Crash [@ PresShell::FlushPendingNotifications] when removing window on focus and then reappearing again

VERIFIED FIXED

Status


defect
--
critical
VERIFIED FIXED
12 years ago
4 months ago

People

(Reporter: martijn.martijn, Assigned: smaug)

Tracking

(4 keywords)

Trunk
x86
Windows XP
Points:
---
Bug Flags:
blocking1.8.1.4 +
blocking1.8.0.12 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] deleted frame and presshell, crash signature)

Attachments

(3 attachments)

Posted file testcase
See testcase, which crashes Mozilla within 500ms after load for me.

Talkback ID: TB31415506E
PresShell::FlushPendingNotifications  [mozilla/layout/base/nspresshell.cpp, line 4627]
nsGfxScrollFrameInner::AsyncScrollPortEvent::Run  [mozilla/layout/generic/nsgfxscrollframe.cpp, line 1893]
NS_ProcessNextEvent_P  [mozilla/xpcom/build/nsthreadutils.cpp, line 227]
nsBaseAppShell::Run  [mozilla/widget/src/xpwidgets/nsbaseappshell.cpp, line 154]
MSVCR80.dll + 0x8ac9 (0x78138ac9)

On current branch builds I get this talkback ID: TB31415588Y
0x00000000
nsGenericElement::SetFocus  [mozilla/content/base/src/nsGenericElement.cpp, line 2623]
nsGenericHTMLElement::SetElementFocus  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3631]
nsHTMLTextAreaElement::Focus  [mozilla/content/html/content/src/nsHTMLTextAreaElement.cpp, line 236]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2156]
XPC_WN_CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1451]
etc.

That stacktrace was fixed on trunk with the patch from bug 372665. After that fix, the trunk builds have begun to crash with the first mentioned stacktrace.

Marking security sensitive for now, because the testcase also crashes on branch.
The iframe with the data url consists of this:
<html><body tabindex="1" onfocus="top.doe2();window.frameElement.parentNode.removeChild(window.frameElement);">
<script>
setTimeout(function(){document.body.focus()}, 200);
</script></body></html>
Posted patch for trunk
Assignee: events → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #262413 - Flags: review?(roc)
Posted patch for branches
It is sort of surprising that having a strong ref is enough on branches.
Attachment #262414 - Flags: review?(roc)
Attachment #262414 - Flags: approval1.8.1.4?
Attachment #262414 - Flags: approval1.8.0.12?
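The comment above notes that a strong reference was enough to fix the branches. The following is an added illustrative model of that bug class and its fix, not Gecko code: a frame whose own focus handler removes it from its parent (as the testcase's data: URL iframe does), dispatched once with a borrowed raw pointer and once while holding a strong reference for the duration of the call. The names Frame, PresShell, Document, installSelfRemovingFrame and dispatchFocus* are invented for the example.

```cpp
// Illustrative model only (not Gecko code); all names here are invented.
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>
struct PresShell { int pendingFlushes = 0; };

struct Frame : std::enable_shared_from_this<Frame> {
    std::shared_ptr<PresShell> shell = std::make_shared<PresShell>();
    std::function<void()> onFocus;  // script-defined focus handler
};

struct Document {
    std::vector<std::shared_ptr<Frame>> children;  // the only owning references
    void removeChild(Frame* f) {
        children.erase(std::remove_if(children.begin(), children.end(),
            [f](const std::shared_ptr<Frame>& p) { return p.get() == f; }), children.end());
    }
};

// Mirrors the testcase: the frame's own focus handler removes the frame from its parent.
Frame* installSelfRemovingFrame(Document& doc) {
    auto frame = std::make_shared<Frame>();
    Frame* raw = frame.get();
    frame->onFocus = [&doc, raw] { doc.removeChild(raw); };
    doc.children.push_back(frame);
    return raw;
}

// Pre-fix shape: the caller borrows a raw pointer, runs the handler, then uses the frame.
// If the handler dropped the last owning reference, that later use is a use-after-free.
// The weak_ptr probe only observes lifetime so the demo stays well-defined; it returns
// whether the frame was still alive for the post-handler access.
bool dispatchFocusNoGrip(Frame* frame) {
    std::weak_ptr<Frame> probe = frame->shared_from_this();
    std::function<void()> handler = frame->onFocus;  // copy: the frame may die mid-call
    handler();
    bool alive = !probe.expired();
    if (alive) frame->shell->pendingFlushes++;  // real code did this unconditionally
    return alive;
}

// Fixed shape: hold a strong reference for the whole dispatch (Gecko's "kungFuDeathGrip"
// idiom), so removal from the parent cannot destroy the frame until we are done with it.
bool dispatchFocusWithGrip(Frame* frame) {
    std::shared_ptr<Frame> grip = frame->shared_from_this();
    std::function<void()> handler = frame->onFocus;
    handler();
    frame->shell->pendingFlushes++;  // safe: grip keeps the frame and its shell alive
    return true;
}
```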
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 262414 [details] [diff] [review]
for branches

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #262414 - Flags: approval1.8.1.4?
Attachment #262414 - Flags: approval1.8.1.4+
Attachment #262414 - Flags: approval1.8.0.12?
Attachment #262414 - Flags: approval1.8.0.12+
Whiteboard: [sg:critical?] deleted frame and presshell
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070427 Minefield/3.0a4pre

I see a painting issue, though. The iframe doesn't get unpainted after I pressed the stop button to make the recursive loads go away.
When I change this:
 function doe2() {
 setInterval(doe, 200); 
 }
to:
 function doe2() {
 setTimeout(doe, 200); 
 }
that problem goes away.

I guess I should file a new bug about this one day.
Status: RESOLVED → VERIFIED
verified fixed on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash with the original testcase. Adding branch verified keyword.
verified fixed on the 1.8.0 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.0.12pre) Gecko/20070508 Firefox/1.5.0.12pre. No crash with the original testcase. Adding branch verified keyword.
Group: security
Flags: in-testsuite?
crash test landed
http://hg.mozilla.org/mozilla-central/rev/7356f9a0fd10
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ PresShell::FlushPendingNotifications]
Component: Event Handling → User events and focus handling