Closed
Bug 125624
Opened 23 years ago
Closed 23 years ago
Trunk crash closing a window via jscript [@ nsHTMLInputElement::HandleDOMEvent]
Categories
(Core :: DOM: Events, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: jay, Assigned: joki)
References
Details
(4 keywords)
Crash Data
Attachments
(6 files)
|
409 bytes,
text/html
|
Details | |
|
797 bytes,
patch
|
john
:
review+
jst
:
superreview+
shaver
:
approval+
|
Details | Diff | Splinter Review |
|
8.59 KB,
text/plain
|
Details | |
|
890 bytes,
patch
|
john
:
review+
|
Details | Diff | Splinter Review |
|
2.04 KB,
patch
|
john
:
review+
|
Details | Diff | Splinter Review |
|
3.04 KB,
patch
|
shaver
:
review+
jst
:
superreview+
shaver
:
approval+
|
Details | Diff | Splinter Review |
There have been quite a few of these crashes on recent MozillaTrunk builds with
Windows and Linux. Here's the latest from Talkback:
Count Offset Real Signature
[ 9 nsHTMLInputElement::HandleDOMEvent 51234b34 -
nsHTMLInputElement::HandleDOMEvent ]
[ 8 nsHTMLInputElement::HandleDOMEvent ad348f3b -
nsHTMLInputElement::HandleDOMEvent ]
[ 6 nsHTMLInputElement::HandleDOMEvent f26d80c9 -
nsHTMLInputElement::HandleDOMEvent ]
[ 5 nsHTMLInputElement::HandleDOMEvent dedec8ff -
nsHTMLInputElement::HandleDOMEvent ]
[ 5 nsHTMLInputElement::HandleDOMEvent 29adf9ff -
nsHTMLInputElement::HandleDOMEvent ]
[ 4 nsHTMLInputElement::HandleDOMEvent a0ce02d8 -
nsHTMLInputElement::HandleDOMEvent ]
Crash date range: 2002-02-09 to 2002-02-13
Min/Max Seconds since last crash: 96 - 98712
Min/Max Runtime: 528 - 122359
Keyword List : attach(4), button(5), mail(8), netscape(4), yahoo(4),
Count Platform List
13 Windows NT 5.0 build 2195
8 Windows 98 4.10 build 67766446
6 Windows 98 4.10 build 67766222
5 Windows NT 5.1 build 2600
5 Windows NT 4.0 build 1381
Count Build Id List
37 2002020911
No of Unique Users 26
Stack trace(Frame)
nsHTMLInputElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp
line 1380]
PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6002]
PresShell::HandleEventWithTarget
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5970]
nsEventStateManager::CheckForAndDispatchClick
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp line 2464]
nsEventStateManager::PostHandleEvent
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp line 1546]
PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6023]
PresShell::HandleEvent
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 5925]
nsView::HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 390]
nsView::HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 347]
nsView::HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 347]
nsViewManager::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp line 1900]
HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 83]
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 854]
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 871]
nsWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4537]
ChildWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4787]
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 3463]
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 1116]
USER32.DLL + 0x1b60 (0x77e11b60)
USER32.DLL + 0x1cca (0x77e11cca)
USER32.DLL + 0x83f1 (0x77e183f1)
nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 308]
main1
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1301]
main
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1628]
WinMain
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1646]
WinMainCRTStartup()
KERNEL32.DLL + 0xd326 (0x77e8d326)
(2880520) Comments: javascript popup with two frames and hit close button
windows.close() this always happens
(2862422) Comments: Preparing to send an attachment within Yahoo mail.
(2834225) Comments: closing javascript opened window
(2833037) Comments: tried to "save a draft' in netscape mail
(2810383) URL: www.adamant.com
(2810383) Comments: closing a window via jscript (clicked a 'close' form button)
(2794178) Comments: i had just sent an email from netscape webmail it involved
multiple calls to the address book
(2791313) Comments: sending mail from Netscape mail
(2788863) URL: domaindirect.com
(2788863) Comments: Clicking on a "close window/webbrowser" button at the end of a
site registration.
