Closed
Bug 387632
Opened 17 years ago
Closed 17 years ago
Crash [@ nsFrame::Destroy] with removing window onfocus while setting display none on other window
Categories
(Core :: Layout, defect, P3)
Tracking
()
RESOLVED
FIXED
People
(Reporter: martijn.martijn, Assigned: cpearce)
References
Details
(Keywords: crash, testcase, Whiteboard: [dbaron-1.9:Rs])
Crash Data
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
See testcase, which crashes current trunk and branch builds on windowsXP after 200ms.
Because it crashes on branch, I'm marking it security sensitive for now.
The data url of the iframe is this:
<html><head></head>
<body onfocus="window.frameElement.parentNode.removeChild(window.frameElement);" onload="
window.frames[0].focus();
setTimeout(function(){
var x=document.getElementsByTagName('iframe')[0];
x.style.display = 'none';
}, 200);">
<iframe></iframe>
</body>
</html>
http://crash-stats.mozilla.com/report/index/1c9d904f-2f53-11dc-913d-001a4bd46e84
0 nsFrame::Destroy()
1 nsSubDocumentFrame::Destroy()
2 nsBlockFrame::DoRemoveFrame(nsIFrame *,int,int)
3 nsBlockFrame::RemoveFrame(nsIAtom *,nsIFrame *)
4 nsFrameManager::RemoveFrame(nsIFrame *,nsIAtom *,nsIFrame *)
5 nsCSSFrameConstructor::ContentRemoved(nsIContent *,nsIContent *,int,int)
6 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent *)
7 nsCSSFrameConstructor::RestyleElement(nsIContent *,nsIFrame *,nsChangeHint)
8 nsCSSFrameConstructor::ProcessOneRestyle(nsIContent *,nsReStyleHint,nsChangeHint)
9 nsCSSFrameConstructor::ProcessPendingRestyles()
Talkack ID: TB33920385K
|
Reporter | |
Updated•17 years ago
|
Flags: blocking1.9?
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
|
||
Comment 1•17 years ago
|
||
I can't reproduce this in trunk/linux.
|
|
||
Updated•17 years ago
|
Whiteboard: [dbaron-1.9:Rs]
Doesn't crash for me on trunk Mac debug. Windows only?
Priority: -- → P3
|
|
Reporter | |
Comment 3•17 years ago
|
||
Yeah, windows only, it still crashes in current trunk build.
|
Assignee | |
Comment 4•17 years ago
|
||
This crashes for me in [Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b2pre) Gecko/2007111313 Minefield/3.0b2pre], so it's not Windows only. OS -> All.
OS: Windows XP → All
|
||
Comment 5•17 years ago
|
||
Sounds like another case of triggering focus events while destroying frame tree.
This will probably be fixed by the patch in Bug 399852. (or could be fixed by the same strategy -- "defer focus events while in DeletingFrameSubtree()")
|
|
Assignee | |
Comment 6•17 years ago
|
||
(In reply to comment #5)
> Sounds like another case of triggering focus events while destroying frame
> tree.
>
> This will probably be fixed by the patch in Bug 399852. (or could be fixed by
> the same strategy -- "defer focus events while in DeletingFrameSubtree()")
>
Unfortunately not, the patch for bug 399852 doesn't fix this bug...
Assignee: nobody → chris
OS: All → Windows XP
|
|
Reporter | |
Comment 7•17 years ago
|
||
(In reply to comment #6)
> Unfortunately not, the patch for bug 399852 doesn't fix this bug...
Well, it is now worksforme, using today's trunk build, while it crashed with 2008-02-16 trunk build, so I think your latest patch did fix this bug too.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Crash Signature: [@ nsFrame::Destroy]
|
||
Comment 8•11 years ago
|
||
Can we open this bug now so we can land the test please?
Flags: needinfo?(dveditz)
|
||
Updated•11 years ago
|
Group: core-security
Flags: needinfo?(dveditz)
You need to log in
before you can comment on or make changes to this bug.
Description
•