Created attachment 259593 [details]
See testcase, which crashes current trunk builds within 200ms after load.
Talkback ID: TB30579018E
nsFileControlFrame::CreateAnonymousContent [mozilla/layout/forms/nsfilecontrolframe.cpp, line 171]
This regressed between 2005-11-05 and 2005-11-08:
I suspect a regression from bug 315306, somehow.
This doesn't happen on the branch.
This crash also happens when using an isindex, btw.
(In reply to comment #0)
> I suspect a regression from bug 315306, somehow.
Er, I meant bug 314776 here
This seems to be very similar to bug 375839, with a simpler testcase... Looking.
Created attachment 260104 [details]
Binding for testcase
Created attachment 260105 [details]
Testcase that crashes in older builds too
All that happened with bug 314776 is the ordering changed. If I manually flip the ordering, then this crashes with builds from before bug 314776 as well.
Created attachment 260106 [details] [diff] [review]
This fixes this bug and bug 375839. In this case we do not have anything in the mContentListTable but we do have our single insertion point in mAnonymousNodesTable.
I did some CVS digging, and the reason this is needed is because of http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLBinding.cpp&rev=1.226&mark=353-359#352 -- that code means we could have insertion points in either hashtable.
It looks like this has NEVER worked. The nsIDocumentObserver impl for nsBindingManager landed 5 days after the nsXBLBinding code linked to above, and was already buggy. I suspect the two patches were just worked on independently... :(
Sicking, you think this is worth taking on branches? So far I've only seen null-pointer derefs resulting from this, but at the same time this is a really simple patch.
Fixed. We need some tests here... :(
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre
Check-in of the branch patch in bug 382376 included this fix.
Verified in FF 184.108.40.206 on WinXP using "Testcase that crashes older builds too" (which did indeed crash me in 220.127.116.11).