(2783963) URL: www.mapblast.com
(2783963) Comments: Closed "Customize" map window
(2782906) URL: www.startour.no
(2782906) Comments: I was printing from this page
(2782193) URL: www.biostar.com.tw
(2782193) Comments: Closed pop-up window under support
(2780354) URL: http://www.firinsquad.com
(2780354) Comments: Tried to close a windows using the 'close this windows' button.
Failed.
(2777016) URL: www.iht.com
(2771342) Comments: closing an javascript created window with the javascript close
window button
(2755653) Comments: crashes when clicking close on mail attachments window at yahoo
(2755367) Comments: crashed when clicking 'done' on attachments window at yahoo mail
(2755093) Comments: wouldnt do attachment to yahoo mail..crashed when closing
attachment window
(2730546) URL: www.retirementpassport.com/0304
(2730546) Comments: Looks like Mozilla is totally useless for me on this site now :o(
(2730497) URL: www.retirementpassport.com/0304
(2730497) Comments: I tried to log in by typing my SS# and password when Mozilla died.
Here is the details from windows:MOZILLA caused an invalid page fault inmodule
GKCONTENT.DLL at 015f:016d4841.Registers:EAX=00000000 CS=015f EIP=016d4841
EFLGS=00010246
(2730497) Comments: EBX=00000000 SS=0167 ESP=0064f50c EBP=0064f604ECX=029960e0 DS=0167
ESI=0064f6c0 FS=10b7EDX=0064f620 ES=0167 EDI=02994e60 GS=0000Bytes at CS:EIP:8b
08 8d 55 84 53 52 50 ff 91 fc 00 00 00 8d 4d Stack dump:029960e0 00000001
0064f620 00000000
(2730497) Comments: 021a79b0 0064f6c0 0064f678 603ceb10 610369f9 610369f9 021a79b0
603cec69 021a1860 00000003 0064f550 0000000a
(2726701) URL: http://www.darkhorizons.com
(2726701) Comments: sending mail from netscape.com
====================================================================================================
Count Offset Real Signature
[ 7 nsHTMLInputElement::HandleDOMEvent() a44ef39d -
nsHTMLInputElement::HandleDOMEvent() ]
Crash date range: 2002-02-09 to 2002-02-12
Min/Max Seconds since last crash: 70 - 13140
Min/Max Runtime: 285 - 14388
Keyword List :
Count Platform List
6 Linux 2.4.8-26mdk
1 Linux 2.4.17
Count Build Id List
4 2002021006
3 2002020921
No of Unique Users 5
Stack trace(Frame)
nsHTMLInputElement::HandleDOMEvent()
PresShell::HandleEventInternal()
PresShell::HandleEventWithTarget()
nsEventStateManager::CheckForAndDispatchClick()
nsEventStateManager::PostHandleEvent()
PresShell::HandleEventInternal()
PresShell::HandleEvent()
nsView::HandleEvent()
nsView::HandleEvent()
nsView::HandleEvent()
nsViewManager::DispatchEvent()
HandleEvent()
nsWidget::DispatchEvent()
nsWidget::DispatchWindowEvent()
nsWidget::DispatchMouseEvent()
nsWidget::OnButtonReleaseSignal()
nsWindow::HandleGDKEvent()
dispatch_superwin_event()
handle_gdk_event()
(2813536) URL: http://www.tgsoft.fr/plan_ni.htm
(2813536) Comments: Mozilla crashed while pressing the 'fermer' button (which means
close in French)
(2760133) Comments: Replicated problem from the last build I tested: just clicked the
'close' button in an Outlook Web access email and it crashed.
(2733379) Comments: click on an html/javascript generated botton to close an email in
the Web Outlook application(the Microsoft Web Outlook thing...)
|
Reporter | |
Comment 1•23 years ago
|
||
adding crash, topcrash keywords...and qawanted to see if we can get a solid
reproducible testcase.
|
||
Comment 2•23 years ago
|
||
Tried to reproduce on 2002-02-15-03-trunk on Windows 98 and did not see the crash...
|
|
Reporter | |
Comment 3•23 years ago
|
||
I was able to reproduce this on my WinNT machine with MozillaTrunk build
2002021803. Here's what I did:
1. goto www.swissair.com
2. click on Select other Airports (under the Arrivals and Departures section)
3. click on the Cities link (in the Request by time, flight or from/to city section)
4. a popup window will allow you to select a city...pick one and click the
from/to city button to close the window.
