Closed Bug 531284 Opened 15 years ago Closed 14 years ago

Crash [@ PresShell::ClearFrameRefs(nsIFrame*)]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Assigned: cbook)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [sg:critical? (mitigated by frame poisoning)] [no steps to reproduce])

Crash Data

Crash [@ PresShell::ClearFrameRefs(nsIFrame*)]
It's #230 in the frame poisoning list in bug 526587:
https://bugzilla.mozilla.org/attachment.cgi?id=414317

251 crashes in the past 4 weeks (130 on Windows, 121 on OSX).
There are crash reports for Firefox 3.0x 3.5x 3.6x and 3.7x

http://crash-stats.mozilla.com/report/list?query_search=signature&query_type=exact&query=PresShell%3A%3AClearFrameRefs%28nsIFrame*%29&date=&range_value=4&range_unit=weeks&do_query=1&signature=PresShell%3A%3AClearFrameRefs%28nsIFrame*%29

bp-0243105b-49a9-4a42-8810-1751b2091121:
PresShell::ClearFrameRefs	 layout/base/nsPresShell.cpp:3663
nsFrame::Destroy	layout/generic/nsFrame.cpp:445
nsBaseHashtable<nsStringHashKey,nsAutoPtr<nsCounterList>,nsCounterList*>::EnumerateRead	obj-firefox/dist/include/nsBaseHashtable.h:189
nsContainerFrame::Destroy	layout/generic/nsContainerFrame.cpp:268
nsContainerFrame::Destroy	layout/generic/nsContainerFrame.cpp:268
nsContainerFrame::Destroy	layout/generic/nsContainerFrame.cpp:268
nsBlockFrame::Destroy	layout/generic/nsBlockFrame.cpp:301
nsTArray<unsigned int>::RemoveElementsAt	obj-firefox/dist/include/nsTArray.h:680
nsFrameList::DestroyFrame	layout/generic/nsFrameList.cpp:170
nsAbsoluteContainingBlock::RemoveFrame	layout/generic/nsAbsoluteContainingBlock.cpp:124
ViewportFrame::RemoveFrame	layout/generic/nsViewportFrame.cpp:159
nsFrameManager::RemoveFrame	layout/base/nsFrameManager.cpp:736
nsCSSFrameConstructor::ContentRemoved	layout/base/nsCSSFrameConstructor.cpp:7366
nsCSSFrameConstructor::RecreateFramesForContent	layout/base/nsCSSFrameConstructor.cpp:9169
nsCSSFrameConstructor::ProcessRestyledFrames	layout/base/nsCSSFrameConstructor.cpp:7831
PresShell::FlushPendingNotifications	layout/base/nsPresShell.cpp:4897
nsDocument::FlushPendingNotifications	content/base/src/nsDocument.cpp:6356
nsDocument::FlushPendingNotifications	content/base/src/nsDocument.cpp:6350
nsComputedDOMStyle::GetPropertyCSSValue	layout/style/nsComputedDOMStyle.cpp:473
nsComputedDOMStyle::GetPropertyValue	layout/style/nsComputedDOMStyle.cpp:324
NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102 
...

The stack crash stack varies a lot, except for the last few frames.
It always crashes on line 3663 though:

3660 nsWeakFrame* weakFrame = mWeakFrames;
3661 while (weakFrame) {
3662   nsWeakFrame* prev = weakFrame->GetPreviousWeakFrame();
3663   if (weakFrame->GetFrame() == aFrame) {
3664     // This removes weakFrame from mWeakFrames.
3665     weakFrame->Clear(this);
3666   }
3667   weakFrame = prev;
3668 }
Uh... so is the weakFrame linked list broken or something?
Whiteboard: [sg:critical? (mitigated by frame poisoning)]
Whiteboard: [sg:critical? (mitigated by frame poisoning)] → [sg:critical? (mitigated by frame poisoning)] [no steps to reproduce]
Assignee: nobody → cbook
Keywords: testcase-wanted
testing is done in the general testrun with the new url list from chofmann. Testing is ongoing.
so far no crash found, still ongoing
no reproducible so far :( some crashes in crashstats seems to be start up crashes ?
marking worksforme for now, since not reproducible currently. Will reopen if we found steps to reproduce
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ PresShell::ClearFrameRefs(nsIFrame*)]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.