Closed Bug 677486 Opened 14 years ago Closed 13 years ago

Content crash [@ nsRegion::Copy] Fennec desktop Windows with input type=file in iframe

Categories

(Firefox for Android Graveyard :: General, defect)

x86
Windows 7
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase
I'm only able to crash on Fennec desktop Windows (trunk), with these steps to reproduce.

Steps to reproduce:
- Open testcase
- Click on the "Browse..." button
- Click again on the "Browse..." button

Result:
- Content crash

The crash stack seems to indicate that this might have something to do with bug 582057, perhaps?
https://crash-stats.mozilla.com/report/index/88e248c5-5b4b-46dd-8b9a-b5ccf2110808

0 xul.dll `anonymous namespace'::SizePair::operator= gfx/src/nsRegion.h:94
1 xul.dll nsRegion::Copy gfx/src/nsRegion.cpp:594
2 xul.dll nsRegion::SubRect gfx/src/nsRegion.cpp:1092
3 xul.dll nsRegion::Or gfx/src/nsRegion.cpp:843
4 xul.dll nsIntRegion::Or gfx/src/nsRegion.h:353
5 xul.dll mozilla::widget::PuppetWidget::Invalidate widget/src/xpwidgets/PuppetWidget.cpp:245
6 xul.dll nsViewManager::UpdateWidgetArea view/src/nsViewManager.cpp:603
7 xul.dll nsViewManager::ProcessPendingUpdates view/src/nsViewManager.cpp:457
8 xul.dll nsViewManager::FlushPendingInvalidates view/src/nsViewManager.cpp:1558
9 xul.dll nsViewManager::TriggerRefresh view/src/nsViewManager.cpp:1456
10 xul.dll nsViewManager::EndUpdateViewBatch view/src/nsViewManager.cpp:1491
11 xul.dll nsIViewManager::UpdateViewBatch::EndUpdateViewBatch obj-firefox/dist/include/nsIViewManager.h:331
12 xul.dll PresShell::FlushPendingNotifications layout/base/nsPresShell.cpp:4828
13 xul.dll nsRefreshDriver::Notify layout/base/nsRefreshDriver.cpp:378
14 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:427
15 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
16 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631
17 xul.dll NS_ProcessPendingEvents_P obj-firefox/xpcom/build/nsThreadUtils.cpp:195
18 xul.dll nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:130
19 xul.dll nsAppShell::EventWindowProc widget/src/windows/nsAppShell.cpp:114
20 user32.dll InternalCallWinProc
This looks suspiciously like a use-after-free bug. That said, you shouldn't have been able to press "Browse" a second time while the first dialog was open. Another issue here is that we're throwing the native file picker from the content process. Is that intended? I would have thought not. Definitely not the right long-term solution.
Hmm, we have machinery that remotes the file picker on other platforms, at least.
Crash Signature: [@ `anonymous namespace''::SizePair::operator=(A0x66849974::SizePair const&) ]
Not going to worry about this anymore.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME