Comment 104 for bug 226470

In , Robert-bradbury (robert-bradbury) wrote:

I am confirming that the bug *still* exists in Firefox 3.0a7pre using CVS source dated 19 Jul 07. I managed to spring it by reopening (via Back) a gmail window. It looks like gmail may be managing more windows-within-windows as it threw up 6-8 untitled windows in quick succession as it attempted to redraw the entire gmail environment. In the past springing the bug in gmail usually only sprang 2-3 new untitled windows.

I will also confirm that it isn't a memory-use-by-the-current-Firefox problem (the 3.0a7pre version was only consuming about 30% of main memory). However, main memory was fully in use and a high (nice -19'ed) CPU load had been generated by starting a Gentoo package emerge sequence.

The problem clearly seems to be that a window delete (or redraw / resize?) operation is stuck in the glib events queue at the same time various processes are operating on the window. When the subsequent operations go to work on the deleted window, the errors (and new untitled windows) are the result.

It seems to me that this might present a security problem as one is depending on the integrity of the glib code to detect the fact that a window has been deleted and prevent operations on it -- if there are cases where it misses that situation the code (which might be foreign Javascript) could be copying things to/from random parts of memory (e.g. former window memory reallocated to contain form data such as CC #'s, SS #'s, etc).