Closed
Bug 459613
Opened 16 years ago
Closed 16 years ago
ASSERTION: GetPrimaryFrameFor() called while nsFrameManager is being destroyed!
Categories
(Core :: Layout: Form Controls, defect, P2)
Core
Layout: Form Controls
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b3
People
(Reporter: MatsPalmgren_bugz, Assigned: roc)
References
Details
(Keywords: assertion, testcase, verified1.9.1, Whiteboard: [sg:investigate])
Attachments
(5 files, 1 obsolete file)
6.22 KB,
text/plain
|
Details | |
56 bytes,
text/html
|
Details | |
1.09 KB,
patch
|
Details | Diff | Splinter Review | |
143 bytes,
text/html
|
Details | |
12.00 KB,
patch
|
MatsPalmgren_bugz
:
review+
MatsPalmgren_bugz
:
superreview+
|
Details | Diff | Splinter Review |
STEPS TO REPRODUCE
1. load the mochitest content/base/test/test_bug398243.html
2. reload
###!!! ASSERTION: GetPrimaryFrameFor() called while nsFrameManager is being destroyed!: 'Error', file /usr/moz/hg1/layout/base/nsFrameManager.cpp, line 332
Filing as security-sensitive because GetPrimaryFrameFor() during frame
destruction can potentially lead to nasty crashes (using freed frames).
Reporter | ||
Comment 1•16 years ago
|
||
Updated•16 years ago
|
Whiteboard: [sg:investigate]
Comment 2•16 years ago
|
||
Yeah, so we either need someone here (selection code?) to check the frame manager state or do some part of this cleanup async... Or remove the assert and just make the frame manager return null in this case.
Doesn't look like a form controls issue much, since the form control code is just doing the only thing editor will let it do.
Updated•16 years ago
|
Flags: blocking1.9.1?
Comment 3•16 years ago
|
||
Close this testcase to see the assertion.
Assignee | ||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Assignee | ||
Updated•16 years ago
|
Assignee: nobody → roc
Assignee | ||
Comment 4•16 years ago
|
||
1) tell spellchecker Cleanup() if the editor is going away. If it is, then we don't need to bother removing spellcheck ranges since all that content is going away. That avoids us doing dangerous work during frame destruction.
2) Fix presshell so that if something causes presshell destruction we don't keep going through the event phases so we don't do frame lookups on a dying frame manager and trigger the GetPrimaryFrameFor assertion.
Attachment #349387 -
Flags: superreview?(mats.palmgren)
Attachment #349387 -
Flags: review?(mats.palmgren)
Assignee | ||
Updated•16 years ago
|
Whiteboard: [sg:investigate] → [sg:investigate][needs review]
Assignee | ||
Comment 5•16 years ago
|
||
I'm not sure how to test this. Is a mochitest that does window.open of attachment #342950 [details] and immediately closes it the best way?
Assignee | ||
Updated•16 years ago
|
OS: Linux → All
Hardware: PC → All
What we're doing for assertions now is putting them in crashtests (which are written like reftests), although we're not actually running them under automation that detects assertions...
(And you can of course use class="reftest-wait" for a crashtest. Does it assert if you create and destroy an iframe?)
Reporter | ||
Comment 8•16 years ago
|
||
Reporter | ||
Comment 9•16 years ago
|
||
Reporter | ||
Comment 10•16 years ago
|
||
Comment on attachment 349387 [details] [diff] [review]
fix
There's a misspell-indication after loading Testcase #2 with this patch.
r- based on that.
Nit:
> layout/base/nsPresShell.cpp
>+ if (!mIsDestroying && (GetCurrentEventFrame()) && NS_SUCCEEDED(rv)) {
FYI, GetCurrentEventFrame() now returns null when mIsDestroying is true -
you can have the explicit test there for clarity if you want though.
Remove the extra parentheses around the call.
Attachment #349387 -
Flags: superreview?(mats.palmgren)
Attachment #349387 -
Flags: review?(mats.palmgren)
Attachment #349387 -
Flags: review-
Reporter | ||
Updated•16 years ago
|
Whiteboard: [sg:investigate][needs review] → [sg:investigate]
Assignee | ||
Comment 11•16 years ago
|
||
Fix that by propagating information about frame teardown through nsEditor::PreDestroy. Also rolls up the tests.
Attachment #349387 -
Attachment is obsolete: true
Attachment #352259 -
Flags: superreview?(mats.palmgren)
Attachment #352259 -
Flags: review?(mats.palmgren)
Assignee | ||
Updated•16 years ago
|
Whiteboard: [sg:investigate] → [sg:investigate][needs review]
Reporter | ||
Comment 12•16 years ago
|
||
Comment on attachment 352259 [details] [diff] [review]
fix v2
r+sr=mats with the following nit:
> editor/txtsvc/public/nsIInlineSpellChecker.idl
>+ [noscript] void cleanup(in boolean aDestroyingEditor);
> extensions/spellcheck/src/mozInlineSpellChecker.cpp
>+nsresult mozInlineSpellChecker::Cleanup(PRBool aDestroyingEditor)
> ...
>+ if (!aDestroyingEditor) {
These should also be renamed aDestroyingFrames?
Attachment #352259 -
Flags: superreview?(mats.palmgren)
Attachment #352259 -
Flags: superreview+
Attachment #352259 -
Flags: review?(mats.palmgren)
Attachment #352259 -
Flags: review+
Reporter | ||
Updated•16 years ago
|
Whiteboard: [sg:investigate][needs review] → [sg:investigate]
Assignee | ||
Comment 13•16 years ago
|
||
Yes.
Whiteboard: [sg:investigate] → [sg:investigate][needs landing]
Assignee | ||
Comment 14•16 years ago
|
||
Pushed to trunk as 2cbcaca3fcdb
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [sg:investigate][needs landing] → [sg:investigate][needs 191 landing]
Assignee | ||
Updated•16 years ago
|
Flags: in-testsuite+
Blocks: 463681
When you land this on 1.9.1, could you land bug 463681 as well? (It's worth double-checking the logs for the leak test tinderboxes for ASSERTIONs first, though.)
Comment 16•16 years ago
|
||
It would be helpful to land this on branch soon, as it will simplify life in Thunderbird-land.
Keywords: fixed1.9.1
Whiteboard: [sg:investigate][needs 191 landing] → [sg:investigate]
Target Milestone: --- → mozilla1.9.1b3
Comment 19•16 years ago
|
||
verified FIXED (on both attached testcases as well as no results for a red on the attached crashtest via bugzilla) using debug builds:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090608 Shiretoko/3.5pre ID:20090608122057
and
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090608 Minefield/3.6a1pre ID:20090608122028
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•