Closed
Bug 552663
Opened 14 years ago
Closed 14 years ago
Crash [@ nsContentUtils::ComparePosition]
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: smaug)
References
()
Details
(Keywords: crash, topcrash, Whiteboard: [sg:dos][qa-examined-192][qa-needs-STR])
Crash Data
Attachments
(1 file, 1 obsolete file)
1.70 KB,
patch
|
jst
:
review+
dveditz
:
approval1.9.2.18-
dveditz
:
approval1.9.2.20+
christian
:
approval1.9.2.7-
|
Details | Diff | Splinter Review |
Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000 0x000000010068db2f in nsContentUtils::ComparePosition (aNode1=0x132491d00, aNode2=0x0) at /Users/timeless/devel/mozilla.org/mozilla-central/content/base/src/nsContentUtils.cpp:1575 1575 if (aNode2->IsNodeOfType(nsINode::eATTRIBUTE)) { (gdb) bt 10 #0 nsContentUtils::ComparePosition (aNode1=0x132491d00, aNode2=0x0) at nsContentUtils.cpp:1575 #1 nsContentUtils::PositionIsBefore (aNode1=0x132491d00, aNode2=0x0) at nsContentUtils.h:284 #2 nsContentList::ContentAppended (this=0x12efad510, aDocument=0x138994e00, aContainer=0x131664830, aNewIndexInContainer=27) at nsContentList.cpp:672 #3 nsNodeUtils::ContentAppended (aContainer=0x131664830, aNewIndexInContainer=27) at nsNodeUtils.cpp:135 #4 nsGenericElement::doInsertChildAt (aKid=0x12f047140, aIndex=27, aNotify=1, aParent=0x131664830, aDocument=0x138994e00, aChildArray=@0x131664870) at nsGenericElement.cpp:3304 #5 nsGenericElement::InsertChildAt (this=0x131664830, aKid=0x12f047140, aIndex=27, aNotify=1) at nsGenericElement.cpp:3235 #6 nsGenericElement::doReplaceOrInsertBefore (aReplace=0, aNewChild=0x12f047188, aRefChild=0x0, aParent=0x131664830, aDocument=0x138994e00, aReturn=0x7fff5fbfbcc0) at nsGenericElement.cpp:3993 #7 nsGenericElement::InsertBefore (this=0x131664830, aNewChild=0x12f047188, aRefChild=0x0, aReturn=0x7fff5fbfbcc0) at nsGenericElement.cpp:3529 #8 nsHTMLHeadElement::InsertBefore (this=0x131664830, newChild=0x12f047188, refChild=0x0, _retval=0x7fff5fbfbcc0) at nsHTMLHeadElement.cpp:56 #9 nsGenericElement::AppendChild (this=0x131664830, aNewChild=0x12f047188, aReturn=0x7fff5fbfbcc0) at nsGenericElement.h:503
so. i have the following extensions: DOM Inspector Google Gears [incompatible, disabled] NoScript Nightly Tester Tools Evernote Web Clipper [incompatible?, disabled] JavaScript Debugger javascript debugger is set to debug chrome, and trace exceptions. I suspect the exception it's hitting comes from noscript, because smaug can't trigger this w/ just venkman. all i do is: open Minefield, open Venkman, restore my session (maps.google.com), and drag the map content around a bit (or a lot), sometimes double clicking. my map view starts in USA, but i generally drag to just west of France/England.
Assignee | ||
Comment 2•14 years ago
|
||
This was a bit tricky to debug. So this is caused by the fact that JSD enabled scripts at unexpected time, and even so that JS timeouts get run. The other cases when the method is used, the latter parameter is PR_FALSE. Note, SetScriptsEnabled isn't used this ways elsewhere except in JSD.
Assignee | ||
Comment 3•14 years ago
|
||
Comment on attachment 434225 [details] [diff] [review] patch Oops, wrong patch
Attachment #434225 -
Attachment is obsolete: true
Attachment #434225 -
Flags: review?
Assignee | ||
Comment 4•14 years ago
|
||
Attachment #434226 -
Flags: review?
Assignee | ||
Comment 5•14 years ago
|
||
Note, ::RunTimeout is safe for GlobalWindow being frozen etc.
Assignee | ||
Updated•14 years ago
|
Attachment #434226 -
Flags: review? → review?(jst)
Assignee | ||
Comment 6•14 years ago
|
||
The whole SetScriptsEnabled is a bit strange method and should be probably removed. But in a different bug.
