Crash [@ nsAttrAndChildArray::GetAttr(nsIAtom*, int) ]

VERIFIED FIXED in Firefox 27

Status

()

--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: bc, Assigned: smaug)

Tracking

(Blocks: 1 bug, {crash, regression})

27 Branch
mozilla28
crash, regression
Points:
---

Firefox Tracking Flags

(firefox25 unaffected, firefox26 unaffected, firefox27 verified, firefox28 verified)

Details

(Whiteboard: [bugday-20131204] , crash signature, URL)

Attachments

(1 attachment)

(Assignee)

Comment 1

5 years ago
Probably a regression from bug 916945. The patch for that at least missed null checks for
GetFrameElementInternal() even though the method indicates that it may return null.
And the stack trace hints that it is null + offset crash.

I can't reproduce the crash though.
(Assignee)

Comment 3

5 years ago
bc, could you test a tryserver build.
Look for 5bbb02dd567d in http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/?C=M;O=D .
Takes probably couple of hours before the builds are ready.
(Assignee)

Updated

5 years ago
Flags: needinfo?(bclary)
(Reporter)

Comment 4

5 years ago
(In reply to Olli Pettay [:smaug] from comment #3)
> bc, could you test a tryserver build.
> Look for 5bbb02dd567d in
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/?C=M;O=D .
> Takes probably couple of hours before the builds are ready.

With today's nightly on fedora 19 x86_64 I got:
bp-83c10a26-dbfe-4c3e-94fe-663772131111

With the try server build I couldn't reproduce with 10 tries.
Flags: needinfo?(bclary)
(Assignee)

Updated

5 years ago
Attachment #830150 - Flags: review?(bobbyholley+bmo)
Comment on attachment 830150 [details] [diff] [review]
possible patch

Review of attachment 830150 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks. r=bholley

We should get this on aurora too.
Attachment #830150 - Flags: review?(bobbyholley+bmo) → review+
(Assignee)

Comment 7

5 years ago
Comment on attachment 830150 [details] [diff] [review]
possible patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 916945
User impact if declined: null+offset crashes
Testing completed (on m-c, etc.): just landed to m-i
Risk to taking this patch (and alternatives if risky): it is just a null pointer check 
String or IDL/UUID changes made by this patch: NA
Attachment #830150 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/ca6ea866bc47
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment on attachment 830150 [details] [diff] [review]
possible patch

patch helps with a crash regression and is low risk, null check ; looks good to land
Attachment #830150 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/8a8ece0bcb6c
Assignee: nobody → bugs
status-firefox27: affected → fixed
status-firefox28: affected → fixed

Updated

5 years ago
Keywords: verifyme
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:27.0) Gecko/20100101 Firefox/27.0
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Mozilla/5.0 (X11; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0

Verified as fixed on latest Aurora 27.0a2 (buildID: 20131128004001).
status-firefox27: fixed → verified

Comment 12

5 years ago
verified on nightly 28.0a1 20131130030209.
Status: RESOLVED → VERIFIED
status-firefox28: fixed → verified
Keywords: verifyme
Whiteboard: [bugday-20131204]
You need to log in before you can comment on or make changes to this bug.