310426 - Crash [@ DoDeletingFrameSubtree] involving <select> with position:absolute child

Status: RESOLVED FIXED

(Core :: Layout: Form Controls, defect, P1)

Description

[Jesse Ruderman]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050928
Firefox/1.6a1

Steps to reproduce:
1. Load the testcase.
2. Close the tab, close the window, or reload.

Result: Crash [@ DoDeletingFrameSubtree]. TB9854206G.

I think this crash is exploitable.  (I know there is *an* exploitable crash [@
DoDeletingFrameSubtree], but I'm not sure *this* crash is exploitable.)

I can't reproduce this crash on the Gecko 1.8 branch.

Comment 1

[Jesse Ruderman]

Attachment: XHTML testcase, crashes when unloaded

Comment 2

[Jesse Ruderman]

Bug 310520, "Removing <select> with <input> descendant gives 'ASSERTION:
RemovedAsPrimaryFrame called after PreDestroy'", might be related.

Comment 3

[Jesse Ruderman]

This might be a dup of bug 310505.

Comment 4

[Mats Palmgren (inactive)]

RemoveMappingsForFrameSubtree() will in some situations be called
with frames that already had there mappings removed - which
eventually leads to a crash DoDeletingFrameSubtree().
This is similar (but not same) as bug 310505 where the placeholder still has
a valid OOF pointer but the OOF have been destroyed.
Bug 310520 probably has the same underlying cause as well.
I will have a look at this after bug 310638, unless someone beats me to it...

Comment 5

[Bernd]

Backing out the patch for bug 117984 does fix the testcase here as it does for bug 310505.

Comment 6

[Mike Schroepfer]

Blake - can you take a look?

Comment 7

[Adam Guthrie]

I guess I should mention that Boris's patch for bug 315752 fixes this (as well as bug 310505 and bug 310520); that's why I added the dependency.

Comment 8

[Blake Kaplan (:mrbkap) (inactive)]

This should be fixed by the checkin for bug 315752.

Comment 9

[Jesse Ruderman]

Crashtest checked in.