Closed Bug 475136 Opened 11 years ago Closed 11 years ago
Crash [@ ns
CSSStyle Sheet::Get Owner Node] after GC
544 bytes, text/html
3.89 KB, text/plain; charset=UTF-8
6.48 KB, patch
|Details | Diff | Splinter Review|
4.11 KB, patch
|Details | Diff | Splinter Review|
Loading the testcase causes nsCSSStyleSheet::GetOwnerNode to call some random address. The testcase assumes you have http://www.squarefree.com/extensions/quitter.xpi installed, and uses it to trigger a GC at the right moment.
Not as helpful as I was hoping.
Thoughts on this approach vs. a DropStyleSheet method that just does the setting to null (and would also be called by SetStyleSheet)?
Oops, forgot to qrefresh after my last edit.
And to be clear: what's fixing the bug is that we're now calling SetOwningNode(nsnull) at the two places in nsStyleLinkElement::DoUpdateStyleSheet that used to just do mStyleSheet = nsnull.
Comment on attachment 358562 [details] [diff] [review] patch Good catch. Can we possibly write a mochitest for this?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P3
Attachment #358562 - Flags: approval1.9.1+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical][needs 1.9.1 landing][needs 1.9.0.* landing]
Target Milestone: --- → mozilla1.9.2a1
Whiteboard: [sg:critical][needs 1.9.1 landing][needs 1.9.0.* landing] → [sg:critical][needs 1.9.0.* landing]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
Attachment #358562 - Flags: approval126.96.36.199?
Attachment #358562 - Flags: approval188.8.131.52? → approval184.108.40.206+
Comment on attachment 358562 [details] [diff] [review] patch Approved for 220.127.116.11, a=dveditz for release-drivers.
Commited to CVS trunk (for 1.9.0.* releases), 2009-02-02 20:13 -0800.
Whiteboard: [sg:critical][needs 1.9.0.* landing] → [sg:critical]
dbaron: Is this needed for the 1.8 branch? The testcase doesn't crash because Quitter fails to GC (Components.utils.forceGC is not a function), but the 1.8 version of nsStyleLinkElement::UpdateStyleSheet has code identical to that which you patched.
I don't know any reason that it wouldn't be needed... so it's probably needed.
Verified that the testcase here crashes 18.104.22.168 but doesn't crash 22.214.171.124 (with quitter extension). Used Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:126.96.36.199pre) Gecko/2009021204 GranParadiso/3.0.7pre.
Comment on attachment 363095 [details] [diff] [review] 1.8 version >--- mozilla/content/base/src/nsStyleLinkElement.h.475136 2004-09-09 19:32:34.000000000 +0200 >+++ mozilla/content/base/src/nsStyleLinkElement.h 2009-02-17 18:12:08.000000000 +0100 >@@ -72,6 +72,7 @@ public: > > static void ParseLinkTypes(const nsAString& aTypes, nsStringArray& aResult); > >+ > protected: > virtual void GetStyleSheetURL(PRBool* aIsInline, > nsIURI** aURI) = 0; What's this added whitespace for? Otherwise than that nit, this is probably good for checkin.
Attachment #363095 - Flags: approval1.8.1.next?
Comment on attachment 363095 [details] [diff] [review] 1.8 version Approved for 188.8.131.52, a=dveditz for release-drivers In the future please use the same diff options as the patch you're porting (context lines, etc). that makes comparing them much easier
Attachment #363095 - Flags: approval1.8.1.next? → approval1.8.1.next+
Committed the backported patch to MOZILLA_1_8_BRANCH, 2009-02-23 09:57 -0800. Thanks for doing the backport.
Comment on attachment 363095 [details] [diff] [review] 1.8 version a=asac for 1.8.0
Attachment #363095 - Flags: approval1.8.0.next+
Crash Signature: [@ nsCSSStyleSheet::GetOwnerNode]
You need to log in before you can comment on or make changes to this bug.