Bug 416461 - Crash [@ nsStyleContext::Release] on reload with mathml element and menupopup
Status: VERIFIED FIXED
Whiteboard: [sg:critical] post-1.8-branch [fixed ...
Keywords: crash, regression, testcase, verified1.9.0.6, verified1.9.1
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: All All
Importance: P3 critical (vote)
Target Milestone: mozilla1.9.2a1
Assigned To: Mats Palmgren [:mats]
QA Contact: layout
Depends on: 431705
Reported: 2008-02-08 16:20 PST by Martijn Wargers [:mw22] (QA - IRC nick: mw22)
Modified: 2009-02-07 21:36 PST
roc: blocking1.9.1+
roc: blocking1.9-
dveditz: blocking1.9.0.6+
dveditz: wanted1.9.0.x+
dveditz: wanted1.8.1.x-
asac: wanted1.8.0.x-
jruderman: in‑testsuite+
Crash Signature:
[@ nsStyleContext::Release]


Attachments
testcase (crashes on reload) (251 bytes, application/vnd.mozilla.xul+xml)
2008-02-08 16:20 PST, Martijn Wargers [:mw22] (QA - IRC nick: mw22)
testcase (crashes when closed) (243 bytes, application/vnd.mozilla.xul+xml)
2008-02-08 19:56 PST, Jesse Ruderman

Description Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-02-08 16:20:36 PST
Created attachment 302219 [details]
testcase (crashes on reload)

See testcase, which crashes with current trunk build on reload.

This regressed on trunk between 2008-01-09 and 2008-01-10:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2008-01-09+04&maxdate=2008-01-10+06&cvsroot=%2Fcvsroot
Regression from bug 404146 or bug 404192

http://crash-stats.mozilla.com/report/index/e2985d57-d6a1-11dc-ae09-001a4bd43ef6
0  	@0x25a161f  	
1 	nsStyleContext::Release() 	nsStyleContext.h:92
2 	nsFrame::~nsFrame() 	mozilla/layout/generic/nsFrame.cpp:350
3 	nsAreaFrame::`scalar deleting destructor'(unsigned int) 	
4 	nsFrame::Destroy() 	mozilla/layout/generic/nsFrame.cpp:510
5 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:299
6 	nsBlockFrame::Destroy() 	mozilla/layout/generic/nsBlockFrame.cpp:314
7 	nsFrameList::DestroyFrames() 	mozilla/layout/generic/nsFrameList.cpp:67
8 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:257
9 	nsFrameList::DestroyFrames() 	mozilla/layout/generic/nsFrameList.cpp:67
10 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:257
11 	nsFrameList::DestroyFrames() 	mozilla/layout/generic/nsFrameList.cpp:67
12 	nsContainerFrame::Destroy() 	mozilla/layout/generic/nsContainerFrame.cpp:257
13 	nsFrameManager::Destroy() 	mozilla/layout/base/nsFrameManager.cpp:283
14 	PresShell::Destroy() 	mozilla/layout/base/nsPresShell.cpp:1673
15 	DocumentViewerImpl::Destroy() 	mozilla/layout/base/nsDocumentViewer.cpp:1522
16 	DocumentViewerImpl::Show() 	mozilla/layout/base/nsDocumentViewer.cpp:1842
17 	nsPresContext::EnsureVisible(int) 	mozilla/layout/base/nsPresContext.cpp:1449
18 	PresShell::UnsuppressAndInvalidate() 	mozilla/layout/base/nsPresShell.cpp:4247
19 	PresShell::UnsuppressPainting() 	mozilla/layout/base/nsPresShell.cpp:4307
20 	DocumentViewerImpl::LoadComplete(unsigned int) 	mozilla/layout/base/nsDocumentViewer.cpp:1013
21 	nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) 	mozilla/docshell/base/nsDocShell.cpp:5031
22 	nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) 	mozilla/docshell/base/nsWebShell.cpp:1013
23 	nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) 	mozilla/docshell/base/nsDocShell.cpp:4931
Comment 1 Jesse Ruderman 2008-02-08 18:57:44 PST
Crashes calling 0xdddddddd for me on Mac.
Comment 2 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-02-08 19:01:01 PST
It doesn't crash on branch.
Comment 3 Jesse Ruderman 2008-02-08 19:56:34 PST
Created attachment 302254 [details]
testcase (crashes when closed)

I just changed "display: -moz-initial" to "display: inline" to improve clarity and compatibility.
Comment 4 David Baron [:dbaron] 2008-06-18 17:51:44 PDT
Does the patch in bug 431705 fix this?
Comment 5 Mats Palmgren [:mats] 2008-06-18 20:18:57 PDT
That seems very likely, yes.  The testcase uses -moz-box-ordinal-group
and my latest local patch makes the crash go away - I'll dig a little deeper
looking at the frame trees to be sure...
I'll have the new patch ready for review in a day or two.
Comment 6 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2008-09-08 06:10:07 PDT
Still crashes, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre
Comment 7 Brandon Sterne (:bsterne) 2008-11-06 11:46:30 PST
I am adding this to our "Top Security Bugs" list.  Please treat this as a top priority.
Comment 8 Mats Palmgren [:mats] 2008-11-16 18:52:15 PST
FYI, bug 431705 contains fix + crashtest for this, will land after beta2.
Comment 9 Mats Palmgren [:mats] 2008-12-07 19:11:11 PST
Fixed by bug 431705.  Holding the crashtest until Firefox 3.0.x is fixed.
Comment 10 Daniel Veditz 2008-12-26 10:15:29 PST
Marking fixed1.9.0.6 for verification because bug 431705 has landed on cvs-trunk.
Comment 11 Alexander Sack 2009-01-04 18:30:20 PST
not for 1.8.0
Comment 12 Al Billings [:abillings] 2009-01-05 17:02:54 PST
Verified for 1.9.0.6 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6pre) Gecko/2009010504 GranParadiso/3.0.6pre.
Comment 13 Tony Chung [:tchung] 2009-01-22 20:44:41 PST
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090122 Shiretoko/3.1b3pre 
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090122 Minefield/3.2a1pre

In the testcase, any reason why the perimeter of the box area does not stretch fully across the screen on trunk?  It's maximized on branch.
