crash in inDOMUtils::GetRuleNodeForContent @ nsINode::IsElement with Inspector

RESOLVED FIXED in Firefox 15

Status

()

Core
Layout
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: bz)

Tracking

({crash, regression})

15 Branch
mozilla16
All
Windows 7
crash, regression
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox15+ fixed)

Details

(Whiteboard: [qa?], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
It first appeared in 15.0a1/20120507. The regression range might be (discontinuous):
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=94ce5f33a9ea&tochange=448f554f6acb

All comments talk about the element inspector.

Signature 	nsINode::IsElement() More Reports Search
UUID	19681c62-263f-4e27-8682-709602120604
Date Processed	2012-06-04 03:47:37
Uptime	32012
Last Crash	3.6 days before submission
Install Age	13.7 hours since version was first installed.
Install Time	2012-06-03 14:03:57
Product	Firefox
Version	15.0a1
Build ID	20120603030523
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x18
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 215a17aa, AdapterDriverVersion: 8.15.10.2401
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+ 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3044982784
System Memory Use Percentage	58
Available Page File	3805892608
Available Physical Memory	1676779520

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsINode::IsElement 	obj-firefox/dist/include/nsINode.h:368
1 	xul.dll 	inDOMUtils::GetRuleNodeForContent 	layout/inspector/src/inDOMUtils.cpp:295
2 	xul.dll 	inDOMUtils::GetCSSStyleRules 	layout/inspector/src/inDOMUtils.cpp:170
3 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
4 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2356
5 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1500
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:310
7 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2512
8 	mozjs.dll 	js::CallObject::createForFunction 	js/src/vm/ScopeObject.cpp:199
9 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:358
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsINode%3A%3AIsElement%28%29
I can (and should) certainly fix this on the layout end by null-checking the element in inDOMUtils::GetCSSStyleRules and throwing when null, but why is the element inspector passing in null, exactly?  Throwing will likely break whatever element inspector code is passing null.

I guess it's also possible that the element inspector is passing some random non-DOM JS object, not null.
Paul: this is something related to the Inspector. Can you please take a look? Thanks!
Created attachment 630416 [details] [diff] [review]
Fix

Well, let's just throw instead of crashing
Attachment #630416 - Flags: review?(bugs)
Assignee: nobody → bzbarsky
tracking-firefox15: --- → ?
Whiteboard: [need review]

Updated

5 years ago
Attachment #630416 - Flags: review?(bugs) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/41838b80cb57
Flags: in-testsuite?
Whiteboard: [need review]
Target Milestone: --- → mozilla16
Comment on attachment 630416 [details] [diff] [review]
Fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Probably landing of some inspector
   changes
User impact if declined: Crashes in some circumstances that I don't understand
Testing completed (on m-c, etc.):  None.  The patch just adds a null-check on the   crashing codepath.
Risk to taking this patch (and alternatives if risky): Low risk: just a
   null-check.  Might replace crashes with the inspector tool not working right
   in some edge case, perhaps.
String or UUID changes made by this patch: None.
Attachment #630416 - Flags: approval-mozilla-aurora?

Updated

5 years ago
tracking-firefox15: ? → +

Comment 6

5 years ago
https://hg.mozilla.org/mozilla-central/rev/41838b80cb57
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 7

5 years ago
Comment on attachment 630416 [details] [diff] [review]
Fix

[Triage Comment]
Low risk null check. Approved for Aurora 15.
Attachment #630416 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
http://hg.mozilla.org/releases/mozilla-aurora/rev/cef26a492426
status-firefox15: --- → fixed

Comment 9

5 years ago
Verified the crash stats on the Socorro interface 
https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=1&range_unit=weeks&hang_type=any&process_type=any&signature=nsINode%3A%3AIsElement%28%29.

It seems that crashes with this signature are still happening, but they are also associated to bug 772459 (which has not been fixed yet). Are there any STR/guidelines QA can verify this fix with?

Updated

5 years ago
Whiteboard: [qa?]
You need to log in before you can comment on or make changes to this bug.