5. as soon as the window closes...boom!
Adding testcase keyword since I have been able to reproduce this with the steps
above. Here's my incident:
Incident ID 3155283
Stack Signature nsHTMLInputElement::HandleDOMEvent 61cb6db4
Trigger Time 2002-02-20 10:43:00
Email Address jpatel@netscape.com
URL visited www.swissair.com
Build ID 2002021809
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
User Comments tried to pick destinatino city in js popup window...crashed after
selecting city and closing window
Stack Trace
nsHTMLInputElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLInputElement.cpp,
line 1385]
PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6005]
PresShell::HandleEventWithTarget
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5973]
nsEventStateManager::CheckForAndDispatchClick
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp, line 2465]
nsEventStateManager::PostHandleEvent
[d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp, line 1547]
PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6026]
PresShell::HandleEvent
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5928]
nsViewManager::HandleEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 2010]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 301]
nsViewManager::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1849]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 83]
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 858]
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 875]
nsWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4579]
ChildWindow::DispatchMouseEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 4829]
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3504]
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 1120]
USER32.dll + 0x1820 (0x77e71820)
|
||
Comment 5•23 years ago
|
||
jkeiser or jst, any idea on this one? maybe one of the things we're dealing with
(presShell perhaps) when handling the click event is already gone because the
window is closed?
|
|
||
Comment 6•23 years ago
|
||
*** Bug 127971 has been marked as a duplicate of this bug. ***
|
||
Updated•23 years ago
|
|
||
Comment 7•23 years ago
|
||
The text link and checkbox close the window properly. The button crashes
|
|
||
Comment 8•23 years ago
|
||
hackish patch
|
|
||
Comment 9•23 years ago
|
||
Mozilla crashes in nsHTMLInputElement.cpp because presShell is null.
It would probably be better to catch this earlier...
|
|
||
Comment 10•23 years ago
|
||
build 20020207 did not have this bug, but 20020209 does.
|
|
||
Comment 11•23 years ago
|
||
More specifically, the regression occured between builds 2002020722 and 2002020821
|
|
Reporter | |
Comment 12•23 years ago
|
||
*** Bug 128625 has been marked as a duplicate of this bug. ***
|
||
Updated•23 years ago
|
Target Milestone: --- → mozilla1.0
|
|
||
Comment 13•23 years ago
|
||
this regression occured as a result of the patch for bug 124298
|
|
||
Comment 14•23 years ago
|
||
could someone review the patch here? it seems no less hackish than the behavior
before 124298. It would be good to get this in for 0.9.9
|
||
Comment 15•23 years ago
|
||
Comment on attachment 72190 [details] [diff] [review]
patch
erm, I want to know why pres shell is null. r=jkeiser for 0.9.9, but please
don't check in on 1.0 (I would rather we find the One True Cause here).
If we don't find the final cause shortly before 1.0 freezes (I know we're
busy), we can check it in on trunk and just open a new bug to find out why pres
shell is null..
Attachment #72190 -
Flags: review+
|
|
||
Comment 16•23 years ago
|
||
when nsHTMLInputElement::HandleDOMEvent is called, mShell is valid.
at line nsHTMLInputElement.cpp:1216,
nsGenericHTMLLeafFormElement::HandleDOMEvent is called, which handles the
onClick part of the submit button. In this case, it closes the window and
calls the destructor for aPresContext, nuking mShell.
when we get down to line 1392 to actually submit the form, mShell is already
gone => crash
the following modified testcase works fine (without the patch):
<form action="Javascript:window.close();">
<input type="submit" onClick="alert('still here');">
</form>
the alert dialog is displayed first, and then the window closes.
|
||
Comment 17•23 years ago
|
||
Do we need some kungFuDeathGrip love here to make sure mShell is accessable
after the window has been torn down, or is there something else we can do?
This stack shows what's going on a little better, I think. The
|nsPresContext|s and |PresShell|s that were destroyed were associated with the
outer XUL window, not with the HTML document being viewed inside of it. The
|nsPresContext| from which we couldn't get a pres shell is the one associated
with the HTML document. Neither than pres context nor its pres shell have been
deleted. However, PresShell::Destroy has been called, and that calls
|nsPresContext::SetShell|.
