Last Comment Bug 349201 - Crash [@ XULPopupListenerImpl::ClosePopup]
: Crash [@ XULPopupListenerImpl::ClosePopup]
Status: VERIFIED FIXED
[sg:critical] uses freed mem
: crash, verified1.8.0.7, verified1.8.1
Product: Core
Classification: Components
Component: XUL (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla1.8.1
Assigned To: Olli Pettay [:smaug]
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-18 11:20 PDT by Olli Pettay [:smaug]
Modified: 2011-06-13 10:01 PDT (History)
3 users (show)
mtschrep: blocking1.8.1+
dveditz: blocking1.8.0.7+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
tescase (595 bytes, application/vnd.mozilla.xul+xml)
2006-08-18 11:22 PDT, Olli Pettay [:smaug]
no flags Details
proposed patch (5.77 KB, patch)
2006-08-18 11:25 PDT, Olli Pettay [:smaug]
no flags Details | Diff | Splinter Review
proposed patch (4.55 KB, patch)
2006-08-18 11:56 PDT, Olli Pettay [:smaug]
enndeakin: review+
bzbarsky: superreview+
dveditz: approval1.8.0.7+
mtschrep: approval1.8.1+
Details | Diff | Splinter Review

Description Olli Pettay [:smaug] 2006-08-18 11:20:07 PDT
nsXULPopupListener keeps a weak reference to the popup.
Bad things happen if popup is deleted before the listener.
Testcase and patch coming.
Comment 1 Olli Pettay [:smaug] 2006-08-18 11:22:04 PDT
Created attachment 234448 [details]
tescase

Right click to see context menu. Wait until it disappears.
You may have to reload/retry few times.
Tested 1.8.1 and trunk and crashes in both cases.
Comment 2 Olli Pettay [:smaug] 2006-08-18 11:25:04 PDT
Created attachment 234449 [details] [diff] [review]
proposed patch

Don't use raw pointer but boxobject, since box object won't do anything after
the element it points to is deleted or removed from document.
Comment 3 Olli Pettay [:smaug] 2006-08-18 11:37:17 PDT
Also 1.8.0 crashes.
Comment 4 Olli Pettay [:smaug] 2006-08-18 11:52:22 PDT
Oops, the changes to nsXULDocument.cpp aren't related to this bug.
Comment 5 Olli Pettay [:smaug] 2006-08-18 11:56:12 PDT
Created attachment 234455 [details] [diff] [review]
proposed patch
Comment 6 Boris Zbarsky [:bz] 2006-08-19 09:43:23 PDT
Comment on attachment 234455 [details] [diff] [review]
proposed patch

Makes sense.
Comment 7 Daniel Veditz [:dveditz] 2006-08-21 11:11:21 PDT
What is the 181 approval pending on? coordination with 1.8.0.7?
Comment 8 Mike Schroepfer 2006-08-22 18:41:47 PDT
Comment on attachment 234455 [details] [diff] [review]
proposed patch

a=schrep for drivers - approving all [181approval pending] bugs now that tree is open.
Comment 9 Daniel Veditz [:dveditz] 2006-08-23 14:40:06 PDT
Comment on attachment 234455 [details] [diff] [review]
proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Comment 10 alice nodelman [:alice] [:anode] 2006-08-25 15:22:16 PDT
https://bugzilla.mozilla.org/attachment.cgi?id=234448&action=view shouldn't cause a crash when following directions in comment #1.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/20060825 BonEcho/2.0b2

verified 1.8.1b2

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060825 Firefox/1.5.0.7pre

verified 1.8.0.7

Note You need to log in before you can comment on or make changes to this bug.