crash in nsRuleNode::Mark()

[GoogleCodeExporter]

Google is most notorious for this where trying to set the rulenodes for garbage 
collection (bug 117316) may sometimes yield a bad pointer and crash. This is 
rarely severe as the browser can get right back up again but it's annoying and 
on a major site. However, it's also really intermittent, so it's hard to pin 
down.

So far trying this kludge and making sure that memory usage is not too bad:

void
nsRuleNode::Mark()
{
>  if (!this->mParent || !this->mDependentBits) {
>   // Try to mark ourselves, and escape
>   mDependentBits |= NS_RULE_NODE_GC_MARK;
>   return;
>  }
  for (nsRuleNode *node = this;
       node && !(node->mDependentBits & NS_RULE_NODE_GC_MARK);
       node = node->mParent)
    node->mDependentBits |= NS_RULE_NODE_GC_MARK;
}

Original issue reported on code.google.com by classi...@floodgap.com on 1 Jul 2011 at 4:33

• Blocked on: #176

[GoogleCodeExporter]

Original comment by classi...@floodgap.com on 1 Jul 2011 at 5:20

• Added labels: Milestone-Release9.2.3

[GoogleCodeExporter]

Unfortunately this moves the crash out to other areas, but it does make the 
crash less frequent.

Original comment by classi...@floodgap.com on 30 Aug 2011 at 3:39

[GoogleCodeExporter]

The crash still occurs. Based on my analysis, it's probably safer just to 
disable sweeping of the style context, and this seems to have eliminated the 
crash completely. There will be some increase in memory requirements, but not 
likely to be a big deal since we discourage heavy JS usage anyway.

Original comment by classi...@floodgap.com on 10 Oct 2011 at 9:25

[GoogleCodeExporter]

Now running such a build. No more crashing in Google.

Original comment by classi...@floodgap.com on 10 Oct 2011 at 9:26

[GoogleCodeExporter]

Original comment by classi...@floodgap.com on 12 Oct 2011 at 4:57

• Changed state: Verified

[GoogleCodeExporter]

Original comment by classi...@floodgap.com on 6 Nov 2011 at 2:58