Last Comment Bug 354645 - Crash [@ nsBoxFrame::AppendFrames] removing <xul:tabs> during onselect
: Crash [@ nsBoxFrame::AppendFrames] removing <xul:tabs> during onselect
[sg:critical] fixed by 267833
: arch, crash, testcase, verified1.8.1.8
Product: Core
Classification: Components
Component: XBL (show other bugs)
: Trunk
: PowerPC Mac OS X
-- critical (vote)
: ---
Assigned To: Jonas Sicking (:sicking) No longer reading bugmail consistently
: Hixie (not reading bugmail)
: Andrew Overholt [:overholt]
Depends on: 267833
Blocks: 344486
  Show dependency treegraph
Reported: 2006-09-28 00:29 PDT by Jesse Ruderman
Modified: 2008-02-19 08:38 PST (History)
9 users (show)
jonas: blocking1.9+
mconnor: blocking1.8.1-
dveditz: blocking1.8.1.8+
dveditz: wanted1.8.1.x+
jaymoz: wanted1.8.0.x+
jruderman: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

testcase (552 bytes, application/vnd.mozilla.xul+xml)
2006-09-28 00:32 PDT, Jesse Ruderman
no flags Details

Description User image Jesse Ruderman 2006-09-28 00:29:50 PDT
Loading this testcase makes Firefox (debug) crash with


Nightlies crash too, but with a slightly different stack trace.
Comment 1 User image Jesse Ruderman 2006-09-28 00:32:18 PDT
Created attachment 240427 [details]
Comment 2 User image Jesse Ruderman 2006-10-04 00:03:47 PDT
I can reproduce on the Firefox 2 branch, too, so nominating for blocking1.8.1.
Comment 3 User image Mike Connor [:mconnor] 2006-10-04 10:06:32 PDT
Too late for this type of thing, should fix for
Comment 4 User image Boris Zbarsky [:bz] (still a bit busy) 2006-11-02 22:11:33 PST
Usual problem -- the XBL constructor is run while the frame tree is not yet done being constructed, it does some stuff, said stuff triggers a select event firing, which removes the node from the tree (and destroys its frames).  Then we unwind and attempt to insert said deleted frames into the tree, dereference 0xdddddddd (in debug builds, or random memory in opt builds), and crash.
Comment 5 User image Daniel Veditz [:dveditz] 2006-12-15 11:03:22 PST
Does this happen in 1.8.0.x as well?
Comment 6 User image Jay Patel [:jay] 2006-12-27 14:20:11 PST
Jonas:  Can you take a look at this? 
Comment 7 User image Jonas Sicking (:sicking) No longer reading bugmail consistently 2007-01-05 16:32:30 PST
By bzs description I don't think we should try to fix this one particular crash since there's a bigger general issue that can cause many different types of crashes. I.e. that we run XBL ctors at unsafe times. I'll try to look in to that issue as i'm whacking XBL and nsCSSFrameCtor interaction in general.
Comment 8 User image chris hofmann 2007-02-13 15:08:57 PST
does the "whacking XBL and nsCSSFrameCtor interaction in general" work have bugs or a spec to help tracking the work and its possible impact on fixing this one?  be good to add those links here.
Comment 9 User image Jonas Sicking (:sicking) No longer reading bugmail consistently 2007-03-02 17:08:44 PST
Marking blocking for now. Hopefully the fix for 267833 will fix this one.
Comment 10 User image Jesse Ruderman 2007-03-10 07:34:44 PST
Doesn't crash now (probably due to the patch in bug 267833).
Comment 11 User image Daniel Veditz [:dveditz] 2007-07-09 15:57:28 PDT
Moving out to following bug 267833
Comment 12 User image Daniel Veditz [:dveditz] 2007-10-01 15:42:34 PDT
bug 267833 landed on the branch, fixed1.8.1.8
Comment 13 User image Carsten Book [:Tomcat] 2007-10-12 08:45:20 PDT
verified fixed using : Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv: Gecko/2007100816 Firefox/ - no crash on testcase - adding verified keyword
Comment 14 User image Jesse Ruderman 2007-12-17 22:58:19 PST
Crashtest checked in.
Comment 15 User image Carsten Book [:Tomcat] 2007-12-31 14:12:49 PST
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase

-> Verified fixed

Note You need to log in before you can comment on or make changes to this bug.