Closed
Bug 53763
Opened 24 years ago
Closed 24 years ago
A crash occurs after closing event dialog and source has been replaced in frame. [@ nsEventStateManager::SendFocusBlur]
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P3)
Core
DOM: UI Events & Focus Handling
Tracking
()
VERIFIED
FIXED
People
(Reporter: chrispetersen, Assigned: hjtoi-bugzilla)
Details
(Keywords: crash, topcrash, Whiteboard: [rtm++][fixinhand])
Crash Data
Attachments
(4 files)
Build: 2000092208 Platforms: All Expected result: After closing the dialog, the source in the second frame should be replaced. No crash should occur. What I got: After second frame src is replace, a onblur dialog appears. Click OK in the dialog results in a crash. Steps to reproduce: 1) Load attached frameset test case. 2) The frameset consists of two col frames. 3) In the second column, select one of the list items in the select menu. This select menu has a onblur event assigned. 4) Click on the link in the first frame. 5) Two things happen here: The sorce is replaced in the second frame and a onblur event is processed. A alert dialog should appear. Click OK. 6) This should result in crash. Note:The key is to replace the content src in the second frame to reproduce this problem.
Reporter | ||
Comment 1•24 years ago
|
||
If just click in the first frame (but not on the link) , the dilaog will appear and can be closed without crashing. The source in the second frame must be replaced.
Reporter | ||
Comment 2•24 years ago
|
||
Reporter | ||
Comment 3•24 years ago
|
||
Reporter | ||
Comment 4•24 years ago
|
||
Call stack info under Win 98: Call Stack: (Signature = 0x40400000 669631f9) 0x40400000 PresShell::~PresShell [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 1268] PresShell::`scalar deleting destructor' nsTextInputListener::Release [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsGfxTextControlFrame2.cpp, line 225] nsCOMPtr_base::~nsCOMPtr_base [d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp, line 50] nsEventStateManager::SendFocusBlur [d:\builds\seamonkey\mozilla\layout\events\src\nsEventStateManager.cpp, line 2687] nsEventStateManager::SetContentState [d:\builds\seamonkey\mozilla\layout\events\src\nsEventStateManager.cpp, line 2484] nsGenericHTMLElement::HandleDOMEventForAnchors [d:\builds\seamonkey\mozilla\layout\html\content\src\nsGenericHTMLElement.cpp, line 1132] nsHTMLAreaElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLAreaElement.cpp, line 235] nsGenericDOMDataNode::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericDOMDataNode.cpp, line 790] nsCommentNode::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsCommentNode.cpp, line 383] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4262] PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4192] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 379] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 352] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 352] nsViewManager2::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 1429] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 68] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 618] nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 635] nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3813] ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4021] nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2910] nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 884] KERNEL32.DLL + 0x363b (0xbff7363b) KERNEL32.DLL + 0x242e7 (0xbff942e7) 0x00688b3e
Reporter | ||
Updated•24 years ago
|
Severity: normal → major
Comment 5•24 years ago
|
||
Comment 6•24 years ago
|
||
I also see assertions and occasional crashers using the same test case but putting the link and select in a standard document (no frames). The problem seems to be processing events on (ns)frames that have gone away. Should we kill the offending event? Add yet another Kung Fu Deathgrip (tm)? Passing this to the events gurus.
Assignee | ||
Comment 7•24 years ago
|
||
Nominating for RTM. Crash is bad, and we already have some ideas on how to fix it.
Keywords: rtm
Comment 8•24 years ago
|
||
Marking [rtm need info] and re-assigning to heikki. I agree that we should investigate this for rtm.
Whiteboard: [rtm need info]
Assignee | ||
Updated•24 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Updated•24 years ago
|
Severity: major → critical
Assignee | ||
Comment 10•24 years ago
|
||
This is a potential duplicate of bug 54868.
Assignee | ||
Comment 11•24 years ago
|
||
Well, this is not a dup after all. Have to see if the if we could use the same principle that fixes bug 54868, though...
