Closed
Bug 321224
Opened 19 years ago
Closed 18 years ago
crash with nativescrollbar inside tabpanels [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea]
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bernd_mozilla, Assigned: MatsPalmgren_bugz)
References
Details
(4 keywords, Whiteboard: [sg:critical] using freed view; fixed by bug 374102)
Crash Data
Attachments
(1 file)
|
165 bytes,
text/xml
|
Details |
see upcoming testcase
crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051221 Firefox/1.6a1
but I dont get a nice stacktrace in a debug build, if it does not crash immeadetely reload does fix it. The load triggers:
###!!! ASSERTION: We already have a window for this view? BAD: '!mWindow', file
d:/moz_src/mozilla/view/src/nsView.cpp, line 657
|
||
Comment 2•19 years ago
|
||
It crashes also 1.0.7 and branch, always after closing the browser. Currently problems with the talkback server.
|
||
Updated•19 years ago
|
OS: Windows XP → All
Hardware: PC → All
|
||
Comment 5•19 years ago
|
||
Can confirm on Windows XP Home, Firefox 1.5 Final
|
||
Comment 6•19 years ago
|
||
TB13192392H, TB13192279G
HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 173]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1162]
nsWindow::DispatchStandardEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1202]
nsWindow::OnDestroy [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5652]
ChildWindow::`vftable'
nsWindow::StandardWindowCreate [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1399]
|
||
Comment 7•19 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051223 Firefox/1.6a1 ID:2005122313
Incident ID: 13216053
Stack Signature nsView::SetTopMost 6393c0f1
Product ID FirefoxTrunk
Build ID 2005122305
Trigger Time 2005-12-23 16:17:30.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module FIREFOX.EXE + (00234478)
URL visited https://bugzilla.mozilla.org/attachment.cgi?id=206596
User Comments
Since Last Crash 11193 sec
Total Uptime 11193 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.h, line 281
Stack Trace
nsView::SetTopMost [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.h, line 281]
nsWindow::DispatchAppCommandEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1214]
nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1236]
nsWindow::OnPaint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5743]
ChildWindow::`vftable'
nsWindow::StandardWindowCreate [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1449]
0x8bf63356
|
||
Comment 8•19 years ago
|
||
Still crashes on Windows. TB19459617X just has nsViewManager::UpdateWidgetArea, no rest-of-the-stack.
Summary: crash with nativescrollbar inside tabpanels → crash with nativescrollbar inside tabpanels [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea]
|
|
||
Comment 9•19 years ago
|
||
No crash with a Mac trunk nightly.
|
|
||
Comment 10•19 years ago
|
||
With a Mac trunk debug build, I don't see a crash, but I do see the assertion from comment 0:
###!!! ASSERTION: We already have a window for this view? BAD: '!mWindow', file /Users/admin/trunk/mozilla/view/src/nsView.cpp, line 621
|
Assignee | |
Comment 11•18 years ago
|
||
Based on the assertion I think this is the same underlying cause as
bug 374102. The patches on that bug made the crash go away for the
attached testcase. Haven't really analyzed this crash though.
Assignee: nobody → mats.palmgren
Depends on: 374102
|
|
||
Comment 12•18 years ago
|
||
xul:nativescrollbar is gone now, isn't it?
|
|
Assignee | |
Comment 13•18 years ago
|
||
(In reply to comment #12)
> xul:nativescrollbar is gone now, isn't it?
Yes, on trunk. Branches still crash, using freed memory.
I'm pretty sure it's the same underlying cause as bug 374102 -
a branch version of those patches fixes this crash.
Group: security
Whiteboard: [sg:critical] using freed view
Version: Trunk → 1.8 Branch
|
|
Assignee | |
Updated•18 years ago
|
Flags: in-testsuite?
|
||
Comment 14•18 years ago
|
||
This doesn't crash anymore, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070514 Minefield/3.0a5pre
So I'm marking this fixed (by the patch from bug 374102).
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Updated•18 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:critical] using freed view → [sg:critical] using freed view; fixed by bug 374102
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
|
|
Assignee | |
Comment 15•18 years ago
|
||
Now also fixed on branches, by bug 374102.
Keywords: fixed1.8.0.13,
fixed1.8.1.5
|
||
Comment 16•18 years ago
|
||
verified fixed 1.8.1.5 using Mozilla/5.0
(X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007070403 BonEcho/2.0.0.5pre
on Linux Fedora F7 and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre ID:2007070403 - no crash on testcase - adding verified keyword.
Keywords: fixed1.8.1.5 → verified1.8.1.5
|
|
||
Comment 17•18 years ago
|
||
verified fixed
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.13pre) Gecko/20070703 SeaMonkey/1.0.9
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.5pre) Gecko/20070703 SeaMonkey/1.1.2
|
||
Comment 18•17 years ago
|
||
Verified fixed in Thunderbird(rc1) version 1.5.0.13 (20070809) in MacIntel using the testcase in comment#1. No crash observed.
Keywords: fixed1.8.0.13 → verified1.8.0.13
|
|
||
Updated•17 years ago
|
Group: security
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
|
||
Comment 19•16 years ago
|
||
mats, if nativescrollbar is gone on 1.9.0 and later is there point in adding a crash test?
|
||
Updated•14 years ago
|
Crash Signature: [@ nsView::SetTopMost]
[@ HandleEvent]
[@ nsViewManager::UpdateWidgetArea]
|
|
Assignee | |
Comment 20•12 years ago
|
||
Added crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3f5d453c4a28
Crash Signature: [@ nsView::SetTopMost]
[@ HandleEvent]
[@ nsViewManager::UpdateWidgetArea] → [@ nsView::SetTopMost]
[@ HandleEvent]
[@ nsViewManager::UpdateWidgetArea]
Flags: in-testsuite? → in-testsuite+
|
||
Comment 21•12 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•