Closed Bug 378961 Opened 14 years ago Closed 14 years ago

Crash [@ nsSplitterFrameInner::RemoveListener] when dragging splitter and DOMAttrModified event removing window

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed)

Crash Data

Attachments

(3 files, 2 obsolete files)

Attached file testcase (obsolete) —
See testcase, when dragging the splitter in the iframe, Mozilla crashes.

Talkback ID: TB31576269E
nsSplitterFrameInner::RemoveListener  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 634]
nsSplitterFrameInner::MouseMove  [mozilla/layout/xul/base/src/nssplitterframe.cpp, line 884]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nseventlistenermanager.cpp, line 1203]
nsEventTargetChainItem::HandleEvent  [mozilla/content/events/src/nseventdispatcher.cpp, line 209]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla/content/events/src/nseventdispatcher.cpp, line 267]
nsEventDispatcher::Dispatch  [mozilla/content/events/src/nseventdispatcher.cpp, line 484]
PresShell::HandleEventInternal  [mozilla/layout/base/nspresshell.cpp, line 5779]
PresShell::HandlePositionedEvent  [mozilla/layout/base/nspresshell.cpp, line 5670]
PresShell::HandleEvent  [mozilla/layout/base/nspresshell.cpp, line 5513]
nsViewManager::HandleEvent  [mozilla/view/src/nsviewmanager.cpp, line 1457]
nsViewManager::DispatchEvent  [mozilla/view/src/nsviewmanager.cpp, line 1410]
HandleEvent  [mozilla/view/src/nsview.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nswindow.cpp, line 1107]
nsWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nswindow.cpp, line 6288]

The testcase is crashing branch builds directly, I'll file a new on that, the stacktrace looks different. Because of crashing on branch, I'm filing this as security sensitive.

The source of the iframe in the testcase:
<?xml version="1.0"?>
<?xml-stylesheet href="chrome://global/skin" type="text/css"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" orient="horizontal">
<textbox/><splitter/><box/>

<script xmlns="http://www.w3.org/1999/xhtml">
function doe() {
window.frameElement.parentNode.removeChild(window.frameElement);
}
document.addEventListener('DOMAttrModified', doe, true);
</script>
</window>
Attached file testcase (obsolete) —
Attachment #262963 - Attachment is obsolete: true
Attached file testcase
Ugh, finally the correct testcase, I hope.
Attachment #262965 - Attachment is obsolete: true
(In reply to comment #0)
> The testcase is crashing branch builds directly, I'll file a new on that, 

I filed bug 378963 for it.
Assignee: events → Olli.Pettay
Attached patch proposed patchSplinter Review
Attachment #265266 - Flags: superreview?(roc)
Attachment #265266 - Flags: review?(roc)
Attachment #265266 - Flags: superreview?(roc)
Attachment #265266 - Flags: superreview+
Attachment #265266 - Flags: review?(roc)
Attachment #265266 - Flags: review+
Have to test this in the branch too, trunk is FIXED.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attached patch for branchSplinter Review
If bug 378963 gets fixed, this patch might be needed.
Depends on: 378963
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Whiteboard: [sg:critical?] masked on 1.8 branch by bug 378963, probably needed
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070524 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsSplitterFrameInner::RemoveListener]
Group: core-security
Flags: in-testsuite?
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b5e597a7d229
Flags: in-testsuite? → in-testsuite+
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.