Last Comment Bug 375299 - [FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input
: [FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing style...
Status: VERIFIED FIXED
: crash, regression, testcase, verified1.8.0.14, verified1.8.1.8
Product: Core
Classification: Components
Component: Layout (show other bugs)
: Trunk
: All All
: P1 critical (vote)
: mozilla1.9alpha5
Assigned To: Boris Zbarsky [:bz]
:
Mentors:
Depends on:
Blocks: 374405 375839
  Show dependency treegraph
 
Reported: 2007-03-25 11:11 PDT by Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
Modified: 2013-12-24 14:47 PST (History)
6 users (show)
mats: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (679 bytes, text/html)
2007-03-25 11:11 PDT, Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
no flags Details
Binding for testcase (115 bytes, application/xml)
2007-03-29 22:20 PDT, Boris Zbarsky [:bz]
no flags Details
Testcase that crashes in older builds too (534 bytes, text/html)
2007-03-29 22:24 PDT, Boris Zbarsky [:bz]
no flags Details
Patch. (2.70 KB, patch)
2007-03-29 22:53 PDT, Boris Zbarsky [:bz]
jonas: review+
jonas: superreview+
Details | Diff | Review

Description Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2007-03-25 11:11:13 PDT
Created attachment 259593 [details]
testcase

See testcase, which crashes current trunk builds within 200ms after load.
Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent  [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]

This regressed between 2005-11-05 and 2005-11-08:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-05+05&maxdate=2005-11-08+09&cvsroot=%2Fcvsroot
I suspect a regression from bug 315306, somehow.
This doesn't happen on the branch.

This crash also happens when using an isindex, btw.
Comment 1 Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2007-03-25 11:14:06 PDT
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.

Er, I meant bug 314776 here
Comment 2 Boris Zbarsky [:bz] 2007-03-29 21:49:46 PDT
This seems to be very similar to bug 375839, with a simpler testcase... Looking.
Comment 3 Boris Zbarsky [:bz] 2007-03-29 22:20:32 PDT
Created attachment 260104 [details]
Binding for testcase
Comment 4 Boris Zbarsky [:bz] 2007-03-29 22:24:20 PDT
Created attachment 260105 [details]
Testcase that crashes in older builds too

All that happened with bug 314776 is the ordering changed.  If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Comment 5 Boris Zbarsky [:bz] 2007-03-29 22:53:08 PDT
Created attachment 260106 [details] [diff] [review]
Patch.

This fixes this bug and bug 375839.  In this case we do not have anything in the mContentListTable but we do have our single insertion point in mAnonymousNodesTable.

I did some CVS digging, and the reason this is needed is because of http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352 -- that code means we could have insertion points in either hashtable.

It looks like this has NEVER worked.  The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy.  I suspect the two patches were just worked on independently... :(

Sicking, you think this is worth taking on branches?  So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
Comment 6 Boris Zbarsky [:bz] 2007-04-26 21:44:22 PDT
Fixed.  We need some tests here... :(
Comment 7 Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2007-04-27 09:58:42 PDT
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Comment 8 Reed Loden [:reed] (use needinfo?) 2007-10-21 10:25:30 PDT
Check-in of the branch patch in bug 382376 included this fix.
Comment 9 Daniel Veditz [:dveditz] 2007-10-21 17:42:24 PDT
Verified in FF 2.0.0.8 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 2.0.0.7).
Comment 11 Wes Kocher (:KWierso) 2013-12-24 14:47:06 PST
https://hg.mozilla.org/mozilla-central/rev/235c56c14822

Note You need to log in before you can comment on or make changes to this bug.