Closed Bug 336744 Opened 19 years ago Closed 18 years ago

Crash when window gets destroyed during popuphiding event

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [sg:critical])

Attachments

(3 files)

testcase (crashes within 1 sec)
1.22 KB, text/html
Details
proposed patch
3.93 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
for branches
3.84 KB, patch
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
This is similar to bug 336739, but now with the popuphiding event (that's why I also made this bug security sensitive). This also crashes Mozilla1.7. Talkback ID: TB18335801Z nsPopupSetFrame::OpenPopup nsPopupSetFrame::DestroyPopup nsPopupBoxObject::HidePopup XPCWrappedNative::CallMethod
taking for now
Assignee: jag → Olli.Pettay
Attached patch proposed patchSplinter Review
Better to use only objects which are guaranteed to be alive. And PresShell should not die while dispatching an event.
Attachment #256914 - Flags: superreview?(roc)
Attachment #256914 - Flags: review?(roc)
Status: NEW → ASSIGNED
Attachment #256914 - Flags: superreview?(roc)
Attachment #256914 - Flags: superreview+
Attachment #256914 - Flags: review?(roc)
Attachment #256914 - Flags: review+
checked in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #256914 - Flags: approval1.8.1.3?
On a trunk debug build (before fix) this crashes trying to release an already-deleted object (after we've already been doing stuff with that object for a while). Definitely a security risk involved. QA note: The testcase on this bug doesn't crash me on an optimized 1.8.0.10 or 1.8.1.3, but does in a debug build (slightly different place, but still a deleted object). The branch fix will have to be verified in a debug build
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Whiteboard: [sg:critical]
Attachment #256914 - Flags: approval1.8.1.4?
Attached patch for branchesSplinter Review
just the change that mPresContext is used in branches, trunk has GetPresContext()
Attachment #259120 - Flags: approval1.8.1.4?
Attachment #259120 - Flags: approval1.8.0.12?
Comment on attachment 259120 [details] [diff] [review] for branches approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #259120 - Flags: approval1.8.1.4?
Attachment #259120 - Flags: approval1.8.1.4+
Attachment #259120 - Flags: approval1.8.0.12?
Attachment #259120 - Flags: approval1.8.0.12+
verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
Keywords: fixed1.8.1.4verified1.8.1.4
verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
Keywords: fixed1.8.0.12verified1.8.0.12
Group: security
Flags: in-testsuite?
crash test landed http://hg.mozilla.org/mozilla-central/rev/c9211196a28e
Flags: in-testsuite? → in-testsuite+
Depends on: 1268050
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: