Bug 501900 - Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event handler removing window
: crash, testcase, verified1.9.0.14, verified1.9.1
Product: Core
Classification: Components
Component: XUL
: Trunk
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: Olli Pettay [:smaug]
: Neil Deakin
Reported: 2009-07-02 01:36 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT
samuel.sidler+old: blocking1.9.0.14+
samuel.sidler+old: wanted1.9.0.x+

zipped up testcase (852 bytes, application/zip)
2009-07-02 01:36 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags
patch (1.28 KB, patch)
2009-07-02 02:42 PDT, Olli Pettay [:smaug]
no flags
patch (1.46 KB, patch)
2009-07-02 02:43 PDT, Olli Pettay [:smaug]
roc: review+
roc: superreview+
dveditz: approval1.9.1.3+
dveditz: approval1.9.0.14+

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2009-07-02 01:36:54 PDT
Created attachment 386468
zipped up testcase

See zipped up testcase. To reproduce, open the file named 'Kopie van parentframe.htm'. After opening, Mozilla crashes within 400ms.
It also crashes in Firefox 3.
0  	xul.dll  	LazyGeneratePopupDone  	 layout/xul/base/src/nsMenuPopupFrame.cpp:578
1 	xul.dll 	nsCSSFrameConstructor::LazyGenerateChildrenEvent::Run 	layout/base/nsCSSFrameConstructor.cpp:11773
2 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
3 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
4 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
5 	nspr4.dll 	PR_GetEnv 	
6 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
7 	firefox.exe 	firefox.exe@0x21a7 	
8 	kernel32.dll 	kernel32.dll@0x17076 

Firefox 3 crash report (garbage, it seems):
0  	 	@0x39e318f
Comment 1 Olli Pettay [:smaug] 2009-07-02 02:42:14 PDT
Created attachment 386474

In this case we really want to use a weak frame. Re-getting the frame might cause
the callback to use an nsIFrame for which a different runnable has been dispatched.
Comment 2 Olli Pettay [:smaug] 2009-07-02 02:43:32 PDT
Created attachment 386475
Comment 3 Samuel Sidler (old account; do not CC) 2009-07-10 11:17:35 PDT
For 1.9.1, we'll take this in
Comment 4 Olli Pettay [:smaug] 2009-07-21 05:12:38 PDT
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2009-07-24 13:42:54 PDT
So what, exactly, kills the frame here?
Comment 6 Daniel Veditz [:dveditz] 2009-08-05 16:44:09 PDT
please request approval if this patch works for 1.9.1 and 1.9.0
Comment 7 Olli Pettay [:smaug] 2009-08-08 07:26:54 PDT
(In reply to comment #5)
> So what, exactly, kills the frame here?
It goes something like observer getting onDOMAttrModified attr, and that executes the mutation listener, which removes the iframe and kills the layout objects of that document.
Martijn's testcases are 'interesting' :)
Comment 8 Daniel Veditz [:dveditz] 2009-08-08 11:19:26 PDT
Comment on attachment 386475

Approved for and, a=dveditz
Comment 9 Olli Pettay [:smaug] 2009-08-08 11:57:31 PDT
Checking in layout/base/nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v  <--  nsCSSFrameConstructor.cpp
new revision: 1.1486; previous revision: 1.1485
Comment 10 Boris Zbarsky [:bz] (still a bit busy) 2009-08-10 09:50:42 PDT
So you mean in this case mCallback does something to destroy frames?
Comment 11 Al Billings [:abillings] 2009-08-18 17:40:36 PDT
Verified for with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It no longer crashes. I verified that crash with as well.
Comment 12 Al Billings [:abillings] 2009-08-19 12:16:17 PDT
Verified for also with  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).
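
The weak-frame guard discussed in comments 1 and 7, as an added example that is not part of the bug thread or of Mozilla's patch. It is a minimal C++ model: `Frame`, `WeakFrame` and `RunLazyEvent` are hypothetical stand-ins, and the listener plays the role of the DOMAttrModified handler that tears down the frame before the deferred callback runs.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical model, not Gecko code: Frame stands in for a layout frame,
// WeakFrame for a holder that is nulled when its frame is destroyed.
struct Frame;
struct WeakFrame {
    Frame* frame;
    explicit WeakFrame(Frame* f);
    ~WeakFrame();
    bool IsAlive() const { return frame != nullptr; }
};
struct Frame {
    std::vector<WeakFrame*> watchers;  // holders to clear on destruction
    int generated = 0;
    ~Frame() { for (WeakFrame* w : watchers) w->frame = nullptr; }
};
WeakFrame::WeakFrame(Frame* f) : frame(f) { if (f) f->watchers.push_back(this); }
WeakFrame::~WeakFrame() {
    if (!frame) return;                // frame already gone, nothing to unregister
    std::vector<WeakFrame*>& w = frame->watchers;
    w.erase(std::remove(w.begin(), w.end(), this), w.end());
}

// Deferred event body: the listener models script run by a mutation event and
// may destroy the frame. Returns true only if the callback was safe to run.
bool RunLazyEvent(std::unique_ptr<Frame>& owner, const std::function<void()>& listener,
                  const std::function<void(Frame*)>& callback) {
    WeakFrame weak(owner.get());        // taken before any script can run
    listener();
    if (!weak.IsAlive()) return false;  // a raw Frame* saved earlier would dangle here
    callback(weak.frame);
    return true;
}
bool DemoListenerKillsFrame() {         // constructed case: listener removes the frame
    std::unique_ptr<Frame> frame(new Frame);
    return RunLazyEvent(frame, [&] { frame.reset(); }, [](Frame* f) { f->generated++; });
}
int DemoFrameSurvives() {               // constructed case: listener leaves it alone
    std::unique_ptr<Frame> frame(new Frame);
    RunLazyEvent(frame, [] {}, [](Frame* f) { f->generated++; });
    return frame->generated;
}
int main() { return (!DemoListenerKillsFrame() && DemoFrameSurvives() == 1) ? 0 : 1; }
```

The check sits between the step that can run script and the callback, which is the only point where a stale pointer would otherwise be dereferenced.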
