Crash [@ nsCSSStyleSheet::SetDisabled]

RESOLVED FIXED

10 years ago
6 years ago

People

(Reporter: smaug, Unassigned)

Tracking

Trunk
x86
Linux

Details

(Whiteboard: [sg:critical?])

When running crashtests I occasionally get this crash.
I'm not sure, but just guessing that nsCSSStyleSheet::mDocument is dead.
I wonder why mDocument and mOwningNode are weak.

#0  0x00000032d7097581 in nanosleep () from /lib64/libc.so.6
#1  0x00000032d70973a4 in sleep () from /lib64/libc.so.6
#2  0x00002aaaaaaf4d99 in ah_crap_handler (signum=11)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/toolkit/xre/nsSigHandlers.cpp:149
#3  0x00002aaaaaaf5958 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:216
#4  <signal handler called>
#5  PresShell::Paint (this=0x2d630b0, aView=0x2, aRenderingContext=0x32d734c930, aDirtyRegion=@0x0)
    at ../../dist/include/view/nsIView.h:313
#6  0x00002aaab46467da in nsCSSStyleSheet::SetDisabled (this=0x3218180, aDisabled=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/layout/style/nsCSSStyleSheet.cpp:1660
#7  0x00002aaab4abe8f2 in nsHTMLEditor::EnableExistingStyleSheet (this=<value optimized out>, aURL=@0x7fffc46d4560)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:3704
#8  0x00002aaab4ac18b3 in nsHTMLEditor::AddOverrideStyleSheet (this=0x7fffc46d4340, aURL=@0x2)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/editor/libeditor/html/nsHTMLEditor.cpp:3586
#9  0x00002aaab48126cc in nsHTMLDocument::EditingStateChanged (this=0x2b4b340)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/document/src/nsHTMLDocument.cpp:3395
#10 0x00002aaab45a0a89 in ~mozAutoDocUpdate (this=<value optimized out>)
    at ../../../dist/include/content/mozAutoDocUpdate.h:66
#11 0x00002aaab473b77a in nsGenericElement::doInsertChildAt (aKid=0x327db40, aIndex=1, aNotify=1, aParent=0x0, 
    aDocument=0x2b4b340, aChildArray=@0x2b4b518)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:3295
#12 0x00002aaab4829515 in nsXMLContentSink::SetDocElement (this=0x2e2e060, aNameSpaceID=3, aTagName=0xb45e50, 
    aContent=0x327db40) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xml/document/src/nsXMLContentSink.cpp:997
#13 0x00002aaab4828c0a in nsXMLContentSink::HandleStartElement (this=0x2e2e060, aName=<value optimized out>, 
    aAtts=0x196b710, aAttsCount=<value optimized out>, aIndex=-1, aLineNumber=2, aInterruptable=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xml/document/src/nsXMLContentSink.cpp:1097
#14 0x00002aaab4828fd2 in nsXMLContentSink::HandleStartElement (this=0x7fffc46d4340, aName=0x2, aAtts=0x33073a0, 
    aAttsCount=0, aIndex=-1412034288, aLineNumber=774778670)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xml/document/src/nsXMLContentSink.cpp:1020
#15 0x00002aaab6d87b09 in nsExpatDriver::HandleStartElement (this=0x196b290, aValue=0x327da50, aAtts=0x196b710)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/htmlparser/src/nsExpatDriver.cpp:435
#16 0x00002aaab6daac5a in doContent (parser=0x196b360, startTagLevel=0, enc=0x2aaab6fda6c0, s=0x196b07a "<", 
    end=0x196b204 "����", nextPtr=0x7fffc46d4b10, haveMore=1 '\001')
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/expat/lib/xmlparse.c:2438
#17 0x00002aaab6dabd6c in contentProcessor (parser=0x196b360, start=0x0, end=0x2aaaabd61110 "\020\021֫�*", 
    endPtr=0x7369642f2e2e2f2e) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/expat/lib/xmlparse.c:2095
#18 0x00002aaab6da9abd in doProlog (parser=0x196b360, enc=0x2aaab6fda6c0, s=0x196b07a "<", end=0x196b204 "����", 
    tok=<value optimized out>, next=0x196b07a "<", nextPtr=0x7fffc46d4b10, haveMore=1 '\001')
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/expat/lib/xmlparse.c:4075
#19 0x00002aaab6dabe7f in prologProcessor (parser=0x196b360, s=0x196b020 "<", end=0x196b204 "����", nextPtr=0x7fffc46d4b10)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/expat/lib/xmlparse.c:3809
#20 0x00002aaab6da5052 in MOZ_XML_Parse (parser=0x7fffc46d4340, s=0x196b020 "<", len=53506976, isFinal=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/expat/lib/xmlparse.c:1528
#21 0x00002aaab6d84e96 in nsExpatDriver::ParseBuffer (this=0x196b290, aBuffer=0x196b020, aLength=242, aIsFinal=0, 
    aConsumed=0x7fffc46d4e9c) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/htmlparser/src/nsExpatDriver.cpp:1025
#22 0x00002aaab6d871d6 in nsExpatDriver::ConsumeToken (this=0x196b290, aScanner=@0x15faa10, 
    aFlushTokens=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/parser/htmlparser/src/nsExpatDriver.cpp:1128

Or perhaps this is an editor bug.
nsHTMLEditor::AddOverrideStyleSheet sets stylesheet's owning document, but
I have no idea what keeps that document alive or clears the owning document.

Is this fixed by the patch in bug 432114?

Seems like that might help. Not 100% sure though, because I can't
always reproduce this.
If the crash happens, it is when running 214/1064.

Depends on: 432114

Yeah, this sounds a lot like bug 432114 and bug 476975. The fundamental problem there is that editor calls nsIStyleSheet::SetOwningDocument() with a document that doesn't own the style sheet.
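
The ownership problem described in the comment above, as a toy C++ model added here (not Mozilla code; `Sheet`, `Document`, `AddSheet`, `HasStaleOwner` and the live-address registry are hypothetical). It shows why a weak back-pointer is only safe when the object that clears it on destruction is the same one that registered it.

```cpp
#include <cstdint>
#include <set>
#include <vector>

struct Document;

// Hypothetical stand-in for a style sheet with a weak (raw, non-owning) back-pointer.
struct Sheet {
    Document* mDocument = nullptr;   // weak: does not keep the document alive
    void SetOwningDocument(Document* d) { mDocument = d; }
    bool HasStaleOwner() const;      // compares the address only, never dereferences it
};

struct Document {
    std::vector<Sheet*> mSheets;     // sheets this document really owns
    // Constructed registry of live document addresses, used only to observe staleness.
    static std::set<std::uintptr_t>& Live() { static std::set<std::uintptr_t> s; return s; }

    Document() { Live().insert(reinterpret_cast<std::uintptr_t>(this)); }
    Document(const Document&) = delete;
    ~Document() {
        // Only the owner knows which back-pointers must be cleared.
        for (Sheet* s : mSheets) s->SetOwningDocument(nullptr);
        Live().erase(reinterpret_cast<std::uintptr_t>(this));
    }
    void AddSheet(Sheet* s) { mSheets.push_back(s); s->SetOwningDocument(this); }
};

bool Sheet::HasStaleOwner() const {
    return mDocument && !Document::Live().count(reinterpret_cast<std::uintptr_t>(mDocument));
}

// Pattern from the comment: a caller sets the owner on a sheet the document does not own.
bool NonOwnerSetsOwner() {
    Sheet sheet;
    { Document doc; sheet.SetOwningDocument(&doc); }  // doc dies, nobody clears the sheet
    return sheet.HasStaleOwner();                     // true: back-pointer now dangles
}

// Ownership goes through the document, so its destructor clears the back-pointer.
bool OwnerRegistersSheet() {
    Sheet sheet;
    { Document doc; doc.AddSheet(&sheet); }
    return sheet.HasStaleOwner();                     // false: pointer was reset to null
}

int main() { return (NonOwnerSetsOwner() && !OwnerRegistersSheet()) ? 0 : 1; }
```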
Whiteboard: [sg:critical?]

Can't reproduce this anymore.

Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Group: core-security