Bugs" list. Please treat this as a top priority.
|
|
Assignee | |
Comment 8•16 years ago
|
||
FYI, bug 431705 contains fix + crashtest for this, will land after beta2.
Whiteboard: [sg:critical] post-1.8-branch → [sg:critical] post-1.8-branch [fixed by 431705]
|
|
Assignee | |
Comment 9•16 years ago
|
||
Fixed by bug 431705. Holding the crashtest until Firefox 3.0.x is fixed.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
|
|
Assignee | |
Updated•16 years ago
|
Keywords: fixed1.9.1
|
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x+
|
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6?
|
|
||
Comment 10•16 years ago
|
||
Marking fixed1.9.0.6 for verification because bug 431705 has landed on cvs-trunk.
Flags: blocking1.9.0.6? → blocking1.9.0.6+
Keywords: fixed1.9.0.6
|
||
Comment 12•16 years ago
|
||
Verified for 1.9.0.6 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6pre) Gecko/2009010504 GranParadiso/3.0.6pre.
Keywords: fixed1.9.0.6 → verified1.9.0.6
|
||
Comment 13•16 years ago
|
||
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090122 Shiretoko/3.1b3pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre In the testcase, any reason why the perimeter of the box area does not stretch fully across the screen on trunk? It's maximized on branch.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
|
|
||
Updated•16 years ago
|
Group: core-security
|
|
||
Updated•16 years ago
|
Flags: in-testsuite? → in-testsuite+
|
||
Updated•13 years ago
|
Crash Signature: [@ nsStyleContext::Release]
You need to log in
before you can comment on or make changes to this bug.
Description
•