Closed Bug 375299 Opened 14 years ago Closed 14 years ago

[FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input

Categories

(Core :: Layout, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.9alpha5

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

Details

(5 keywords)

Attachments

(3 files, 1 obsolete file)

Attached file testcase (obsolete)
See testcase, which crashes current trunk builds within 200ms after load.
Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent  [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]

This regressed between 2005-11-05 and 2005-11-08:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-05+05&maxdate=2005-11-08+09&cvsroot=%2Fcvsroot
I suspect a regression from bug 315306, somehow.
This doesn't happen on the branch.

This crash also happens when using an isindex, btw.
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.

Er, I meant bug 314776 here
This seems to be very similar to bug 375839, with a simpler testcase... Looking.
Blocks: 375839
Attached file Binding for testcase
All that happened with bug 314776 is the ordering changed.  If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Attachment #259593 - Attachment is obsolete: true
Attached patch Patch.
This fixes this bug and bug 375839.  In this case we do not have anything in the mContentListTable but we do have our single insertion point in mAnonymousNodesTable.

I did some CVS digging, and the reason this is needed is because of http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352 -- that code means we could have insertion points in either hashtable.

It looks like this has NEVER worked.  The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy.  I suspect the two patches were just worked on independently... :(

Sicking, you think this is worth taking on branches?  So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
Attachment #260106 - Flags: superreview?(jonas)
Attachment #260106 - Flags: review?(jonas)
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input → [FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input
Target Milestone: --- → mozilla1.9alpha4
Blocks: 374405
Attachment #260106 - Flags: superreview?(jonas)
Attachment #260106 - Flags: superreview+
Attachment #260106 - Flags: review?(jonas)
Attachment #260106 - Flags: review+
Fixed.  We need some tests here... :(
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha4 → mozilla1.9alpha5
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Status: RESOLVED → VERIFIED
Check-in of the branch patch in bug 382376 included this fix.
Verified in FF 2.0.0.8 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 2.0.0.7).
Crash Signature: [@ nsFileControlFrame::CreateAnonymousContent]