See testcase, which crashes current trunk builds within 200ms after load.
Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]
This regressed between 2005-11-05 and 2005-11-08:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-05+05&maxdate=2005-11-08+09&cvsroot=%2Fcvsroot
I suspect a regression from bug 315306, somehow. This doesn't happen on the branch.
This crash also happens when using an isindex, btw.
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.
Er, I meant bug 314776 here
All that happened with bug 314776 is the ordering changed. If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Attachment #259593 - Attachment is obsolete: true
This fixes this bug and bug 375839. In this case we do not have anything in the mContentListTable but we do have our single insertion point in mAnonymousNodesTable.
I did some CVS digging, and the reason this is needed is because of http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352 -- that code means we could have insertion points in either hashtable. It looks like this has NEVER worked. The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy. I suspect the two patches were just worked on independently... :(
Sicking, you think this is worth taking on branches? So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
Assignee: nobody → bzbarsky
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input → [FIX]Crash [@ nsFileControlFrame::CreateAnonymousContent] when removing stylesheet with binding and removing file input
Target Milestone: --- → mozilla1.9alpha4
Fixed. We need some tests here... :(
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha4 → mozilla1.9alpha5
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Status: RESOLVED → VERIFIED
Check-in of the branch patch in bug 382376 included this fix.
Verified in FF 18.104.22.168 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 22.214.171.124).
Crash Signature: [@ nsFileControlFrame::CreateAnonymousContent]
Flags: in-testsuite? → in-testsuite+