Closed Bug 828180 Opened 12 years ago Closed 12 years ago

crash in nsIContent::IsHTML

Categories

(Core :: DOM: Core & HTML, defect)

20 Branch
All
Windows 7
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla21
Tracking Status
firefox20 --- verified
firefox21 --- verified

People

(Reporter: scoobidiver, Assigned: peterv)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

It first showed up in 20.0a1/20130106. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d8ca3e1c469e&tochange=20d1a5916ef6 I suspect bug 824907. Signature nsIContent::IsHTML(nsIAtom*) More Reports Search UUID 4b217ab7-4816-494e-b648-7580a2130109 Date Processed 2013-01-09 07:08:17 Uptime 142 Last Crash 2.5 minutes before submission Install Age 5.0 minutes since version was first installed. Install Time 2013-01-09 07:03:25 Product Firefox Version 21.0a1 Build ID 20130108033457 Release Channel nightly OS Windows NT OS Version 5.1.2600 Service Pack 3 Build Architecture x86 Build Architecture Info GenuineIntel family 15 model 4 stepping 1 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0xc App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x2562, AdapterSubsysID: 25628086, AdapterDriverVersion: 6.14.10.4020 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x2562 Total Virtual Memory 2147352576 Available Virtual Memory 1822892032 System Memory Use Percentage 57 Available Page File 1947811840 Available Physical Memory 452120576 Frame Module Signature Source 0 xul.dll nsIContent::IsHTML obj-firefox/dist/include/nsIContent.h:281 1 xul.dll mozilla::dom::HTMLTableElement::SetTHead obj-firefox/dist/include/mozilla/dom/HTMLTableElement.h:65 2 xul.dll mozilla::dom::HTMLTableElementBinding::set_tHead obj-firefox/dom/bindings/HTMLTableElementBinding.cpp:174 3 xul.dll mozilla::dom::HTMLTableElementBinding::genericSetter obj-firefox/dom/bindings/HTMLTableElementBinding.cpp:989 4 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:391 5 mozjs.dll js::Invoke js/src/jsinterp.cpp:439 6 mozjs.dll js::Shape::set js/src/jsscopeinlines.h:315 7 mozjs.dll js::baseops::SetPropertyHelper js/src/jsobj.cpp:3686 8 mozjs.dll js::Interpret js/src/jsinterp.cpp:2307 9 mozjs.dll js::RunScript js/src/jsinterp.cpp:340 10 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:406 11 mozjs.dll js::Invoke js/src/jsinterp.cpp:439 12 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5806 13 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1432 14 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:580 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsIContent%3A%3AIsHTML%28nsIAtom*%29
Attached patch v1Splinter Review
Bleh.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attachment #699639 - Flags: review?(bzbarsky)
Blocks: 824907
Comment on attachment 699639 [details] [diff] [review] v1 r=me We need to get this on Aurora too, right?
Attachment #699639 - Flags: review?(bzbarsky) → review+
Comment on attachment 699639 [details] [diff] [review] v1 https://hg.mozilla.org/integration/mozilla-inbound/rev/68c146972e78 [Approval Request Comment] Bug caused by (feature/regressing bug #): 824907 User impact if declined: null crash Testing completed (on m-c, etc.): on inbound, has crashtest Risk to taking this patch (and alternatives if risky): low-risk, just adding null-check String or UUID changes made by this patch: none
Attachment #699639 - Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Comment on attachment 699639 [details] [diff] [review] v1 Null check crash fix, approving for Aurora 20.
Attachment #699639 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
There are a few crashes after the fix from 2013-01-10, with this signature, [@ nsIContent::IsHTML(nsIAtom*)], in the Socorro reports from last month: https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&hang_type=any&process_type=any&signature=nsIContent%3A%3AIsHTML%28nsIAtom%2A%29 - 14 crashes on 19.0.2 - a few crashes on Firefox 20 beta: 1, 2, 4 and 5 Any suggestions?
Totally different stacks on those, as far as I can tell.
In this case, marking this as verified fixed on Firefox 20, based on comment 9.
In the Socorro reports from last month, there are some crashes with [@ nsIContent::IsHTML(nsIAtom*)] signature on Firefox 21: - beta 6: 8 crashes; - beta 4: 2 crashes; - beta 3: 3 crashes; - beta 1: 1 crash. Could anyone please verify if those are related with this issue?
Scoobidiver, could you please look into whether the crashes Alexandra is seeing in crash-stats for Firefox 21 are related to this bug?
Flags: needinfo?(scoobidiver)
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12) > Scoobidiver, could you please look into whether the crashes Alexandra is > seeing in crash-stats for Firefox 21 are related to this bug? None of crashes in 20.0.1 and 21.0 have mozilla::dom::HTMLTableElement::SetTHead in the stack trace so they are a different issue.
Status: RESOLVED → VERIFIED
Flags: needinfo?(scoobidiver)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: