Closed Bug 349201 Opened 13 years ago Closed 13 years ago

Crash [@ XULPopupListenerImpl::ClosePopup]

Categories

(Core :: XUL, defect, critical)

defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.8.1

People

(Reporter: smaug, Assigned: smaug)

Details

(Keywords: crash, verified1.8.0.7, verified1.8.1, Whiteboard: [sg:critical] uses freed mem)

Crash Data

Attachments

(2 files, 1 obsolete file)

nsXULPopupListener keeps a weak reference to the popup.
Bad things happen if popup is deleted before the listener.
Testcase and patch coming.
Attached file tescase
Right click to see context menu. Wait until it disappears.
You may have to reload/retry few times.
Tested 1.8.1 and trunk and crashes in both cases.
Attached patch proposed patch (obsolete) — Splinter Review
Don't use raw pointer but boxobject, since box object won't do anything after
the element it points to is deleted or removed from document.
Attachment #234449 - Flags: superreview?(bzbarsky)
Attachment #234449 - Flags: review?(enndeakin)
Flags: blocking1.9?
Flags: blocking1.8.1?
Flags: blocking1.8.0.7?
Also 1.8.0 crashes.
Oops, the changes to nsXULDocument.cpp aren't related to this bug.
Attached patch proposed patchSplinter Review
Attachment #234449 - Attachment is obsolete: true
Attachment #234455 - Flags: superreview?(bzbarsky)
Attachment #234455 - Flags: review?(enndeakin)
Attachment #234449 - Flags: superreview?(bzbarsky)
Attachment #234449 - Flags: review?(enndeakin)
Attachment #234455 - Flags: review?(enndeakin) → review+
Comment on attachment 234455 [details] [diff] [review]
proposed patch

Makes sense.
Attachment #234455 - Flags: superreview?(bzbarsky) → superreview+
Attachment #234455 - Flags: approval1.8.1?
Attachment #234455 - Flags: approval1.8.0.7?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: blocking1.8.1? → blocking1.8.1+
Target Milestone: --- → mozilla1.8.1
Whiteboard: [181approval pending]
What is the 181 approval pending on? coordination with 1.8.0.7?
Whiteboard: [181approval pending] → [sg:critical] uses freed mem [181approval pending]
Comment on attachment 234455 [details] [diff] [review]
proposed patch

a=schrep for drivers - approving all [181approval pending] bugs now that tree is open.
Attachment #234455 - Flags: approval1.8.1? → approval1.8.1+
Keywords: fixed1.8.1
Flags: blocking1.8.0.7? → blocking1.8.0.7+
Whiteboard: [sg:critical] uses freed mem [181approval pending] → [sg:critical] uses freed mem
Comment on attachment 234455 [details] [diff] [review]
proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #234455 - Flags: approval1.8.0.7? → approval1.8.0.7+
Keywords: fixed1.8.0.7
Flags: blocking1.9?
https://bugzilla.mozilla.org/attachment.cgi?id=234448&action=view shouldn't cause a crash when following directions in comment #1.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/20060825 BonEcho/2.0b2

verified 1.8.1b2

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060825 Firefox/1.5.0.7pre

verified 1.8.0.7
Status: RESOLVED → VERIFIED
Group: security
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ XULPopupListenerImpl::ClosePopup]
You need to log in before you can comment on or make changes to this bug.