Closed Bug 394800 Opened 17 years ago Closed 17 years ago

"ASSERTION: Some objects allocated with AllocateFrame were not freed" with xul:menulist, xul:tooltip

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9beta1

People

(Reporter: jruderman, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?][dbaron-1.9:Rs])

Attachments

(3 files)

testcase (triggers the assertion but not the crash)
375 bytes, application/xhtml+xml
Details
Mochitest (.tar.gz)
1.58 KB, application/octet-stream
Details
Patch rev. 1
3.20 KB, patch
enndeakin
: review+
bzbarsky
: superreview+
dbaron
: approval1.9+
Details | Diff | Splinter Review 
###!!! ASSERTION: Shallow unbind won't clear document and binding parent on kids!: 'aDeep || (!GetCurrentDoc() && !GetBindingParent())', file /Users/jruderman/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 2090

###!!! ASSERTION: Some objects allocated with AllocateFrame were not freed: 'mFrameCount == 0', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 673

This bug appears to be exploitable via the usual method for exploiting "ASSERTION: Some objects allocated with AllocateFrame were not freed" bugs.
Flags: blocking1.9?
You have to reload to see the second assertion, as usual.
Whiteboard: [sg:critical?]
We're calling nsMenuFrame::InsertFrames with aPrevFrame == the popup frame
on its ::popupList although we insert the new frame into the principal list.
This is same problem as we had with nsFieldSetFrame when aPrevFrame was
the legend frame in bug 345249.  Patch coming up.
Assignee: nobody → mats.palmgren
Flags: in-testsuite?
OS: Mac OS X → All
Hardware: PC → All
Attached file Mochitest (.tar.gz) 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1Splinter Review
      

    


  
Fixes the second assertion (and the crash I hope -- Jesse, confirm?).
The first assertion still occurs but I think it's unrelated and can
be handled in a separate bug.

        Attachment #279581 -
        Flags: superreview?(enndeakin)

        Attachment #279581 -
        Flags: review?(enndeakin)

    
    

    
  
make[5]: *** No rule to make target `/Users/jruderman/trunk/mozilla/layout/xul/test/Makefile.in', needed by `test/Makefile'.  Stop.

Did you forget to include your new tests in the patch?

    
    

    
  
The patch does fix the crash :)

    
    

    
  
(In reply to comment #6)
> Did you forget to include your new tests in the patch?

It's in the attached .tar.gz file.  I don't think it's possible to make
a cvs diff with files in new directories (layout/xul/test), IIRC "cvs add"
of a directory is immediate and I didn't want to affect the repository
without approval.

(In reply to comment #7)
> The patch does fix the crash :)

Thanks!

    
    

    
  
(In reply to comment #8)
>I don't think it's possible to make a cvs diff with files in new directories
There are third-party utilities that allow this (e.g. cvsdo).

    
  

        Attachment #279581 -
        Flags: superreview?(enndeakin)

        Attachment #279581 -
        Flags: superreview?(bzbarsky)

        Attachment #279581 -
        Flags: review?(enndeakin)

        Attachment #279581 -
        Flags: review+

    
    

    
  
Comment on attachment 279581 [details] [diff] [review]
Patch rev. 1

sr=bzbarsky

        Attachment #279581 -
        Flags: superreview?(bzbarsky) → superreview+

    
  

        Attachment #279581 -
        Flags: approval1.9?
Flags: blocking1.9? → blocking1.9+

    
    

    
  
Comment on attachment 279581 [details] [diff] [review]
Patch rev. 1

a1.9=dbaron

        Attachment #279581 -
        Flags: approval1.9? → approval1.9+
Whiteboard: [sg:critical?] → [sg:critical?][dbaron-1.9:Rs]

    
    

    
  
mozilla/layout/xul/test/Makefile.in 	1.2
mozilla/layout/xul/test/test_bug394800.xhtml 	1.1
mozilla/layout/xul/base/src/nsBoxFrame.cpp 	1.341
mozilla/layout/xul/base/src/nsMenuFrame.cpp 	1.362 

-> FIXED
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M9

    
    

    
  
verified fixed 1.9.0 debug no AllocateFrame assertion with attachment 279517 [details] on linux/macppc/windows. Also no assertion on linux/windows with the mochikit test (mac wouldn't run mochikit...)
Status: RESOLVED → VERIFIED

    
    

    
  
This bug doesn't seem to affect branch.  I ported the patch for bug 334514 to branch just to make sure ;)
Group: security
Flags: wanted1.8.1.x-

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: