Closed
Bug 1260531
Opened 8 years ago
Closed 8 years ago
nsSubDocumentFrame::Init call nsFrameLoader::Hide which leads to presentation destruction
Categories
(Core :: Layout, defect)
Core
Layout
Tracking
()
RESOLVED
INVALID
People
(Reporter: tnikkel, Assigned: tnikkel)
Details
Attachments
(1 file)
|
3.85 KB,
patch
|
Details | Diff | Splinter Review |
Which is probably a bad idea during frame construction. nsSubDocumentFrame::Init also accesses |this| after the call, which could be deleted. And we should clear the detached views before exiting this function. Fix is to move the hide call to be done async like the show call for the new frame loader.
|
Assignee | |
Comment 1•8 years ago
|
||
|
|
Assignee | |
Updated•8 years ago
|
Attachment #8735992 -
Flags: review?(mats)
|
|
Assignee | |
Comment 2•8 years ago
|
||
Found this while looking for potential causes of bug 724355 and bug 1259572. So maybe (hopefully?) this helps those bugs.
|
||
Comment 3•8 years ago
|
||
Could you CC me on bug 724355?
|
|
Assignee | |
Comment 4•8 years ago
|
||
CC'd you on bug 724355 and bug 1259572.
|
|
Assignee | |
Comment 5•8 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #0) > Which is probably a bad idea during frame construction. > nsSubDocumentFrame::Init also accesses |this| after the call, which could be > deleted. And we should clear the detached views before exiting this function. "before exiting" -> "before calling an external function which can do lots of things"
|
||
Updated•8 years ago
|
Group: core-security → layout-core-security
|
|
||
Comment 6•8 years ago
|
||
Comment on attachment 8735992 [details] [diff] [review] patch Bug 724355 seems unrelated to this bug (it involves nsObjectFrame, not nsSubDocumentFrame). Bug 1259572 might be related although I'm not convinced it has anything to do with Init. (In reply to Timothy Nikkel (:tnikkel) from comment #0) > Which is probably a bad idea during frame construction. Why? Scripts are blocked during frame construction. > nsSubDocumentFrame::Init also accesses |this| after the call, which could be > deleted. And we should clear the detached views before exiting this function. Destroying a sub-shell and its frames/views should be completely safe from the parent shell's (and its frames/views) POV. I'm inclined to leave this code as is since it seems safer to me to destroy the old shell/frames/views as soon as possible when we know we wont use them. If you have any particular error-scenario in mind for bug 1259572, perhaps we could add assertions/annotations to verify it first?
Attachment #8735992 -
Flags: review?(mats)
|
|
Assignee | |
Comment 7•8 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #6) > Bug 724355 seems unrelated to this bug (it involves nsObjectFrame, not > nsSubDocumentFrame). They hijacked the bug lower down in the comments to be about a crash in GetRootPresContext. > > (In reply to Timothy Nikkel (:tnikkel) from comment #0) > > Which is probably a bad idea during frame construction. > > Why? Scripts are blocked during frame construction. > > > nsSubDocumentFrame::Init also accesses |this| after the call, which could be > > deleted. And we should clear the detached views before exiting this function. > > Destroying a sub-shell and its frames/views should be completely safe from > the parent shell's (and its frames/views) POV. > > I'm inclined to leave this code as is since it seems safer to me to destroy > the old shell/frames/views as soon as possible when we know we wont use them. > > If you have any particular error-scenario in mind for bug 1259572, perhaps > we could add assertions/annotations to verify it first? Nothing specific.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
|
|
||
Updated•8 years ago
|
Group: layout-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•