Closed
Bug 419985
Opened 16 years ago
Closed 16 years ago
Crash [@ nsView::~nsView()] with onload focusing and removing window
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: martijn.martijn, Assigned: martijn.martijn)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file)
1014 bytes,
text/html
|
Details |
Maybe this is related to bug 402034 and/or bug 395609? It seems so, because of the nsFrameLoader::Destroy() part in the stack. However, this is also crashing on branch, so marking security sensitive for now. It doesn't crash in Mozilla1.7, I can look for a regression range, if wanted. The iframe source consists of this: <html><head></head> <body onfocus="window.frameElement.parentNode.removeChild(window.frameElement)"> <iframe src="data:text/html;charset=utf-8,%3Cbody%20onload%3D%22document.links%5B0%5D.focus%28%29%3B%22%3E%3Ca%20href%3D%22javascript%3A%22%3Em%3C/a%3E"></iframe> <style id="e"> @import URL(http://google.com/); </style> </body> </html> The iframe source of the iframe source consists of this: <body onload="document.links[0].focus();"><a href="javascript:">m</a> http://crash-stats.mozilla.com/report/index/99a8f98a-e591-11dc-9446-001a4bd46e84 0 nsView::~nsView() mozilla/view/src/nsView.cpp:274 1 nsView::`vector deleting destructor'(unsigned int) 2 nsFrame::Destroy() mozilla/layout/generic/nsFrame.cpp:505 3 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:299 4 nsFrameManager::Destroy() mozilla/layout/base/nsFrameManager.cpp:283 5 PresShell::Destroy() mozilla/layout/base/nsPresShell.cpp:1677 6 DocumentViewerImpl::Destroy() mozilla/layout/base/nsDocumentViewer.cpp:1522 7 nsDocShell::Destroy() mozilla/docshell/base/nsDocShell.cpp:3653 8 nsFrameLoader::Finalize() mozilla/content/base/src/nsFrameLoader.cpp:257 9 nsDocument::FinalizeFrameLoader(nsFrameLoader*) mozilla/content/base/src/nsDocument.cpp:3849 10 nsFrameLoader::Destroy() mozilla/content/base/src/nsFrameLoader.cpp:301 11 nsGenericHTMLFrameElement::DestroyContent() mozilla/content/html/content/src/nsGenericHTMLElement.cpp:3042 12 nsGenericElement::DestroyContent() mozilla/content/base/src/nsGenericElement.cpp:2958 13 nsGenericElement::DestroyContent() mozilla/content/base/src/nsGenericElement.cpp:2958 14 nsDocument::Destroy() mozilla/content/base/src/nsDocument.cpp:5530 15 DocumentViewerImpl::Close(nsISHEntry*) mozilla/layout/base/nsDocumentViewer.cpp:1317 16 xul.dll@0x726ccb 17 @0x2e2d81b On branch, talkback ID: TB41980429Z nsView::~nsView [mozilla/view/src/nsView.cpp, line 267] nsSplittableFrame::Destroy [mozilla/layout/generic/nsSplittableFrame.cpp, line 71] nsPositionedInlineFrame::Destroy [mozilla/layout/generic/nsInlineFrame.cpp, line 1175] DocumentViewerImpl::Destroy [mozilla/layout/base/nsDocumentViewer.cpp, line 1556] nsDocShell::Destroy [mozilla/docshell/base/nsDocShell.cpp, line 3601] nsFrameLoader::Destroy [mozilla/content/base/src/nsFrameLoader.cpp, line 247] nsGenericHTMLFrameElement::UnbindFromTree [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3677] nsHTMLBodyElement::UnbindFromTree [mozilla/content/html/content/src/nsHTMLBodyElement.cpp, line 427] nsDocument::Destroy [mozilla/content/base/src/nsDocument.cpp, line 5001] DocumentViewerImpl::Close [mozilla/layout/base/nsDocumentViewer.cpp, line 1354] nsDocShell::SetupNewViewer [mozilla/docshell/base/nsDocShell.cpp, line 6109] nsDocShell::Embed [mozilla/docshell/base/nsDocShell.cpp, line 4663] nsDocShell::CreateContentViewer [mozilla/docshell/base/nsDocShell.cpp, line 5847] nsDSURIContentListener::DoContent [mozilla/docshell/base/nsDSURIContentListener.cpp, line 131] nsDocumentOpenInfo::TryContentListener [mozilla/uriloader/base/nsURILoader.cpp, line 776] nsDocumentOpenInfo::DispatchContent [mozilla/uriloader/base/nsURILoader.cpp, line 500] nsDocumentOpenInfo::OnStartRequest [mozilla/uriloader/base/nsURILoader.cpp, line 345] nsFileChannel::OnStartRequest [mozilla/netwerk/protocol/file/src/nsFileChannel.cpp, line 539] nsOutputStreamReadyEvent::EventHandler [mozilla/xpcom/io/nsStreamUtils.cpp, line 121] 0x778b0c24 nsXULContentUtils::Init [mozilla/content/xul/templates/src/nsXULResourceList.h, line 43] 0x029a0292 0xd1200000
Comment 1•16 years ago
|
||
I bet this is windows only and caused by the same problem why bug 395609 had to be backed out.
Assignee | ||
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Updated•16 years ago
|
Flags: in-testsuite?
Updated•13 years ago
|
Crash Signature: [@ nsView::~nsView()]
Comment 2•9 years ago
|
||
Landed a crashtest: https://hg.mozilla.org/integration/mozilla-inbound/rev/5bf604e8b8d7
Group: core-security
Flags: in-testsuite? → in-testsuite+
Comment 3•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5bf604e8b8d7
Assignee: nobody → martijn.martijn
You need to log in
before you can comment on or make changes to this bug.
Description
•