Closed Bug 394800 Opened 13 years ago Closed 13 years ago

"ASSERTION: Some objects allocated with AllocateFrame were not freed" with xul:menulist, xul:tooltip

Categories

(Core :: XUL, defect)

defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.9beta1

People

(Reporter: jruderman, Assigned: mats)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?][dbaron-1.9:Rs])

Attachments

(3 files)

###!!! ASSERTION: Shallow unbind won't clear document and binding parent on kids!: 'aDeep || (!GetCurrentDoc() && !GetBindingParent())', file /Users/jruderman/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 2090

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673

This bug appears to be exploitable via the usual method for exploiting "ASSERTION: Some objects allocated with AllocateFrame were not freed" bugs.
Flags: blocking1.9?
You have to reload to see the second assertion, as usual.
Whiteboard: [sg:critical?]
We're calling nsMenuFrame::InsertFrames with aPrevFrame == the popup frame
on its ::popupList although we insert the new frame into the principal list.
This is same problem as we had with nsFieldSetFrame when aPrevFrame was
the legend frame in bug 345249.  Patch coming up.
Assignee: nobody → mats.palmgren
Flags: in-testsuite?
OS: Mac OS X → All
Hardware: PC → All
Attached file Mochitest (.tar.gz)
Attached patch Patch rev. 1Splinter Review
Fixes the second assertion (and the crash I hope -- Jesse, confirm?).
The first assertion still occurs but I think it's unrelated and can
be handled in a separate bug.
Attachment #279581 - Flags: superreview?(enndeakin)
Attachment #279581 - Flags: review?(enndeakin)
make[5]: *** No rule to make target `/Users/jruderman/trunk/mozilla/layout/xul/test/Makefile.in', needed by `test/Makefile'.  Stop.

Did you forget to include your new tests in the patch?
The patch does fix the crash :)
(In reply to comment #6)
> Did you forget to include your new tests in the patch?

It's in the attached .tar.gz file.  I don't think it's possible to make
a cvs diff with files in new directories (layout/xul/test), IIRC "cvs add"
of a directory is immediate and I didn't want to affect the repository
without approval.

(In reply to comment #7)
> The patch does fix the crash :)

Thanks!
(In reply to comment #8)
>I don't think it's possible to make a cvs diff with files in new directories
There are third-party utilities that allow this (e.g. cvsdo).
Attachment #279581 - Flags: superreview?(enndeakin)
Attachment #279581 - Flags: superreview?(bzbarsky)
Attachment #279581 - Flags: review?(enndeakin)
Attachment #279581 - Flags: review+
Comment on attachment 279581 [details] [diff] [review]
Patch rev. 1

sr=bzbarsky
Attachment #279581 - Flags: superreview?(bzbarsky) → superreview+
Attachment #279581 - Flags: approval1.9?
Flags: blocking1.9? → blocking1.9+
Comment on attachment 279581 [details] [diff] [review]
Patch rev. 1

a1.9=dbaron
Attachment #279581 - Flags: approval1.9? → approval1.9+
Whiteboard: [sg:critical?] → [sg:critical?][dbaron-1.9:Rs]
mozilla/layout/xul/test/Makefile.in 	1.2
mozilla/layout/xul/test/test_bug394800.xhtml 	1.1
mozilla/layout/xul/base/src/nsBoxFrame.cpp 	1.341
mozilla/layout/xul/base/src/nsMenuFrame.cpp 	1.362 

-> FIXED
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M9
verified fixed 1.9.0 debug no AllocateFrame assertion with attachment 279517 [details] on linux/macppc/windows. Also no assertion on linux/windows with the mochikit test (mac wouldn't run mochikit...)
Status: RESOLVED → VERIFIED
This bug doesn't seem to affect branch.  I ported the patch for bug 334514 to branch just to make sure ;)
Group: security
Flags: wanted1.8.1.x-
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.