Closed
Bug 364801
Opened 18 years ago
Closed 17 years ago
ASSERTION: Some frame destructors were not called with this testcase that makes scrollbars disappear
Categories
(Core :: Layout, defect, P5)
Core
Layout
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: roc)
References
Details
(4 keywords, Whiteboard: [sg:critical?][dbaron-1.9:Rs])
Attachments
(3 files)
846 bytes,
text/html
|
Details | |
1.13 KB,
patch
|
MatsPalmgren_bugz
:
review+
MatsPalmgren_bugz
:
superreview+
dveditz
:
approval1.8.1.12+
|
Details | Diff | Splinter Review |
485 bytes,
patch
|
caillon
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
Marking security sensitive because similar assertions because are also security sensitive. See upcoming testcase. When hovering one of the scrollbars, they disappear. When you reload the page, you get the assertion: ###!!! ASSERTION: Some frame destructors were not called: 'mFrameCount == 0', fi le c:/mozilla/mozilla/layout/base/nsPresShell.cpp, line 623
Reporter | ||
Updated•18 years ago
|
Group: security
Reporter | ||
Comment 1•18 years ago
|
||
Comment 2•17 years ago
|
||
I can reproduce this bug on Mac trunk. The assertion text has changed since the bug was filed, but the assertion still fires. Is this instance of the assertion an indicator of a security hole?
Flags: blocking1.9?
OS: Windows XP → All
Hardware: PC → All
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Whiteboard: [dbaron-1.9:Rs]
Assignee | ||
Updated•17 years ago
|
Assignee: nobody → roc
Assignee | ||
Comment 3•17 years ago
|
||
So the immediate problem here is that we should not be allowing mousemove events targeted at scrollbar parts to bubble up to Web content. Olli, any suggestions about how to fix that? Or if it's already supposed to be fixed, what might have broken?
Assignee | ||
Comment 4•17 years ago
|
||
We should probably fix the underlying bug too, of course. In the testcase we actually remove the slider first (because it's on top) and then once that's gone we generally get another mouseover on the scrollbar and remove that. It's removing the scrollbar that triggers the frame-destructor-not-called assertions.
Assignee | ||
Comment 5•17 years ago
|
||
This turned out to be simple ... nsHTMLScrollFrame::RemoveFrame did not destroy the frame as it's required to. (nsXULScrollFrame::RemoveFrame is fine though.)
Attachment #286245 -
Flags: superreview?(mats.palmgren)
Attachment #286245 -
Flags: review?(mats.palmgren)
Assignee | ||
Comment 6•17 years ago
|
||
We should probably spin off another bug about scrollbar components being exposed to Web content, although I have a feeling one already exists...
Whiteboard: [dbaron-1.9:Rs] → [dbaron-1.9:Rs][needs review]
Reporter | ||
Comment 7•17 years ago
|
||
Yeah, I think that's bug 251197.
Assignee | ||
Updated•17 years ago
|
Priority: -- → P5
Comment 9•17 years ago
|
||
Comment on attachment 286245 [details] [diff] [review] fix the frame destructors warning r+sr=mats
Attachment #286245 -
Flags: superreview?(mats.palmgren)
Attachment #286245 -
Flags: superreview+
Attachment #286245 -
Flags: review?(mats.palmgren)
Attachment #286245 -
Flags: review+
Updated•17 years ago
|
Whiteboard: [dbaron-1.9:Rs][needs review] → [dbaron-1.9:Rs]
Assignee | ||
Comment 10•17 years ago
|
||
checked in
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: in-testsuite?
Comment 11•17 years ago
|
||
Do we need this patch on the 1.8 branch? What severity should we rate this as a security bug? (didn't see signs of crashing of other exploitable conditions)
Comment 12•17 years ago
|
||
guessing possibly sg:critical based on the symptoms of dupe 399411
Whiteboard: [dbaron-1.9:Rs] → [sg:critical?][dbaron-1.9:Rs]
Assignee | ||
Comment 13•17 years ago
|
||
Comment on attachment 286245 [details] [diff] [review] fix the frame destructors warning The patch should apply to branch very easily.
Attachment #286245 -
Flags: approval1.8.1.12?
Comment 14•17 years ago
|
||
Comment on attachment 286245 [details] [diff] [review] fix the frame destructors warning approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #286245 -
Flags: approval1.8.1.12? → approval1.8.1.12+
The MOZILLA_1_8_BRANCH is still burning from this patch, even after roc checked in a bustage fix :(
Comment 17•17 years ago
|
||
I checked in a bustage fix, should go green next cycle.
Assignee | ||
Comment 18•17 years ago
|
||
Sorry about that
Comment 19•17 years ago
|
||
verified fixed on trunk with the testcase and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2008012917 Firefox/3.0b3pre ID:2008012917
Status: RESOLVED → VERIFIED
The scrollbars disappear for me with the testcase at https://bugzilla.mozilla.org/attachment.cgi?id=249508 with both: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080128 Firefox/2.0.0.12 -and- Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 Per comment 6, I think this means that the scrollbars are expected to disappear on hover even with the 1.8.1.12's 2.0.0.12 build; if so, cool, but I still can't verify on opt, since this is an assertion. Martijn, do you have cycles to verify this on the 1.8.1.12 branch, with a debug build?
Reporter | ||
Comment 21•17 years ago
|
||
Bug 334514 didn't go on the branch, so I wouldn't get that assertion anyway in my debug branch build, but I verified that the change was in my source, so this really should be fixed on branch.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•16 years ago
|
Group: security
Comment 22•16 years ago
|
||
Comment on attachment 286245 [details] [diff] [review] fix the frame destructors warning a=asac for 1.8.0.15
Attachment #286245 -
Flags: approval1.8.0.15+
Updated•16 years ago
|
Flags: blocking1.8.0.15+
Updated•16 years ago
|
Attachment #286245 -
Flags: approval1.8.0.15+
Comment 23•16 years ago
|
||
caillon, please review. this has just a tiny adaption because of changed API.
Attachment #310232 -
Flags: approval1.8.0.15?
Comment 24•16 years ago
|
||
err, sign off i mean :)
Comment 25•16 years ago
|
||
Comment on attachment 310232 [details] [diff] [review] 1.8.0 version of patch a=caillon for 1.8.0.15
Attachment #310232 -
Flags: approval1.8.0.15? → approval1.8.0.15+
You need to log in
before you can comment on or make changes to this bug.
Description
•