[HTML5] Crash [@ SelectorMatches ]

Status: RESOLVED FIXED
Product: Core
Component: HTML: Parser
Severity: critical
Opened: 8 years ago
Last modified: 4 years ago
Reporter: Ria Klaassen (not reading all bugmail)
Assignee: Unassigned
Version: Trunk
Platform: x86, Windows XP
Keywords: crash, regression
Firefox Tracking Flags: blocking2.0 final+
Attachments: 1 attachment
STR:

- Set html5.enable to true
- go to URL

http://crash-stats.mozilla.com/report/index/bp-3a67ce8a-bf15-4f91-94a7-4e0f42100527

0  	xul.dll  	SelectorMatches  	 layout/style/nsCSSRuleProcessor.cpp:2076
1 	xul.dll 	SelectorMatches 	layout/style/nsCSSRuleProcessor.cpp:1753
2 	xul.dll 	SelectorMatchesTree 	layout/style/nsCSSRuleProcessor.cpp:2176
3 	xul.dll 	ContentEnumFunc 	layout/style/nsCSSRuleProcessor.cpp:2228
4 	xul.dll 	RuleHash::EnumerateAllRules 	layout/style/nsCSSRuleProcessor.cpp:675
5 	xul.dll 	xul.dll@0x26ed3f 	
6 		@0x8db048f

No problem on Namoroka.
(Reporter)

Updated

8 years ago
Keywords: crash
Works: ac1df371f376
Fails: 01af306025cb
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ac1df371f376&tochange=01af306025cb is the range.
Hrm.  My tip Linux debug build doesn't seem to show the problem... :(

Line 2076 there isn't something I would expect the html parser to affect, also.  I wonder what's going on.

Comment 5

8 years ago
Crashes on 10.6 as well.
http://crash-stats.mozilla.com/report/index/095b8045-c6be-4f0c-988f-8d2cd2100527
is pretty useless, but I got a report from Apple's Crash Reporter (I'll attach the full log next):

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   XUL                           	0x002e74b2 nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int) + 18
1   XUL                           	0x002f83a3 nsStyleContext::GetStyleData(nsStyleStructID) + 83
2   XUL                           	0x002dff53 nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*) + 1571
3   XUL                           	0x002e78d1 nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int) + 1073
4   XUL                           	0x002f83a3 nsStyleContext::GetStyleData(nsStyleStructID) + 83
5   XUL                           	0x002dff53 nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*) + 1571
6   XUL                           	0x002e78d1 nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int) + 1073
7   XUL                           	0x002f83a3 nsStyleContext::GetStyleData(nsStyleStructID) + 83
8   XUL                           	0x002dff53 nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*) + 1571

Comment 6

8 years ago
Created attachment 447869 [details]
crash log, comment 5
That looks like stack overflow.  Henri was working on the deep trees the html5 parser can produce, I think.
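The stack-overflow reading above rests on the same three frames repeating down the thread quoted in comment 5. As an added example (not part of the original bug thread and not Mozilla tooling), this Python script finds such a repeating frame cycle in an Apple crash-report thread; `parse_frames` and `find_recursion_cycle` are hypothetical names, and the input is the nine frames from comment 5.

```python
import re

# The nine frames quoted in comment 5, with whitespace normalized.
SAMPLE = """\
0 XUL 0x002e74b2 nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int) + 18
1 XUL 0x002f83a3 nsStyleContext::GetStyleData(nsStyleStructID) + 83
2 XUL 0x002dff53 nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*) + 1571
3 XUL 0x002e78d1 nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int) + 1073
4 XUL 0x002f83a3 nsStyleContext::GetStyleData(nsStyleStructID) + 83
5 XUL 0x002dff53 nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*) + 1571
6 XUL 0x002e78d1 nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int) + 1073
7 XUL 0x002f83a3 nsStyleContext::GetStyleData(nsStyleStructID) + 83
8 XUL 0x002dff53 nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*) + 1571
"""

# Frame line layout: index, module, address, symbol, "+", byte offset.
FRAME_RE = re.compile(r"^\s*\d+\s+\S+\s+0x[0-9a-fA-F]+\s+(.+?)\s+\+\s+\d+\s*$")

def parse_frames(text):
    """Return the symbol of every frame line, top of stack first."""
    symbols = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            symbols.append(m.group(1))
    return symbols

def find_recursion_cycle(symbols, min_repeats=2):
    """Find the shortest group of frames that repeats back to back until the
    captured trace ends (the final repeat may be cut off by truncation).
    Returns (start_index, cycle, full_repeats) or None."""
    n = len(symbols)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            cycle = symbols[start:start + period]
            i, repeats = start, 0
            while symbols[i:i + period] == cycle:
                repeats += 1
                i += period
            tail = symbols[i:]
            if repeats >= min_repeats and tail == cycle[:len(tail)]:
                return start, cycle, repeats
    return None

if __name__ == "__main__":
    print(find_recursion_cycle(parse_frames(SAMPLE)))
```

Only nine frames are quoted in the comment, so the repeat count describes the excerpt, not the recursion depth at the time of the crash.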
(Reporter)

Updated

8 years ago
Keywords: regressionwindow-wanted
Making the parser clip deep trees before they reach layout is bug 561874.
Depends on: 561874
Blocking 1.9.3 final+.  Regression.
blocking2.0: ? → final+
Bug 561874 landed. Please verify if it fixed this once the nightlies have cycled.
Doesn't crash any more on OS X 10.6.
http://hg.mozilla.org/mozilla-central/rev/6dbc5341b490
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a5pre) Gecko/20100604 Minefield/3.7a5pre

Updated

8 years ago
Severity: normal → critical
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a5pre) Gecko/20100604 Minefield/3.7a5pre

Yes, it is fixed now. The page loads fine.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

7 years ago
Crash Signature: [@ SelectorMatches ]