As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 501900 - Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event handler removing window
: Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event ha...
Status: RESOLVED FIXED
[sg:critical?]
: crash, testcase, verified1.9.0.14, verified1.9.1
Product: Core
Classification: Components
Component: XUL (show other bugs)
: Trunk
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: Olli Pettay [:smaug] (review request backlog because of a work week)
:
: Neil Deakin
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-02 01:36 PDT by Martijn Wargers [:mwargers]
Modified: 2011-06-13 10:01 PDT (History)
6 users (show)
samuel.sidler+old: blocking1.9.0.14+
samuel.sidler+old: wanted1.9.0.x+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
.3+
.3-fixed


Attachments
zipped up testcase (852 bytes, application/zip)
2009-07-02 01:36 PDT, Martijn Wargers [:mwargers]
no flags Details
patch (1.28 KB, patch)
2009-07-02 02:42 PDT, Olli Pettay [:smaug] (review request backlog because of a work week)
no flags Details | Diff | Splinter Review
patch (1.46 KB, patch)
2009-07-02 02:43 PDT, Olli Pettay [:smaug] (review request backlog because of a work week)
roc: review+
roc: superreview+
dveditz: approval1.9.1.3+
dveditz: approval1.9.0.14+
Details | Diff | Splinter Review

Description User image Martijn Wargers [:mwargers] 2009-07-02 01:36:54 PDT
Created attachment 386468 [details]
zipped up testcase

See zipped up testcase. To reproduce, open the file named 'Kopie van parentframe.htm'. After opening Mozilla crashes within 400ms.
It also crashes in Firefox 3.

http://crash-stats.mozilla.com/report/index/fb9fbb8f-537a-4a37-b9e6-f557b2090701?p=1
0  	xul.dll  	LazyGeneratePopupDone  	 layout/xul/base/src/nsMenuPopupFrame.cpp:578
1 	xul.dll 	nsCSSFrameConstructor::LazyGenerateChildrenEvent::Run 	layout/base/nsCSSFrameConstructor.cpp:11773
2 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
3 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
4 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
5 	nspr4.dll 	PR_GetEnv 	
6 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
7 	firefox.exe 	firefox.exe@0x21a7 	
8 	kernel32.dll 	kernel32.dll@0x17076 

Firefox 3 crash report (garbage, it seems):
http://crash-stats.mozilla.com/report/index/04487184-afa9-4932-8327-18c352090701
0  	 	@0x39e318f
Comment 1 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2009-07-02 02:42:14 PDT
Created attachment 386474 [details] [diff] [review]
patch

In this case we really want to use weak frame. re-getting the frame might cause
callback to use an nsIFrame for which a different runnable has been dispatched.
Comment 2 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2009-07-02 02:43:32 PDT
Created attachment 386475 [details] [diff] [review]
patch
Comment 3 User image Samuel Sidler (old account; do not CC) 2009-07-10 11:17:35 PDT
For 1.9.1, we'll take this in 1.9.1.2.
Comment 4 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2009-07-21 05:12:38 PDT
http://hg.mozilla.org/mozilla-central/rev/9cee3c24b53e
Comment 5 User image Boris Zbarsky [:bz] (still a bit busy) 2009-07-24 13:42:54 PDT
So what, exactly, kills the frame here?
Comment 6 User image Daniel Veditz [:dveditz] 2009-08-05 16:44:09 PDT
please request approval if this patch works for 1.9.1 and 1.9.0
Comment 7 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2009-08-08 07:26:54 PDT
(In reply to comment #5)
> So what, exactly, kills the frame here?
It goes something like observer getting onDOMAttrModified attr, and that eexutes the mutation listener, which removes the iframe and kills the layout objects of that document.
Martijn's testcases are 'interesting' :)
Comment 8 User image Daniel Veditz [:dveditz] 2009-08-08 11:19:26 PDT
Comment on attachment 386475 [details] [diff] [review]
patch

Approved for 1.9.1.3 and 1.9.0.14, a=dveditz
Comment 9 User image Olli Pettay [:smaug] (review request backlog because of a work week) 2009-08-08 11:57:31 PDT
Checking in layout/base/nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v  <--  nsCSSFrameConstructor.cpp
new revision: 1.1486; previous revision: 1.1485
done

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/049629a2fe9f
Comment 10 User image Boris Zbarsky [:bz] (still a bit busy) 2009-08-10 09:50:42 PDT
So you mean in this case mCallback does something to destroy frames?
Comment 11 User image Al Billings [:abillings] 2009-08-18 17:40:36 PDT
Verified for 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It no longer crashes. I verified that crash with 1.9.0.13 as well.
Comment 12 User image Al Billings [:abillings] 2009-08-19 12:16:17 PDT
Verified for 1.9.1.3 also with  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).

Note You need to log in before you can comment on or make changes to this bug.