Closed Bug 378961 Opened 17 years ago Closed 17 years ago

Crash [@ nsSplitterFrameInner::RemoveListener] when dragging splitter and DOMAttrModified event removing window

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed)

Crash Data

Attachments

(3 files, 2 obsolete files)

testcase
890 bytes, text/html
Details
proposed patch
5.62 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
for branch
5.62 KB, patch
Details | Diff | Splinter Review
Attached file testcase (obsolete) — 
See testcase, when dragging the splitter in the iframe, Mozilla crashes.

Talkback ID: TB31576269E
nsSplitterFrameInner::RemoveListener  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 634]
nsSplitterFrameInner::MouseMove  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 884]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nseventlistenermanager.cpp, line 1203]
nsEventTargetChainItem::HandleEvent  [mozilla/content/events/src/nseventdispatcher.cpp, line 209]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla/content/events/src/nseventdispatcher.cpp, line 267]
nsEventDispatcher::Dispatch  [mozilla/content/events/src/nseventdispatcher.cpp, line 484]
PresShell::HandleEventInternal  [mozilla/layout/base/nspresshell.cpp, line 5779]
PresShell::HandlePositionedEvent  [mozilla/layout/base/nspresshell.cpp, line 5670]
PresShell::HandleEvent  [mozilla/layout/base/nspresshell.cpp, line 5513]
nsViewManager::HandleEvent  [mozilla/view/src/nsviewmanager.cpp, line 1457]
nsViewManager::DispatchEvent  [mozilla/view/src/nsviewmanager.cpp, line 1410]
HandleEvent  [mozilla/view/src/nsview.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nswindow.cpp, line 1107]
nsWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nswindow.cpp, line 6288]

The testcase is crashing branch builds directly, I'll file a new on that, the stacktrace looks different. Because of crashing on branch, I'm filing this as security sensitive.

The source of the iframe in the testcase:
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" orient="horizontal">
<textbox/><splitter/><box/>

<script xmlns="http://www.w3.org/1999/xhtml">
function doe() {
window.frameElement.parentNode.removeChild(window.frameElement);
}
document.addEventListener('DOMAttrModified', doe, true);
</script>
</window>
Attached file testcase (obsolete) — 

        Attachment #262963 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        testcase
      

    


  
Ugh, finally the correct testcase, I hope.

        Attachment #262965 -
        Attachment is obsolete: true

    
    

    
  
(In reply to comment #0)
> The testcase is crashing branch builds directly, I'll file a new on that, 

I filed bug 378963 for it.
Assignee: events → Olli.Pettay

    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed patchSplinter Review
      

    


  

        Attachment #265266 -
        Flags: superreview?(roc)

        Attachment #265266 -
        Flags: review?(roc)

        Attachment #265266 -
        Flags: superreview?(roc)

        Attachment #265266 -
        Flags: superreview+

        Attachment #265266 -
        Flags: review?(roc)

        Attachment #265266 -
        Flags: review+

    
    

    
  
Have to test this in the branch too, trunk is FIXED.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
    

    
  

      
      
      
      

        Attached patch
          
          
        for branchSplinter Review
      

    


  
If bug 378963 gets fixed, this patch might be needed.
Depends on: 378963
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed

    
    

    
  
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070524 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsSplitterFrameInner::RemoveListener]
Group: core-security
Flags: in-testsuite?

    
    

    
  
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b5e597a7d229
Flags: in-testsuite? → in-testsuite+
Component: Event Handling → User events and focus handling

          You need to log in
          before you can comment on or make changes to this bug.