infinite recursion due to focus events (?) of form controls - Trunk crash [@ nsScriptSecurityManager::CheckPropertyAccessImpl][@ nsXULElement::HandleDOMEvent][@ XPCWrappedNative::FindTearOff][@ ntdll.dll]

VERIFIED FIXED in mozilla1.0

Product: Core
Component: Layout: Form Controls
Severity: critical
Status: VERIFIED FIXED
Reported 16 years ago, last modified 9 years ago
Reporter: John Morrison
Assignee: joki (gone)
Version: Trunk
Target Milestone: mozilla1.0
Platform: x86, Windows 2000
Keywords: crash, testcase, topcrash+
Bug Flags: in-testsuite +
Whiteboard: [adt2]
Attachments (2 attachments, 1 obsolete attachment):
  382 bytes, text/html
  1.17 KB, patch (John Keiser (jkeiser): review+)

(Reporter)

Description

16 years ago
Noted at the bottom of bug 135009. 

   If my incident is the same problem, then
   http://www.prosavvy.com/members/affiliates/commissions/index.cfm
   crashes for me every time if anyone needs a testcase.

I'm not sure this is quite the same crash as bug 135009 so I'm filing 
a separate bug. But the testcase for that page is pretty simple. This
sets off an infinite recursion.

<html>
<body>
  <form name="frmlogin">
    <input type="text" name="username" 
           onfocus="frmlogin.username.select();" 
           onblur="frmlogin.password.focus();">
    <input type="password" name="password" 
           onfocus="frmlogin.password.select();">
  </form>
  <script language="JavaScript">
    document.frmlogin.username.focus();
  </script>
</body>
</html>


Here is a fuller stack trace. Note the repeated lines (separated by blank
lines) beginning about 40 lines down.

recursion stack trace from bug 135009. Look down ~40 lines to the blank 
line to see the actual repeated lines (arbitrarily broken at calls to 
nsHTMLInputElement::Select)



nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x018f6b6a, 
nsIPresContext * 0x01a51274, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
nsIDOMEventTarget * 0x00033648, unsigned int 0x00000004, nsEventStatus * 
0x00033834) line 1243 + 7 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x015bafdd, 
nsIPresContext * 0x01b5e718, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 693
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x01e66430, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3444 + 22 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x01f4f8e0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x01f4fa58, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x01f4fba0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x01f4fc18, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x021b8cd0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bafbe, nsIPresContext * 
0x02188a18, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleDOMEvent(nsXULElement * const 0x015bdae9, nsIPresContext * 
0x02188b28, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3442
nsXULElement::HandleChromeEvent(nsXULElement * const 0x01b5e718, nsIPresContext 
* 0x02230438, nsEvent * 0x00033844, nsIDOMEvent * * 0x00033648, unsigned int 
0x00000004, nsEventStatus * 0x00033834) line 4689 + 35 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0162fc86, 
nsIPresContext * 0x0219f7b0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 693
nsDocument::HandleDOMEvent(nsDocument * const 0x0161f6f5, nsIPresContext * 
0x02b1bad0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, unsigned int 
0x00033648, nsEventStatus * 0x00000004) line 3230
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x0221c610, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1632 + 29 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x00f632a0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c20bd0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c20c98, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c20ec8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c20f10, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x021e0ca0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c21710, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c21990, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c219d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c21a68, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c22218, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c4dd88, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c37100, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c371d0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c469c8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c46ae0, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c6a980, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c251e8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c25618, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c25708, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c42920, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c514e8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0161f6cf, 
nsIPresContext * 0x02c51700, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00033648, nsEventStatus * 0x00000004) line 1630
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0167bfe6, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1630
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0167b70e, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00033844, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1404
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x1005261e) line 1082

