Closed
Bug 475136
Opened 16 years ago
Closed 16 years ago
Crash [@ nsCSSStyleSheet::GetOwnerNode] after GC
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla1.9.1b3
People
(Reporter: jruderman, Assigned: dbaron)
References
Details
(5 keywords, Whiteboard: [sg:critical])
Crash Data
Attachments
(4 files, 1 obsolete file)
|
544 bytes,
text/html
|
Details | |
|
3.89 KB,
text/plain; charset=UTF-8
|
Details | |
|
6.48 KB,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
roc
:
approval1.9.1+
dveditz
:
approval1.9.0.7+
|
Details | Diff | Splinter Review |
|
4.11 KB,
patch
|
dveditz
:
approval1.8.1.next+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
Loading the testcase causes nsCSSStyleSheet::GetOwnerNode to call some random address.
The testcase assumes you have http://www.squarefree.com/extensions/quitter.xpi installed, and uses it to trigger a GC at the right moment.
|
Reporter | |
Updated•16 years ago
|
Whiteboard: [sg:critical]
|
Assignee | |
Comment 1•16 years ago
|
||
Not as helpful as I was hoping.
|
|
Assignee | |
Comment 2•16 years ago
|
||
Thoughts on this approach vs. a DropStyleSheet method that just does the setting to null (and would also be called by SetStyleSheet)?
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Attachment #358561 -
Flags: superreview?(bzbarsky)
Attachment #358561 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•16 years ago
|
Flags: blocking1.9.1?
|
|
Assignee | |
Comment 3•16 years ago
|
||
Oops, forgot to qrefresh after my last edit.
Attachment #358561 -
Attachment is obsolete: true
Attachment #358562 -
Flags: superreview?(bzbarsky)
Attachment #358562 -
Flags: review?(bzbarsky)
Attachment #358561 -
Flags: superreview?(bzbarsky)
Attachment #358561 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 4•16 years ago
|
||
And to be clear: what's fixing the bug is that we're now calling SetOwningNode(nsnull) at the two places in nsStyleLinkElement::DoUpdateStyleSheet that used to just do mStyleSheet = nsnull.
|
||
Comment 5•16 years ago
|
||
Comment on attachment 358562 [details] [diff] [review]
patch
Good catch. Can we possibly write a mochitest for this?
Attachment #358562 -
Flags: superreview?(bzbarsky)
Attachment #358562 -
Flags: superreview+
Attachment #358562 -
Flags: review?(bzbarsky)
Attachment #358562 -
Flags: review+
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Flags: wanted1.9.1+
Flags: blocking1.9.1-
Flags: blocking1.9.1+
Attachment #358562 -
Flags: approval1.9.1+
|
|
Assignee | |
Comment 6•16 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical][needs 1.9.1 landing][needs 1.9.0.* landing]
Target Milestone: --- → mozilla1.9.2a1
|
|
Assignee | |
Comment 7•16 years ago
|
||
Keywords: fixed1.9.1
Whiteboard: [sg:critical][needs 1.9.1 landing][needs 1.9.0.* landing] → [sg:critical][needs 1.9.0.* landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
|
|
Assignee | |
Updated•16 years ago
|
Attachment #358562 -
Flags: approval1.9.0.7?
|
||
Updated•16 years ago
|
Attachment #358562 -
Flags: approval1.9.0.7? → approval1.9.0.7+
|
|
||
Comment 8•16 years ago
|
||
Comment on attachment 358562 [details] [diff] [review]
patch
Approved for 1.9.0.7, a=dveditz for release-drivers.
|
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x+
|
|
Assignee | |
Comment 9•16 years ago
|
||
Commited to CVS trunk (for 1.9.0.* releases), 2009-02-02 20:13 -0800.
Keywords: fixed1.9.0.7
Whiteboard: [sg:critical][needs 1.9.0.* landing] → [sg:critical]
|
|
||
Comment 10•16 years ago
|
||
dbaron: Is this needed for the 1.8 branch? The testcase doesn't crash because Quitter fails to GC (Components.utils.forceGC is not a function), but the 1.8 version of nsStyleLinkElement::UpdateStyleSheet has code identical to that which you patched.
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next+
|
|
Assignee | |
Comment 11•16 years ago
|
||
I don't know any reason that it wouldn't be needed... so it's probably needed.
|
||
Comment 12•16 years ago
|
||
Verified that the testcase here crashes 1.9.0.6 but doesn't crash 1.9.0.7 (with quitter extension). Used Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7pre) Gecko/2009021204 GranParadiso/3.0.7pre.
Keywords: fixed1.9.0.7 → verified1.9.0.7
|
||
Comment 13•16 years ago
|
||
|
||
Comment 14•16 years ago
|
||
Comment on attachment 363095 [details] [diff] [review]
1.8 version
>--- mozilla/content/base/src/nsStyleLinkElement.h.475136 2004-09-09 19:32:34.000000000 +0200
>+++ mozilla/content/base/src/nsStyleLinkElement.h 2009-02-17 18:12:08.000000000 +0100
>@@ -72,6 +72,7 @@ public:
>
> static void ParseLinkTypes(const nsAString& aTypes, nsStringArray& aResult);
>
>+
> protected:
> virtual void GetStyleSheetURL(PRBool* aIsInline,
> nsIURI** aURI) = 0;
What's this added whitespace for?
Otherwise than that nit, this is probably good for checkin.
Attachment #363095 -
Flags: approval1.8.1.next?
|
|
||
Comment 15•16 years ago
|
||
Comment on attachment 363095 [details] [diff] [review]
1.8 version
Approved for 1.8.1.21, a=dveditz for release-drivers
In the future please use the same diff options as the patch you're porting (context lines, etc). that makes comparing them much easier
Attachment #363095 -
Flags: approval1.8.1.next? → approval1.8.1.next+
|
|
Assignee | |
Comment 16•16 years ago
|
||
Committed the backported patch to MOZILLA_1_8_BRANCH, 2009-02-23 09:57 -0800. Thanks for doing the backport.
|
|
Assignee | |
Updated•16 years ago
|
Keywords: fixed1.8.1.21
|
|
||
Updated•16 years ago
|
Group: core-security
|
||
Comment 17•16 years ago
|
||
Comment on attachment 363095 [details] [diff] [review]
1.8 version
a=asac for 1.8.0
Attachment #363095 -
Flags: approval1.8.0.next+
|
|
||
Updated•16 years ago
|
Flags: blocking1.8.0.next+
|
||
Updated•13 years ago
|
Crash Signature: [@ nsCSSStyleSheet::GetOwnerNode]
You need to log in
before you can comment on or make changes to this bug.
Description
•