Closed
Bug 378961
Opened 17 years ago
Closed 17 years ago
Crash [@ nsSplitterFrameInner::RemoveListener] when dragging splitter and DOMAttrModified event removing window
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: smaug)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed)
Crash Data
Attachments
(3 files, 2 obsolete files)
890 bytes,
text/html
|
Details | |
5.62 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
5.62 KB,
patch
|
Details | Diff | Splinter Review |
See testcase, when dragging the splitter in the iframe, Mozilla crashes. Talkback ID: TB31576269E nsSplitterFrameInner::RemoveListener [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 634] nsSplitterFrameInner::MouseMove [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 884] nsEventListenerManager::HandleEvent [mozilla/content/events/src/nseventlistenermanager.cpp, line 1203] nsEventTargetChainItem::HandleEvent [mozilla/content/events/src/nseventdispatcher.cpp, line 209] nsEventTargetChainItem::HandleEventTargetChain [mozilla/content/events/src/nseventdispatcher.cpp, line 267] nsEventDispatcher::Dispatch [mozilla/content/events/src/nseventdispatcher.cpp, line 484] PresShell::HandleEventInternal [mozilla/layout/base/nspresshell.cpp, line 5779] PresShell::HandlePositionedEvent [mozilla/layout/base/nspresshell.cpp, line 5670] PresShell::HandleEvent [mozilla/layout/base/nspresshell.cpp, line 5513] nsViewManager::HandleEvent [mozilla/view/src/nsviewmanager.cpp, line 1457] nsViewManager::DispatchEvent [mozilla/view/src/nsviewmanager.cpp, line 1410] HandleEvent [mozilla/view/src/nsview.cpp, line 174] nsWindow::DispatchEvent [mozilla/widget/src/windows/nswindow.cpp, line 1107] nsWindow::DispatchMouseEvent [mozilla/widget/src/windows/nswindow.cpp, line 6288] The testcase is crashing branch builds directly, I'll file a new on that, the stacktrace looks different. Because of crashing on branch, I'm filing this as security sensitive. The source of the iframe in the testcase: <?xml version="1.0"?> <?xml-stylesheet href="chrome://global/skin" type="text/css"?> <window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" orient="horizontal"> <textbox/><splitter/><box/> <script xmlns="http://www.w3.org/1999/xhtml"> function doe() { window.frameElement.parentNode.removeChild(window.frameElement); } document.addEventListener('DOMAttrModified', doe, true); </script> </window>
Reporter | ||
Comment 1•17 years ago
|
||
Attachment #262963 -
Attachment is obsolete: true
Reporter | ||
Comment 2•17 years ago
|
||
Ugh, finally the correct testcase, I hope.
Attachment #262965 -
Attachment is obsolete: true
Reporter | ||
Comment 3•17 years ago
|
||
(In reply to comment #0) > The testcase is crashing branch builds directly, I'll file a new on that, I filed bug 378963 for it.
Assignee | ||
Updated•17 years ago
|
Assignee: events → Olli.Pettay
Assignee | ||
Comment 4•17 years ago
|
||
Attachment #265266 -
Flags: superreview?(roc)
Attachment #265266 -
Flags: review?(roc)
Attachment #265266 -
Flags: superreview?(roc)
Attachment #265266 -
Flags: superreview+
Attachment #265266 -
Flags: review?(roc)
Attachment #265266 -
Flags: review+
Assignee | ||
Comment 5•17 years ago
|
||
Have to test this in the branch too, trunk is FIXED.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 6•17 years ago
|
||
If bug 378963 gets fixed, this patch might be needed.
Updated•17 years ago
|
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed
Reporter | ||
Comment 7•17 years ago
|
||
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070524 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsSplitterFrameInner::RemoveListener]
Updated•11 years ago
|
Group: core-security
Updated•10 years ago
|
Flags: in-testsuite?
Comment 8•9 years ago
|
||
Landed a crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/b5e597a7d229
Flags: in-testsuite? → in-testsuite+
Updated•5 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•