As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 374102 - Crash [@ HandleEvent] on reload with treechildren with display: -moz-deck inside tabpanels
: Crash [@ HandleEvent] on reload with treechildren with display: -moz-deck ins...
Status: VERIFIED FIXED
[sg:critical] using freed view [must ...
: crash, testcase, verified1.8.0.13, verified1.8.1.5
Product: Core
Classification: Components
Component: XUL (show other bugs)
: Trunk
: x86 All
: -- critical (vote)
: ---
Assigned To: Mats Palmgren (:mats)
:
: Neil Deakin
Mentors:
Depends on:
Blocks: 140218 283154 321224 330480
  Show dependency treegraph
 
Reported: 2007-03-15 11:33 PDT by Martijn Wargers [:mwargers]
Modified: 2011-06-13 10:01 PDT (History)
9 users (show)
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
bob: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (161 bytes, application/vnd.mozilla.xul+xml)
2007-03-15 11:33 PDT, Martijn Wargers [:mwargers]
no flags Details
Patch rev. 1 (8.05 KB, patch)
2007-05-08 13:34 PDT, Mats Palmgren (:mats)
roc: review+
roc: superreview+
dveditz: approval1.8.1.5+
dveditz: approval1.8.0.13+
Details | Diff | Splinter Review
stack (4.52 KB, text/plain)
2007-05-08 16:01 PDT, Mats Palmgren (:mats)
no flags Details
Additional patch (1.39 KB, patch)
2007-05-08 16:07 PDT, Mats Palmgren (:mats)
roc: review+
roc: superreview+
dveditz: approval1.8.1.5+
dveditz: approval1.8.0.13+
Details | Diff | Splinter Review
One more addition, for branches only (1.95 KB, patch)
2007-05-13 19:14 PDT, Mats Palmgren (:mats)
roc: review+
roc: superreview+
dveditz: approval1.8.1.5+
dveditz: approval1.8.0.13+
Details | Diff | Splinter Review

Description User image Martijn Wargers [:mwargers] 2007-03-15 11:33:40 PDT
Created attachment 258693 [details]
testcase

See testcase, which crashes current trunk builds on reload.

Talkback ID: TB30268064E
HandleEvent  [mozilla/view/src/nsview.cpp, line 171]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nswindow.cpp, line 1103]
nsWindow::DispatchStandardEvent  [mozilla/widget/src/windows/nswindow.cpp, line 1143]
nsWindow::OnDestroy  [mozilla/widget/src/windows/nswindow.cpp, line 5812]
kModuleInfo
nsWindow::StandardWindowCreate  [mozilla/widget/src/windows/nswindow.cpp, line 1359]
0x5604508b

It also crashes Firefox2.0.0.3pre and Mozilla1.7.13 directly, so it's not a regression. So I'm marking this security sensitive.
Comment 1 User image Martijn Wargers [:mwargers] 2007-03-15 11:40:38 PDT
I filed bug 374103 as the branch version of this bug.
Comment 2 User image :Gavin Sharp [email: gavin@gavinsharp.com] 2007-03-23 12:38:37 PDT
I can reproduce this on a Windows debug and nightly build, but not on a Mac debug build.
Comment 3 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2007-03-28 11:52:22 PDT
I see the following assertion just before the crash
###!!! ASSERTION: We already have a window for this view? BAD: '!mWindow', file /home/smaug/mozilla/mozilla_cvs/mozilla/view/src/nsView.cpp, line 612
WARNING: empty langgroup: file /home/smaug/mozilla/mozilla_cvs/mozilla/gfx/thebes/src/gfxFont.cpp, line 503
Comment 4 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2007-05-07 14:06:13 PDT
I take this for now, will look at later this week.
Jan, if you were working on this, feel free to reassign.
Comment 5 User image Mats Palmgren (:mats) 2007-05-08 13:21:29 PDT
The testcase results in this assertion a bit before the crash:
###!!! ASSERTION: We already have a window for this view? BAD: '!mWindow', file nsView.cpp, line 612

The widget was already created by nsLeafBoxFrame::Init()
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/nsLeafBoxFrame.cpp&rev=1.60&root=/cvsroot&mark=107,108#94
but nsTreeBodyFrame::Init() does not check this
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp&rev=1.313&root=/cvsroot&mark=211#205
Comment 6 User image Mats Palmgren (:mats) 2007-05-08 13:34:12 PDT
Created attachment 264162 [details] [diff] [review]
Patch rev. 1
Comment 7 User image Mats Palmgren (:mats) 2007-05-08 15:57:55 PDT
The testcase crashes my branch debug builds (Linux debug), it's a null-deref
which is bug 140218.  Fixing bug 140218 however makes the crash the same as
on trunk, that is using a destroyed view on Reload...
Comment 8 User image Mats Palmgren (:mats) 2007-05-08 16:01:29 PDT
Created attachment 264183 [details]
stack

Analyzing the crash a little deeper - when the assert occurs we
just release the ref to the old mWindow and set up the new
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/view/src/nsView.cpp&rev=3.236&root=/cvsroot&mark=612-613#602

This is no good since the old window still references the view
we now have two windows pointing to this view.  When the view
is destroyed it only tears down the "client data" for the
latest window so the first one has a dangling pointer so 
when it is destroyed it will fire an OnDestroy event
on a deleted view.
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/view/src/nsView.cpp&rev=3.236&root=/cvsroot&mark=167,171#162

This is the stack and trace of calls leading up to the crash.
Comment 9 User image Mats Palmgren (:mats) 2007-05-08 16:07:44 PDT
Created attachment 264186 [details] [diff] [review]
Additional patch

Here's a patch that make the code more robust against this kind
of error in the future.  In fact, this patch fixes the crash alone
(at least in my debug trunk build on Linux).
The layout/xul changes in the first patch avoids causing the error
with two widgets for the same view in the first place.
We should probably take both patches.
Comment 10 User image Mats Palmgren (:mats) 2007-05-13 18:11:04 PDT
Both patches checked in to trunk at 2007-05-13 17:42 PDT.

-> FIXED
Comment 11 User image Mats Palmgren (:mats) 2007-05-13 19:14:08 PDT
Created attachment 264700 [details] [diff] [review]
One more addition, for branches only

Fix same problem in nsNativeScrollbarFrame.cpp, this is only needed
on branches since this file has been removed on trunk.
This patch alone fixes bug 321224, but I prefer to handle all the patches
on this bug.
Comment 12 User image Martijn Wargers [:mwargers] 2007-05-14 08:23:25 PDT
Thanks, verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070514 Minefield/3.0a5pre
Comment 13 User image Daniel Veditz [:dveditz] 2007-06-15 10:42:25 PDT
Comment on attachment 264162 [details] [diff] [review]
Patch rev. 1

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Comment 14 User image Mats Palmgren (:mats) 2007-07-01 16:05:58 PDT
All three patches landed on MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH
at 2007-07-01 14:30 PDT.
Comment 15 User image Carsten Book [:Tomcat] 2007-07-04 20:48:10 PDT
verified fixed 1.8.1.5. using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre ID:2007070403 and Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007070403 BonEcho/2.0.0.5pre on Linux Fedora F7- no crash on Testcase - adding verified keyword
Comment 16 User image juan becerra [:juanb] 2007-08-22 16:35:04 PDT
Verified on MacIntel using version 1.5.0.13 (20070809) and testcase in comment #0. No longer crashes.
Comment 17 User image Bob Clary [:bc:] 2009-04-24 10:53:31 PDT
crash test landed
http://hg.mozilla.org/mozilla-central/rev/27013d682d9f

Note You need to log in before you can comment on or make changes to this bug.