Closed Bug 501900 Opened 15 years ago Closed 15 years ago

Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event handler removing window

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking1.9.1 --- .3+
status1.9.1 --- .3-fixed

People

(Reporter: martijn.martijn, Assigned: smaug)

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files, 1 obsolete file)

zipped up testcase
852 bytes, application/zip
Details
patch
1.46 KB, patch
roc
: review+
roc
: superreview+
dveditz
: approval1.9.1.3+
dveditz
: approval1.9.0.14+
Details | Diff | Splinter Review
Attached file zipped up testcase 
See zipped up testcase. To reproduce, open the file named 'Kopie van parentframe.htm'. After opening Mozilla crashes within 400ms.
It also crashes in Firefox 3.

http://crash-stats.mozilla.com/report/index/fb9fbb8f-537a-4a37-b9e6-f557b2090701?p=1
0  	xul.dll  	LazyGeneratePopupDone  	 layout/xul/base/src/nsMenuPopupFrame.cpp:578
1 	xul.dll 	nsCSSFrameConstructor::LazyGenerateChildrenEvent::Run 	layout/base/nsCSSFrameConstructor.cpp:11773
2 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
3 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
4 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
5 	nspr4.dll 	PR_GetEnv 	
6 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
7 	firefox.exe 	firefox.exe@0x21a7 	
8 	kernel32.dll 	kernel32.dll@0x17076 

Firefox 3 crash report (garbage, it seems):
http://crash-stats.mozilla.com/report/index/04487184-afa9-4932-8327-18c352090701
0  	 	@0x39e318f
Assignee: nobody → Olli.Pettay
Attached patch patch (obsolete) — Splinter Review 
In this case we really want to use weak frame. re-getting the frame might cause
callback to use an nsIFrame for which a different runnable has been dispatched.
Attachment #386474 - Flags: superreview?(roc)
Attachment #386474 - Flags: review?(roc)
Attached patch patchSplinter Review 

        Attachment #386474 -
        Attachment is obsolete: true

        Attachment #386475 -
        Flags: superreview?(roc)

        Attachment #386475 -
        Flags: review?(roc)

        Attachment #386474 -
        Flags: superreview?(roc)

        Attachment #386474 -
        Flags: review?(roc)

        Attachment #386475 -
        Flags: superreview?(roc)

        Attachment #386475 -
        Flags: superreview+

        Attachment #386475 -
        Flags: review?(roc)

        Attachment #386475 -
        Flags: review+
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9.1.1?
Flags: blocking1.9.0.13?
Whiteboard: [sg:critical?]

    
    

    
  
For 1.9.1, we'll take this in 1.9.1.2.
Flags: blocking1.9.1.1?
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/9cee3c24b53e
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
So what, exactly, kills the frame here?

    
    

    
  
please request approval if this patch works for 1.9.1 and 1.9.0
blocking1.9.1: --- → .3+

          status1.9.1:
          --- → wanted
Flags: wanted1.9.1.x+

        Attachment #386475 -
        Flags: approval1.9.1.3?

        Attachment #386475 -
        Flags: approval1.9.0.14?

    
    

    
  
(In reply to comment #5)
> So what, exactly, kills the frame here?
It goes something like observer getting onDOMAttrModified attr, and that eexutes the mutation listener, which removes the iframe and kills the layout objects of that document.
Martijn's testcases are 'interesting' :)

    
    

    
  
Comment on attachment 386475 [details] [diff] [review]
patch

Approved for 1.9.1.3 and 1.9.0.14, a=dveditz

        Attachment #386475 -
        Flags: approval1.9.1.3?

        Attachment #386475 -
        Flags: approval1.9.1.3+

        Attachment #386475 -
        Flags: approval1.9.0.14?

        Attachment #386475 -
        Flags: approval1.9.0.14+

    
    

    
  
Checking in layout/base/nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v  <--  nsCSSFrameConstructor.cpp
new revision: 1.1486; previous revision: 1.1485
done

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/049629a2fe9f

          status1.9.1:
          wanted.3-fixed
Keywords: fixed1.9.0.14

    
    

    
  
So you mean in this case mCallback does something to destroy frames?

    
    

    
  
Verified for 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It no longer crashes. I verified that crash with 1.9.0.13 as well.
Keywords: fixed1.9.0.14verified1.9.0.14

    
    

    
  
Verified for 1.9.1.3 also with  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1
Group: core-security
Crash Signature: [@ LazyGeneratePopupDone]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: