Crash [@ DoDeletingFrameSubtree] involving <select> with position:absolute child

RESOLVED FIXED in mozilla1.9alpha1

Status


defect
P1
critical
RESOLVED FIXED
14 years ago
8 years ago

People

(Reporter: jruderman, Assigned: mrbkap)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla1.9alpha1
Points:
---
Bug Flags:
wanted1.8.1.x -
wanted1.8.0.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] post 1.8-branch, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

14 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050928 Firefox/1.6a1

Steps to reproduce:
1. Load the testcase.
2. Close the tab, close the window, or reload.

Result: Crash [@ DoDeletingFrameSubtree]. TB9854206G.

I think this crash is exploitable. (I know there is *an* exploitable crash [@ DoDeletingFrameSubtree], but I'm not sure *this* crash is exploitable.)

I can't reproduce this crash on the Gecko 1.8 branch.
(Reporter)

Comment 1

14 years ago
(Reporter)

Updated

14 years ago
Whiteboard: [sg:fix]?
(Reporter)

Comment 2

14 years ago
Bug 310520, "Removing <select> with <input> descendant gives 'ASSERTION: RemovedAsPrimaryFrame called after PreDestroy'", might be related.
(Reporter)

Comment 3

14 years ago
This might be a dup of bug 310505.
RemoveMappingsForFrameSubtree() will in some situations be called with frames that already had their mappings removed, which eventually leads to a crash in DoDeletingFrameSubtree().
This is similar to (but not the same as) bug 310505, where the placeholder still has a valid OOF pointer but the OOF has been destroyed.
Bug 310520 probably has the same underlying cause as well.
I will have a look at this after bug 310638, unless someone beats me to it...
Blocks: 310520
OS: Windows XP → All
Hardware: PC → All

Updated

14 years ago
Assignee: nobody → mats.palmgren
Blocks: 316636

Comment 5

14 years ago
Backing out the patch for bug 117984 does fix the testcase here as it does for bug 310505.
Flags: blocking1.9a1?

Updated

14 years ago
No longer blocks: 316636
Blocks: 318451

Updated

14 years ago
Depends on: 315752

Comment 6

14 years ago
Blake - can you take a look?
Assignee: mats.palmgren → mrbkap

Comment 7

14 years ago
I guess I should mention that Boris's patch for bug 315752 fixes this (as well as bug 310505 and bug 310520); that's why I added the dependency.
Whiteboard: [sg:fix]? → [sg:critical?] post 1.8-branch
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
This should be fixed by the checkin for bug 315752.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
No longer blocks: 318451

Updated

13 years ago
Flags: testcase+
Flags: blocking1.9a1?
Group: security
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-

Updated

12 years ago
Flags: in-testsuite+ → in-testsuite?
(Reporter)

Comment 9

12 years ago
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ DoDeletingFrameSubtree]