Bug 378325 (Closed)
Opened 17 years ago, closed 17 years ago
Crash [@ PresShell::FlushPendingNotifications] when removing window on focus and then reappearing again
Categories: Core :: DOM: UI Events & Focus Handling, defect
Status: VERIFIED FIXED
People: Reporter: martijn.martijn, Assigned: smaug
Details: 4 keywords, Whiteboard: [sg:critical?] deleted frame and presshell
Attachments (3 files)
1.07 KB, text/html
2.24 KB, patch (roc: review+, roc: superreview+)
1.22 KB, patch (roc: review+, roc: superreview+, dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+)
See testcase, which crashes Mozilla within 500ms after load for me.

Talkback ID: TB31415506E
PresShell::FlushPendingNotifications [mozilla/layout/base/nspresshell.cpp, line 4627]
nsGfxScrollFrameInner::AsyncScrollPortEvent::Run [mozilla/layout/generic/nsgfxscrollframe.cpp, line 1893]
NS_ProcessNextEvent_P [mozilla/xpcom/build/nsthreadutils.cpp, line 227]
nsBaseAppShell::Run [mozilla/widget/src/xpwidgets/nsbaseappshell.cpp, line 154]
MSVCR80.dll + 0x8ac9 (0x78138ac9)

On current branch builds I get this talkback ID: TB31415588Y
0x00000000
nsGenericElement::SetFocus [mozilla/content/base/src/nsGenericElement.cpp, line 2623]
nsGenericHTMLElement::SetElementFocus [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3631]
nsHTMLTextAreaElement::Focus [mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp, line 236]
XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2156]
XPC_WN_CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1451]
etc.

That stacktrace was fixed on trunk with the patch from bug 372665. After that fix, the trunk builds have begun to crash with the first mentioned stacktrace.
Marking security sensitive for now, because the testcase also crashes on branch.
Comment 1 (Reporter) • 17 years ago
The iframe with the data url consists of this:
<html><body tabindex="1" onfocus="top.doe2();window.frameElement.parentNode.removeChild(window.frameElement);">
<script>
setTimeout(function(){document.body.focus()}, 200);
</script></body></html>
Comment 2 (Assignee) • 17 years ago
Comment 3 (Assignee) • 17 years ago
This is sort of surprising that having a strong ref is enough on branches.
Attachment #262414 - Flags: review?(roc)
Attachment #262413 - Flags: superreview+
Attachment #262413 - Flags: review?(roc)
Attachment #262413 - Flags: review+
Attachment #262414 - Flags: superreview+
Attachment #262414 - Flags: review?(roc)
Attachment #262414 - Flags: review+
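Comment 3 attributes the branch fix to holding a strong reference. As an added illustration (not the Mozilla patch and not code from this bug; `Shell`, `Frame`, `SetFocus` and the handlers are hypothetical stand-ins), this C++ sketch shows a caller keeping an object alive across a handler that removes its owner, then checking a teardown flag before touching it:

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Hypothetical stand-ins, not Gecko code.
struct Shell {
    bool torn_down = false;  // set when the owning frame is removed
    int flushes = 0;
    void Flush() { ++flushes; }
};
struct Frame {
    std::shared_ptr<Shell> shell = std::make_shared<Shell>();  // owner's reference
    std::function<void(Frame&)> onfocus;                       // script-controlled handler
    void Remove() {
        if (shell) shell->torn_down = true;
        shell.reset();  // drop the owner's reference
    }
};
struct FocusResult { bool flushed; bool alive_after_handler; bool freed_on_return; };

FocusResult SetFocus(Frame& frame) {
    std::weak_ptr<Shell> watch = frame.shell;   // observes lifetime only
    std::shared_ptr<Shell> grip = frame.shell;  // strong ref held across the handler
    if (!grip) return {false, false, true};
    if (frame.onfocus) frame.onfocus(frame);    // may call frame.Remove()
    bool alive = !watch.expired();              // still alive because of grip
    bool flushed = false;
    if (!grip->torn_down) {                     // skip work on a removed frame
        grip->Flush();
        flushed = true;
    }
    grip.reset();                               // release at the end of the call
    return {flushed, alive, watch.expired()};
}

FocusResult FocusWithRemovingHandler() {
    Frame f;
    f.onfocus = [](Frame& self) { self.Remove(); };  // like the testcase's onfocus
    return SetFocus(f);
}
FocusResult FocusWithPlainHandler() {
    Frame f;
    f.onfocus = [](Frame&) {};
    return SetFocus(f);
}
int main() {
    FocusResult r = FocusWithRemovingHandler();
    std::printf("flushed=%d alive=%d freed=%d\n", r.flushed, r.alive_after_handler, r.freed_on_return);
}
```

The strong reference only guarantees the memory is valid after the handler returns; the `torn_down` check is what stops further work on an object whose owner is gone.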
Updated (Assignee) • 17 years ago
Attachment #262414 - Flags: approval1.8.1.4?
Attachment #262414 - Flags: approval1.8.0.12?
Updated (Assignee) • 17 years ago
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 4 • 17 years ago
Comment on attachment 262414
for branches
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #262414 - Flags: approval1.8.1.4?
Attachment #262414 - Flags: approval1.8.1.4+
Attachment #262414 - Flags: approval1.8.0.12?
Attachment #262414 - Flags: approval1.8.0.12+
Updated • 17 years ago
Whiteboard: [sg:critical?] deleted frame and presshell
Updated • 17 years ago
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Updated (Assignee) • 17 years ago
Keywords: fixed1.8.0.12, fixed1.8.1.4
Comment 5 (Reporter) • 17 years ago
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre

I see a painting issue, though. The iframe doesn't get unpainted, after I pressed the stop button, to make the recursive loads go away.
When I change this:
function doe2() { setInterval(doe, 200); }
to:
function doe2() { setTimeout(doe, 200); }
that problem goes away. I guess I should file a new bug about this one day.
Status: RESOLVED → VERIFIED
Comment 6 • 17 years ago
verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash with the original testcase. Adding branch verified keyword.
Keywords: fixed1.8.1.4 → verified1.8.1.4
Comment 7 • 17 years ago
verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with the original testcase. Adding branch verified keyword.
Keywords: fixed1.8.0.12 → verified1.8.0.12
Updated • 17 years ago
Group: security
Updated • 17 years ago
Flags: in-testsuite?
Comment 8 • 15 years ago
crash test landed http://hg.mozilla.org/mozilla-central/rev/7356f9a0fd10
Flags: in-testsuite? → in-testsuite+
Updated • 13 years ago
Crash Signature: [@ PresShell::FlushPendingNotifications]
Updated • 5 years ago
Component: Event Handling → User events and focus handling