Crash [@ PresShell::FlushPendingNotifications] when removing window on focus and then reappearing again

Status: VERIFIED FIXED
Product: Core
Component: Event Handling
Priority: --
Severity: critical
Reported: 10 years ago
Modified: 8 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: smaug)

Tracking

Version: Trunk
Platform: x86 Windows XP
Keywords: crash, testcase, verified1.8.0.12, verified1.8.1.4
Points: ---
Bug Flags: blocking1.8.1.4 +, blocking1.8.0.12 +, in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] deleted frame and presshell, crash signature)

Attachments

(3 attachments)

Description (Reporter, 10 years ago)

Created attachment 262377
testcase

See testcase, which crashes Mozilla within 500ms after load for me.

Talkback ID: TB31415506E
PresShell::FlushPendingNotifications  [mozilla/layout/base/nspresshell.cpp, line 4627]
nsGfxScrollFrameInner::AsyncScrollPortEvent::Run  [mozilla/layout/generic/nsgfxscrollframe.cpp, line 1893]
NS_ProcessNextEvent_P  [mozilla/xpcom/build/nsthreadutils.cpp, line 227]
nsBaseAppShell::Run  [mozilla/widget/src/xpwidgets/nsbaseappshell.cpp, line 154]
MSVCR80.dll + 0x8ac9 (0x78138ac9)

On current branch builds I get this talkback ID: TB31415588Y
0x00000000
nsGenericElement::SetFocus  [mozilla/content/base/src/nsGenericElement.cpp, line 2623]
nsGenericHTMLElement::SetElementFocus  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3631]
nsHTMLTextAreaElement::Focus  [mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp, line 236]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2156]
XPC_WN_CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1451]
etc.

That stacktrace was fixed on trunk with the patch from bug 372665. After that fix, the trunk builds have begun to crash with the first mentioned stacktrace.

Marking security sensitive for now, because the testcase also crashes on branch.
Comment 1 (Reporter, 10 years ago)
The iframe with the data url consists of this:
<html><body tabindex="1" onfocus="top.doe2();window.frameElement.parentNode.removeChild(window.frameElement);">
<script>
setTimeout(function(){document.body.focus()}, 200);
</script></body></html>
Created attachment 262413
for trunk
Assignee: events → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #262413 - Flags: review?(roc)
Created attachment 262414
for branches

It is sort of surprising that having a strong ref is enough on branches.
Attachment #262414 - Flags: review?(roc)
Attachment #262413 - Flags: superreview+
Attachment #262413 - Flags: review?(roc)
Attachment #262413 - Flags: review+
Attachment #262414 - Flags: superreview+
Attachment #262414 - Flags: review?(roc)
Attachment #262414 - Flags: review+
Attachment #262414 - Flags: approval1.8.1.4?
Attachment #262414 - Flags: approval1.8.0.12?
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Comment on attachment 262414
for branches

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #262414 - Flags: approval1.8.1.4?
Attachment #262414 - Flags: approval1.8.1.4+
Attachment #262414 - Flags: approval1.8.0.12?
Attachment #262414 - Flags: approval1.8.0.12+
Whiteboard: [sg:critical?] deleted frame and presshell
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Keywords: fixed1.8.0.12, fixed1.8.1.4
Comment 5 (Reporter, 10 years ago)
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre

I see a painting issue, though. The iframe doesn't get unpainted after I press the stop button to make the recursive loads go away.
When I change this:
  function doe2() {
    setInterval(doe, 200);
  }
to:
  function doe2() {
    setTimeout(doe, 200);
  }
that problem goes away.

I guess I should file a new bug about this one day.
Status: RESOLVED → VERIFIED
Verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash with the original testcase. Adding branch verified keyword.
Keywords: fixed1.8.1.4 → verified1.8.1.4
Verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with the original testcase. Adding branch verified keyword.
Keywords: fixed1.8.0.12 → verified1.8.0.12
Group: security
Flags: in-testsuite?

Comment 8 (8 years ago)

Crash test landed:
http://hg.mozilla.org/mozilla-central/rev/7356f9a0fd10
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ PresShell::FlushPendingNotifications]