Closed Bug 830948 Opened 7 years ago Closed 7 years ago

Crash [@ nsGlobalWindow::GetInnerHeight(int*)] while clicking View -> Zoom -> Zoom In on Firefox Aurora 20

Categories

(Core :: DOM: Core & HTML, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla21
Tracking Status
firefox19 + verified
firefox20 + verified
firefox21 + verified
firefox-esr17 - wontfix
b2g18 + wontfix

People

(Reporter: gkw, Assigned: smaug)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Crash signature: bp-9e55cde4-113e-4441-b673-3bcbf2130115

I was using Aurora 20 build ID 20130115042018. In a new private browsing window, I was doing a Google search, opening 4 tabs, and closing 3 after I finished reading them. Using a mouse, I then clicked on View -> Zoom -> Zoom In and it immediately crashed.

The crashing line is at http://hg.mozilla.org/releases/mozilla-aurora/annotate/57fc7a3fcd2b/dom/base/nsGlobalWindow.cpp#l3704

Jesse suggests that something might have messed up mDocShell in line 3704, but we are not entirely sure if EnsureSizeUpToDate() might have been the culprit.
Indeed, EnsureSizeUpToDate flushes, which may cause scripts to run, which may end up
closing the window so mDocShell may be null.
Assignee: nobody → bugs
Attached patch patchSplinter Review
Attachment #702500 - Flags: review?(bzbarsky)
Nominating for tracking, this is easy to hit from the end-user side. I'm not sure how far back this affects though.
(In reply to Olli Pettay [:smaug] from comment #2)
> Created attachment 702500 [details] [diff] [review]
> patch
Note, as far as I see, EnsureSizeUpToDate doesn't actually do anything if there isn't mDocshell.
Comment on attachment 702500 [details] [diff] [review]
patch

r=me
Attachment #702500 - Flags: review?(bzbarsky) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/43135307225f
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Keywords: checkin-needed
Target Milestone: --- → mozilla21
I poked at the source and it seems that this bug is present across all branches.
Comment on attachment 702500 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): old stuff
User impact if declined: crashes
Testing completed (on m-c, etc.): landed to m-c yesterday 
Risk to taking this patch (and alternatives if risky): null check
String or UUID changes made by this patch: NA

The patch seems to apply cleanly everywhere.
Attachment #702500 - Flags: approval-mozilla-esr17?
Attachment #702500 - Flags: approval-mozilla-beta?
Attachment #702500 - Flags: approval-mozilla-aurora?
Attachment #702500 - Flags: approval-mozilla-b2g18?
Crash Signature: [@ nsGlobalWindow::GetInnerHeight(int*)] → [@ nsGlobalWindow::GetInnerHeight(int*)] [@ nsGlobalWindow::GetInnerHeight] [@ nsGlobalWindow::GetInnerWidth(int*)] [@ nsGlobalWindow::GetInnerWidth]
This doesn't qualify for esr landing, but will track for 19 and approve for branches.
Attachment #702500 - Flags: approval-mozilla-esr17?
Attachment #702500 - Flags: approval-mozilla-esr17-
Attachment #702500 - Flags: approval-mozilla-beta?
Attachment #702500 - Flags: approval-mozilla-beta+
Attachment #702500 - Flags: approval-mozilla-aurora?
Attachment #702500 - Flags: approval-mozilla-aurora+
Keywords: checkin-needed
Comment on attachment 702500 [details] [diff] [review]
patch

This doesn't seem to fix any obvious problems on b2g18, so minus for landing there. If that's not a correct assessment, please re-nominate.
Attachment #702500 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18-
I couldn't reproduce the issue in comment 0. Checking the crash stats, this looks good in general, but I see 1 crash on FF 19b3 - https://crash-stats.mozilla.com/report/index/5338111a-d778-47d1-a2a4-7e7dc2130129. Any thoughts?
(In reply to Paul Silaghi [QA] from comment #13)
> I couldn't reproduce the issue in comment 0. Checking the crash stats, this
> looks good in general, but I see 1 crash on FF 19b3 -
> https://crash-stats.mozilla.com/report/index/5338111a-d778-47d1-a2a4-
> 7e7dc2130129. Any thoughts?

That crash crashes at a different line, at http://hg.mozilla.org/releases/mozilla-beta/annotate/8848df2565b6/dom/base/nsGlobalWindow.cpp#l3634 - I've filed bug 838806 for this.

Since crash-stats does not seem to show anymore related crashes -> VERIFIED
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.