Closed
Bug 115969
Opened 23 years ago
Closed 23 years ago
Trunk, M097 crash after File->Exit; onunload calls window.open during shutdown [@ nsWindowSH::GetProperty]
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla0.9.8
People
(Reporter: jrgmorrison, Assigned: danm.moz)
References
()
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(1 obsolete file)
Hmm, I thought we had code that prevented us from opening windows once Shutdown had begun. Apparently not (although damn ... I had to look for a long time to find a non-porno site that did this so I could report this bug :-]). Steps to reproduce: 0) delete (or rename) cookies.txt, so you're a "new" user. 1) start browser; load http://www.cnn.com/ 2) click on the 'Sports' link in the upper left hand column (goes to http://sportsillustrated.cnn.com/) 3) click on the 'Hockey' link in the upper left hand column (goes to http://sportsillustrated.cnn.com/hockey/) 4) Do File->Exit Actual results: The browser window goes away on shutdown, but a popup ad begins to come up and then crashes. Crash is in line 2782, nsDOMClassInfo.cpp, although this should not be getting called, no? nsCOMPtr<nsIXPConnectWrappedNative> wrapper; sXPConnect->GetWrappedNativeOfJSObject(cx, JSVAL_TO_OBJECT(*vp), getter_AddRefs(wrapper)); with sXPConnect == 0x00000000 This crashes in a win2k trunk build, pulled ~7pm 12/18 (after the redness ended). I don't really know who should get this bug, but I'll take an initial guess at danm. nsWindowSH::GetProperty(nsWindowSH * const 0x01ae76f8, nsIXPConnectWrappedNative * 0x01b00028, JSContext * 0x02c194a0, JSObject * 0x01c57de8, long 0x00b25bdc, long * 0x0012f924, int * 0x0012f7cc) line 2786 + 17 bytes XPC_WN_Helper_GetProperty(JSContext * 0x00000001, JSObject * 0x01c57de8, long 0x00b25bdc, long * 0x0012f924) line 785 js_Interpret(JSContext * 0x02c194a0, long * 0x0012f9b0) line 2891 + 90 bytes js_Invoke(JSContext * 0x00000001, unsigned int 0x00000004, unsigned int 0x00000002) line 849 + 10 bytes nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x02e38a88, nsXPCWrappedJS * 0x04c33298, unsigned short 0x0003, const nsXPTMethodInfo * 0x0215f440, nsXPTCMiniVariant * 0x0012fc44) line 1216 + 16 bytes nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x02c33298, unsigned short 0x0003, const nsXPTMethodInfo * 0x0215f440, nsXPTCMiniVariant * 0x0012fc44) line 430 PrepareAndDispatch(nsXPTCStubBase * 0x0215f440, unsigned int 0x00000003, unsigned int * 0x0012fcfc, unsigned int * 0x0012fcec) line 115 + 18 bytes SharedStub() line 139 nsDocLoaderImpl::FireOnStateChange(nsDocLoaderImpl * const 0x01c58098, nsIWebProgress * 0x022cae84, nsIRequest * 0x0227ee40, int 0x00010010, unsigned int 0x804b0002) line 1110 nsDocLoaderImpl::doStopURLLoad(nsDocLoaderImpl * const 0x01c58098, nsIRequest * 0x0227ee40, unsigned int 0x804b0002) line 715 nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x022cae74, nsIRequest * 0x0227ee40, nsISupports * 0x00000000, unsigned int 0x804b0002) line 568 nsLoadGroup::RemoveRequest(nsLoadGroup * const 0x022cae74, nsIRequest * 0x00000000, nsISupports * 0x00000000, unsigned int 0x804b0002) line 525 + 13 bytes nsLoadGroup::Cancel(nsLoadGroup * const 0x00000001, unsigned int 0x804b0002) line 248 nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x00000000) line 293 + 14 bytes nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x00000001) line 289 nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x00000001) line 289 nsDocLoaderImpl::Destroy(nsDocLoaderImpl * const 0x00b55f20) line 412 nsDocLoaderImpl::~nsDocLoaderImpl(nsDocLoaderImpl * const 0x01c58098) line 184 nsDocLoaderImpl::`scalar deleting destructor'() + 8 bytes nsDocLoaderImpl::Release(nsDocLoaderImpl * const 0x00b55f20) line 206 + 40 bytes nsCOMPtr_base::assign_with_AddRef(nsCOMPtr_base * const 0x01c58098, nsISupports * 0x0032b050) line 74 PL_DHashTableEnumerate(PLDHashTable * 0x00000198, int (PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *)* 0x1002ab28 FreeServiceFactoryEntryEnumerate(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *), void * 0x00000000) line 601 + 15 bytes nsComponentManagerImpl::FreeServices(nsComponentManagerImpl * const 0x01c58098) line 1714 + 13 bytes NS_ShutdownXPCOM(nsIServiceManager * 0x00000000) line 553 main(int 0x00000001, char * * 0x00323c08) line 1605 WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x00133488, HINSTANCE__ * 0x00400000) line 1612 + 21 bytes MOZILLA! WinMainCRTStartup + 308 bytes
Reporter | ||
Comment 1•23 years ago
|
||
simpler test case http://jrgm/bugs/115969/window-onunload.html <html> <head> <script> function newWindow () { window.open('http://www.mozilla.org/'); } window.onunload = newWindow; </script> </head> <body> <p> do "File->Exit". Crashes? </p> </body> </html>
Comment 2•23 years ago
|
||
Hmm, what does 4x/IE do when you exit on a page with a onunload handler? Does it even call the onunload handler, or does it just prevent opening new windows? What about alert() n' other modal dialogs?
