Last Comment Bug 501900 - Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event handler removing window
: Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event ha...
Status: RESOLVED FIXED
[sg:critical?]
: crash, testcase, verified1.9.0.14, verified1.9.1
Product: Core
Classification: Components
Component: XUL (show other bugs)
: Trunk
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: Olli Pettay [:smaug]
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-02 01:36 PDT by Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
Modified: 2011-06-13 10:01 PDT (History)
6 users (show)
samuel.sidler+old: blocking1.9.0.14+
samuel.sidler+old: wanted1.9.0.x+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
.3+
.3-fixed


Attachments
zipped up testcase (852 bytes, application/zip)
2009-07-02 01:36 PDT, Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
no flags Details
patch (1.28 KB, patch)
2009-07-02 02:42 PDT, Olli Pettay [:smaug]
no flags Details | Diff | Review
patch (1.46 KB, patch)
2009-07-02 02:43 PDT, Olli Pettay [:smaug]
roc: review+
roc: superreview+
dveditz: approval1.9.1.3+
dveditz: approval1.9.0.14+
Details | Diff | Review

Description Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2009-07-02 01:36:54 PDT
Created attachment 386468 [details]
zipped up testcase

See zipped up testcase. To reproduce, open the file named 'Kopie van parentframe.htm'. After opening Mozilla crashes within 400ms.
It also crashes in Firefox 3.

http://crash-stats.mozilla.com/report/index/fb9fbb8f-537a-4a37-b9e6-f557b2090701?p=1
0  	xul.dll  	LazyGeneratePopupDone  	 layout/xul/base/src/nsMenuPopupFrame.cpp:578
1 	xul.dll 	nsCSSFrameConstructor::LazyGenerateChildrenEvent::Run 	layout/base/nsCSSFrameConstructor.cpp:11773
2 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
3 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
4 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
5 	nspr4.dll 	PR_GetEnv 	
6 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
7 	firefox.exe 	firefox.exe@0x21a7 	
8 	kernel32.dll 	kernel32.dll@0x17076 

Firefox 3 crash report (garbage, it seems):
http://crash-stats.mozilla.com/report/index/04487184-afa9-4932-8327-18c352090701
0  	 	@0x39e318f
Comment 1 Olli Pettay [:smaug] 2009-07-02 02:42:14 PDT
Created attachment 386474 [details] [diff] [review]
patch

In this case we really want to use weak frame. re-getting the frame might cause
callback to use an nsIFrame for which a different runnable has been dispatched.
Comment 2 Olli Pettay [:smaug] 2009-07-02 02:43:32 PDT
Created attachment 386475 [details] [diff] [review]
patch
Comment 3 Samuel Sidler (old account; do not CC) 2009-07-10 11:17:35 PDT
For 1.9.1, we'll take this in 1.9.1.2.
Comment 4 Olli Pettay [:smaug] 2009-07-21 05:12:38 PDT
http://hg.mozilla.org/mozilla-central/rev/9cee3c24b53e
Comment 5 Boris Zbarsky [:bz] 2009-07-24 13:42:54 PDT
So what, exactly, kills the frame here?
Comment 6 Daniel Veditz [:dveditz] 2009-08-05 16:44:09 PDT
please request approval if this patch works for 1.9.1 and 1.9.0
Comment 7 Olli Pettay [:smaug] 2009-08-08 07:26:54 PDT
(In reply to comment #5)
> So what, exactly, kills the frame here?
It goes something like observer getting onDOMAttrModified attr, and that eexutes the mutation listener, which removes the iframe and kills the layout objects of that document.
Martijn's testcases are 'interesting' :)
Comment 8 Daniel Veditz [:dveditz] 2009-08-08 11:19:26 PDT
Comment on attachment 386475 [details] [diff] [review]
patch

Approved for 1.9.1.3 and 1.9.0.14, a=dveditz
Comment 9 Olli Pettay [:smaug] 2009-08-08 11:57:31 PDT
Checking in layout/base/nsCSSFrameConstructor.cpp;
/cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v  <--  nsCSSFrameConstructor.cpp
new revision: 1.1486; previous revision: 1.1485
done

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/049629a2fe9f
Comment 10 Boris Zbarsky [:bz] 2009-08-10 09:50:42 PDT
So you mean in this case mCallback does something to destroy frames?
Comment 11 Al Billings [:abillings] 2009-08-18 17:40:36 PDT
Verified for 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It no longer crashes. I verified that crash with 1.9.0.13 as well.
Comment 12 Al Billings [:abillings] 2009-08-19 12:16:17 PDT
Verified for 1.9.1.3 also with  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).

Note You need to log in before you can comment on or make changes to this bug.