Bug 336744 (Closed): Crash when window gets destroyed during popuphiding event
Opened 19 years ago, closed 18 years ago
Status: RESOLVED FIXED
Categories: (Core :: XUL, defect)
People: (Reporter: martijn.martijn, Assigned: smaug)
Details: (4 keywords, Whiteboard: [sg:critical])
Attachments (3 files)
1.22 KB, text/html
3.93 KB, patch (roc: review+, roc: superreview+)
3.84 KB, patch (dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+)
This is similar to bug 336739, but now with the popuphiding event (that's why I also made this bug security sensitive).
This also crashes Mozilla1.7.
Talkback ID: TB18335801Z
nsPopupSetFrame::OpenPopup nsPopupSetFrame::DestroyPopup nsPopupBoxObject::HidePopup XPCWrappedNative::CallMethod
Comment 1 • 19 years ago (Reporter)
Comment 3 • 18 years ago (Assignee)
Better to use only objects which are guaranteed to be alive.
And PresShell should not die while dispatching an event.
Attachment #256914 - Flags: superreview?(roc)
Attachment #256914 - Flags: review?(roc)
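The lifetime rule stated in Comment 3, sketched as an added example that is not part of this bug or its attached patches: hold a strong reference across the event dispatch and re-check state afterwards. `Popup`, `Window`, `HidePopup` and `RunScenario` are hypothetical names, and `std::shared_ptr` stands in for the engine's own reference counting.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for a popup frame and its owning window; not Gecko code.
struct Popup {
    bool attached = true;           // false once the owner has torn it down
    std::vector<std::string>* log;  // records lifetime events for inspection
    explicit Popup(std::vector<std::string>* l) : log(l) {}
    ~Popup() { log->push_back("destroyed"); }
};

struct Window {
    std::shared_ptr<Popup> popup;                // the window owns the popup
    std::function<void(Window&)> onPopupHiding;  // content-controlled handler
    void Destroy() { if (popup) { popup->attached = false; popup.reset(); } }
};

// Returns true if hiding completed, false if the handler tore the popup down.
bool HidePopup(Window& win, std::vector<std::string>& log) {
    // Strong reference taken before dispatch: the handler can run arbitrary
    // code, including Window::Destroy(), so win.popup may be null afterwards.
    std::shared_ptr<Popup> guard = win.popup;
    if (!guard) return false;
    if (win.onPopupHiding) win.onPopupHiding(win);
    log.push_back("dispatch returned");
    // Re-validate instead of assuming the object is still in use by its owner.
    if (!guard->attached) return false;
    log.push_back("hidden");
    return true;
}

// Constructed scenario: optionally destroy the window from the handler.
std::vector<std::string> RunScenario(bool destroyInHandler) {
    std::vector<std::string> log;
    {
        Window win;
        win.popup = std::make_shared<Popup>(&log);
        if (destroyInHandler) win.onPopupHiding = [](Window& w) { w.Destroy(); };
        log.push_back(HidePopup(win, log) ? "completed" : "aborted");
    }
    return log;
}
```

In the destroying scenario the popup's destructor runs only after the dispatch has returned and the guard goes out of scope, so nothing touches freed memory.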
Updated • 18 years ago (Assignee)
Status: NEW → ASSIGNED
Attachment #256914 - Flags: superreview?(roc)
Attachment #256914 - Flags: superreview+
Attachment #256914 - Flags: review?(roc)
Attachment #256914 - Flags: review+
Comment 4 • 18 years ago (Assignee)
checked in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated • 18 years ago (Assignee)
Attachment #256914 - Flags: approval1.8.1.3?
Comment 5 • 18 years ago
On a trunk debug build (before fix) this crashes trying to release an already-deleted object (after we've already been doing stuff with that object for a while). Definitely a security risk involved.
QA note: The testcase on this bug doesn't crash me on an optimized 1.8.0.10 or 1.8.1.3, but does in a debug build (slightly different place, but still a deleted object). The branch fix will have to be verified in a debug build.
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Whiteboard: [sg:critical]
Updated • 18 years ago (Assignee)
Attachment #256914 - Flags: approval1.8.1.4?
Comment 6 • 18 years ago (Assignee)
Just the change that mPresContext is used in branches; trunk has GetPresContext().
Attachment #259120 - Flags: approval1.8.1.4?
Attachment #259120 - Flags: approval1.8.0.12?
Comment 7 • 18 years ago
Comment on attachment 259120
for branches
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #259120 - Flags: approval1.8.1.4?
Attachment #259120 - Flags: approval1.8.1.4+
Attachment #259120 - Flags: approval1.8.0.12?
Attachment #259120 - Flags: approval1.8.0.12+
Updated • 18 years ago (Assignee)
Keywords: fixed1.8.0.12, fixed1.8.1.4
Comment 8 • 18 years ago
verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
Keywords: fixed1.8.1.4 → verified1.8.1.4
Comment 9 • 18 years ago
verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with Testcase in Comment 1. Adding branch verified keyword.
Keywords: fixed1.8.0.12 → verified1.8.0.12
Updated • 18 years ago
Group: security
Updated • 17 years ago
Flags: in-testsuite?
Comment 10 • 16 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/c9211196a28e
Flags: in-testsuite? → in-testsuite+