Closed Bug 419985 Opened 12 years ago Closed 12 years ago

Crash [@ nsView::~nsView()] with onload focusing and removing window

Categories

(Core :: Layout, defect, critical)

Platform: x86 Windows XP
Priority: Not set
Severity: critical

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Assigned: martijn.martijn)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase
Maybe this is related to bug 402034 and/or bug 395609?
It seems so, because of the nsFrameLoader::Destroy() part in the stack.
However, this is also crashing on branch, so marking security sensitive for now.
It doesn't crash in Mozilla1.7, I can look for a regression range, if wanted.

The iframe source consists of this:
<html><head></head>
<body onfocus="window.frameElement.parentNode.removeChild(window.frameElement)">
<iframe src="data:text/html;charset=utf-8,%3Cbody%20onload%3D%22document.links%5B0%5D.focus%28%29%3B%22%3E%3Ca%20href%3D%22javascript%3A%22%3Em%3C/a%3E"></iframe>
<style id="e">
@import URL(http://google.com/);
</style>
</body>
</html>

The iframe source of the iframe source consists of this:
<body onload="document.links[0].focus();"><a href="javascript:">m</a>

http://crash-stats.mozilla.com/report/index/99a8f98a-e591-11dc-9446-001a4bd46e84
0   nsView::~nsView()   mozilla/view/src/nsView.cpp:274
1   nsView::`vector deleting destructor'(unsigned int)
2   nsFrame::Destroy()   mozilla/layout/generic/nsFrame.cpp:505
3   nsContainerFrame::Destroy()   mozilla/layout/generic/nsContainerFrame.cpp:299
4   nsFrameManager::Destroy()   mozilla/layout/base/nsFrameManager.cpp:283
5   PresShell::Destroy()   mozilla/layout/base/nsPresShell.cpp:1677
6   DocumentViewerImpl::Destroy()   mozilla/layout/base/nsDocumentViewer.cpp:1522
7   nsDocShell::Destroy()   mozilla/docshell/base/nsDocShell.cpp:3653
8   nsFrameLoader::Finalize()   mozilla/content/base/src/nsFrameLoader.cpp:257
9   nsDocument::FinalizeFrameLoader(nsFrameLoader*)   mozilla/content/base/src/nsDocument.cpp:3849
10  nsFrameLoader::Destroy()   mozilla/content/base/src/nsFrameLoader.cpp:301
11  nsGenericHTMLFrameElement::DestroyContent()   mozilla/content/html/content/src/nsGenericHTMLElement.cpp:3042
12  nsGenericElement::DestroyContent()   mozilla/content/base/src/nsGenericElement.cpp:2958
13  nsGenericElement::DestroyContent()   mozilla/content/base/src/nsGenericElement.cpp:2958
14  nsDocument::Destroy()   mozilla/content/base/src/nsDocument.cpp:5530
15  DocumentViewerImpl::Close(nsISHEntry*)   mozilla/layout/base/nsDocumentViewer.cpp:1317
16  xul.dll@0x726ccb
17  @0x2e2d81b

On branch, talkback ID: TB41980429Z
nsView::~nsView  [mozilla/view/src/nsView.cpp, line 267]
nsSplittableFrame::Destroy  [mozilla/layout/generic/nsSplittableFrame.cpp, line 71]
nsPositionedInlineFrame::Destroy  [mozilla/layout/generic/nsInlineFrame.cpp, line 1175]
DocumentViewerImpl::Destroy  [mozilla/layout/base/nsDocumentViewer.cpp, line 1556]
nsDocShell::Destroy  [mozilla/docshell/base/nsDocShell.cpp, line 3601]
nsFrameLoader::Destroy  [mozilla/content/base/src/nsFrameLoader.cpp, line 247]
nsGenericHTMLFrameElement::UnbindFromTree  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3677]
nsHTMLBodyElement::UnbindFromTree  [mozilla/content/html/content/src/nsHTMLBodyElement.cpp, line 427]
nsDocument::Destroy  [mozilla/content/base/src/nsDocument.cpp, line 5001]
DocumentViewerImpl::Close  [mozilla/layout/base/nsDocumentViewer.cpp, line 1354]
nsDocShell::SetupNewViewer  [mozilla/docshell/base/nsDocShell.cpp, line 6109]
nsDocShell::Embed  [mozilla/docshell/base/nsDocShell.cpp, line 4663]
nsDocShell::CreateContentViewer  [mozilla/docshell/base/nsDocShell.cpp, line 5847]
nsDSURIContentListener::DoContent  [mozilla/docshell/base/nsDSURIContentListener.cpp, line 131]
nsDocumentOpenInfo::TryContentListener  [mozilla/uriloader/base/nsURILoader.cpp, line 776]
nsDocumentOpenInfo::DispatchContent  [mozilla/uriloader/base/nsURILoader.cpp, line 500]
nsDocumentOpenInfo::OnStartRequest  [mozilla/uriloader/base/nsURILoader.cpp, line 345]
nsFileChannel::OnStartRequest  [mozilla/netwerk/protocol/file/src/nsFileChannel.cpp, line 539]
nsOutputStreamReadyEvent::EventHandler  [mozilla/xpcom/io/nsStreamUtils.cpp, line 121]
0x778b0c24
nsXULContentUtils::Init  [mozilla/content/xul/templates/src/nsXULResourceList.h, line 43]
0x029a0292
0xd1200000
I bet this is Windows-only and caused by the same problem for which bug 395609
had to be backed out.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Flags: in-testsuite?
Crash Signature: [@ nsView::~nsView()]
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5bf604e8b8d7
Group: core-security
Flags: in-testsuite? → in-testsuite+