Bug 336744 - Crash when window gets destroyed during popuphiding event
Status: RESOLVED FIXED
Whiteboard: [sg:critical]
Keywords: crash, testcase, verified1.8.0.12, verified1.8.1.4
Product: Core
Classification: Components
Component: XUL
Version: Trunk
Platform: x86 Windows XP
Importance: -- critical
Target Milestone: ---
Assigned To: Olli Pettay [:smaug]
QA Contact: John Morrison
Mentors:
Depends on: 279703 1268050
Blocks:
Reported: 2006-05-05 08:51 PDT by Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
Modified: 2016-04-27 07:59 PDT
dveditz: blocking1.8.1.4+
dveditz: blocking1.8.0.12+
bob: in‑testsuite+


Attachments
testcase (crashes within 1 sec) (1.22 KB, text/html)
2006-05-05 08:53 PDT, Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
no flags
proposed patch (3.93 KB, patch)
2007-03-01 08:23 PST, Olli Pettay [:smaug]
roc: review+
roc: superreview+
for branches (3.84 KB, patch)
2007-03-20 12:10 PDT, Olli Pettay [:smaug]
dveditz: approval1.8.1.4+
dveditz: approval1.8.0.12+

Description Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2006-05-05 08:51:03 PDT
This is similar to bug 336739, but now with the popuphiding event (that's why I also made this bug security sensitive).

This also crashes Mozilla1.7.

Talkback ID: TB18335801Z
nsPopupSetFrame::OpenPopup
nsPopupSetFrame::DestroyPopup
nsPopupBoxObject::HidePopup
XPCWrappedNative::CallMethod
Comment 1 Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2006-05-05 08:53:25 PDT
Created attachment 220933
testcase (crashes within 1 sec)
Comment 2 Olli Pettay [:smaug] 2007-03-01 07:32:39 PST
taking for now
Comment 3 Olli Pettay [:smaug] 2007-03-01 08:23:55 PST
Created attachment 256914
proposed patch

Better to use only objects which are guaranteed to be alive.
And PresShell should not die while dispatching an event.
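
The rule stated in comment 3 (use only objects guaranteed to be alive, and keep the shell alive across event dispatch), shown as an added C++ example that is not the attached patch and not Gecko code. `Shell`, `Window`, `Outcome` and both `Hide...` functions are hypothetical names, and `std::shared_ptr` is assumed here as a stand-in for Gecko's reference counting.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-ins for illustration; these are not Gecko classes.
struct Shell {                                // plays the role of the pres shell
    int hidesFinished = 0;
    void FinishHide() { ++hidesFinished; }    // work done after the event returns
};
struct Window {                               // the shell's only long-term owner
    std::shared_ptr<Shell> shell = std::make_shared<Shell>();
    void Destroy() { shell.reset(); }         // reachable from a script handler
};
using Handler = std::function<void(Window&)>;

struct Outcome {
    bool shellAlive;       // was the shell still valid after the handler ran?
    bool ownerDestroyed;   // did the handler tear the window down?
};

// Before: only a borrowed pointer survives the handler call. The weak_ptr
// probe reports the lifetime so this demo never touches freed memory; code
// without such a probe would go on to call raw->FinishHide() on a dead object.
Outcome HideWithBorrowedPointer(Window& win, const Handler& onPopupHiding) {
    Shell* raw = win.shell.get();
    std::weak_ptr<Shell> probe = win.shell;
    onPopupHiding(win);                       // may run arbitrary script
    if (probe.expired()) return {false, true};   // raw is dangling here
    raw->FinishHide();
    return {true, false};
}

// After: take a strong reference before dispatch and use only that object
// afterwards, re-checking the owner instead of assuming it still exists.
Outcome HideWithStrongRef(Window& win, const Handler& onPopupHiding) {
    std::shared_ptr<Shell> keepAlive = win.shell;
    if (!keepAlive) return {false, true};
    onPopupHiding(win);
    keepAlive->FinishHide();                  // safe: we hold a reference
    return {true, win.shell == nullptr};
}

int main() {
    Handler destroysWindow = [](Window& w) { w.Destroy(); };
    Window a, b;
    Outcome before = HideWithBorrowedPointer(a, destroysWindow);
    Outcome after = HideWithStrongRef(b, destroysWindow);
    return (!before.shellAlive && after.shellAlive) ? 0 : 1;
}
```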
Comment 4 Olli Pettay [:smaug] 2007-03-01 23:22:48 PST
checked in.
Comment 5 Daniel Veditz [:dveditz] 2007-03-20 11:47:27 PDT
On a trunk debug build (before fix) this crashes trying to release an already-deleted object (after we've already been doing stuff with that object for a while). Definitely a security risk involved.

QA note: The testcase on this bug doesn't crash me on an optimized 1.8.0.10 or 1.8.1.3, but does in a debug build (slightly different place, but still a deleted object). The branch fix will have to be verified in a debug build.

Comment 6 Olli Pettay [:smaug] 2007-03-20 12:10:37 PDT
Created attachment 259120
for branches

just the change that mPresContext is used in branches, trunk has
GetPresContext()
Comment 7 Daniel Veditz [:dveditz] 2007-03-21 11:41:37 PDT
Comment on attachment 259120
for branches

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Comment 8 Marcia Knous [:marcia - use ni] 2007-05-08 14:34:51 PDT
verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
Comment 9 Marcia Knous [:marcia - use ni] 2007-05-08 16:27:29 PDT
verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
Comment 10 Bob Clary [:bc:] 2009-04-24 11:14:17 PDT
crash test landed
http://hg.mozilla.org/mozilla-central/rev/c9211196a28e
