Closed Bug 378961 Opened 18 years ago Closed 18 years ago

Crash [@ nsSplitterFrameInner::RemoveListener] when dragging splitter and DOMAttrModified event removing window

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed)

Crash Data

Attachments

(3 files, 2 obsolete files)

testcase
890 bytes, text/html
Details
proposed patch
5.62 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
for branch
5.62 KB, patch
Details | Diff | Splinter Review
Attached file testcase (obsolete) —
See testcase, when dragging the splitter in the iframe, Mozilla crashes. Talkback ID: TB31576269E nsSplitterFrameInner::RemoveListener [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 634] nsSplitterFrameInner::MouseMove [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 884] nsEventListenerManager::HandleEvent [mozilla/content/events/src/nseventlistenermanager.cpp, line 1203] nsEventTargetChainItem::HandleEvent [mozilla/content/events/src/nseventdispatcher.cpp, line 209] nsEventTargetChainItem::HandleEventTargetChain [mozilla/content/events/src/nseventdispatcher.cpp, line 267] nsEventDispatcher::Dispatch [mozilla/content/events/src/nseventdispatcher.cpp, line 484] PresShell::HandleEventInternal [mozilla/layout/base/nspresshell.cpp, line 5779] PresShell::HandlePositionedEvent [mozilla/layout/base/nspresshell.cpp, line 5670] PresShell::HandleEvent [mozilla/layout/base/nspresshell.cpp, line 5513] nsViewManager::HandleEvent [mozilla/view/src/nsviewmanager.cpp, line 1457] nsViewManager::DispatchEvent [mozilla/view/src/nsviewmanager.cpp, line 1410] HandleEvent [mozilla/view/src/nsview.cpp, line 174] nsWindow::DispatchEvent [mozilla/widget/src/windows/nswindow.cpp, line 1107] nsWindow::DispatchMouseEvent [mozilla/widget/src/windows/nswindow.cpp, line 6288] The testcase is crashing branch builds directly, I'll file a new on that, the stacktrace looks different. Because of crashing on branch, I'm filing this as security sensitive. The source of the iframe in the testcase: <?xml version="1.0"?> <?xml-stylesheet href="chrome://global/skin" type="text/css"?> <window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" orient="horizontal"> <textbox/><splitter/><box/> <script xmlns="http://www.w3.org/1999/xhtml"> function doe() { window.frameElement.parentNode.removeChild(window.frameElement); } document.addEventListener('DOMAttrModified', doe, true); </script> </window>
Attached file testcase (obsolete) —
Attachment #262963 - Attachment is obsolete: true
Attached file testcase
Ugh, finally the correct testcase, I hope.
Attachment #262965 - Attachment is obsolete: true
(In reply to comment #0) > The testcase is crashing branch builds directly, I'll file a new on that, I filed bug 378963 for it.
Assignee: events → Olli.Pettay
Attached patch proposed patchSplinter Review
Attachment #265266 - Flags: superreview?(roc)
Attachment #265266 - Flags: review?(roc)
Attachment #265266 - Flags: superreview?(roc)
Attachment #265266 - Flags: superreview+
Attachment #265266 - Flags: review?(roc)
Attachment #265266 - Flags: review+
Have to test this in the branch too, trunk is FIXED.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attached patch for branchSplinter Review
If bug 378963 gets fixed, this patch might be needed.
Depends on: 378963
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070524 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsSplitterFrameInner::RemoveListener]
Group: core-security
Flags: in-testsuite?
Landed a crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/b5e597a7d229
Flags: in-testsuite? → in-testsuite+
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: