Closed
Bug 531284
Opened 15 years ago
Closed 14 years ago
Crash [@ PresShell::ClearFrameRefs(nsIFrame*)]
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: MatsPalmgren_bugz, Assigned: cbook)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [sg:critical? (mitigated by frame poisoning)] [no steps to reproduce])
Crash Data
Crash [@ PresShell::ClearFrameRefs(nsIFrame*)] It's #230 in the frame poisoning list in bug 526587: https://bugzilla.mozilla.org/attachment.cgi?id=414317 251 crashes in the past 4 weeks (130 on Windows, 121 on OSX). There are crash reports for Firefox 3.0x 3.5x 3.6x and 3.7x http://crash-stats.mozilla.com/report/list?query_search=signature&query_type=exact&query=PresShell%3A%3AClearFrameRefs%28nsIFrame*%29&date=&range_value=4&range_unit=weeks&do_query=1&signature=PresShell%3A%3AClearFrameRefs%28nsIFrame*%29 bp-0243105b-49a9-4a42-8810-1751b2091121: PresShell::ClearFrameRefs layout/base/nsPresShell.cpp:3663 nsFrame::Destroy layout/generic/nsFrame.cpp:445 nsBaseHashtable<nsStringHashKey,nsAutoPtr<nsCounterList>,nsCounterList*>::EnumerateRead obj-firefox/dist/include/nsBaseHashtable.h:189 nsContainerFrame::Destroy layout/generic/nsContainerFrame.cpp:268 nsContainerFrame::Destroy layout/generic/nsContainerFrame.cpp:268 nsContainerFrame::Destroy layout/generic/nsContainerFrame.cpp:268 nsBlockFrame::Destroy layout/generic/nsBlockFrame.cpp:301 nsTArray<unsigned int>::RemoveElementsAt obj-firefox/dist/include/nsTArray.h:680 nsFrameList::DestroyFrame layout/generic/nsFrameList.cpp:170 nsAbsoluteContainingBlock::RemoveFrame layout/generic/nsAbsoluteContainingBlock.cpp:124 ViewportFrame::RemoveFrame layout/generic/nsViewportFrame.cpp:159 nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:736 nsCSSFrameConstructor::ContentRemoved layout/base/nsCSSFrameConstructor.cpp:7366 nsCSSFrameConstructor::RecreateFramesForContent layout/base/nsCSSFrameConstructor.cpp:9169 nsCSSFrameConstructor::ProcessRestyledFrames layout/base/nsCSSFrameConstructor.cpp:7831 PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4897 nsDocument::FlushPendingNotifications content/base/src/nsDocument.cpp:6356 nsDocument::FlushPendingNotifications content/base/src/nsDocument.cpp:6350 nsComputedDOMStyle::GetPropertyCSSValue layout/style/nsComputedDOMStyle.cpp:473 nsComputedDOMStyle::GetPropertyValue layout/style/nsComputedDOMStyle.cpp:324 NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102 ... The stack crash stack varies a lot, except for the last few frames. It always crashes on line 3663 though: 3660 nsWeakFrame* weakFrame = mWeakFrames; 3661 while (weakFrame) { 3662 nsWeakFrame* prev = weakFrame->GetPreviousWeakFrame(); 3663 if (weakFrame->GetFrame() == aFrame) { 3664 // This removes weakFrame from mWeakFrames. 3665 weakFrame->Clear(this); 3666 } 3667 weakFrame = prev; 3668 }
Comment 1•14 years ago
|
||
Uh... so is the weakFrame linked list broken or something?
Updated•14 years ago
|
Whiteboard: [sg:critical? (mitigated by frame poisoning)]
Whiteboard: [sg:critical? (mitigated by frame poisoning)] → [sg:critical? (mitigated by frame poisoning)] [no steps to reproduce]
Updated•14 years ago
|
Assignee: nobody → cbook
Keywords: testcase-wanted
Assignee | ||
Comment 2•14 years ago
|
||
testing is done in the general testrun with the new url list from chofmann. Testing is ongoing.
Assignee | ||
Comment 3•14 years ago
|
||
so far no crash found, still ongoing
Assignee | ||
Comment 4•14 years ago
|
||
no reproducible so far :( some crashes in crashstats seems to be start up crashes ?
Assignee | ||
Comment 5•14 years ago
|
||
marking worksforme for now, since not reproducible currently. Will reopen if we found steps to reproduce
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Updated•13 years ago
|
Crash Signature: [@ PresShell::ClearFrameRefs(nsIFrame*)]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Keywords: testcase-wanted
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•