Closed Bug 310508 Opened 19 years ago Closed 18 years ago

Calling method on another window crashes when the function uses XMLHttpRequest and alert() [@ js_FreeStack]

Categories

(Core :: DOM: Core & HTML, defect, P1)

RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: jst, Assigned: mrbkap)

Details

(Keywords: crash, fixed1.8.1, verified1.8.0.2, Whiteboard: [patch][rft-dl])

Attachments

(3 files, 1 obsolete file)

Not sure what's going on here, but I get a reproducible crash with the testcase
I'm about to attach. The testcase opens a new window and loads a page in it that
has a JS function in it that creates an XMLHttpRequest object and then calls
alert(), and that ends up crashing in JS_FreeStack() called from the window
watcher. The problem seems to be that the context passed to JS_FreeStack() has
been deleted...
Attached file Testcase. (obsolete)
This is the testcase. Load this, click "open", then "close" and the new window
should close after two alerts, but instead we crash either when closing the
first or second alert.
Attachment #197932 - Attachment is obsolete: true
Attached file Testcase
Right URL this time, I hope...
Note that I've only seen this in debug builds so far, 1.8 branch.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20050929
Firefox/1.4 ID:2005092922

I could only reproduce this once but never again: TB9890886W
Incident ID: 9890886 
Stack Signature js_FreeStack 799b5d0d 
Product ID Firefox15 
Build ID 2005092906 
Trigger Time 2005-09-30 03:28:55.0 
Platform Win32 
Operating System Windows NT 5.1 build 2600 
Module js3250.dll + (0001e1a2) 
URL visited https://bugzilla.mozilla.org/attachment.cgi?id=197933 
User Comments  
Since Last Crash 4111 sec 
Total Uptime 4111 sec 
Trigger Reason Access violation 
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 427
Stack Trace

js_FreeStack  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 427]
nsWindowWatcher::OpenWindowJS  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 565]
nsJSConsoleService::Open  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/jsconsole/src/nsJSConsoleService.cpp, line 71]
nsPromptService::Confirm  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 185]
nsPrompt::PromptUsernameAndPassword  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPrompt.cpp, line 325]
nsGlobalWindow::Alert  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 3234]
XPTC_InvokeByIndex  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2173]
XPC_WN_GetterSetter  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1422]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1163]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3468]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4017]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1406]
nsJSEventListener::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 134]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
DispatchToInterface  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 135]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2152]
nsHTMLInputElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1353]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6373]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6283]
nsEventStateManager::GenerateDragDropEnterExit  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2830]
nsEventStateManager::DoScrollText  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1797]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6443]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6134]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2536]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2217]
nsIView::CreateWidget  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 638]
nsWindow::DispatchWindowEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1277]
nsWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6010]
PromiseFlatString  [../../../dist/include/string/nsTPromiseFlatString.h, line 145]
nsWindow::DefaultWindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1456]
USER32.dll + 0x8709 (0x77d18709)
USER32.dll + 0x87eb (0x77d187eb)
USER32.dll + 0x89a5 (0x77d189a5)
USER32.dll + 0x89e8 (0x77d189e8)
nsAppShell::GetNativeEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 181]
nsAppStartup::Quit  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 164]
main  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Keywords: crash
Severity: normal → critical
Summary: Calling method on another window crashes when the function uses XMLHttpRequest and alert() → Calling method on another window crashes when the function uses XMLHttpRequest and alert() [@ js_FreeStack]
Blocks: 315254
talkback: TB11693607G may be this
is bug 314974 duplicate?
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Attached patch Potential fix
In the middle of displaying the dialog, our window is having SetDocShell(nsnull) called on it, causing it to destroy its script context. The window watcher needs to hold onto said script context until after it really is done with the context.
Attachment #212955 - Flags: review?(jst)
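
The lifetime problem described in the comment above, as an added C++ model that is neither the attached patch nor Mozilla code: a caller that only borrows the context loses it when SetDocShell(nsnull) runs while the modal dialog is open, whereas a caller that holds its own strong reference can still free the stack afterwards. ScriptContext, Window, ModalDialog, the OpenWindow* functions and RunScenario are hypothetical stand-ins, and std::shared_ptr stands in for the real reference counting.

```cpp
#include <cstddef>
#include <functional>
#include <memory>

// Hypothetical stand-in for a script context that owns an interpreter stack.
struct ScriptContext {
    int stackDepth = 0;
    void AllocStack() { ++stackDepth; }
    void FreeStack() { --stackDepth; }
};

// Hypothetical stand-in for a window that owns its script context.
struct Window {
    std::shared_ptr<ScriptContext> context = std::make_shared<ScriptContext>();
    // Models SetDocShell(nsnull): the window drops its script context.
    void SetDocShell(std::nullptr_t) { context.reset(); }
};

enum class Outcome { StackFreed, ContextDestroyedEarly };

// A modal dialog spins a nested event loop in which unrelated events can run.
using ModalDialog = std::function<void()>;

// Borrowing caller: keeps no reference of its own across the dialog. weak_ptr
// stands in for a raw pointer so the dead context is detected, not touched.
Outcome OpenWindowBorrowed(Window& w, const ModalDialog& dialog) {
    std::weak_ptr<ScriptContext> borrowed = w.context;
    w.context->AllocStack();
    dialog();
    if (auto cx = borrowed.lock()) { cx->FreeStack(); return Outcome::StackFreed; }
    return Outcome::ContextDestroyedEarly;  // a raw pointer would dangle here
}

// Holding caller: owns a strong reference until it is done with the context.
Outcome OpenWindowHeld(Window& w, const ModalDialog& dialog) {
    std::shared_ptr<ScriptContext> cx = w.context;
    cx->AllocStack();
    dialog();
    cx->FreeStack();  // safe: our reference kept the context alive
    return cx->stackDepth == 0 ? Outcome::StackFreed : Outcome::ContextDestroyedEarly;
}

// Constructed scenario: the window is torn down while the dialog is open.
Outcome RunScenario(bool holdReference) {
    Window w;
    ModalDialog teardown = [&w] { w.SetDocShell(nullptr); };
    return holdReference ? OpenWindowHeld(w, teardown) : OpenWindowBorrowed(w, teardown);
}

int main() { return RunScenario(true) == Outcome::StackFreed ? 0 : 1; }
```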
Comment on attachment 212955
Potential fix

r=jst
Attachment #212955 - Flags: review?(jst) → review+
Attachment #212955 - Flags: superreview?(bzbarsky)
Comment on attachment 212955
Potential fix

s/truely/truly/ please.
Attachment #212955 - Flags: superreview?(bzbarsky) → superreview+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 212955
Potential fix

I know that time is short for 1.8.0.2, but this does block blocker bug 315254. Do we want this on the 1.8.0 branch or should it wait for more trunk baking?
Attachment #212955 - Flags: approval1.8.0.2?
Attachment #212955 - Flags: approval-branch-1.8.1?(jst)
Comment on attachment 212955
Potential fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #212955 - Flags: approval1.8.0.2? → approval1.8.0.2+
Flags: blocking1.8.0.2+
Fix checked into the 1.8 branches.
Attachment #212955 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Whiteboard: [patch] → [patch][rft-dl]
Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, I don't crash with the testcase, but I am also not seeing the second alert after closing the first one ("foo"). I don't see anything in the JS console, so I'm wondering if the second part is executed at all:

var result_html = xmlhttp.responseText;
alert(result_html);

That would be bad, no?  Johnny is going to try to reproduce with today's 1.8.0 build as well.
v.fixed on 1.8.0 branch, no crash.  Second alert not popping up is expected behavior on Windows (more from mrbkap soon).
jst and I looked into this and we found that the script was actually continuing to execute as expected, however on Windows, the alert was simply failing to show, probably because it was a modal alert and it didn't have a parent to display on. Linux probably doesn't require a parent window for modal dialogs, so it was displaying the alert anyway.
Crash Signature: [@ js_FreeStack]
Component: DOM → DOM: Core & HTML