This is similar to bug 336739, but now with the popuphiding event (that's why I also made this bug security sensitive).
This also crashes Mozilla1.7.
Talkback ID: TB18335801Z
nsPopupSetFrame::OpenPopup nsPopupSetFrame::DestroyPopup nsPopupBoxObject::HidePopup XPCWrappedNative::CallMethod
Created attachment 220933 [details]
testcase (crashes within 1 sec)
taking for now
Created attachment 256914 [details] [diff] [review]
Better to use only objects which are guaranteed to be alive.
And PresShell should not die while dispatching an event.
On a trunk debug build (before fix) this crashes trying to release an already-deleted object (after we've already been doing stuff with that object for a while). Definitely a security risk involved.
QA note: The testcase on this bug doesn't crash me on an optimized 184.108.40.206 or 220.127.116.11, but does in a debug build (slightly different place, but still a deleted object). The branch fix will have to be verified in a debug build
Created attachment 259120 [details] [diff] [review]
just the change that mPresContext is used in branches, trunk has
Comment on attachment 259120 [details] [diff] [review]
approved for 18.104.22.168 and 22.214.171.124, a=dveditz for release-drivers
verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:126.96.36.199pre) Gecko/2007050804 BonEcho/188.8.131.52pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:184.108.40.206pre) Gecko/20070508 Firefox/220.127.116.11pre. No crash with
Testcase in Comment 1. Adding branch verified keyword.
crash test landed