Closed Bug 531284 Opened 15 years ago Closed 15 years ago

Crash [@ PresShell::ClearFrameRefs(nsIFrame*)]

Categories

(Core :: Layout, defect)

defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Assigned: cbook)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [sg:critical? (mitigated by frame poisoning)] [no steps to reproduce])

Crash Data

Crash [@ PresShell::ClearFrameRefs(nsIFrame*)]

It's #230 in the frame poisoning list in bug 526587:
https://bugzilla.mozilla.org/attachment.cgi?id=414317

251 crashes in the past 4 weeks (130 on Windows, 121 on OSX).
There are crash reports for Firefox 3.0x, 3.5x, 3.6x and 3.7x:
http://crash-stats.mozilla.com/report/list?query_search=signature&query_type=exact&query=PresShell%3A%3AClearFrameRefs%28nsIFrame*%29&date=&range_value=4&range_unit=weeks&do_query=1&signature=PresShell%3A%3AClearFrameRefs%28nsIFrame*%29

bp-0243105b-49a9-4a42-8810-1751b2091121:

    PresShell::ClearFrameRefs    layout/base/nsPresShell.cpp:3663
    nsFrame::Destroy    layout/generic/nsFrame.cpp:445
    nsBaseHashtable<nsStringHashKey,nsAutoPtr<nsCounterList>,nsCounterList*>::EnumerateRead    obj-firefox/dist/include/nsBaseHashtable.h:189
    nsContainerFrame::Destroy    layout/generic/nsContainerFrame.cpp:268
    nsContainerFrame::Destroy    layout/generic/nsContainerFrame.cpp:268
    nsContainerFrame::Destroy    layout/generic/nsContainerFrame.cpp:268
    nsBlockFrame::Destroy    layout/generic/nsBlockFrame.cpp:301
    nsTArray<unsigned int>::RemoveElementsAt    obj-firefox/dist/include/nsTArray.h:680
    nsFrameList::DestroyFrame    layout/generic/nsFrameList.cpp:170
    nsAbsoluteContainingBlock::RemoveFrame    layout/generic/nsAbsoluteContainingBlock.cpp:124
    ViewportFrame::RemoveFrame    layout/generic/nsViewportFrame.cpp:159
    nsFrameManager::RemoveFrame    layout/base/nsFrameManager.cpp:736
    nsCSSFrameConstructor::ContentRemoved    layout/base/nsCSSFrameConstructor.cpp:7366
    nsCSSFrameConstructor::RecreateFramesForContent    layout/base/nsCSSFrameConstructor.cpp:9169
    nsCSSFrameConstructor::ProcessRestyledFrames    layout/base/nsCSSFrameConstructor.cpp:7831
    PresShell::FlushPendingNotifications    layout/base/nsPresShell.cpp:4897
    nsDocument::FlushPendingNotifications    content/base/src/nsDocument.cpp:6356
    nsDocument::FlushPendingNotifications    content/base/src/nsDocument.cpp:6350
    nsComputedDOMStyle::GetPropertyCSSValue    layout/style/nsComputedDOMStyle.cpp:473
    nsComputedDOMStyle::GetPropertyValue    layout/style/nsComputedDOMStyle.cpp:324
    NS_InvokeByIndex_P    xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
    ...

The crash stack varies a lot, except for the last few frames.
It always crashes on line 3663 though:

    3660   nsWeakFrame* weakFrame = mWeakFrames;
    3661   while (weakFrame) {
    3662     nsWeakFrame* prev = weakFrame->GetPreviousWeakFrame();
    3663     if (weakFrame->GetFrame() == aFrame) {
    3664       // This removes weakFrame from mWeakFrames.
    3665       weakFrame->Clear(this);
    3666     }
    3667     weakFrame = prev;
    3668   }
Uh... so is the weakFrame linked list broken or something?
Whiteboard: [sg:critical? (mitigated by frame poisoning)]
Whiteboard: [sg:critical? (mitigated by frame poisoning)] → [sg:critical? (mitigated by frame poisoning)] [no steps to reproduce]
Assignee: nobody → cbook
Keywords: testcase-wanted
Testing is done in the general testrun with the new URL list from chofmann. Testing is ongoing.
So far no crash found, still ongoing.
Not reproducible so far :( Some crashes in crashstats seem to be startup crashes?
Marking worksforme for now, since not reproducible currently. Will reopen if we find steps to reproduce.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ PresShell::ClearFrameRefs(nsIFrame*)]
Group: core-security → core-security-release
Group: core-security-release