Closed
Bug 681135
Opened 14 years ago
Closed 5 years ago
crash in RuleHash::EnumerateAllRules @ nsAttrValue::GetAtomCount
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: nhirata, Unassigned)
Details
(Keywords: crash, Whiteboard: [mobile-crash][native-crash])
Crash Data
This bug was filed from the Socorro interface and is report bp-d5dcfc49-4ee9-4481-8d46-4aa3f2110822.
=============================================================
Crashing Thread
Frame Module Signature Source
0 libxul.so nsAttrValue::GetAtomCount nsTArray.h:170
1 libxul.so RuleHash::EnumerateAllRules layout/style/nsCSSRuleProcessor.cpp:616
2 libxul.so nsCSSRuleProcessor::RulesMatching layout/style/nsCSSRuleProcessor.cpp:2256
3 libxul.so EnumRulesMatching<PseudoElementRuleProcessorData> layout/style/nsStyleSet.cpp:432
4 libxul.so nsStyleSet::FileRules layout/style/nsRuleWalker.h:53
5 libxul.so nsStyleSet::ProbePseudoElementStyle layout/style/nsRuleWalker.h:53
6 libxul.so nsStyleSet::ProbePseudoElementStyle layout/style/nsStyleSet.cpp:1072
7 libxul.so nsLayoutUtils::HasPseudoStyle nsAutoPtr.h:1402
8 libxul.so AdjustAppendParentForAfterContent layout/base/nsCSSFrameConstructor.cpp:5579
9 libxul.so nsCSSFrameConstructor::ContentAppended layout/base/nsCSSFrameConstructor.cpp:6556
10 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6295
11 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
12 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
13 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
14 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
15 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
16 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
17 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsChildIterator.h:175
18 libxul.so nsCSSFrameConstructor::CreateNeededFrames layout/base/nsCSSFrameConstructor.cpp:6316
19 libxul.so PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4761
20 libxul.so nsDocument::FlushPendingNotifications nsCOMPtr.h:492
21 libxul.so nsDocument::FlushPendingNotifications nsIDocument.h:491
22 libxul.so nsDocLoader::DocLoaderIsEmpty uriloader/base/nsDocLoader.cpp:778
23 libxul.so nsDocLoader::OnStopRequest uriloader/base/nsDocLoader.cpp:711
24 libxul.so nsLoadGroup::RemoveRequest netwerk/base/src/nsLoadGroup.cpp:734
25 libxul.so nsDocument::DoUnblockOnload nsCOMPtr.h:492
26 libxul.so nsDocument::UnblockOnload content/base/src/nsDocument.cpp:7171
27 libxul.so nsLoadBlockingPLDOMEvent::~nsLoadBlockingPLDOMEvent nsCOMPtr.h:492
28 libxul.so nsLoadBlockingPLDOMEvent::~nsLoadBlockingPLDOMEvent mozalloc.h:253
29 libxul.so nsRunnable::Release obj-firefox/xpcom/build/nsThreadUtils.cpp:55
30 libxul.so nsCOMPtr_base::~nsCOMPtr_base obj-firefox/xpcom/build/nsCOMPtr.cpp:82
31 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:639
32 libxul.so NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:245
33 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:111
34 libxul.so mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:230
35 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:222
36 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:514
37 libxul.so nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:191
38 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:673
39 libxul.so mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:222
40 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:222
41 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:514
42 libxul.so XRE_InitChildProcess nsAutoPtr.h:155
43 libmozutils.so ChildProcessInit other-licenses/android/APKOpen.cpp:796
44 plugin-container main ipc/app/MozillaRuntimeMainAndroid.cpp:69
45 libc.so libc.so@0x14e10
More signatures:
https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-08-22%2014%3A00%3A00&signature=nsAttrValue%3A%3AGetAtomCount&version=Fennec%3A9.0a1
Updated•13 years ago
Component: Layout → Style System (CSS)
QA Contact: layout → style-system
Summary: crash [@ nsAttrValue::GetAtomCount] → crash in RuleHash::EnumerateAllRules @ nsAttrValue::GetAtomCount
Whiteboard: [mobile-crash] → [mobile-crash][native-crash]
Comment 2•13 years ago
The crashes seem to mostly be null-derefs. But in the style code the relevant thing (the nsAttrValue*) is null-checked before being dereferenced.
The most likely failure mode would then be that either the attr value's mAtomArray is null or its mHdr is null.... but the latter should never happen for an nsTArray, and the former should never happen because we have infallible new _and_ a null-check on the return value.
Comment 3•13 years ago
And in particular, the crash in the current crashes on beta happens on line 224 of nsTArray.h, which looks like this:
223 size_type Length() const {
224 return mHdr->mLength;
225 }
If |this| is null, then mHdr would be being read at 0. If mHdr is null, then mLength would be being read at 0 as well. So it's not quite obvious which is null.
In any case, this is not a CSS issue...
Component: Style System (CSS) → DOM
QA Contact: style-system → general
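The ambiguity described in comment 3, worked through as an added example (not part of the original bug and not Mozilla's code). `ModelArray` and `ModelHeader` are simplified stand-ins assumed for illustration, and the `mCapacity` accessor is hypothetical, included only to show when a fault address does distinguish the two cases.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified model of the array layout discussed in comment 3
// (assumed for illustration; not Mozilla's actual definitions).
struct ModelHeader {
  uint32_t mLength;
  uint32_t mCapacity;
};
struct ModelArray {
  ModelHeader* mHdr;
};

// For an accessor compiled as `return mHdr-><field>;`, list which null-pointer
// hypotheses are consistent with the observed fault address.
//   "this": the array object is null, so loading this->mHdr faults at
//           offsetof(ModelArray, mHdr).
//   "mHdr": the array is valid but mHdr is null, so loading the field faults
//           at the field's offset inside the header.
std::vector<std::string> NullCandidates(uintptr_t faultAddr, size_t fieldOffset) {
  std::vector<std::string> out;
  if (faultAddr == offsetof(ModelArray, mHdr)) out.push_back("this");
  if (faultAddr == fieldOffset) out.push_back("mHdr");
  return out;
}

// Length() reads mLength, the first field of the header.
std::vector<std::string> LengthCandidates(uintptr_t faultAddr) {
  return NullCandidates(faultAddr, offsetof(ModelHeader, mLength));
}

// Hypothetical accessor reading mCapacity, a field at a non-zero offset.
std::vector<std::string> CapacityCandidates(uintptr_t faultAddr) {
  return NullCandidates(faultAddr, offsetof(ModelHeader, mCapacity));
}

int main() {
  // A fault at address 0 inside Length() fits both hypotheses.
  for (const auto& c : LengthCandidates(0)) std::printf("Length@0: %s\n", c.c_str());
  // A field at a non-zero offset would separate them by fault address.
  for (const auto& c : CapacityCandidates(4)) std::printf("Capacity@4: %s\n", c.c_str());
  return 0;
}
```

Because both loads in `Length()` sit at offset 0, the fault address alone cannot separate the hypotheses; the register holding `this` in the crash dump is what would.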
Comment 4•13 years ago
And in particular, if we're ending up in this code then the nsAttrValue is definitely of type eAtomArray...
Comment 5•7 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046
Move all DOM bugs that haven't been updated in more than 3 years and have no one currently assigned to P5.
If you have questions, please contact :mdaly.
Priority: -- → P5
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Comment 6•5 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME