Bugzilla@Mozilla – Bug 501900
Crash [@ LazyGeneratePopupDone] with openPopup() and DOMAttrModified event handler removing window
Last modified: 2009-09-13 12:52:39 PDT
Summon comment box
Created attachment 386468 [details] zipped up testcase See zipped up testcase. To reproduce, open the file named 'Kopie van parentframe.htm'. After opening Mozilla crashes within 400ms. It also crashes in Firefox 3. http://crash-stats.mozilla.com/report/index/fb9fbb8f-537a-4a37-b9e6-f557b2090701?p=1 0 xul.dll LazyGeneratePopupDone layout/xul/base/src/nsMenuPopupFrame.cpp:578 1 xul.dll nsCSSFrameConstructor::LazyGenerateChildrenEvent::Run layout/base/nsCSSFrameConstructor.cpp:11773 2 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:527 3 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:170 4 xul.dll nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193 5 nspr4.dll PR_GetEnv 6 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:110 7 firefox.exe firefox.exe@0x21a7 8 kernel32.dll kernel32.dll@0x17076 Firefox 3 crash report (garbage, it seems): http://crash-stats.mozilla.com/report/index/04487184-afa9-4932-8327-18c352090701 0 @0x39e318f
Created attachment 386474 [details] [review] patch In this case we really want to use weak frame. re-getting the frame might cause callback to use an nsIFrame for which a different runnable has been dispatched.
Created attachment 386475 [details] [review] patch
For 1.9.1, we'll take this in 1.9.1.2.
http://hg.mozilla.org/mozilla-central/rev/9cee3c24b53e
So what, exactly, kills the frame here?
please request approval if this patch works for 1.9.1 and 1.9.0
(In reply to comment #5) > So what, exactly, kills the frame here? It goes something like observer getting onDOMAttrModified attr, and that eexutes the mutation listener, which removes the iframe and kills the layout objects of that document. Martijn's testcases are 'interesting' :)
Comment on attachment 386475 [details] [review] patch Approved for 1.9.1.3 and 1.9.0.14, a=dveditz
Checking in layout/base/nsCSSFrameConstructor.cpp; /cvsroot/mozilla/layout/base/nsCSSFrameConstructor.cpp,v <-- nsCSSFrameConstructor.cpp new revision: 1.1486; previous revision: 1.1485 done http://hg.mozilla.org/releases/mozilla-1.9.1/rev/049629a2fe9f
So you mean in this case mCallback does something to destroy frames?
Verified for 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). It no longer crashes. I verified that crash with 1.9.0.13 as well.
Verified for 1.9.1.3 also with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).