Bug 384105 (Closed)
Opened 18 years ago, closed 18 years ago
Crash [@ PresShell::AttributeChanged] with menuitem sizetopopup="always", position: absolute and tree stuff
Categories: Core :: Layout, defect
Status: RESOLVED FIXED
People: Reporter: martijn.martijn, Assigned: smaug
Details: 4 keywords, Whiteboard: [sg:critical?] fixed by 279703 on trunk
Attachments (4 files):
529 bytes, application/vnd.mozilla.xul+xml
23.02 KB, text/plain
2.47 KB, patch (enndeakin: review+, roc: superreview+, dveditz: approval1.8.1.8+, asac: approval1.8.0.next+)
937 bytes, patch
See testcase, which crashes Mozilla within 100ms.
It also crashes branch builds, so marking security sensitive for now.
I guess bug 279703 might fix things here.
Talkback ID: TB33045810E
0x01eb9089
PresShell::AttributeChanged [mozilla/layout/base/nspresshell.cpp, line 4408]
nsNodeUtils::AttributeChanged [mozilla/content/base/src/nsnodeutils.cpp, line 100]
nsXULElement::UnsetAttr [mozilla/content/xul/content/src/nsxulelement.cpp, line 1316]
nsXULElement::GetAttrInfo [mozilla/content/xul/content/src/nsxulelement.cpp, line 2108]
0x02dc3aa0
0x02c44be8
PresShell::AddRef [mozilla/layout/base/nspresshell.cpp, line 1394]
0x08244c8b
Updated•18 years ago (Assignee)
OS: Windows XP → All
Comment 1•18 years ago (Assignee)
Taking for now. Need to think about this a bit. UngenerateMenu() shouldn't be called in ::Destroy().
Probably need to call that asynchronously, but only if the menu doesn't have a new frame.
Assignee: nobody → Olli.Pettay
Comment 2•18 years ago (Reporter)
This is worksforme now that the patch for bug 279703 went in. (tested with a tinderbox build)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 3•18 years ago
This still affects a branch build. Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.5pre) Gecko/20070716 BonEcho/2.0.0.5pre
Requesting blocking (though; should probably be changed to wanted).
Updated•18 years ago
Flags: blocking1.8.1.6?
Comment 4•18 years ago
Crashes rv:1.8.0.12 as well (Firefox 1.5.0.12).
I can't see bug 279703 landing on the 1.8 branch. I also get a different stack on branch, "this" is a deleted object in nsCachedStyleData::GetStyleData(). Is there some way to wallpaper this for the branch? This looks familiar actually, maybe this testcase is triggering a different bug that's already fixed on trunk but not yet backported, and once we get that out of the way we'll see the nsPresShell::AttributeChanged issue on the branch.
> nsCachedStyleData::GetStyleData() Line 210 C++
nsStyleContext::GetStyleData() Line 248 C++
nsIFrame::GetStyleData() Line 612 C++
nsIFrame::GetStyleDisplay() Line 90 C++
nsCSSFrameConstructor::AttributeChanged() Line 10752 C++
PresShell::AttributeChanged() Line 5499 C++
nsXULDocument::AttributeChanged() Line 1133 C++
nsXULElement::UnsetAttr() Line 1706 C++
nsMenuFrame::UngenerateMenu() Line 712 C++
nsMenuFrame::Destroy() Line 398 C++
nsLineBox::DeleteLineList() Line 325 C++
nsBlockFrame::Destroy() Line 303 C++
nsAreaFrame::Destroy() Line 155 C++
nsBoxFrame::RemoveFrame() Line 1178 C++
nsFrameManager::RemoveFrame() Line 717 C++
nsCSSFrameConstructor::ContentRemoved() Line 10141 C++
nsCSSFrameConstructor::RecreateFramesForContent() Line 12102 C++
nsCSSFrameConstructor::RestyleElement() Line 10600 C++
nsCSSFrameConstructor::ProcessOneRestyle() Line 14147 C++
nsCSSFrameConstructor::ProcessPendingRestyles() Line 14201 C++
nsCSSFrameConstructor::RestyleEvent::HandleEvent() Line 14265 C++
HandleRestyleEvent() Line 14274 C++
PL_HandleEvent() Line 688 C
PL_ProcessPendingEvents() Line 623 C
_md_EventReceiverProc() Line 1408 C
7e418724
7e418806
7e4189bd
7e4193f2
7e418a00
nsAppShell::Run() Line 133 C++
nsAppStartup::Run() Line 151 C++
XRE_main() Line 2711 C++
main() Line 61 C++
mainCRTStartup() Line 398 C
7c816fd7
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
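The branch stack above runs from nsMenuFrame::Destroy() through UngenerateMenu() and UnsetAttr() into PresShell::AttributeChanged(), and Comment 1 proposes making that call asynchronous unless the menu has a new frame. The toy C++ model below is an added example, not Gecko code or the attached patch; Frame, Element, DestroyMenuFrame and the "generated" attribute are hypothetical names.

```cpp
// Added illustration: a toy model, not Gecko code. All names are hypothetical.
#include <functional>
#include <set>
#include <string>
#include <vector>

struct Frame { bool destroying = false; };
struct Element {
    std::set<std::string> attrs;
    Frame* primaryFrame = nullptr;
    std::function<void(Element&)> observer;  // stands in for the layout notification
    void UnsetAttr(const std::string& name) {
        if (attrs.erase(name) && observer) observer(*this);
    }
};
struct Outcome { int hazards; bool attrStillSet; };

// Destroys a menu's frame. deferUnset selects synchronous or deferred cleanup;
// recreateFrame models a restyle that builds a replacement frame.
Outcome DestroyMenuFrame(bool deferUnset, bool recreateFrame) {
    std::vector<std::function<void()>> pending;  // runs after the tree update
    int hazards = 0;
    Element menu;
    menu.attrs.insert("generated");  // hypothetical attribute name
    Frame* frame = new Frame;
    menu.primaryFrame = frame;
    // Count notifications that reach a frame while it is being torn down.
    menu.observer = [&hazards](Element& e) {
        if (e.primaryFrame && e.primaryFrame->destroying) ++hazards;
    };
    frame->destroying = true;  // Destroy() has started
    if (deferUnset)
        pending.push_back([&menu] {  // skip the cleanup if a new frame exists
            if (!menu.primaryFrame) menu.UnsetAttr("generated");
        });
    else
        menu.UnsetAttr("generated");  // notifies layout in the middle of Destroy()
    menu.primaryFrame = nullptr;
    delete frame;
    Frame* fresh = recreateFrame ? new Frame : nullptr;
    menu.primaryFrame = fresh;
    for (auto& job : pending) job();  // the frame tree is stable again here
    bool stillSet = menu.attrs.count("generated") > 0;
    delete fresh;
    return {hazards, stillSet};
}

int main() { return DestroyMenuFrame(true, true).hazards; }
```

In the synchronous case the observer runs while the frame is flagged as destroying, which is the window in which the branch stack reads a deleted object; the deferred case never enters that window and leaves the attribute alone when a replacement frame exists.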
Updated•18 years ago
Whiteboard: [sg:critical?] fixed by 279703 on trunk
Comment 5•18 years ago
This is a 1.8.1 branch blocker, but we can't take the 500K trunk patch ("redesign XUL popups"). Please see if there's a local fix for just this crash.
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment 6•18 years ago (Assignee)
Fixes the crash, but I do see
###!!! ASSERTION: frame was not removed from primary frame map before destruction or was readded to map after being removed: 'Not Reached', file /home/smaug/mozilla/mozilla_cvs/18_branch/mozilla/layout/base/nsFrameManager.cpp, line 734
That assertion is (sort of) from bug 265404.
Comment 7•18 years ago (Assignee)
Another possibility is not to notify when removing the attribute. The same assertions happen then, though. And not notifying means no mutation events when the DOM is mutated; that is hackish.
Comment 8•18 years ago (Assignee)
Comment 9•18 years ago (Assignee)
Are there any other possibilities?
Comment 10•18 years ago
Smaug: is this likely to get a branch patch, reviews and approvals by tomorrow night (1.8.1.8 code freeze)?
Comment 11•18 years ago (Assignee)
Comment on attachment 280653
WIP for 1.8
Roc, what do you think about this. Not perfect, but possibly enough for branch. Not sure if some problem occurs when recreating a frame for menu...
Attachment #280653 - Flags: review?(roc)
Comment on attachment 280653
WIP for 1.8
looks OK but Neil should take a look
Attachment #280653 - Flags: superreview+
Attachment #280653 - Flags: review?(roc)
Attachment #280653 - Flags: review?(enndeakin)
Updated•18 years ago
Attachment #280653 - Flags: review?(enndeakin) → review+
Comment 13•18 years ago
Comment on attachment 280653
WIP for 1.8
approved for 1.8.1.8, a=dveditz
Attachment #280653 - Flags: approval1.8.1.8+
Updated•18 years ago
Whiteboard: [sg:critical?] fixed by 279703 on trunk → [sg:critical?] fixed by 279703 on trunk; need branch landing
Updated•18 years ago
Whiteboard: [sg:critical?] fixed by 279703 on trunk; need branch landing → [sg:critical?] fixed by 279703 on trunk
Comment 15•18 years ago (Assignee)
Thanks Daniel. Somehow I didn't notice this got reviews.
Comment 16•18 years ago
verified fixed 1.8.1.8 using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8 and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ja-JP-mac; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8 and the testcase from this bug.
-> no crash on testcase - adding verified keyword
Keywords: fixed1.8.1.8 → verified1.8.1.8
Updated•18 years ago
Group: security
Updated•18 years ago
Flags: in-testsuite?
Comment 17•18 years ago
Comment on attachment 280653
WIP for 1.8
a=asac for 1.8.0.15
(same patch shipped by distros for some time now)
Attachment #280653 - Flags: approval1.8.0.15+
Comment 19•16 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/4457b7408447
Flags: in-testsuite? → in-testsuite+
Updated•14 years ago
Crash Signature: [@ PresShell::AttributeChanged]