Bugzilla@Mozilla – Bug 475136
Crash [@ nsCSSStyleSheet::GetOwnerNode] after GC
Last modified: 2009-03-05 03:13:35 PST
Summon comment box
Created attachment 358552 [details] testcase (crashes Firefox when loaded, if Quitter is installed) Loading the testcase causes nsCSSStyleSheet::GetOwnerNode to call some random address. The testcase assumes you have http://www.squarefree.com/extensions/quitter.xpi installed, and uses it to trigger a GC at the right moment.
Created attachment 358557 [details] valgrind's explanation of crash Not as helpful as I was hoping.
Created attachment 358561 [details] [review] patch Thoughts on this approach vs. a DropStyleSheet method that just does the setting to null (and would also be called by SetStyleSheet)?
Created attachment 358562 [details] [review] patch Oops, forgot to qrefresh after my last edit.
And to be clear: what's fixing the bug is that we're now calling SetOwningNode(nsnull) at the two places in nsStyleLinkElement::DoUpdateStyleSheet that used to just do mStyleSheet = nsnull.
Comment on attachment 358562 [details] [review] patch Good catch. Can we possibly write a mochitest for this?
http://hg.mozilla.org/mozilla-central/rev/014fe552d77a
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/94fded227f9e
Comment on attachment 358562 [details] [review] patch Approved for 1.9.0.7, a=dveditz for release-drivers.
Commited to CVS trunk (for 1.9.0.* releases), 2009-02-02 20:13 -0800.
dbaron: Is this needed for the 1.8 branch? The testcase doesn't crash because Quitter fails to GC (Components.utils.forceGC is not a function), but the 1.8 version of nsStyleLinkElement::UpdateStyleSheet has code identical to that which you patched.
I don't know any reason that it wouldn't be needed... so it's probably needed.
Verified that the testcase here crashes 1.9.0.6 but doesn't crash 1.9.0.7 (with quitter extension). Used Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7pre) Gecko/2009021204 GranParadiso/3.0.7pre.
Created attachment 363095 [details] [review] 1.8 version
Comment on attachment 363095 [details] [review] 1.8 version >--- mozilla/content/base/src/nsStyleLinkElement.h.475136 2004-09-09 19:32:34.000000000 +0200 >+++ mozilla/content/base/src/nsStyleLinkElement.h 2009-02-17 18:12:08.000000000 +0100 >@@ -72,6 +72,7 @@ public: > > static void ParseLinkTypes(const nsAString& aTypes, nsStringArray& aResult); > >+ > protected: > virtual void GetStyleSheetURL(PRBool* aIsInline, > nsIURI** aURI) = 0; What's this added whitespace for? Otherwise than that nit, this is probably good for checkin.
Comment on attachment 363095 [details] [review] 1.8 version Approved for 1.8.1.21, a=dveditz for release-drivers In the future please use the same diff options as the patch you're porting (context lines, etc). that makes comparing them much easier
Committed the backported patch to MOZILLA_1_8_BRANCH, 2009-02-23 09:57 -0800. Thanks for doing the backport.
Comment on attachment 363095 [details] [review] 1.8 version a=asac for 1.8.0