Closed Bug 732955 Opened 13 years ago Closed 13 years ago

OOM Crash [@ mozilla::FramePropertyTable::PropertyValue::IsArray] due to unhandled alloc in FramePropertyTable::Set

Categories

(Core :: Layout, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla15

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [fixed by bug 734847])

Attachments

(1 file)

Tested on m-c revision 8ea5c983743f: It seems that an OOM condition in | FramePropertyTable::Set | can leave | mLastEntry | initialized to NULL which causes the following crash:

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaac64dcf8 in mozilla::FramePropertyTable::PropertyValue::IsArray (this=0x10) at /srv/repos/browser/mozilla-central/layout/base/FramePropertyTable.h:167
167 bool IsArray() { return !mProperty && mValue; }
#0 0x00002aaaac64dcf8 in mozilla::FramePropertyTable::PropertyValue::IsArray (this=0x10) at /srv/repos/browser/mozilla-central/layout/base/FramePropertyTable.h:167
#1 0x00002aaaac64e102 in mozilla::FramePropertyTable::Set (this=<optimized out>, aFrame=0x4c537a0, aProperty=0x2aaaadbd52d0, aValue=0x4c55790) at /srv/repos/browser/mozilla-central/layout/base/FramePropertyTable.cpp:56
#2 0x00002aaaac6f9287 in nsIFrame::SetView (this=0x4c537a0, aView=0x4c55790) at /srv/repos/browser/mozilla-central/layout/generic/nsFrame.cpp:4138
#3 0x00002aaaac82746d in nsMenuPopupFrame::CreatePopupView (this=0x4c537a0) at /srv/repos/browser/mozilla-central/layout/xul/base/src/nsMenuPopupFrame.cpp:1938
#4 0x00002aaaac828f52 in nsMenuPopupFrame::Init (this=0x4c537a0, aContent=0x3e6dc50, aParent=<optimized out>, aPrevInFlow=<optimized out>) at /srv/repos/browser/mozilla-central/layout/xul/base/src/nsMenuPopupFrame.cpp:159
#5 0x00002aaaac65308b in InitAndRestoreFrame (aAllowCounters=true, aNewFrame=0x4c537a0, aPrevInFlow=0x0, aParentFrame=0x48be6d0, aContent=0x3e6dc50, aState=..., this=0x2aaac005ed00) at /srv/repos/browser/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:4461
#6 nsCSSFrameConstructor::InitAndRestoreFrame (this=0x2aaac005ed00, aState=..., aContent=0x3e6dc50, aParentFrame=0x48be6d0, aPrevInFlow=0x0, aNewFrame=0x4c537a0, aAllowCounters=true) at /srv/repos/browser/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:4444
#7 0x00002aaaac65baa1 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=0x2aaac005ed00, aItem=..., aState=..., aParentFrame=0x48befd8, aFrameItems=...) at /srv/repos/browser/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:3637

(gdb) f 1
#1 0x00002aaaac64e102 in mozilla::FramePropertyTable::Set (this=<optimized out>, aFrame=0x4d14a20, aProperty=0x2aaaadbd52d0, aValue=0x4d16a10) at /srv/repos/browser/mozilla-central/layout/base/FramePropertyTable.cpp:56
56 if (!entry->mProp.IsArray()) {
(gdb) p entry
$1 = (mozilla::FramePropertyTable::Entry *) 0x0

The backtrace of the failing allocation is as follows:

#0 /srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/dist/bin/libmozalloc.so(moz_malloc+0x5f)
#1 ChangeTable at objdir-ff-gcc64dbg/xpcom/build/pldhash.cpp:565
#2 PL_DHashTableOperate at objdir-ff-gcc64dbg/xpcom/build/pldhash.cpp:649
#3 mozilla::FramePropertyTable::Set(nsIFrame*, mozilla::FramePropertyDescriptor const*, void*) at layout/base/FramePropertyTable.cpp:52
#4 nsFrame::InitBoxMetrics(bool) at layout/generic/nsFrame.cpp:7890
#5 nsFrame::Init(nsIContent*, nsIFrame*, nsIFrame*) at layout/generic/nsFrame.cpp:549
#6 nsPlaceholderFrame::SetOutOfFlowFrame(nsIFrame*) at layout/base/../generic/nsPlaceholderFrame.h:117
#7 nsFrameConstructorState::AddChild(nsIFrame*, nsFrameItems&, nsIContent*, nsStyleContext*, nsIFrame*, bool, bool, bool, bool, nsIFrame*) at layout/base/nsCSSFrameConstructor.cpp:1170
#8 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) at layout/base/nsCSSFrameConstructor.cpp:3691
Assignee: nobody → matspal
Depends on: 734847
Attached patch fix (deleted) — Splinter Review
I suspect the reported null-pointer crash on OOM here is intentional. I think we should make this explicit by using an infallible type. https://tbpl.mozilla.org/?usebuildbot=1&tree=Try&rev=079034b54a86
Attachment #605053 - Flags: review?(bzbarsky)
Comment on attachment 605053 [details] [diff] [review] fix Benjamin didn't want a separate infallible type (in bug 734847), so I'll make a new patch...
Attachment #605053 - Flags: review?(bzbarsky)
nsTHashtable::PutEntry(key) is now infallible by default. (bug 734847)
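To make the defect in the report and both ways of closing it concrete, here is an added C++ model (not Mozilla code) of FramePropertyTable::Set: a fallible PutEntry that returns nullptr on OOM as the PL_DHashTableOperate insert did, the unchecked Set from the backtrace, a checked fallible variant, and an infallible variant matching the direction bug 734847 took. The ToyFramePropertyTable class, its simulateOOM hook and the two scenario helpers are assumptions made for illustration.

```cpp
#include <cstdlib>
#include <unordered_map>
// Entry mirrors the two fields PropertyValue::IsArray() tests on the page.
struct Entry {
    const void* mProperty = nullptr;
    void* mValue = nullptr;
    bool IsArray() const { return !mProperty && mValue; }
};
class ToyFramePropertyTable {
public:
    bool simulateOOM = false;  // hypothetical test hook: makes PutEntry fail as on OOM
    // Fallible insert, like PL_DHashTableOperate(PL_DHASH_ADD): nullptr on OOM.
    Entry* PutEntry(const void* frame) {
        auto it = mTable.find(frame);
        if (it != mTable.end()) return &it->second;
        if (simulateOOM) return nullptr;  // stands in for a failed table growth
        return &mTable[frame];            // unordered_map pointers stay valid on rehash
    }
    // BUGGY pattern from the report: no null check, so an OOM becomes a SIGSEGV
    // inside IsArray() (this=0x10 in the trace is &entry->mProp with entry == 0).
    void SetUnchecked(const void* frame, const void* prop, void* value) {
        Entry* entry = PutEntry(frame);
        if (!entry->IsArray()) { entry->mProperty = prop; entry->mValue = value; }
    }
    // Hardened, fallible form: report the failed allocation to the caller.
    bool SetChecked(const void* frame, const void* prop, void* value) {
        Entry* entry = PutEntry(frame);
        if (!entry) return false;
        if (!entry->IsArray()) { entry->mProperty = prop; entry->mValue = value; }
        return true;
    }
    // Hardened, infallible form (the policy bug 734847 adopted for PutEntry):
    // crash deterministically on OOM instead of dereferencing a null entry.
    void SetInfallible(const void* frame, const void* prop, void* value) {
        Entry* entry = PutEntry(frame);
        if (!entry) std::abort();
        if (!entry->IsArray()) { entry->mProperty = prop; entry->mValue = value; }
    }
private:
    std::unordered_map<const void*, Entry> mTable;
};
// Scenario helpers with constructed keys; the OOM case is where SetUnchecked would crash.
bool CheckedSetStoresValue() {
    ToyFramePropertyTable t; int frame = 0, prop = 0, value = 0;
    return t.SetChecked(&frame, &prop, &value) && t.PutEntry(&frame)->mValue == &value;
}
bool CheckedSetSurvivesOOM() {
    ToyFramePropertyTable t; int frame = 0, prop = 0, value = 0;
    t.simulateOOM = true;
    return !t.SetChecked(&frame, &prop, &value) && t.PutEntry(&frame) == nullptr;
}
```

Under the simulated OOM, SetUnchecked would fault exactly as in the reporter's trace, while SetChecked returns false and SetInfallible aborts at a well-defined point.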
Assignee: matspal → nobody
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 734847]
Target Milestone: --- → mozilla15
