Closed Bug 263771 Opened 20 years ago Closed 20 years ago

Manipulating hidden listbox results in crash

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 240720

People

(Reporter: agilmore, Unassigned)

Details

Attachments

(1 file)

Firefox crash
3.49 KB, application/vnd.mozilla.xul+xml
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

Attached test case demonstrates the problem.  Manipluating hidden content can
regularly result in crashing firefox.

Im currently working on a very large remote XUL app that makes use of a deck for
dialog boxes.  It works wonders.  However there is alot of manipulating hidden
XUL elements and this crash has been a huge hurdle.  Modifying the test case
even slightly will often cause it to stop crashing.

Reproducible: Always
Steps to Reproduce:
1.Open testcase
2. Click 'FILL'
3. Click 'HIDE LISTBOX'
4. Click 'CLEAR'

Actual Results:  
Firefox crashes.

Expected Results:  
Listbox rows should be deleted, listbox should remain hidden.  Firefox shouldn't
crash.

Occurs on all modern versions of Firefox, on both Windows and Linux.
Attached file Firefox crash 
Follow the 3 steps given at the bottom of the XUL testcase to crash firefox.
It does indeed seem to crash my Mozilla1.7.
However it doesn't crash, what I'm using now:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041010
Firefox/0.9.1+
I tested it on 3 setups, and all 3 crashed :
FF 0.9.1 on Linux
FF 0.9.1 on Windows 98
FF 0.10.1 on Windows 2000
WFM, Mozilla 2004-10-09-07 trunk Linux
Strace for a current 1.7 branch build:
nsListBoxBodyFrame::OnContentRemoved(nsListBoxBodyFrame * const 0x00000000,
nsIPresContext * 0x03277fb0, nsIFrame * 0x00000000, int 0x00000004) line 1310 +
3 bytes
NotifyListBoxBody(nsIPresContext * 0x03277fb0, nsIContent * 0x0281f87c,
nsIContent * 0x0281f580, int 0x00000004, nsIDocument * 0x032aa0ac, nsIFrame *
0x00000000, int 0x00000000, content_operation CONTENT_REMOVED) line 8659
nsCSSFrameConstructor::ContentRemoved(nsCSSFrameConstructor * const 0x00000000,
nsIPresContext * 0x03277fb0, nsIContent * 0x032aa0a0, nsIContent * 0x0281f580,
int 0x00000004, int 0x00000000) line 9317 + 30 bytes
PresShell::ContentRemoved(PresShell * const 0x00000000, nsIDocument *
0x028ffc80, nsIContent * 0x032aa0a0, nsIContent * 0x0281f580, int 0x00000004)
line 5282
nsDocument::ContentRemoved(nsDocument * const 0x00000000, nsIContent *
0x032aa0a0, nsIContent * 0x0281f580, int 0x00000004) line 2011 + 20 bytes
nsXULDocument::ContentRemoved(nsXULDocument * const 0x00000000, nsIContent *
0x032aa0a0, nsIContent * 0x0281f580, int 0x00000004) line 1223 + 19 bytes
nsXULElement::RemoveChildAt(nsXULElement * const 0x00000000, unsigned int
0x00000004, int 0x00000001) line 1943
nsGenericElement::doRemoveChild(nsIContent * 0x032aa0a0, nsIDOMNode *
0x0281f580, nsIDOMNode * * 0x00000000) line 3091 + 10 bytes
nsXULElement::RemoveChild(nsXULElement * const 0x032aa0ac, nsIDOMNode *
0x0281f58c, nsIDOMNode * * 0x0012e910) line 853 + 21 bytes
XPTC_InvokeByIndex(nsISupports * 0x032aa0ac, unsigned int 0x00000011, unsigned
int 0x00000002, nsXPTCVariant * 0x0012e900) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
0x922992b8) line 2028 + 22 bytes
XPC_WN_CallMethod(JSContext * 0x0288e308, JSObject * 0x032992b8, unsigned int
0x00000001, long * 0x01fe137c, long * 0x01fe12c8) line 1287 + 10 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int
0x00000000) line 941 + 17 bytes
js_Interpret(JSContext * 0x0288e308, long * 0x0012edc4) line 2973
js_Invoke(JSContext * 0x00000001, unsigned int 0x00000001, unsigned int
0x00000002) line 958 + 10 bytes
