Closed
Bug 135345
Opened 22 years ago
Closed 22 years ago
infinite recursion due to focus events (?) of form controls - Trunk crash [@ nsScriptSecurityManager::CheckPropertyAccessImpl][@ nsXULElement::HandleDOMEvent][@ XPCWrappedNative::FindTearOff][@ ntdll.dll]
Categories
(Core :: Layout: Form Controls, defect)
VERIFIED
FIXED
mozilla1.0
People
(Reporter: jrgmorrison, Assigned: joki)
Details
(Keywords: crash, testcase, topcrash+, Whiteboard: [adt2])
Attachments
(2 files, 1 obsolete file)
382 bytes, text/html
1.17 KB, patch (john: review+, jst: superreview+, asa: approval+)
Noted at the bottom of bug 135009. If my incident is the same problem, then http://www.prosavvy.com/members/affiliates/commissions/index.cfm crashes for me every time if anyone needs a testcase.

I'm not sure this is quite the same crash as bug 135009 so I'm filing a separate bug. But the testcase for that page is pretty simple. This sets off an infinite recursion.

<html>
<body>
<form name="frmlogin">
<input type="text" name="username" onfocus="frmlogin.username.select();" onblur="frmlogin.password.focus();">
<input type="password" name="password" onfocus="frmlogin.password.select();">
</form>
<script language="JavaScript">
document.frmlogin.username.focus();
</script>
</body>
</html>

Here is a fuller stack trace. Note the repeated lines (separated by blank lines) beginning about 40 lines down.

recursion stack trace from bug 135009. Look down ~40 lines to the blank line to see the actual repeated lines (arbitrarily broken at calls to nsHTMLInputElement::Select)

nsbeta1, (topcrash?)
Reporter | ||
Comment 1•22 years ago
|
||
Reporter | ||
Updated•22 years ago
|
Comment 2•22 years ago
|
||
*** This bug has been marked as a duplicate of 135194 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 3•22 years ago
|
||
I wouldn't be surprised if the crashes are connected in some way, but since they have clearly different stack traces, reopening this bug.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 4•22 years ago
|
||
Making topcrash+ and adding testcase keyword since the given url crashes every time.
Comment 5•22 years ago
|
||
Removing [@ nsEventListenerManager::HandleEvent] from summary... I crashed twice with jrgm's testcase, but both crashes showed different stack signatures (I'm guessing because of the stack overflow).
Summary: infinite recursion due to focus events (?) of form controls. - Trunk [@ nsEventListenerManager::HandleEvent] → infinite recursion due to focus events (?) of form controls.
Updated•22 years ago
|
Comment 6•22 years ago
|
||
Well, I just verified fixed bug 133669 (another recursion problem)...but both the url and testcase in this bug are still crashing for me. Here is what stack signatures I'm seeing from Talkback for each scenario I've tested:

WinNT build 2002040809 (testcase)-
5013125 2002-04-09 14:19:50 nsScriptSecurityManager::CheckPropertyAccessImpl 70663961 NetscapeMozillaTrunkWin322002040809
jrgm's testcase in bug 135345

WinNT build 2002040809 (url)-
5013255 2002-04-09 14:18:21 nsXULElement::HandleDOMEvent 0bcd2cdb NetscapeMozillaTrunkWin322002040809
bug 135345...still crashing at prosavvy.com

Win2K build 2002040809 (url)-
5013925 2002-04-09 14:41:11 ntdll.dll + 0x4b134 (0x77fcb134) d3d6f251 NetscapeMozillaTrunkWin322002040809
just went to url in bug 135345...seems to hang my computer until i clicked ctrl-alt-del...then i saw the windows error message...

Win2K build 2002040210 (testcase)-
4828235 2002-04-04 12:07:14 XPCWrappedNative::FindTearOff 1c9bd1d2 NetscapeMozillaTrunkWin322002040210
testcase hangs browser...after ctrl-alt-del i see the windows exception window and talkback comes up...

Adding all those stack signatures to the summary for tracking... I wonder if a similar fix that worked for bug 133669 can be applied here.
Summary: infinite recursion due to focus events (?) of form controls. → infinite recursion due to focus events (?) of form controls - Trunk crash [@ nsScriptSecurityManager::CheckPropertyAccessImpl][@ nsXULElement::HandleDOMEvent][@ XPCWrappedNative::FindTearOff][@ ntdll.dll]
Updated•22 years ago
|
Whiteboard: [adt2]
Reporter | ||
Comment 7•22 years ago
|
||
I'll note, as a general comment, that in this type of situation (a deep recursive stack trace), the actual point in the code that is at the top of the stack when the crash occurs is not really relevant. It just happens to be the lucky victim. (Although, I also note, that methods like nsGenericElement::HandleDOMEvent are more likely than other methods to show up at the top of stack. I.e., when the stack is nearing overflow, any routine that uses recursion, e.g., to bubble events, is more likely to blow out the stack than a method that does not use recursion).
Comment 8•22 years ago
|
||
OK, the specific recursion is that nsHTMLInputElement::Select() has to set focus before it can select the contents of the box. When it does that, the EventListenerManager doesn't seem to be aware of whether the element is already focused in this case, and calls the onFocus event again, which calls Select, which sets focus to TRUE. (Sort of understandably, we have gone synchronously through three JavaScript functions to get to this point.) It's not my impression that the input element needs to know whether it is focused or not; I thought it just had to call the focus manager and tell it what to do. CC'ing joki, who may know what is going on better than I do. It is puzzling to me that this does *not* happen when you directly call password.focus() from the script, only when you get to it in a roundabout sort of way.
Reporter | ||
Comment 9•22 years ago
|
||
and really cc: joki, like jkeiser meant to do ;)
> CC'ing joki, who may know what is going on better than I do. It is puzzling
> to me that this does *not* happen when you directly call password.focus()
> from the script, only when you get to it in a roundabout sort of way.
Assignee | ||
Comment 10•22 years ago
|
||
You're right in theory, the content shouldn't need to know whether it is focused, but the focus code in nsEventStateManager (ESM) is pretty wacky. Between keeping the menu focus listeners and global focus objects and local focus objects in sync, it's hard to say which focus messages we can ignore and which we must process. Saari would know better than I, he wrote most of the focus code in the ESM. I know he also has plans to rewrite it at some point. So for the moment the easiest (and safest) fix is probably to have the content know about its focus state. I'm attaching a simple patch which does that. The better long-term fix is certainly in the ESM but given the fragility of the code making any changes to the ESM focus code is fairly high risk.

By the way, this fixes the crash but still doesn't make that particular piece of script work exactly as expected. Calling focus() within an onblur handler is something that doesn't really work in mozilla. Hopefully focus changes in the future might fix that.
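The cycle described in comment 8 and the content-side workaround described in comment 10, reduced to a toy model. This is an added example, not the attached patch and not Gecko code: FocusManager, InputElement, RunScenario and the cap kDepthLimit are hypothetical names, and the model assumes focus dispatch is always synchronous and unconditional.

```cpp
// Added illustration: a toy model of the focus/select cycle, not Gecko code.
#include <cstdio>
#include <functional>

// Constructed cap standing in for the native stack limit, so the model
// terminates instead of overflowing the stack.
constexpr int kDepthLimit = 1000;

struct InputElement;

// Stand-in for the event state manager. Assumption of this model: setting
// focus always dispatches a focus event, even if the element has focus.
struct FocusManager {
    InputElement* focused = nullptr;
    int depth = 0;        // current nesting of focus dispatch
    int maxDepth = 0;     // deepest nesting reached
    bool hitLimit = false;

    void SetFocus(InputElement& el);
};

struct InputElement {
    FocusManager& fm;
    bool checksOwnFocus;  // true models the workaround: content knows its focus state
    int focusHandlerRuns = 0;
    bool selected = false;
    std::function<void(InputElement&)> onfocus;

    InputElement(FocusManager& m, bool guard) : fm(m), checksOwnFocus(guard) {}

    // select() has to focus the control before it can select its contents.
    void Select() {
        bool alreadyFocused = (fm.focused == this);
        if (!(checksOwnFocus && alreadyFocused)) {
            fm.SetFocus(*this);  // unguarded: re-enters the focus handler
        }
        selected = true;
    }
};

void FocusManager::SetFocus(InputElement& el) {
    if (depth >= kDepthLimit) {  // a real browser would run out of stack here
        hitLimit = true;
        return;
    }
    ++depth;
    if (depth > maxDepth) maxDepth = depth;
    focused = &el;
    if (el.onfocus) {
        ++el.focusHandlerRuns;
        el.onfocus(el);          // synchronous: the handler runs on this stack
    }
    --depth;
}

struct Result { int handlerRuns; int maxDepth; bool hitLimit; };

// Models an input whose onfocus handler calls select() on itself, followed
// by a script call to focus().
Result RunScenario(bool contentChecksFocus) {
    FocusManager fm;
    InputElement input(fm, contentChecksFocus);
    input.onfocus = [](InputElement& self) { self.Select(); };
    fm.SetFocus(input);
    return {input.focusHandlerRuns, fm.maxDepth, fm.hitLimit};
}

int main() {
    Result before = RunScenario(false);
    Result after = RunScenario(true);
    std::printf("unguarded: handler runs=%d depth=%d hitLimit=%d\n",
                before.handlerRuns, before.maxDepth, (int)before.hitLimit);
    std::printf("guarded:   handler runs=%d depth=%d hitLimit=%d\n",
                after.handlerRuns, after.maxDepth, (int)after.hitLimit);
    return 0;
}
```

Putting the same check at the top of the manager's SetFocus instead would model the broader variant asked about in comment 15.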
Comment 11•22 years ago
|
||
Comment on attachment 79185
Possible patch

r=jkeiser, but could you put an XXX comment in there explaining that this is a workaround until ESM is fixed? I don't want myself (or others) to look at that and think that everything that does focus is *supposed* to check its state. Thanks much!
Attachment #79185 -
Flags: review+
Comment 12•22 years ago
|
||
Giving to joki since it's his fix.
Assignee: jkeiser → joki
Status: REOPENED → NEW
Assignee | ||
Comment 13•22 years ago
|
||
For the sake of completeness, updated patch with comment.
Attachment #79185 -
Attachment is obsolete: true
Comment 14•22 years ago
|
||
Comment on attachment 79309
Updated patch

sr=jst
Attachment #79309 -
Flags: superreview+
Updated•22 years ago
|
Attachment #79309 -
Flags: review+
Comment 15•22 years ago
|
||
Joki, is there a reason this can't be done at the beginning of SetContentState() itself? It seems like that's the simplest and broadest solution to the many infinite recursions I have seen over the last few months. This patch is still fine, just curiosity speaking.
Assignee | ||
Comment 16•22 years ago
|
||
Mostly just the fact that the focus code inside the ESM updates multiple state variables and I (and Saari) are concerned that the seemingly excessive focus calls might be necessary to keep activation/deactivation state or cross window focus in sync. It's slightly paranoia, I haven't actually tested to see if it would break there, but the focus system is notoriously delicate. Saari agrees that it shouldn't be necessary for content to check its own focus state but also thinks this is the safest patch for the moment.
Assignee | ||
Comment 17•22 years ago
|
||
Fixed on trunk. Marking fixed and adding adt1.0.0 to nominate for branch inclusion.
Comment 18•22 years ago
|
||
Pls update the bug, when testing has been completed on the trunk.
Comment 19•22 years ago
|
||
Comment on attachment 79309
Updated patch

a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #79309 -
Flags: approval+
Comment 21•22 years ago
|
||
Changing QA contact to Terri Preston. Terri please verify this bug
Comment 22•22 years ago
|
||
This is fixed on trunk build win 2k build 2002041603
Status: RESOLVED → VERIFIED
Comment 23•22 years ago
|
||
adding adt1.0.0+ on behalf of the adt. Please check this into the branch as soon as possible and add the fixed1.0.0 keyword.
Comment 25•22 years ago
|
||
Verified fixed win 2k branch build 2002052208
Keywords: fixed1.0.0 → verified1.0.0
Comment 26•15 years ago
|
||
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ nsScriptSecurityManager::CheckPropertyAccessImpl]
[@ nsXULElement::HandleDOMEvent]
[@ XPCWrappedNative::FindTearOff]
[@ ntdll.dll]