Bug 459710 - Crash [@ nsCSSFrameConstructor::ConstructFrameInternal] with invalid url alert and removing window in xbl
Status: Closed, VERIFIED DUPLICATE of bug 436965
Opened 16 years ago; closed 16 years ago
Categories: Core :: XBL, defect
People: Reporter: martijn.martijn; Unassigned
Keywords: crash, testcase, verified1.9.0.7; Whiteboard: [sg:dupe 436965]
Attachments: 3 files
See upcoming testcase; it crashes current trunk build and Firefox 3 after you've clicked the alert away.
http://crash-stats.mozilla.com/report/index/789df22b-995c-11dd-a500-001a4bd43ef6
0 xul.dll nsCSSFrameConstructor::ConstructFrameInternal layout/base/nsCSSFrameConstructor.cpp:7451
1 xul.dll nsCSSFrameConstructor::ConstructFrame layout/base/nsCSSFrameConstructor.cpp:7395
2 xul.dll nsCSSFrameConstructor::ContentInserted layout/base/nsCSSFrameConstructor.cpp:8980
3 xul.dll nsCSSFrameConstructor::RecreateFramesForContent layout/base/nsCSSFrameConstructor.cpp:11102
4 xul.dll nsCSSFrameConstructor::ProcessRestyledFrames layout/base/nsCSSFrameConstructor.cpp:9839
5 xul.dll PresShell::RecreateFramesFor layout/base/nsPresShell.cpp:3381
6 xul.dll nsFrameManager::GetUndisplayedContent layout/base/nsFrameManager.cpp:557
7 xul.dll nsXBLStreamListener::Load content/xbl/src/nsXBLService.cpp:477
Comment 1•16 years ago (Reporter)
Comment 2•16 years ago
Do you have the data url in some easily readable form?
Comment 3•16 years ago (Reporter)
The data url is: <html><head></head><body style="https://bugzilla.mozilla.org/attachment.cgi?id=342928#a"></body></html>
Comment 4•16 years ago
I guess that style attr is something like
-moz-binding: url(...)
Comment 5•16 years ago (Reporter)
Oops, yes, I forgot that part.
Comment 6•16 years ago
The fundamental problem is that we're spinning the event queue and running JS under frame construction, with the exact stack described in bug 436965. Bad stuff all around.
Comment 7•16 years ago
Or more precisely, here's the bad part of this stack:
#5 0x03341e07 in nsFrameLoader::LoadURI (this=0xcb41eb0, aURI=0xcb41e70) at /Users/bzbarsky/mozilla/debug/mozilla/content/base/src/nsFrameLoader.cpp:184
#6 0x033409de in nsFrameLoader::LoadFrame (this=0xcb41eb0) at /Users/bzbarsky/mozilla/debug/mozilla/content/base/src/nsFrameLoader.cpp:165
#7 0x03412929 in nsGenericHTMLFrameElement::LoadSrc (this=0xe2934a0) at /Users/bzbarsky/mozilla/debug/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2833
#8 0x03412ab8 in nsGenericHTMLFrameElement::BindToTree (this=0xe2934a0, aDocument=0x1548a00, aParent=0xe2607b0, aBindingParent=0xe2607b0, aCompileEventHandlers=1) at /Users/bzbarsky/mozilla/debug/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:2856
#9 0x035453c3 in nsXBLBinding::InstallAnonymousContent (this=0xcb53d20, aAnonParent=0xcb53ea0, aElement=0xe2607b0) at /Users/bzbarsky/mozilla/debug/mozilla/content/xbl/src/nsXBLBinding.cpp:355
#10 0x03547145 in nsXBLBinding::GenerateAnonymousContent (this=0xcb53d20) at /Users/bzbarsky/mozilla/debug/mozilla/content/xbl/src/nsXBLBinding.cpp:661
#11 0x03565648 in nsXBLService::LoadBindings (this=0xa0f510, aContent=0xe2607b0, aURL=0xe260950, aOriginPrincipal=0xe2dce00, aAugmentFlag=0, aBinding=0xbfffc348, aResolveStyle=0xbfffc334) at /Users/bzbarsky/mozilla/debug/mozilla/content/xbl/src/nsXBLService.cpp:628
#12 0x0301b0e5 in nsCSSFrameConstructor::ConstructFrameInternal (this=0xe261cb0, aState=@0xbfffc528, aContent=0xe2607b0, aParentFrame=0x165733c, aTag=0x1008ba0, aNameSpaceID=0, aStyleContext=0x1650de4, aFrameItems=@0xbfffc624, aXBLBaseTag=0) at /Users/bzbarsky/mozilla/debug/mozilla/layout/base/nsCSSFrameConstructor.cpp:7440
Then we lose.
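As an added illustration of the hazard comments 6 and 7 describe (a constructed model, not Gecko code and not the fix from bug 436965): a frame-construction walk that synchronously runs a binding load, which executes script that removes the window, beside a variant that queues such loads and flushes them only once the walk has finished. Document, Content, constructFramesUnsafe and constructFramesSafe are hypothetical names.

```cpp
// Constructed model of the re-entrancy in this bug (not Gecko code):
// loading an XBL binding mid-construction runs script that removes the
// window; the unsafe walk then continues on torn-down state.
#include <functional>
#include <string>
#include <utility>
#include <vector>

struct Content { std::string tag; bool needsBinding; };

struct Document {
    std::vector<Content> nodes;
    bool alive = true;                               // false once the window is removed
    std::vector<std::function<void()>> pendingLoads; // script-running work deferred
};

// Stand-in for the script run by the binding's frame load: tears the document down.
static void removeWindowScript(Document& doc) {
    doc.nodes.clear();
    doc.alive = false;
}

// Runs the load synchronously under construction, as the crash stack does.
// Returns frames built, or -1 where real code would touch freed frames.
int constructFramesUnsafe(Document& doc) {
    int frames = 0;
    for (size_t i = 0; i < doc.nodes.size(); ++i) {
        if (doc.nodes[i].needsBinding) removeWindowScript(doc); // re-enters script here
        if (!doc.alive) return -1;                               // state is gone; crash
        ++frames;
    }
    return frames;
}

// Queues script-running work and flushes it only once the walk is over,
// so the tree cannot change underneath the constructor.
int constructFramesSafe(Document& doc) {
    int frames = 0;
    for (const Content& c : doc.nodes) {
        if (c.needsBinding) doc.pendingLoads.push_back([&doc] { removeWindowScript(doc); });
        ++frames;
    }
    std::vector<std::function<void()>> loads = std::move(doc.pendingLoads);
    doc.pendingLoads.clear();
    for (auto& load : loads) load();  // script runs with construction finished
    return frames;
}
```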
Updated•16 years ago
Whiteboard: [sg:critical?]
Comment 8•16 years ago
Crashes on my Linux mozilla-central nightly, too.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081105 Minefield/3.1b2pre
Crash ID: 0e371e2b-af6e-11dd-bd87-001321b13766
Platform --> All/All
OS: Windows XP → All
Hardware: PC → All
Updated•16 years ago (Reporter)
Flags: blocking1.9.1?
Comment 9•16 years ago
This bug has been placed in the "Top Security Bugs" list. Please treat this as a priority.
Comment 10•16 years ago
Duping against bug 436965 per request from Jonas.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Comment 11•16 years ago (Reporter)
Fine by me, but I won't retest this when bug 436965 is fixed.
Comment 12•16 years ago
I don't see a crash on this test case or the test case in bug 436965. Fixed/worksforme?
Comment 13•16 years ago (Reporter)
Yes, this was fixed by bug 436965.
Updated•16 years ago
Flags: blocking1.9.1?
Comment 14•16 years ago
Adding fixed1.9.0.7 so QA can verify this was indeed fixed by bug 436965 on the 1.9.0 branch.
Keywords: fixed1.9.0.7
Whiteboard: [sg:critical?] → [sg:dupe 436965]
Comment 15•16 years ago
Martijn, can you verify this with the 1.9.0.7 candidate build, as we discussed?
Comment 16•16 years ago (Reporter)
Because of the change in bugzilla, the testcase doesn't work anymore, so that's why I've now used this zipped up testcase to test.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7pre) Gecko/2009021705 GranParadiso/3.0.7pre
I've seen it crash with the zipped up testcase, using a Firefox3.0.5 build.
Updated•16 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 18•16 years ago
This is a dupe of bug 436965 which is not wanted for 1.8.1, so this bug isn't either.
Flags: wanted1.8.1.x-
Updated•15 years ago
Group: core-security
Updated•13 years ago (Assignee)
Crash Signature: [@ nsCSSFrameConstructor::ConstructFrameInternal]