Crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]

RESOLVED WORKSFORME

Status

critical
9 years ago
3 years ago

People

(Reporter: jst, Unassigned)

Tracking

(Blocks: 1 bug, {crash})

1.9.2 Branch
All
Windows XP
crash
Bug Flags:
blocking1.9.2 -
wanted1.9.2 +

Firefox Tracking Flags

(Not tracked)

Description

9 years ago
There's a new crash in Firefox 3.6b3 with the signature "nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)" that hasn't been seen in any of the versions 3.5.*. So far we've seen 33+ of these crashes in the wild.

Please see http://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A3.6b3&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=nsFrameManager%3A%3AReResolveStyleContext%28nsPresContext%2A%2C%20nsIFrame%2A%2C%20nsIContent%2A%2C%20nsStyleChangeList%2A%2C%20nsChangeHint%2C%20int%29&do_query=1 for more crash info.
Flags: blocking1.9.2?
(Reporter)

Comment 1

9 years ago
I think this is Windows only.
OS: All → Windows XP

Comment 3

9 years ago
Some of these crashes also show up as frame poisoned crashes

187. 1 0xfffffffff0dea800 Windows NT nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)

sort this query by address

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsFrameManager::ReResolveStyleContext%28nsPresContext*,%20nsIFrame*,%20nsIContent*,%20nsStyleChangeList*,%20nsChangeHint,%20int%29
Blocks: 526587
Group: core-security
Assuming a11y poisons the frame but why does child->GetStateBits() crash instead of aFrame->GetFirstChild()? Robert, do you have any ideas?

I don't know. A minidump would help.

The only thing that's new in 3.6 about this crash is the extra ", int" at the end of the parameter list. Crashes in this function were in 3.5.* and 3.0.*.

I don't see much reason to think this is related to the accessibility changes that were made in that function.

Updated

9 years ago
Blocks: 516730

Updated

9 years ago
No longer blocks: 516730
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Flags: blocking1.9.2-

Comment 7

9 years ago
Topcrash #200 for Firefox 3.5.7.
Topcrash #151 for Firefox 3.6.
Group: core-security
Keywords: regression → crash
Summary: New crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)] in Firefox 3.6b3 → Crash [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]
Whiteboard: [sg:watch]
Keywords: testcase-wanted
Whiteboard: [sg:watch]
(Assignee)

Updated

8 years ago
Crash Signature: [@ nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, int)]

Comment 8

7 years ago
It only happens in 3.6 over the last four weeks.
I'm closing it as WFM.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME
Keywords: testcase-wanted