Closed Bug 523895 Opened 10 years ago Closed 10 years ago

Crash in [@ nsObjectFrame::ComputeWidgetGeometry]

Categories

(Core :: Layout, defect, critical)

1.9.2 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [3.6b1])

Crash Data

Attachments

(1 file)

Seen while running Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b1) Gecko/20091019 Firefox/3.6b1.

STR:
1. Load http://ubiquity.mozilla.com/planet/
2. I crashed but have not been able to reproduce.

These extensions were installed:
Microsoft .NET Framework Assistant	1.0	false	{20a82645-c095-46ed-80e3-08825760534b}
Java Quick Starter	1.0	true	jqs@sun.com
Coral IE Tab	1.60.20090901	true	ietab@ip.cn
Whiteboard: [3.6b1]
(In reply to comment #0)
> Seen while running Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b1)
> Gecko/20091019 Firefox/3.6b1.
> 
> STR:
> 1. Load http://ubiquity.mozilla.com/planet/
> 2. I crashed but have not been able to reproduce.
> 
> These extensions were installed:
> Microsoft .NET Framework Assistant    1.0    false   
> {20a82645-c095-46ed-80e3-08825760534b}
> Java Quick Starter    1.0    true    jqs@sun.com
> Coral IE Tab    1.60.20090901    true    ietab@ip.cn

from topcrash stats, seems this happend 3 times, marcia were you also able to crash without this extensions ?
Severity: normal → critical
Flags: blocking1.9.2?
So far I think I only crashed once, and I have not yet been able to reproduce this on any other machines with or without extensions.
Since this is possibly a crash that will show up like mad after we ship, we should take this very seriously, but I can't see blocking on it until we can mak it happen again, or something else significant happens.

Minusing for now, but renom if you see it again.
Flags: blocking1.9.2? → blocking1.9.2-
I am not certain, but is is possible I may have crashed when this page loaded - http://ubiquity.mozilla.com/ - note that an embedded vimeo video shows up on the page.
Marcia, have you tried to clear the cache before reloading the page? Eventually it only crashes on first load?
Group: core-security
Component: Widget: Win32 → Layout
QA Contact: win32 → layout
Summary: Crash in [nsObjectFrame::ComputeWidgetGeometry] → Crash in [@ nsObjectFrame::ComputeWidgetGeometry]
crash on load nsObjectFrame::ComputeWidgetGeometry with bp-abec7a01-0e8d-4d5a-98ac-729642091118 Mac 1.9.3 and Win 1.9.2 at least. The stack is different though and possibly requires flash. File a new bug?

http://www.tusfotoscaseras.com/2007/09/29/adolescentes-modelos-teens-tetonas-y-culonas/

maybe nsfw.
Attached file testcase
Minimized the page from comment 7 and made it SFW.

Having the stylesheet be on an external server seems to be required, as mirroring it locally never crashes. The swf can probably be local and is just a random swf from the web, so probably any swf would suffice.
It is caused by bug 371976. (Someone with access can add the dependency.)
Depends on: CVE-2009-3385
The test case doesn't crash for me on trunk, is this a 1.9.2-only bug?
Doesn't crash for me on trunk or 1.9.2 anymore. One of the checkins since then must have changed it.
(In reply to comment #12)
> A good guess would be bug 528493.
That was caused by a swf in an iframe in a document with slow CSS, which would explain why your crash never happened when the CSS was local. If you need slow CSS in the future, this is apparently a good link:

http://www.hixie.ch/tests/adhoc/html/parsing/script-style-blocking/slow-style.css
Only 1 crash this week:
bp-79857368-68cd-4beb-8f51-36d782100214

Marking fixed per comment 12.  Bug 528493 landed on 1.9.2 and 1.9.1 (we're waiting to see if we need it on 1.9.0).
Status: NEW → RESOLVED
Closed: 10 years ago
Depends on: 528493
Resolution: --- → FIXED
Crash Signature: [@ nsObjectFrame::ComputeWidgetGeometry]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.