Assignee | ||
Comment 7•14 years ago
|
||
And note, JSD doesn't seem to suspend timeouts properly even without the patch, so nothing should break there. I could file a followup to make SetScriptsEnabled actually suspend timeouts when needed.
afaict that code was introduced or broken by bug 116834. rginda was around in the bug but it doesn't look like he reviewed the jsd stuff. oh well. let's fix that in a new bug.
Assignee | ||
Comment 9•14 years ago
|
||
The code isn't broken after all. It is just a bit strange. RunTimeout stops running timeouts if scripts are disabled.
Updated•14 years ago
|
Attachment #434226 -
Flags: review?(jst) → review+
Assignee | ||
Comment 10•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/fbe66466ad9e
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 11•14 years ago
|
||
bp-66ee1ec2-0502-435f-804b-2bccb2100520 might be this bug. Brian Krebs hit it while using the facebook privacy bookmarklet. Should we backport this patch to 1.9.2?
Assignee | ||
Comment 12•14 years ago
|
||
Comment on attachment 434226 [details] [diff] [review] patch We could take the patch to 1.9.2, but I'm not at all sure it fixes bp-66ee1ec2-0502-435f-804b-2bccb2100520
Attachment #434226 -
Flags: approval1.9.2.5?
Comment 13•14 years ago
|
||
Comment on attachment 434226 [details] [diff] [review] patch We will not be taking this for 3.6.6. Moving approval request forward. If you disagree, send me an email.
Attachment #434226 -
Flags: approval1.9.2.7?
Attachment #434226 -
Flags: approval1.9.2.6-
Attachment #434226 -
Flags: approval1.9.2.5?
Updated•14 years ago
|
Whiteboard: [sg:dos]
Comment 14•13 years ago
|
||
Comment on attachment 434226 [details] [diff] [review] patch Is this likely to help the topcrash? I don't see much venkman in the current crashes, but a large correlation with 95% (200/211) vs. 0% (270/65663) {3DF533F5-FB3C-4c4c-A1D7-99717F8C3038} I think that's the webroot malicious URL filtering extension. Seems unlikely to be using debug apis but who knows?
Attachment #434226 -
Flags: approval1.9.2.9? → approval1.9.2.18?
Comment 15•13 years ago
|
||
This is still the #28 topcrash on 3.6.17, no crashes on mozilla-2.0. maybe this patch worked?
blocking1.9.2: --- → ?
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
Keywords: testcase-wanted,
topcrash
OS: Mac OS X → All
Version: Trunk → 1.9.2 Branch
Comment 16•13 years ago
|
||
Comment on attachment 434226 [details] [diff] [review] patch Approved for 1.9.2.18, a=dveditz for release-drivers
Attachment #434226 -
Flags: approval1.9.2.18? → approval1.9.2.18+
Comment 17•13 years ago
|
||
Not blocking, but worth landing to see if it helps the topcrash.
blocking1.9.2: ? → -
Updated•13 years ago
|
Crash Signature: [@ nsContentUtils::ComparePosition]
Comment 18•13 years ago
|
||
Comment on attachment 434226 [details] [diff] [review] patch Didn't make 3.6.18
Attachment #434226 -
Flags: approval1.9.2.19+
Attachment #434226 -
Flags: approval1.9.2.18-
Attachment #434226 -
Flags: approval1.9.2.18+
Comment 19•13 years ago
|
||
Olli, can you land this on 1.9.2, please?
Assignee | ||
Comment 20•13 years ago
|
||
Seems like 1.9.2 doesn't compile on this machine. I need to find someone else to make sure the patch compiles etc.
Assignee | ||
Comment 21•13 years ago
|
||
Haven't found anyone yet who could compile and land the patch. Perhaps I'll just land and hope it compiles.
Assignee | ||
Comment 22•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/5d9164417ba7
Comment 23•13 years ago
|
||
Can someone please post some steps to reproduce or a test case in order to get this bug verified? Thanks!
Comment 24•13 years ago
|
||
(In reply to Simona B from comment #23) > Can someone please post some steps to reproduce or a test case in order to > get this bug verified? QA needs this as well.
Whiteboard: [sg:dos] → [sg:dos][qa-examined-192][qa-needs-STR]
Updated•9 years ago
|
Keywords: testcase-wanted
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•