So this may be the correct solution -- do we really want to be passing an event
to a pres shell that's no longer displaying a document? Or should we be
passing the event to the pres shell earlier?
|
|
||
Comment 19•23 years ago
|
||
Comment on attachment 72190 [details] [diff] [review]
patch
sr=jst
Attachment #72190 -
Flags: superreview+
|
|
||
Comment 20•23 years ago
|
||
Oh, but please split that if check and the statement onto separate lines.
For the record, to clarify my comment 18: I think attachment 72190 [details] [diff] [review] is probably
the right patch, since the only alternatives I can think of are both somewhat
scary: changing the order that things are done, which is probably also
incorrect, or passing an event to a dead pres shell, which also seems pointless.
|
||
Comment 22•23 years ago
|
||
Comment on attachment 72190 [details] [diff] [review]
patch
a=shaver for 0.9.9 branch and 1.0 trunk.
Attachment #72190 -
Flags: approval+
|
|
||
Comment 23•23 years ago
|
||
diff against newer source and split the line.
|
|
||
Comment 24•23 years ago
|
||
Comment on attachment 73358 [details] [diff] [review]
patch v2
Yes, I agree. We just shouldn't be sending the events. I'm OK with 0.9.9 and
trunk also.
This also to be fixed in nsHTMLButtonElement.cpp. We could file a separate
bug, but that seems silly.
(If you make another patch, could you also do if(presShell) outside the form
QI?)
r=jkeiser for 0.9.9 *and* trunk.
Attachment #73358 -
Flags: review+
|
|
||
Comment 25•23 years ago
|
||
fix input and button elements, move form QI inside if(presShell)
|
|
||
Comment 26•23 years ago
|
||
Comment on attachment 73365 [details] [diff] [review]
patch v3
yessss, my precioussss
r=jkeiser for 0.9.9 and trunk
Attachment #73365 -
Flags: review+
|
|
||
Comment 27•23 years ago
|
||
*** Bug 129207 has been marked as a duplicate of this bug. ***
It might also be worth a comment like:
// If |nsIPresShell::Destroy| has been called due to handling the event,
// the pres context will return a null pres shell. See bug 125624.
|
|
||
Comment 29•23 years ago
|
||
add comment after calling HandleDOMEvent
|
|
||
Comment 30•23 years ago
|
||
Comment on attachment 73391 [details] [diff] [review]
patch v4
sr=jst
Attachment #73391 -
Flags: superreview+
|
|
||
Comment 31•23 years ago
|
||
Comment on attachment 73391 [details] [diff] [review]
patch v4
Porting review forward and reapproving for 0.9.9 branch and 1.0 trunk;
a=shaver.
Attachment #73391 -
Flags: review+
Attachment #73391 -
Flags: approval+
Fix checked in
* to trunk, 2002-03-09 17:09 PST, and
* to MOZILLA_0_9_9_BRANCH, 2002-03-09 17:11 PST.
Marking as fixed. Thanks for the patch.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
||
Comment 33•23 years ago
|
||
Well the crash is fixed, however, it still doesnt work with the url that i
posted in 129207 (marked as dupe for this bug). ->
http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_871_2336,00.html
-> click on "Microsoft Windows® 2000 Patch for AGP Applications" & accept the
agreement. You should be redirected to
http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_871_2367,00.html
but mozilla redirects to
http://www.amd.com%2fus%2den%2fprocessors%2ftechnicalresources%2f0%2c%2c30%5f182%5f871%5f2367%2c00%2ehtml/
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 34•23 years ago
|
||
The fact that you didn't crash means this bug is fixed.
The redirect URL is garbled in the original source document:
http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_871_2336,00.html
(do View->Page Source, and search for "2000 Patch")
I'm not sure why it's garbled, but it is not related to this bug. Please file a
new bug.
|
|
Reporter | |
Comment 35•23 years ago
|
||
Yes, this crash is no longer happening according to the latest Talkback
data...the last crash was with builds from 3/9. Returning this bug to resolved
fixed.
|
||
Updated•14 years ago
|
Crash Signature: [@ nsHTMLInputElement::HandleDOMEvent]
You need to log in
before you can comment on or make changes to this bug.
Description
•