Closed Bug 530965 Opened 11 years ago Closed 9 years ago

Crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]

Categories

(Core :: Layout, defect)

1.9.2 Branch
All
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: jst, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: crash)

Crash Data

There's a new crash in Firefox 3.6b3 with the signature "nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)" that hasn't been seen in any of the versions 3\.5.*. So far we've seen 33+ of these crashes in the wild.

Please see http://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A3.6b3&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=nsFrameManager%3A%3AReResolveStyleContext%28nsPresContext%2A%2C%20nsIFrame%2A%2C%20nsIContent%2A%2C%20nsStyleChangeList%2A%2C%20nsChangeHint%2C%20int%29&do_query=1 for more crash info.
Flags: blocking1.9.2?
I think this is windows only.
OS: All → Windows XP
Some of these crashes also show up as frame poisoned crashes

187. 1 0xfffffffff0dea800 Windows NT nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)

sort this query by address

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsFrameManager::ReResolveStyleContext%28nsPresContext*,%20nsIFrame*,%20nsIContent*,%20nsStyleChangeList*,%20nsChangeHint,%20int%29
Group: core-security
Assuming a11y poisons the frame but why does child->GetStateBits() crash instead of aFrame->GetFirstChild()? Robert, do you have any ideas?
I don't know. A minidump would help.
The only thing that's new in 3.6 about this crash is the extra ", int" at the end of the parameter list.  Crashes in this function were in 3.5.* and 3.0.*.

I don't see much reason to think this is related to the accessibility changes that were made in that function.
Blocks: fennecko
No longer blocks: fennecko
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
Topcrash #200 for Firefox 3.5.7.
Topcrash #151 for Firefox 3.6.
Group: core-security
Keywords: regressioncrash
Summary: New crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)] in Firefox 3.6b3 → Crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]
Whiteboard: [sg:watch]
Keywords: testcase-wanted
Whiteboard: [sg:watch]
Crash Signature: [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]
It only happens in 3.6 over the last four weeks.
I close it as WFM.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.