Crash [@ XULPopupListenerImpl::ClosePopup]

VERIFIED FIXED in mozilla1.8.1

Status


Core
XUL
--
critical
VERIFIED FIXED
11 years ago
6 years ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

({crash, verified1.8.0.7, verified1.8.1})

Trunk
mozilla1.8.1
Points:
---
Bug Flags:
blocking1.8.1 +
blocking1.8.0.7 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] uses freed mem, crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

595 bytes, application/vnd.mozilla.xul+xml
4.55 KB, patch
Neil Deakin (not available until Aug 9)
: review+
Mike Schroepfer
: approval1.8.1+
(Assignee)

Description

11 years ago
nsXULPopupListener keeps a weak reference to the popup.
Bad things happen if popup is deleted before the listener.
Testcase and patch coming.
(Assignee)

Comment 1

11 years ago
Created attachment 234448 [details]
testcase

Right click to see context menu. Wait until it disappears.
You may have to reload/retry a few times.
Tested 1.8.1 and trunk and crashes in both cases.
(Assignee)

Comment 2

11 years ago
Created attachment 234449 [details] [diff] [review]
proposed patch

Don't use raw pointer but boxobject, since box object won't do anything after
the element it points to is deleted or removed from document.
Attachment #234449 - Flags: superreview?(bzbarsky)
Attachment #234449 - Flags: review?(enndeakin)
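
The lifetime problem from the description and the fix idea from comment 2, as an added example that is not part of the bug report or of Mozilla's patch: a simplified C++ model in which the listener holds a reference-counted box object that the popup detaches in its destructor. `BoxObject`, `Popup`, `PopupListener`, `Attach` and `mPopupBox` are hypothetical stand-ins, and `std::shared_ptr` is used in place of Mozilla's own reference counting.

```cpp
#include <memory>
// Simplified stand-ins (assumptions), not Mozilla classes.
struct Popup;
// Ref-counted intermediary that can outlive the popup; detached by ~Popup().
struct BoxObject {
    Popup* target = nullptr;   // cleared by ~Popup()
    bool Hide();               // true only if a live popup was hidden
};

struct Popup {
    bool open = true;
    std::shared_ptr<BoxObject> box = std::make_shared<BoxObject>();
    Popup() { box->target = this; }
    ~Popup() { box->target = nullptr; }  // no path left to freed memory
};

bool BoxObject::Hide() {
    if (!target) return false;  // popup already deleted: no-op
    target->open = false;
    return true;
}

// Listener holding a reference to the box object rather than a raw Popup*.
class PopupListener {
    std::shared_ptr<BoxObject> mPopupBox;  // hypothetical member name
public:
    void Attach(Popup& p) { mPopupBox = p.box; }  // hypothetical helper
    bool ClosePopup() {
        bool hid = mPopupBox && mPopupBox->Hide();
        mPopupBox.reset();
        return hid;
    }
};

// Constructed scenario: the popup is deleted before the listener closes it.
bool close_after_popup_deleted() {
    PopupListener listener;
    auto popup = std::make_unique<Popup>();
    listener.Attach(*popup);
    popup.reset();                 // popup goes away first, as in the bug
    return listener.ClosePopup();  // safe no-op instead of a dangling access
}

bool close_live_popup() {
    PopupListener listener;
    Popup popup;
    listener.Attach(popup);
    return listener.ClosePopup() && !popup.open;
}
```

With a raw `Popup*` member in place of `mPopupBox`, the first scenario would dereference freed memory inside `ClosePopup`, which is the condition the whiteboard records as "uses freed mem".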
(Assignee)

Updated

11 years ago
Flags: blocking1.9?
Flags: blocking1.8.1?
Flags: blocking1.8.0.7?
(Assignee)

Comment 3

11 years ago
Also 1.8.0 crashes.
(Assignee)

Comment 4

11 years ago
Oops, the changes to nsXULDocument.cpp aren't related to this bug.
(Assignee)

Comment 5

11 years ago
Created attachment 234455 [details] [diff] [review]
proposed patch
Attachment #234449 - Attachment is obsolete: true
Attachment #234455 - Flags: superreview?(bzbarsky)
Attachment #234455 - Flags: review?(enndeakin)
Attachment #234449 - Flags: superreview?(bzbarsky)
Attachment #234449 - Flags: review?(enndeakin)
Attachment #234455 - Flags: review?(enndeakin) → review+
Comment on attachment 234455 [details] [diff] [review]
proposed patch

Makes sense.
Attachment #234455 - Flags: superreview?(bzbarsky) → superreview+
(Assignee)

Updated

11 years ago
Attachment #234455 - Flags: approval1.8.1?
Attachment #234455 - Flags: approval1.8.0.7?
(Assignee)

Updated

11 years ago
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

11 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Target Milestone: --- → mozilla1.8.1

Updated

11 years ago
Whiteboard: [181approval pending]
What is the 181 approval pending on? Coordination with 1.8.0.7?
Whiteboard: [181approval pending] → [sg:critical] uses freed mem [181approval pending]

Comment 8

11 years ago
Comment on attachment 234455 [details] [diff] [review]
proposed patch

a=schrep for drivers - approving all [181approval pending] bugs now that tree is open.
Attachment #234455 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.1
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Whiteboard: [sg:critical] uses freed mem [181approval pending] → [sg:critical] uses freed mem
Comment on attachment 234455 [details] [diff] [review]
proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #234455 - Flags: approval1.8.0.7? → approval1.8.0.7+
(Assignee)

Updated

11 years ago
Keywords: fixed1.8.0.7
(Assignee)

Updated

11 years ago
Flags: blocking1.9?
https://bugzilla.mozilla.org/attachment.cgi?id=234448&action=view shouldn't cause a crash when following directions in comment #1.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/20060825 BonEcho/2.0b2

verified 1.8.1b2

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060825 Firefox/1.5.0.7pre

verified 1.8.0.7
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.7, fixed1.8.1 → verified1.8.0.7, verified1.8.1
Keywords: crash
Group: security

Updated

9 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ XULPopupListenerImpl::ClosePopup]