Closed Bug 509132 Opened 15 years ago Closed 12 years ago

top crash [@ nsSubDocumentFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&)]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.9.0 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: samuel.sidler+old, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:dos null-deref])

Crash Data

+++ This bug was initially created as a clone of Bug #482578 +++

In bug 482578, we fixed a topcrasher that was the #1 overall topcrash, by far. It typically contained 2-3 times the amount of crashes as the #2 and #3 top crashes.

The fix, however, might not be complete. We're still seeing this crash on the 1.9.0 branch. It's currently #15 overall. We need URLs to reproduce this on, however. The initial testcase has been fixed in 482578.

Bob, Tomcat: Can you provide some URLs for this signature?

Filing as security sensitive since the previous bug was.
Not until bug 507985 is fixed.
This has dropped to crash #68 in Firefox 3.0.15

Seems to be a null deref based on stacks, do we really need this hidden? Are we likely to fix it more than it currently is since it's not on newer branches?
Keywords: testcase-wanted
Whiteboard: [sg:dos null-deref]
I only made it hidden since bug 482578 was hidden. If we don't think this is a dangerous crash, then we should open it up.
Crash Signature: [@ nsSubDocumentFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&)]
This isn't very high volume. I am removing the top crash keyword.
Keywords: topcrash
According to https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=nsSubDocumentFrame%3A%3AReflow&reason_type=contains&date=03%2F09%2F2012%2020%3A18%3A00&range_value=1&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=nsSubDocumentFrame%3A%3AReflow%28nsPresContext*%2C%20nsHTMLReflowMetrics%26%2C%20nsHTMLReflowState%20const%26%2C%20unsigned%20int%26%29

There are a bunch of 3.0.x crashes, and then a small handful of ones in recent builds (three in 9, four in 10). There are ZERO in 3.5.x or 3.6.x so I think it's safe to call whatever this bug represented as "worksforme" rather than try to keep it open to now represent the newer crash that just happens to occur at the same location (in very small numbers).
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.