js_InternalInvoke(JSContext * 0x0288e334, JSObject * 0x03298f48, long
0x0287aa78, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012ef90,
long * 0x0012ef9c) line 1035 + 13 bytes
JS_CallFunctionValue(JSContext * 0x0288e308, JSObject * 0x03298f48, long
0x0287aa78, unsigned int 0x00000001, long * 0x0012ef90, long * 0x0012ef9c) line
3698 + 26 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x00000000, JSObject *
0x03298f48, JSObject * 0x0287aa78, unsigned int 0x00000001, long * 0x0012ef90,
long * 0x0012ef9c) line 1297 + 24 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x00000000, nsIDOMEvent
* 0x033192b0) line 184 + 73 bytes
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const
0x00000000, nsListenerStruct * 0x032a6d7c, nsIDOMEvent * 0x033192b0,
nsIDOMEventTarget * 0x0287f150, unsigned int 0x033192bc, unsigned int
0x0024f1d0) line 1434 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x032a6da0,
nsIPresContext * 0x00000000, nsEvent * 0x00000000, nsIDOMEvent * * 0x0012f394,
nsIDOMEventTarget * 0x0287f150, unsigned int 0x00000007, nsEventStatus *
0x0012f50c) line 1512
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsIPresContext *
0x03277fb0, nsEvent * 0x0012f4b4, nsIDOMEvent * * 0x0012f394, unsigned int
0x00000007, nsEventStatus * 0x0012f50c) line 2841
PresShell::HandleDOMEventWithTarget(PresShell * const 0x02871fb0, nsIContent *
0x02871fb0, nsEvent * 0x0012f4b4, nsEventStatus * 0x0012f50c) line 6116
nsButtonBoxFrame::MouseClicked(nsButtonBoxFrame * const 0x00000000,
nsIPresContext * 0x03277fb0, nsGUIEvent * 0x0012f5f8) line 178
nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x032c83b8,
nsIPresContext * 0x03277fb0, nsGUIEvent * 0x0012f5f8, nsEventStatus *
0x0012f998) line 147
PresShell::HandleEventInternal(PresShell * const 0x00000000, nsEvent *
0x00000000, nsIView * 0x00000000, unsigned int 0x00000001, nsEventStatus *
0x0012f998) line 6080 + 19 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x028f0ff8, nsEvent *
0x0012f5f8, nsIFrame * 0x032c83b8, nsIContent * 0x032a6d08, unsigned int
0x00000001, nsEventStatus * 0x0012f998) line 5992
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const
0x00000000, nsIPresContext * 0x03277fb0, nsMouseEvent * 0x032a6d08,
nsEventStatus * 0x0012f998) line 2905
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x0328a600,
nsIPresContext * 0x03277fb0, nsEvent * 0x0012fa48, nsIFrame * 0x032c83b8,
nsEventStatus * 0x0012f998, nsIView * 0x0327b540) line 1905 + 16 bytes
PresShell::HandleEventInternal(PresShell * const 0x00000000, nsEvent *
0x00000000, nsIView * 0x0327b540, unsigned int 0x00000001, nsEventStatus *
0x0012f998) line 6088 + 25 bytes
PresShell::HandleEvent(PresShell * const 0x00000000, nsIView * 0x0327b540,
nsGUIEvent * 0x0012fa48, nsEventStatus * 0x0012f998, int 0x00000001, int &
0x013ae2d0) line 5929 + 19 bytes
nsViewManager::HandleEvent(nsViewManager * const 0x00000000, nsView *
0x00000000, nsGUIEvent * 0x0012fa48, int 0x00000001) line 2285
nsViewManager::DispatchEvent(nsViewManager * const 0x0328f0d0, nsGUIEvent *
0x0327b540, nsEventStatus * 0x0012fa04) line 2025 + 30 bytes

Apparently this has been fixed in the meantime for trunk, but i can't find any
bug with that crash signature for branch or trunk (TB lists 230 crashes, were
most crashes were from 9/30, where a regression appeared on trunk it seems and
was fixed the next day).
This got fixed between 2004-04-27-07 and 2004-04-28-08 on trunk.  Marking
duplicate of the bug that fixed it.

*** This bug has been marked as a duplicate of 240720 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: