Open Bug 533796 Opened 15 years ago Updated 2 years ago

frame poisoned Crash [@ nsStyleContext::Mark() ]

Categories

(Core :: CSS Parsing and Computation, defect)

x86
Windows XP
defect

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase-wanted, Whiteboard: [sg:watch])

Crash Data

http://crash-stats.mozilla.com/report/index/972ddfbb-dbdd-4695-bb22-977842091205

Frame  	Module  	Signature  	Source
0 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:474
1 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
2 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
3 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
4 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
5 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
6 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
7 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
8 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
9 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
10 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
11 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
12 	xul.dll 	nsStyleContext::Mark 	layout/style/nsStyleContext.cpp:492
13 	xul.dll 	nsStyleSet::GCRuleTrees 	layout/style/nsStyleSet.cpp:915
14 	xul.dll 	nsFrameManager::ReResolveStyleContext 	layout/base/nsFrameManager.cpp:1278

More reports across all releases, with a variety of different stacks, at

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsStyleContext::Mark%28%29

Sort by address to get at the FP address crashes.
The security team would be interested if steps-to-reproduce showed up.
Group: core-security
Whiteboard: [sg:watch]
This frame-poisoned crash still happens, and is not limited to the old Firefox 3.6 branch.
Summary: frame poisoned Firefox 3.6b4 Crash [@ nsStyleContext::Mark() ] → frame poisoned Crash [@ nsStyleContext::Mark() ]
Crash Signature: [@ nsStyleContext::Mark() ]
Crash Signature: [@ nsStyleContext::Mark() ] → [@ nsStyleContext::Mark ] [@ nsStyleContext::Mark() ]
Severity: normal → S3