Closed
Bug 530965
Opened 15 years ago
Closed 13 years ago
Crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jst, Unassigned)
References
(Blocks 1 open bug, )
Details
(Keywords: crash)
Crash Data
There's a new crash in Firefox 3.6b3 with the signature "nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)" that hasn't been seen in any of the versions 3\.5.*. So far we've seen 33+ of these crashes in the wild.
Please see http://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A3.6b3&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=nsFrameManager%3A%3AReResolveStyleContext%28nsPresContext%2A%2C%20nsIFrame%2A%2C%20nsIContent%2A%2C%20nsStyleChangeList%2A%2C%20nsChangeHint%2C%20int%29&do_query=1 for more crash info.
Flags: blocking1.9.2?
|
||
Comment 2•15 years ago
|
||
second frame on the stack has a source file that changed during 3.6 development
http://crash-stats.mozilla.com/report/index/a9803b87-b42e-4bae-b765-5d7e32091124
http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/35bb84e06502/layout/base/nsFrameManager.cpp#l1495
|
|
||
Comment 3•15 years ago
|
||
Some of these crashes also show up as frame poisoned crashes
187. 1 0xfffffffff0dea800 Windows NT nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)
sort this query by address
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsFrameManager::ReResolveStyleContext%28nsPresContext*,%20nsIFrame*,%20nsIContent*,%20nsStyleChangeList*,%20nsChangeHint,%20int%29
Blocks: PoisonFrameCrash
Group: core-security
|
||
Comment 4•15 years ago
|
||
Assuming a11y poisons the frame but why does child->GetStateBits() crash instead of aFrame->GetFirstChild()? Robert, do you have any ideas?
I don't know. A minidump would help.
The only thing that's new in 3.6 about this crash is the extra ", int" at the end of the parameter list. Crashes in this function were in 3.5.* and 3.0.*.
I don't see much reason to think this is related to the accessibility changes that were made in that function.
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
|
||
Comment 7•15 years ago
|
||
Topcrash #200 for Firefox 3.5.7.
Topcrash #151 for Firefox 3.6.
Group: core-security
Keywords: regression → crash
Summary: New crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)] in Firefox 3.6b3 → Crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]
Whiteboard: [sg:watch]
|
||
Updated•15 years ago
|
Keywords: testcase-wanted
Whiteboard: [sg:watch]
|
Assignee | |
Updated•14 years ago
|
Crash Signature: [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]
|
||
Comment 8•13 years ago
|
||
It only happens in 3.6 over the last four weeks.
I close it as WFM.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
|
||
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•