Not too surprisingly, this one shows up 49 times in the Trunk topcrash data for the last 10 days (on Win and Linux). Marking as topcrash.
Summary: crash after File->Exit; onunload calls window.open during shutdown → Trunk crash after File->Exit; onunload calls window.open during shutdown [@ nsWindowSH::GetProperty]
Reporter | ||
Comment 4•23 years ago
|
||
Huh? Really? This shows up as a top crash [wasn't me; I didn't submit any. Is this just people crashing for kicks based on this bug report, or is it real users stumbling into this (i.e., do the comments indicate any knowledge of this bug?)]. Anyways, to answer jst's question (at least for win32), nav4.x will successfully open the new window, closing the initial window but aborting the shutdown. For an alert fired onunload (http://jrgm/bugs/115969/alert-onunload.html), nav4.x will apparently refuse to show the alert and shutdown completes. Mozilla on the other hand, will show the alert, and not shutdown (no crash), leaving nothing but the alert showing on screen (original window is closed). Maybe amar can concoct the tests for other scenarios (what if multiple windows are open) and try them in 4.x/ie/moz for mac/linux too.
Porn sites and CNN, eh? Despite Nav4's terribly clever precedent, I say we should just turn off the ability to open new windows in an onunload handler. I can't think of a legitimate reason to allow that. As a user, if I said "close," damnit, you heard me. I'm attaching a patch to do this. Note this doesn't affect "save before closing?" dialogs, like Composer's, for instance. That happens before window shutdown has actually begun. This patch prevents a window that's already irreversibly deep in the throes of undergoing final dissolution from chucking new windows at you from beyond the grave. Seems like a win.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.8
Comment 7•23 years ago
|
||
Looks okay to me, so it's up to jst. You have my r=.
Comment 8•23 years ago
|
||
Hmm, from a code point of view, this looks fine, and I really do agree with you Dan, I can't see any reasons for alowing this other than abusive and annoying ones. I'll sr, but I would like to have more input from people on this before we land it, at least from Brendan, cc:ing.
Hardware: PC → All
Comment 9•23 years ago
|
||
I like simple, brute force and ignorance solutions. I haven't reviewed the patch closely, but I say "go for it". I have no idea whether you'll get sued by porn industry lawyers :-). I once received unsolicited, unauthenticated email from someone claiming to be a lawyer who seemed to be litigating against one or more porn-sites' onunload=>window.open daisy-chaining. More than that, deponent sayeth not! /be
Assignee | ||
Comment 10•23 years ago
|
||
You're trying to scare me. This patch came to me in a vision which also featured soaring eagles, a white buffalo, and a half-eaten submarine sandwich floating on a bed of pretzels. I understand nothing of this, other than the source is trustworthy and good. And it's in. No more hucking of new windows from beyond the grave. The world is a better place.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 11•23 years ago
|
||
ROFL :-)
Comment 12•23 years ago
|
||
Haven't seen this on the trunk since the fix. VERIFIED per talkback.
Status: RESOLVED → VERIFIED
Comment 13•23 years ago
|
||
Adding M097 to summary for future reference, this *was* a topcrasher in Mozilla 0.9.7.
Summary: Trunk crash after File->Exit; onunload calls window.open during shutdown [@ nsWindowSH::GetProperty] → Trunk, M097 crash after File->Exit; onunload calls window.open during shutdown [@ nsWindowSH::GetProperty]
Assignee | ||
Comment 14•22 years ago
|
||
Comment on attachment 63327 [details] [diff] [review] disallow a window being destroyed from opening new windows this patch has been backed out, replaced by a better patch in bug 130719.
Attachment #63327 -
Attachment is obsolete: true
Updated•13 years ago
|
Crash Signature: [@ nsWindowSH::GetProperty]
You need to log in
before you can comment on or make changes to this bug.
Description
•