Closed Bug 936969 Opened 6 years ago Closed 6 years ago

Crash [@ nsAttrAndChildArray::GetAttr(nsIAtom*, int) ]

Categories

(Core :: DOM: Core & HTML, defect, critical)

27 Branch
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla28
Tracking Status
firefox25 --- unaffected
firefox26 --- unaffected
firefox27 --- verified
firefox28 --- verified

People

(Reporter: bc, Assigned: smaug)

References

(Blocks 1 open bug, )

Details

(Keywords: crash, regression, Whiteboard: [bugday-20131204] )

Crash Data

Attachments

(1 file)

Probably a regression from bug 916945. The patch for that at least missed null checks for
GetFrameElementInternal() even though the method indicates that it may return null.
And the stack trace hints that it is null + offset crash.

I can't reproduce the crash though.
bc, could you test a tryserver build.
Look for 5bbb02dd567d in http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/?C=M;O=D .
Takes probably couple of hours before the builds are ready.
Flags: needinfo?(bclary)
(In reply to Olli Pettay [:smaug] from comment #3)
> bc, could you test a tryserver build.
> Look for 5bbb02dd567d in
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/?C=M;O=D .
> Takes probably couple of hours before the builds are ready.

With today's nightly on fedora 19 x86_64 I got:
bp-83c10a26-dbfe-4c3e-94fe-663772131111

With the try server build I couldn't reproduce with 10 tries.
Flags: needinfo?(bclary)
Attachment #830150 - Flags: review?(bobbyholley+bmo)
Comment on attachment 830150 [details] [diff] [review]
possible patch

Review of attachment 830150 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks. r=bholley

We should get this on aurora too.
Attachment #830150 - Flags: review?(bobbyholley+bmo) → review+
Comment on attachment 830150 [details] [diff] [review]
possible patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 916945
User impact if declined: null+offset crashes
Testing completed (on m-c, etc.): just landed to m-i
Risk to taking this patch (and alternatives if risky): it is just a null pointer check 
String or IDL/UUID changes made by this patch: NA
Attachment #830150 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/ca6ea866bc47
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment on attachment 830150 [details] [diff] [review]
possible patch

patch helps with a crash regression and is low risk, null check ; looks good to land
Attachment #830150 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Keywords: verifyme
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:27.0) Gecko/20100101 Firefox/27.0
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Mozilla/5.0 (X11; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0

Verified as fixed on latest Aurora 27.0a2 (buildID: 20131128004001).
verified on nightly 28.0a1 20131130030209.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Whiteboard: [bugday-20131204]
You need to log in before you can comment on or make changes to this bug.