354645 - Crash [@ nsBoxFrame::AppendFrames] removing <xul:tabs> during onselect

Status: VERIFIED FIXED

(Core :: XBL, defect)

Description

[Jesse Ruderman]

Loading this testcase makes Firefox (debug) crash with

0xdddddddc
nsBoxFrame::AppendFrames
nsFrameManager::AppendFrames
nsCSSFrameConstructor::AppendFrames
...

Nightlies crash too, but with a slightly different stack trace.

Comment 1

[Jesse Ruderman]

Attachment: testcase

Comment 2

[Jesse Ruderman]

I can reproduce on the Firefox 2 branch, too, so nominating for blocking1.8.1.

Comment 3

[Mike Connor [:mconnor]]

Too late for this type of thing, should fix for 1.8.1.1

Comment 4

[Boris Zbarsky [:bzbarsky]]

Usual problem -- the XBL constructor is run while the frame tree is not yet done being constructed, it does some stuff, said stuff triggers a select event firing, which removes the node from the tree (and destroys its frames).  Then we unwind and attempt to insert said deleted frames into the tree, dereference 0xdddddddd (in debug builds, or random memory in opt builds), and crash.

Comment 5

[Daniel Veditz [:dveditz]]

Does this happen in 1.8.0.x as well?

Comment 6

[Jay Patel [:jay]]

Jonas:  Can you take a look at this? 

Comment 7

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

By bzs description I don't think we should try to fix this one particular crash since there's a bigger general issue that can cause many different types of crashes. I.e. that we run XBL ctors at unsafe times. I'll try to look in to that issue as i'm whacking XBL and nsCSSFrameCtor interaction in general.

Comment 8

[chris hofmann]

does the "whacking XBL and nsCSSFrameCtor interaction in general" work have bugs or a spec to help tracking the work and its possible impact on fixing this one?  be good to add those links here.

Comment 9

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Marking blocking for now. Hopefully the fix for 267833 will fix this one.

Comment 10

[Jesse Ruderman]

Doesn't crash now (probably due to the patch in bug 267833).

Comment 11

[Daniel Veditz [:dveditz]]

Moving out to 1.8.1.6 following bug 267833

Comment 12

[Daniel Veditz [:dveditz]]

bug 267833 landed on the branch, fixed1.8.1.8

Comment 13

[Carsten Book [:Tomcat]]

verified fixed 1.8.1.8 using : Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8 - no crash on testcase - adding verified keyword

Comment 14

[Jesse Ruderman]

Crashtest checked in.

Comment 15

[Carsten Book [:Tomcat]]

verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase from this bug - no crash on testcase

-> Verified fixed