The default bug view has changed. See this FAQ.

[FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input

VERIFIED FIXED in mozilla1.9alpha5

Status

()

Core
Layout
P1
critical
VERIFIED FIXED
10 years ago
3 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: bz)

Tracking

(5 keywords)

Trunk
mozilla1.9alpha5
crash, regression, testcase, verified1.8.0.14, verified1.8.1.8
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
Created attachment 259593 [details]
testcase

See testcase, which crashes current trunk builds within 200ms after load.
Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent  [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]

This regressed between 2005-11-05 and 2005-11-08:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-05+05&maxdate=2005-11-08+09&cvsroot=%2Fcvsroot
I suspect a regression from bug 315306, somehow.
This doesn't happen on the branch.

This crash also happens when using an isindex, btw.
(Reporter)

Comment 1

10 years ago
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.

Er, I meant bug 314776 here
This seems to be very similar to bug 375839, with a simpler testcase... Looking.
Blocks: 375839
Created attachment 260104 [details]
Binding for testcase
Created attachment 260105 [details]
Testcase that crashes in older builds too

All that happened with bug 314776 is the ordering changed.  If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Attachment #259593 - Attachment is obsolete: true
Created attachment 260106 [details] [diff] [review]
Patch.

This fixes this bug and bug 375839.  In this case we do not have anything in the mContentListTable but we do have our single insertion point in mAnonymousNodesTable.

I did some CVS digging, and the reason this is needed is because of http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352 -- that code means we could have insertion points in either hashtable.

It looks like this has NEVER worked.  The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy.  I suspect the two patches were just worked on independently... :(

Sicking, you think this is worth taking on branches?  So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
Attachment #260106 - Flags: superreview?(jonas)
Attachment #260106 - Flags: review?(jonas)
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input → [FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input
Target Milestone: --- → mozilla1.9alpha4
Blocks: 374405
Attachment #260106 - Flags: superreview?(jonas)
Attachment #260106 - Flags: superreview+
Attachment #260106 - Flags: review?(jonas)
Attachment #260106 - Flags: review+
Fixed.  We need some tests here... :(
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha4 → mozilla1.9alpha5
(Reporter)

Comment 7

10 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.14, fixed1.8.1.8
Check-in of the branch patch in bug 382376 included this fix.
Verified in FF 2.0.0.8 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 2.0.0.7).
Keywords: fixed1.8.1.8 → verified1.8.1.8
(Reporter)

Updated

10 years ago
Keywords: fixed1.8.0.14 → verified1.8.0.14
Crash Signature: [@ nsFileControlFrame::CreateAnonymousContent]
https://hg.mozilla.org/integration/mozilla-inbound/rev/235c56c14822
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/235c56c14822
You need to log in before you can comment on or make changes to this bug.