Closed
Bug 310426
Opened 18 years ago
Closed 18 years ago
Crash [@ DoDeletingFrameSubtree] involving <select> with position:absolute child
Categories
(Core :: Layout: Form Controls, defect, P1)
Core
Layout: Form Controls
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: mrbkap)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?] post 1.8-branch)
Crash Data
Attachments
(1 file)
135 bytes,
application/xhtml+xml
|
Details |
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050928 Firefox/1.6a1 Steps to reproduce: 1. Load the testcase. 2. Close the tab, close the window, or reload. Result: Crash [@ DoDeletingFrameSubtree]. TB9854206G. I think this crash is exploitable. (I know there is *an* exploitable crash [@ DoDeletingFrameSubtree], but I'm not sure *this* crash is exploitable.) I can't reproduce this crash on the Gecko 1.8 branch.
Reporter | ||
Comment 1•18 years ago
|
||
Reporter | ||
Updated•18 years ago
|
Whiteboard: [sg:fix]?
Reporter | ||
Comment 2•18 years ago
|
||
Bug 310520, "Removing <select> with <input> descendant gives 'ASSERTION: RemovedAsPrimaryFrame called after PreDestroy'", might be related.
Reporter | ||
Comment 3•18 years ago
|
||
This might be a dup of bug 310505.
Comment 4•18 years ago
|
||
RemoveMappingsForFrameSubtree() will in some situations be called with frames that already had there mappings removed - which eventually leads to a crash DoDeletingFrameSubtree(). This is similar (but not same) as bug 310505 where the placeholder still has a valid OOF pointer but the OOF have been destroyed. Bug 310520 probably has the same underlying cause as well. I will have a look at this after bug 310638, unless someone beats me to it...
Updated•18 years ago
|
Assignee: nobody → mats.palmgren
Backing out the patch for bug 117984 does fix the testcase here as it does for bug 310505.
![]() |
||
Updated•18 years ago
|
Flags: blocking1.9a1?
Comment 7•18 years ago
|
||
I guess I should mention that Boris's patch for bug 315752 fixes this (as well as bug 310505 and bug 310520); that's why I added the dependency.
Updated•18 years ago
|
Whiteboard: [sg:fix]? → [sg:critical?] post 1.8-branch
Assignee | ||
Updated•18 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Assignee | ||
Comment 8•18 years ago
|
||
This should be fixed by the checkin for bug 315752.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
|
Flags: testcase+
Updated•18 years ago
|
Flags: blocking1.9a1?
Updated•17 years ago
|
Group: security
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
Updated•13 years ago
|
Crash Signature: [@ DoDeletingFrameSubtree]
You need to log in
before you can comment on or make changes to this bug.
Description
•