[FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input

VERIFIED FIXED in mozilla1.9alpha5

Status

defect
P1
critical
VERIFIED FIXED
12 years ago
5 years ago

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Tracking

Trunk
mozilla1.9alpha5
Bug Flags:
in-testsuite +

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

12 years ago
Posted file testcase (obsolete)
See testcase, which crashes current trunk builds within 200ms after load.
Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent  [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]

This regressed between 2005-11-05 and 2005-11-08:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-05+05&maxdate=2005-11-08+09&cvsroot=%2Fcvsroot
I suspect a regression from bug 315306, somehow.
This doesn't happen on the branch.

This crash also happens when using an isindex, btw.
(Reporter)

Comment 1

12 years ago
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.

Er, I meant bug 314776 here
This seems to be very similar to bug 375839, with a simpler testcase... Looking.
Blocks: 375839
All that happened with bug 314776 is the ordering changed.  If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Attachment #259593 - Attachment is obsolete: true
Posted patch Patch
This fixes this bug and bug 375839.  In this case we do not have anything in the mContentListTable but we do have our single insertion point in mAnonymousNodesTable.

I did some CVS digging, and the reason this is needed is because of http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352 -- that code means we could have insertion points in either hashtable.

It looks like this has NEVER worked.  The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy.  I suspect the two patches were just worked on independently... :(

Sicking, you think this is worth taking on branches?  So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
Attachment #260106 - Flags: superreview?(jonas)
Attachment #260106 - Flags: review?(jonas)
(Assignee)

Updated

12 years ago
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input → [FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input
Target Milestone: --- → mozilla1.9alpha4
(Assignee)

Updated

12 years ago
Blocks: 374405
Attachment #260106 - Flags: superreview?(jonas)
Attachment #260106 - Flags: superreview+
Attachment #260106 - Flags: review?(jonas)
Attachment #260106 - Flags: review+
Fixed.  We need some tests here... :(
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha4 → mozilla1.9alpha5
(Reporter)

Comment 7

12 years ago
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Status: RESOLVED → VERIFIED
Check-in of the branch patch in bug 382376 included this fix.
Verified in FF 2.0.0.8 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 2.0.0.7).
(Reporter)

Updated

12 years ago
Crash Signature: [@ nsFileControlFrame::CreateAnonymousContent]