Crash [@ nsStyleContext::Release] on reload with mathml element and menupopup

VERIFIED FIXED in mozilla1.9.2a1

(Reporter: martijn.martijn, Assigned: mats)


Keywords: crash, regression, testcase, verified1.9.0.6, verified1.9.1
Bug Flags:
blocking1.9.1 +
blocking1.9 -
blocking1.9.0.6 +
wanted1.9.0.x +
wanted1.8.1.x -
wanted1.8.0.x -
in-testsuite +

Firefox Tracking Flags: (Not tracked)


(Whiteboard: [sg:critical] post-1.8-branch [fixed by 431705], crash signature)


(1 attachment, 1 obsolete attachment)

243 bytes, application/vnd.mozilla.xul+xml


11 years ago
Posted file testcase (crashes on reload) (obsolete) —
See testcase, which crashes with current trunk build on reload.

This regressed on trunk between 2008-01-09 and 2008-01-10:
Regression from bug 404146 or bug 404192
0  	@0x25a161f  	
1 	nsStyleContext::Release() 	nsStyleContext.h:92
2 	nsFrame::~nsFrame() 	mozilla/layout/generic/nsFrame.cpp:350
3 	nsAreaFrame::`scalar deleting destructor'(unsigned int) 	
4 	nsFrame::Destroy() 	mozilla/layout/generic/nsFrame.cpp:510
5 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:299
6 	nsBlockFrame::Destroy() 	mozilla/layout/generic/nsBlockFrame.cpp:314
7 	nsFrameList::DestroyFrames() 	mozilla/layout/generic/nsFrameList.cpp:67
8 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:257
9 	nsFrameList::DestroyFrames() 	mozilla/layout/generic/nsFrameList.cpp:67
10 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:257
11 	nsFrameList::DestroyFrames() 	mozilla/layout/generic/nsFrameList.cpp:67
12 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:257
13 	nsFrameManager::Destroy() 	mozilla/layout/base/nsFrameManager.cpp:283
14 	PresShell::Destroy() 	mozilla/layout/base/nsPresShell.cpp:1673
15 	DocumentViewerImpl::Destroy() 	mozilla/layout/base/nsDocumentViewer.cpp:1522
16 	DocumentViewerImpl::Show() 	mozilla/layout/base/nsDocumentViewer.cpp:1842
17 	nsPresContext::EnsureVisible(int) 	mozilla/layout/base/nsPresContext.cpp:1449
18 	PresShell::UnsuppressAndInvalidate() 	mozilla/layout/base/nsPresShell.cpp:4247
19 	PresShell::UnsuppressPainting() 	mozilla/layout/base/nsPresShell.cpp:4307
20 	DocumentViewerImpl::LoadComplete(unsigned int) 	mozilla/layout/base/nsDocumentViewer.cpp:1013
21 	nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) 	mozilla/docshell/base/nsDocShell.cpp:5031
22 	nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) 	mozilla/docshell/base/nsWebShell.cpp:1013
23 	nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) 	mozilla/docshell/base/nsDocShell.cpp:4931

Comment 1

11 years ago
Crashes calling 0xdddddddd for me on Mac.
Group: security
Flags: blocking1.9?
Whiteboard: [sg:critical]


11 years ago
OS: Windows XP → All
Hardware: PC → All

Comment 2

11 years ago
It doesn't crash on branch.


11 years ago
Whiteboard: [sg:critical] → [sg:critical] post-1.8-branch

Comment 3

11 years ago
I just changed "display: -moz-initial" to "display: inline" to improve clarity and compatibility.
Attachment #302219 - Attachment is obsolete: true
Flags: blocking1.9? → blocking1.9+
Priority: -- → P4
Flags: wanted1.9.0.x+
Flags: blocking1.9-
Flags: tracking1.9+
Flags: wanted1.8.1.x-

Comment 5

11 years ago
That seems very likely, yes.  The testcase uses -moz-box-ordinal-group
and my latest local patch makes the crash go away - I'll dig a little deeper
looking at the frame trees to be sure...
I'll have the new patch ready for review in a day or two.
Assignee: nobody → mats.palmgren
Depends on: 431705

Comment 6

11 years ago
Still crashes, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: P4 → P3
I am adding this to our "Top Security Bugs" list.  Please treat this as a top priority.

Comment 8

11 years ago
FYI, bug 431705 contains fix + crashtest for this, will land after beta2.
Whiteboard: [sg:critical] post-1.8-branch → [sg:critical] post-1.8-branch [fixed by 431705]

Comment 9

10 years ago
Fixed by bug 431705.  Holding the crashtest until Firefox 3.0.x is fixed.
Last Resolved: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1


10 years ago
Keywords: fixed1.9.1
Flags: wanted1.9.0.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6?
Marking fixed1.9.0.6 for verification because bug 431705 has landed on cvs-trunk.
Flags: blocking1.9.0.6? → blocking1.9.0.6+
Keywords: fixed1.9.0.6

Comment 11

10 years ago
not for 1.8.0
Flags: wanted1.8.0.x-
Verified with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2009010504 GranParadiso/3.0.6pre.
Keywords: fixed1.9.0.6 → verified1.9.0.6
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090122 Shiretoko/3.1b3pre 
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre

In the testcase, any reason why the perimeter of the box area does not stretch fully across the screen on trunk?  It's maximized on branch.
Keywords: fixed1.9.1 → verified1.9.1
Group: core-security


10 years ago
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsStyleContext::Release]