Closed Bug 116918 Opened 23 years ago Closed 23 years ago

onFocus/onBlur crashes browser

Categories

(Core :: DOM: Events, defect)

x86
Windows 98
defect
Not set
critical

VERIFIED DUPLICATE of bug 77271

People

(Reporter: philarete, Assigned: joki)

Details

(Keywords: crash, Whiteboard: [INF-REC])

Attachments

(2 files)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.7) Gecko/20011221
BuildID:    2001122106

The following HTML fragment will crash every version of Mozilla I've tried on
Win32. (Haven't tried other platforms.)

<html>
<body onLoad="document.form1.field1.focus()">
<form name="form1">
<input type="text" name="field1" onFocus="document.form1.field1.select()"
onBlur="document.form1.field2.focus()">
<input type="text" name="field2" onFocus="document.form1.field2.select()">
</form>
</body>
</html>

Reproducible: Always
Steps to Reproduce:
1. Attempt to load given HTML fragment.

Actual Results:  Browser crashes.

Expected Results:  Browser does not crash.
Confirming Build ID 2001122408, Win 98, TB909866W
stephend, could you get the stack?  TB909866W
Attached file The accused HTML
I see this on Windows 98 2001122606-trunk. Oddly, I have no problems when it is
loaded from the local filesystem.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
cfm: build 2001122106 (moz 0.9.7), w2k, TB926000G

This is perhaps a dup of bug 65581.
ksosez means -> threading
Assignee: asa → rpotts
Component: Browser-General → Threading
QA Contact: doronr → rpotts
I doubt our puny threading code is responsible for this. :-)

Sending off to DOM Events.
Assignee: rpotts → joki
Component: Threading → DOM Events
QA Contact: rpotts → vladimire
The problem seems to be a recursive infinite loop that blows the stack:

nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x040fbea8, nsIPresContext * 0x040c1448, nsIContent * 0x0414ac40) line 3533
nsEventStateManager::SetContentState(nsEventStateManager * const 0x040fbeb0, nsIContent * 0x0414ac40, int 2) line 3311
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x0414ac6c) line 848
XPTC_InvokeByIndex(nsISupports * 0x0414ac6c, unsigned int 91, unsigned int 0, nsXPTCVariant * 0x00037774) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2009 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03c3e680, JSObject * 0x03d88fc8, unsigned int 0, long * 0x0413c504, long * 0x00037a48) line 1266 + 14 bytes
js_Invoke(JSContext * 0x03c3e680, unsigned int 0, unsigned int 0) line 832 + 23 bytes
js_Interpret(JSContext * 0x03c3e680, long * 0x00038838) line 2798 + 15 bytes
js_Invoke(JSContext * 0x03c3e680, unsigned int 1, unsigned int 2) line 849 + 13 bytes
js_InternalInvoke(JSContext * 0x03c3e680, JSObject * 0x03d88fc8, long 64524272, unsigned int 0, unsigned int 1, long * 0x00038aa8, long * 0x00038960) line 924 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03c3e680, JSObject * 0x03d88fc8, long 64524272, unsigned int 1, long * 0x00038aa8, long * 0x00038960) line 3405 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x03b81a98, void * 0x03d88fc8, void * 0x03d88ff0, unsigned int 1, void * 0x00038aa8, int * 0x00038aac, int 0) line 1011 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0414af38, nsIDOMEvent * 0x041c7608) line 180 + 77 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0414aff8, nsIDOMEvent * 0x041c7608, nsIDOMEventTarget * 0x041c7af0, unsigned int 1, unsigned int 7) line 1205 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0414aed0, nsIPresContext * 0x040c1448, nsEvent * 0x0003970c, nsIDOMEvent * * 0x000392c4, nsIDOMEventTarget * 0x041c7af0, unsigned int 7, nsEventStatus * 0x00039738) line 1722 + 36 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0414ac40, nsIPresContext * 0x040c1448, nsEvent * 0x0003970c, nsIDOMEvent * * 0x000392c4, unsigned int 1, nsEventStatus * 0x00039738) line 1648
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0414ac40, nsIPresContext * 0x040c1448, nsEvent * 0x0003970c, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x00039738) line 1147 + 29 bytes
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x040fbea8, nsIPresContext * 0x040c1448, nsIContent * 0x0414ac40) line 3615
nsEventStateManager::SetContentState(nsEventStateManager * const 0x040fbeb0, nsIContent * 0x0414ac40, int 2) line 3311

and so forth
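
The cycle visible in the trace above (focus event → onFocus handler → select() → focus event on the same element), as an added C++ model that is not Gecko code and not part of the original bug comments. `Input`, `FocusManager`, `RunReproducer` and the depth cap are hypothetical names and values, and the guard shown is one way to break the cycle, not the fix that landed for this bug.

```cpp
#include <functional>
#include <stdexcept>

// Simplified model with hypothetical names; not Gecko code.
struct Input {
    std::function<void()> onFocus;  // script-supplied handler
};

class FocusManager {
public:
    explicit FocusManager(bool guarded) : guarded_(guarded) {}

    // Models SetContentState(FOCUS) -> SendFocusBlur -> HandleDOMEvent.
    void SetFocus(Input* el) {
        // Guard: focusing the already-focused element changes no state,
        // so no focus event is dispatched and script cannot re-enter.
        if (guarded_ && el == focused_) return;
        focused_ = el;  // commit state before running untrusted script
        DepthScope scope(depth_);
        if (depth_ > kMaxDepth)  // stand-in for native stack exhaustion
            throw std::runtime_error("focus dispatch recursion limit");
        ++dispatched_;
        if (el->onFocus) el->onFocus();
    }
    // Models nsHTMLInputElement::Select(), which re-enters the focus path.
    void Select(Input* el) { SetFocus(el); }
    int dispatched() const { return dispatched_; }

private:
    struct DepthScope {  // keeps the depth counter correct on unwind
        int& d;
        explicit DepthScope(int& x) : d(x) { ++d; }
        ~DepthScope() { --d; }
    };
    static constexpr int kMaxDepth = 1000;  // constructed limit
    Input* focused_ = nullptr;
    int depth_ = 0, dispatched_ = 0;
    bool guarded_;
};

// Returns focus events dispatched, or -1 if the recursion limit was hit.
int RunReproducer(bool guarded) {
    FocusManager fm(guarded);
    Input field1;
    // Constructed from the report: onFocus="document.form1.field1.select()"
    field1.onFocus = [&] { fm.Select(&field1); };
    try { fm.SetFocus(&field1); } catch (const std::runtime_error&) { return -1; }
    return fm.dispatched();
}

int main() { return RunReproducer(true) == 1 ? 0 : 1; }
```
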
Bug 116206 comes to mind
dup'ing per joki@netscape.com

*** This bug has been marked as a duplicate of 77271 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Whiteboard: [INF-REC]
verifying
Status: RESOLVED → VERIFIED