Assignee | ||
Comment 12•24 years ago
|
||
Assignee | ||
Comment 13•24 years ago
|
||
The first proposed fix makes sure that presshell gets released before viewmanager, which will destroy stuff that presshell is accessing in its destructor. This fixes the crash. There is a problem, though. Using the frameset testcase, when you click the link in the left frame it should update the document in the right frame. It does, but there is a catch: the select element STAYS ON THE PAGE until you dismiss the alert dialog. So in effect, you have data from two pages visible at the same time even though only one page should be displayed. NN 4.2 does not replace the document in the right frame until the dialog is dismissed, after dismissal NN actually opens the right frame iin new window. IE does not replace the right frame at all, even though it displays the alert dialog. Robert, how is this possible, and can there be other adverse effects? joki, how could we know that the right frame was replaced and stop the blur event from bubbling after the user dismisses the alert? I believe this would be the other way to stop this crash.
Whiteboard: [rtm need info] → [rtm need info][fixinhand]
Assignee | ||
Comment 14•24 years ago
|
||
s/NN 4.2/NN 4.7/
Assignee | ||
Comment 15•24 years ago
|
||
Hmm, actually it appears that the new frame gets an incomplete paint. Try the frameset test, and when you have the dialog up you see there is the incorrect SELECT element in the right frame. Move some window over & out that area and you will see it is correctly repainted with background color. You will not see this weird effect if your new document to the right frame is "longer" than the previous document.
Assignee | ||
Comment 16•24 years ago
|
||
joki, any possible adverse effect that I am not doing anything extra to kill the blur event?
Assignee | ||
Comment 17•24 years ago
|
||
Does anyone know of a real site that causes this crash? Chris?
Reporter | ||
Comment 18•24 years ago
|
||
Actually, I don't have a commerical site that reproduces this problem. This bug was found when running our existing HTML tests in a frameset.
The same underlying problem was causing bugs in dynamic theme switching: frames --- and even the entire view manager --- were being destroyed in the view manager's event handler. I think the long-term solution is for the view manager to collect all potential target views and perform view->frame mapping over them all, then hand off the entire resulting list into nsPresShell. nsPresShell should then hand the list down into nsEventStateManager for frame->content translation, and only then do we actually process events. Thus if frames are destroyed or whatever, the events will still be correctly processed. I can't really help you with this workaround. I don't know much about nsPresShell. But I'm not surprised that weird stuff happens when the frame tree and view manager disappear halfway through handling an event.
Comment 20•24 years ago
|
||
I'm afraid, I'm going to have to rtm- this bug based on the feedback from Chris. Heikki, please keep this bug in mind. In case, QA report a ship stopper crash bug with the same track trace, we can check this fix in to the rtm branch. Please go ahead and check this fix into the trunk once you've gotten it reviewed according to Mozilla tree rules. Thanks!
Whiteboard: [rtm need info][fixinhand] → [rtm-][fixinhand]
Comment 21•24 years ago
|
||
At Heikki request, I'm just annotating this bug with the comment I added to related bug #54233. Just a clarification of the language here: the order of destruction is a requirement and is guaranteed by C++'s definition. See in particular section 6.6 Jump statements [stmt.jump], paragraph 2, which reads (in part) On exit from a scope (however accomplished), destructors (12.4) are called for all constructed objects with automatic storage duration (3.7.2) (named objects or temporaries) that are declared in that scope, in the reverse order of their declaration. [...] This is a promise. All compilers will destroy named variables local to a scope on exit from that scope in the reverse order or their declaration. This promise is similar to the promises about the order of destruction of member variables and of the elements of an array. So we _can_ rely on this to fix order dependent situations, and this is even a recommendation in the |nsCOMPtr| user guide. Quoting from paragraph 2 of the section "How do I ... |Release()| an |nsCOMPtr| before it goes out of scope?" You should note, though, that there is a small performance penalty for [|Release()|ing an |nsCOMPtr| by assigning |0| into it before destruction]. The |nsCOMPtr| will still exercize logic in its destructor to attempt to |Release()| the value it has at that time. The optimal solution is to arrange the lifetime of your |nsCOMPtr| to correspond to exactly how long you want to hold the reference. [followed by an example] So I designed it with this specific use in mind.
