Closed Bug 381153 Opened 17 years ago Closed 17 years ago

crash [@ nsSliderFrame::SetCurrentPositionInternal]

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: smaug, Assigned: smaug)

References

(
URL
)

Details

(Keywords: crash, verified1.8.0.13, verified1.8.1.5, Whiteboard: [sg:critical?] deleted frame)

Crash Data

Attachments

(2 files, 2 obsolete files)

v2
16.79 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
v2 for 1.8
15.68 KB, patch
roc
: review+
roc
: superreview+
dveditz
: approval1.8.1.5+
dveditz
: approval1.8.0.13+
Details | Diff | Splinter Review
Attached patch possible patch, using weakframes (obsolete) — Splinter Review 
See url for a testcase.

I'm not happy to use weakframes again, but can't see any other way to
fix this (easily).
Attachment #265246 - Flags: superreview?(roc)
Attachment #265246 - Flags: review?(roc)
Assignee: nobody → Olli.Pettay
Whiteboard: [sg:critical?] deleted frame
+         NS_ENSURE_TRUE(weakFrame.IsAlive(), NS_OK);
          return NS_OK;

Why?

        SetCurrentPosition(scrollbar, pospx, PR_FALSE);
+       NS_ENSURE_TRUE(weakFrame.IsAlive(), NS_OK);

Can you avoid the need here by removing mRedrawImmediate and just passing it as a parameter through SetCurrentPosition/SetCurrentPositionInternal/CurrentPositionChanged?

+    NS_ENSURE_TRUE(weakFrame.IsAlive(), NS_OK);
 
     DragThumb(PR_TRUE);

Can we avoid the need here by moving DragThumb() and the other code below to above the SetCurrentPosition call? Maybe in general MouseDown should just end with a SetCurrentPosition call, so every path just sets pospx?

+      nsWeakFrame weakFrame(this);
       mediator->PositionChanged(scrollbarFrame, GetCurrentPosition(scrollbar), newpos);
       // 'mediator' might be dangling now...
+      ENSURE_TRUE(weakFrame.IsAlive());
       UpdateAttribute(scrollbar, newpos, PR_FALSE, aIsSmooth);
+      ENSURE_TRUE(weakFrame.IsAlive());
       CurrentPositionChanged(PresContext());

UpdateAttribute is static so if we hold a strong ref to the scrollbar element, this is safe.

For CurrentPositionChanged, we could re-get the frame and call CurrentPositionChanged on it, right?

+    nsWeakFrame weakFrame(this);
     SetCurrentPosition(scrollbar, pospx, PR_FALSE);
+    NS_ENSURE_TRUE(weakFrame.IsAlive(), NS_OK);
   }
 
   DragThumb(PR_TRUE);

Same sort of thing as above...

+  nsWeakFrame weakFrame(this);
   PageUpDown(change);
+  NS_ENSURE_TRUE(weakFrame.IsAlive(), NS_OK);
   
   nsRepeatService::GetInstance()->Start(mMediator);

Just start the repeatservice before calling PageUpDown...
Comment on attachment 265246 [details] [diff] [review]
possible patch, using weakframes

Will update the patch.
Attachment #265246 - Flags: superreview?(roc)
Attachment #265246 - Flags: review?(roc)
(In reply to comment #1)
> UpdateAttribute is static so if we hold a strong ref to the scrollbar element,
> this is safe.
> 

It may still kill the frame.
Ah, sorry, you meant something else
Attached patch v2Splinter Review 
This has only one weakFrame, in ::HandleEvent to check that whether
nsFrame::HandleEvent can be called.
The testcase doesn't trigger that weakFrame.IsAlive() warning.
Attachment #265246 - Attachment is obsolete: true
Attachment #265927 - Flags: superreview?(roc)
Attachment #265927 - Flags: review?(roc)
Comment on attachment 265927 [details] [diff] [review]
v2

great!

+  nscoord pospx;

set it to zero to avoid compiler warnings
Attachment #265927 - Flags: superreview?(roc)
Attachment #265927 - Flags: superreview+
Attachment #265927 - Flags: review?(roc)
Attachment #265927 - Flags: review+
Crashes on 1.8 branch also
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Keywords: crash
Will do 1.8 patch, maybe just using weakframes to minimize regression
risk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Attached patch for 1.8 (obsolete) — Splinter Review 
using more weakframes and changing some nsCOMPtrs to raw refs.
Should be safe for branches.
It seems that GetScrollbarMediator returns an nsIFrame object which 
isn't refcounted, so nsCOMPtr should be used.
Attachment #266209 - Flags: superreview?(roc)
Attachment #266209 - Flags: review?(roc)
Would it make more sense to stick close to the trunk? We'll get better test coverage in both directions that way.
The trunk patch will have baking time, but I really wouldn't want to 
change any functionality in branches. We have had quite some regressions 
in 1.8.1.x. The branch patch is ugly-but-safe, trunk patch not-so-ugly-but-may-cause-regressions (though, regressions are very unlikely).
Roc, do you want a new, more trunk-like 1.8 patch?
Attached patch v2 for 1.8Splinter Review 

        Attachment #266209 -
        Attachment is obsolete: true

        Attachment #267949 -
        Flags: superreview?(roc)

        Attachment #267949 -
        Flags: review?(roc)

        Attachment #266209 -
        Flags: superreview?(roc)

        Attachment #266209 -
        Flags: review?(roc)

        Attachment #267949 -
        Flags: superreview?(roc)

        Attachment #267949 -
        Flags: superreview+

        Attachment #267949 -
        Flags: review?(roc)

        Attachment #267949 -
        Flags: review+

        Attachment #267949 -
        Flags: approval1.8.1.5?

        Attachment #267949 -
        Flags: approval1.8.0.13?
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+

    
    

    
  
Comment on attachment 267949 [details] [diff] [review]
v2 for 1.8

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers

        Attachment #267949 -
        Flags: approval1.8.1.5?

        Attachment #267949 -
        Flags: approval1.8.1.5+

        Attachment #267949 -
        Flags: approval1.8.0.13?

        Attachment #267949 -
        Flags: approval1.8.0.13+

    
    

    
  
Verified fixed on Trunk using  Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a7pre) Gecko/200707110505 Minefield/3.0a7pre and the testcase from https://bugzilla.mozilla.org/attachment.cgi?id=265242 - no crash on Testcase  

Also verified fixed 1.8.1.5 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/2007071103 BonEcho/2.0.0.5pre and Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007071103 BonEcho/2.0.0.5pre on Fedora F7 - no crash on testcase - adding verified keyword
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.5verified1.8.1.5

    
    

    
  
This doesn't crash Thunderbird 1.5.0.13 (2007080918) but I cannot get it to crash 1.5.0.12 either.

    
    

    
  
verified fixed 1.8.0.13 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.13pre) Gecko/20070822 Firefox/1.5.0.13pre

No crash on testcase - adding verified keyword.
Keywords: fixed1.8.0.13verified1.8.0.13
Group: security
Flags: in-testsuite?

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Crash Signature: [@ nsSliderFrame::SetCurrentPositionInternal]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: