Open Bug 531952 Opened 15 years ago Updated 2 years ago

Frame Poisoned Crash [@nsIFrame::GetView() ]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox-esr45 --- affected

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase-wanted)

Crash Data

spin off of frame poisoning bug 526587 #20. ranked with 48 crashes @ 0xfffffffff0dea7ff nsIFrame::GetView() there is another bug with the same signature -- " Bug 376193 - Print Preview crashes Firefox [@ nsIFrame::GetView] " but the stacks listed there don't appear to be frame poisoned and that might be a separate problem. no comments indicate the crashes with fp signatures are related to print preview. here is an example of the frame poisoned report http://crash-stats.mozilla.com/report/index/75f379f4-6c8c-46e5-8974-491e72091130 Frame Module Signature [Expand] Source 0 xul.dll nsIFrame::GetView layout/generic/nsFrame.cpp:3449 1 xul.dll nsContainerFrame::Destroy layout/generic/nsContainerFrame.cpp:264 2 xul.dll nsFrameManager::Destroy layout/base/nsFrameManager.cpp:290 3 xul.dll PresShell::Destroy layout/base/nsPresShell.cpp:1933 4 xul.dll PresShell::`scalar deleting destructor' 5 xul.dll PresShell::Release layout/base/nsPresShell.cpp:1637 6 xul.dll nsCOMPtr<nsISupports>::~nsCOMPtr<nsISupports> 7 xul.dll nsTHashtable<nsObserverList>::s_ClearEntry obj-firefox/dist/include/nsTHashtable.h:397 8 xul.dll PL_DHashTableRawRemove obj-firefox/xpcom/build/pldhash.c:723 9 xul.dll PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.c:757 10 xul.dll xul.dll@0x97a10f 11 xul.dll nsObserverService::Shutdown xpcom/ds/nsObserverService.cpp:95 12 xul.dll nsIDocument::operator delete obj-firefox/dist/include/nsIDocument.h:122 13 xul.dll mozilla::ShutdownXPCOM xpcom/build/nsXPComInit.cpp:807 14 xul.dll ScopedXPCOMStartup::~ScopedXPCOMStartup toolkit/xre/nsAppRunner.cpp:1033 15 nspr4.dll PR_GetEnv 16 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3525 more at http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsIFrame::GetView%28%29 then sort on address
Blocks: PoisonFrameCrash
The security team would be interested if steps-to-reproduce showed up.
Group: core-security
Whiteboard: [sg:watch]
Keywords: crash, testcase-wanted
Whiteboard: [sg:watch]
Crash Signature: [@nsIFrame::GetView() ]
Crash Signature: [@nsIFrame::GetView() ] → [@nsIFrame::GetView() ] [@nsIFrame::GetView ]
Crash volume for signature 'nsIFrame::GetView': - nightly (version 50): 0 crash from 2016-06-06. - aurora (version 49): 0 crash from 2016-06-07. - beta (version 48): 21 crashes from 2016-06-06. - release (version 47): 57 crashes from 2016-05-31. - esr (version 45): 2 crashes from 2016-04-07. Crash volume on the last weeks: Week N-1 Week N-2 Week N-3 Week N-4 Week N-5 Week N-6 Week N-7 - nightly 0 0 0 0 0 0 0 - aurora 0 0 0 0 0 0 0 - beta 6 1 0 12 1 0 1 - release 10 7 14 4 7 5 2 - esr 1 0 0 0 0 1 0 Affected platform: Windows
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox-esr45: --- → affected
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.