Assignee | ||
Comment 22•24 years ago
|
||
Nisheeth, I am seeing SendFocusBlur in talkback data, and I believe this is the bug. Search for "SendFocusBlur" in QuickFind and you will get 69 incidents (as of right now). Looking at the reports of what people were doing, it appears as they have this situation that they have a dialog up caused by some event, and by the time they submit the dialog the contents have been deleted -> crash. Most often this seems to happen when the password manager asks if you want to remember the password for this site. For example logging into http://my.netscape.com can cause crash (exactly the same situation as in pollmann's reduced test case). Talkback reports say they were trying to log into AOL, some forums and MSN pages.
Whiteboard: [rtm-][fixinhand] → [rtm need info][fixinhand]
Assignee | ||
Comment 23•24 years ago
|
||
Adding topcrash keyword since I found this in talkback, and it was also in the condensed summary posted to NS internal...
Keywords: topcrash
Assignee | ||
Comment 24•24 years ago
|
||
Linux does not have the paint problem.
Comment 25•24 years ago
|
||
Looks good to me. r:joki
Comment 26•24 years ago
|
||
adding [@ nsEventStateManager::SendFocusBlur] for topcrash tracking and here are some entries from talkback for this crash: nsEventStateManager::SendFocusBlur 1664fa4d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/events/src/nsEventSta teManager.cpp line 2732 Build: 2000101309 CrashDate: 2000-10-13 UptimeMinutes: 150 Total: 150 OS: Windows NT 4.0 build 1381 URL: Vewing Microsoft Page Comment: Vewing Microsoft Page Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19035711 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=19035711 nsEventStateManager::SendFocusBlur c013dc20 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/events/src/nsEventSta teManager.cpp line 2732 Build: 2000101309 CrashDate: 2000-10-13 UptimeMinutes: 6 Total: 157 OS: Windows NT 4.0 build 1381 URL: Vewing Microsoft Page Comment: Vewing Microsoft Page Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19036159 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=19036159 nsEventStateManager::SendFocusBlur 7c76592a http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/events/src/nsEventSta teManager.cpp line 2732 Build: 2000101509 CrashDate: 2000-10-15 UptimeMinutes: 1 Total: 1 OS: Windows 98 4.10 build 67766222 URL: http://aolmail.aol.com/ Comment: Attempting to access secure page. Detailed : http://climate/reports/incidenttemplate.cfm?bbid=19137049 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=19137049
Summary: A crash occurs after closing event dialog and source has been replaced in frame. → A crash occurs after closing event dialog and source has been replaced in frame. [@ nsEventStateManager::SendFocusBlur]
Comment 27•24 years ago
|
||
sr=vidur. By introducing the local reference to the view manager, we're guaranteeing that view manager/presshell destruction happens in the same order as in the common case, so the change seems reasonable and safe. A similar change was necessary in the presshell reflow event code. Post NS6, we should reconsider the current ownership model - this and the reflow event changes should be considered as short-term band-aids only.
Comment 29•24 years ago
|
||
PDT says rtm++, please land on branch ASAP.
Whiteboard: [rtm+][fixinhand] → [rtm++][fixinhand]
Assignee | ||
Comment 30•24 years ago
|
||
Fixed on branch & trunk.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 31•24 years ago
|
||
The paint problem is bug 57190.
Reporter | ||
Comment 32•24 years ago
|
||
Fixed on the Mac Oct 20th branch build. Need to test on Linux and Windows Oct 2O th builds.
Reporter | ||
Comment 33•24 years ago
|
||
Fixed in the Oct 20th Windows branch build.
Comment 34•24 years ago
|
||
Verified Fixed on Mozilla trunk builds linux 102708 RedHat 6.2 win32 102704 NT 4 mac 102708 Mac OS9 Also Verified on 10/27 branch bits on all 3 platforms Setting bug to Verified and removing vtrunk keyword
Status: RESOLVED → VERIFIED
Keywords: vtrunk
Updated•13 years ago
|
Crash Signature: [@ nsEventStateManager::SendFocusBlur]
Updated•5 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•