Crash [@ nsSplitterFrameInner::RemoveListener] when dragging splitter and DOMAttrModified event removing window

VERIFIED FIXED

Status


defect
critical
13 years ago
5 months ago

People

(Reporter: martijn.martijn, Assigned: smaug)

Tracking

({crash, testcase})

Trunk
x86
Windows XP
Bug Flags:
wanted1.8.1.x ?
wanted1.8.0.x ?
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed, crash signature)

Attachments

(3 attachments, 2 obsolete attachments)

Posted file testcase (obsolete)
See testcase, when dragging the splitter in the iframe, Mozilla crashes.

Talkback ID: TB31576269E
nsSplitterFrameInner::RemoveListener  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 634]
nsSplitterFrameInner::MouseMove  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 884]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nseventlistenermanager.cpp, line 1203]
nsEventTargetChainItem::HandleEvent  [mozilla/content/events/src/nseventdispatcher.cpp, line 209]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla/content/events/src/nseventdispatcher.cpp, line 267]
nsEventDispatcher::Dispatch  [mozilla/content/events/src/nseventdispatcher.cpp, line 484]
PresShell::HandleEventInternal  [mozilla/layout/base/nspresshell.cpp, line 5779]
PresShell::HandlePositionedEvent  [mozilla/layout/base/nspresshell.cpp, line 5670]
PresShell::HandleEvent  [mozilla/layout/base/nspresshell.cpp, line 5513]
nsViewManager::HandleEvent  [mozilla/view/src/nsviewmanager.cpp, line 1457]
nsViewManager::DispatchEvent  [mozilla/view/src/nsviewmanager.cpp, line 1410]
HandleEvent  [mozilla/view/src/nsview.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nswindow.cpp, line 1107]
nsWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nswindow.cpp, line 6288]

The testcase is crashing branch builds directly, I'll file a new one on that, the stacktrace looks different. Because of crashing on branch, I'm filing this as security sensitive.

The source of the iframe in the testcase:
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" orient="horizontal">
<textbox/><splitter/><box/>

<script xmlns="http://www.w3.org/1999/xhtml">
function doe() {
window.frameElement.parentNode.removeChild(window.frameElement);
}
document.addEventListener('DOMAttrModified', doe, true);
</script>
</window>
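
Editor's added example (not part of the report, not Gecko code, and not the patch attached to this bug): a small C++ model of the hazard the title and stack describe, where a handler still on the stack keeps using its frame after a synchronously dispatched listener has destroyed it. The `Document`, `Frame` and `DragStep` names are hypothetical, and the weak-reference liveness check is one common guard for this class of bug, assumed here for illustration.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Constructed model (hypothetical types, not Gecko code).
struct Frame;

struct Document {
    std::shared_ptr<Frame> frame;  // the document owns the frame
    std::vector<std::function<void(Document&)>> attrListeners;

    // Runs content-controlled listeners synchronously, like a mutation event.
    void NotifyAttrModified() {
        auto snapshot = attrListeners;  // listeners may edit the list
        for (auto& listener : snapshot) listener(*this);
    }
};

struct Frame : std::enable_shared_from_this<Frame> {
    Document* doc;
    bool listening = true;
    explicit Frame(Document* d) : doc(d) {}

    void RemoveListener() { listening = false; }  // writes to a member

    // Returns true if the drag step completed, false if the frame was
    // destroyed by a listener while the handler was still on the stack.
    bool MouseMove() {
        std::weak_ptr<Frame> weakSelf = shared_from_this();
        doc->NotifyAttrModified();  // re-entrancy point: script runs here
        if (weakSelf.expired()) {
            return false;  // `this` is gone; touch no members
        }
        RemoveListener();  // safe: the frame is still alive
        return true;
    }
};

// Drives one drag step; the listener optionally drops the frame, as the
// testcase's DOMAttrModified handler removes the iframe.
bool DragStep(bool listenerRemovesFrame) {
    Document doc;
    doc.frame = std::make_shared<Frame>(&doc);
    if (listenerRemovesFrame) {
        doc.attrListeners.push_back([](Document& d) { d.frame.reset(); });
    }
    return doc.frame->MouseMove();
}
```

Without the `expired()` check, the call to `RemoveListener()` would write to freed memory whenever the listener drops the frame.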
Posted file testcase (obsolete)
Attachment #262963 - Attachment is obsolete: true
Posted file testcase
Ugh, finally the correct testcase, I hope.
Attachment #262965 - Attachment is obsolete: true
(In reply to comment #0)
> The testcase is crashing branch builds directly, I'll file a new one on that,

I filed bug 378963 for it.
Assignee: events → Olli.Pettay
Attachment #265266 - Flags: superreview?(roc)
Attachment #265266 - Flags: review?(roc)
Attachment #265266 - Flags: superreview?(roc)
Attachment #265266 - Flags: superreview+
Attachment #265266 - Flags: review?(roc)
Attachment #265266 - Flags: review+
Have to test this in the branch too, trunk is FIXED.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Posted patch for branch
If bug 378963 gets fixed, this patch might be needed.
Depends on: 378963
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070524 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsSplitterFrameInner::RemoveListener]
Group: core-security
Flags: in-testsuite?
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b5e597a7d229
Flags: in-testsuite? → in-testsuite+
Component: Event Handling → User events and focus handling