XPTC_InvokeByIndex(nsISupports * 0x02c51800, unsigned int 0x0000005b, unsigned 
int 0x00000000, nsXPTCVariant * 0x00033a44) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
0x00033ae0) line 2025 + 36 bytes
XPC_WN_CallMethod(JSContext * 0x0221c080, JSObject * 0x02c14308, unsigned int 
0x00000000, long * 0x02ccaffc, long * 0x00033bcc) line 1266 + 12 bytes
js_Invoke(JSContext * 0x0102664d, unsigned int 0x0221c080, unsigned int 
0x00000000) line 788 + 42 bytes
js_Interpret(JSContext * 0x0221c080, long * 0x00000001) line 2745 + 13 bytes
js_InternalInvoke(JSContext * 0x01005826, JSObject * 0x000349cc, long 
0x02c14308, unsigned int 0x02c14318, unsigned int 0x00000000, long * 
0x02ccafd8, long * 0x00033f38) line 880 + 14 bytes
JS_CallFunctionValue(JSContext * 0x0221c080, JSObject * 0x02c14308, long 
0x02c14318, unsigned int 0x00000001, long * 0x00033f38, long * 0x00033ec8) line 
3410 + 38 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0191612b, void * 
0x00ed9538, void * 0x02c14308, unsigned int 0x02c14318, void * 0x00000001, int 
* 0x00033f38, int 0x00033f34) line 1016 + 27 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x01536450, 
nsIDOMEvent * 0x02c51b58) line 182
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 
0x01693704, nsListenerStruct * 0x01537a47, nsIDOMEvent * 0x02c51bd8, 
nsIDOMEventTarget * 0x02cd8ee8, unsigned int 0x02cd8f50, unsigned int 
0x00000001) line 1217 + 10 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0161f7fb, 
nsIPresContext * 0x02c51b10, nsEvent * 0x02230438, nsIDOMEvent * * 0x00034508, 
nsIDOMEventTarget * 0x000342e0, unsigned int 0x02cd8f50, nsEventStatus * 
0x00000007) line 1734 + 28 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0167bfe6, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00034508, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1651
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x01540423, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00034508, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1404
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x0153f8ea, 
nsIPresContext * 0x020df200, nsIContent * 0x02230438, int 0x02c517d8) line 3840
nsEventStateManager::SetContentState(nsEventStateManager * const 0x0167b74a, 
nsIContent * 0x00000000, int 0x02c517d8) line 3532 + 17 bytes
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x1005261e) line 1093

XPTC_InvokeByIndex(nsISupports * 0x02c51800, unsigned int 0x0000005b, unsigned 
int 0x00000000, nsXPTCVariant * 0x00034864) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
0x00034900) line 2025 + 36 bytes
XPC_WN_CallMethod(JSContext * 0x0221c080, JSObject * 0x02c14308, unsigned int 
0x00000000, long * 0x02ccafd8, long * 0x000349ec) line 1266 + 12 bytes
js_Invoke(JSContext * 0x0102664d, unsigned int 0x0221c080, unsigned int 
0x00000000) line 788 + 42 bytes
js_Interpret(JSContext * 0x0221c080, long * 0x00000001) line 2745 + 13 bytes
js_InternalInvoke(JSContext * 0x01005826, JSObject * 0x000357ec, long 
0x02c14308, unsigned int 0x02c14318, unsigned int 0x00000000, long * 
0x02ccafb4, long * 0x00034d58) line 880 + 14 bytes
JS_CallFunctionValue(JSContext * 0x0221c080, JSObject * 0x02c14308, long 
0x02c14318, unsigned int 0x00000001, long * 0x00034d58, long * 0x00034ce8) line 
3410 + 38 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0191612b, void * 
0x00ed9538, void * 0x02c14308, unsigned int 0x02c14318, void * 0x00000001, int 
* 0x00034d58, int 0x00034d54) line 1016 + 27 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x01536450, 
nsIDOMEvent * 0x02c51b58) line 182
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 
0x01693704, nsListenerStruct * 0x01537a47, nsIDOMEvent * 0x02c51bd8, 
nsIDOMEventTarget * 0x02cd8c28, unsigned int 0x02cd8c90, unsigned int 
0x00000001) line 1217 + 10 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0161f7fb, 
nsIPresContext * 0x02c51b10, nsEvent * 0x02230438, nsIDOMEvent * * 0x00035328, 
nsIDOMEventTarget * 0x00035100, unsigned int 0x02cd8c90, nsEventStatus * 
0x00000007) line 1734 + 28 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0167bfe6, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00035328, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1651
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x01540423, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00035328, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1404
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x0153f8ea, 
nsIPresContext * 0x020df200, nsIContent * 0x02230438, int 0x02c517d8) line 3840
nsEventStateManager::SetContentState(nsEventStateManager * const 0x0167b74a, 
nsIContent * 0x00000000, int 0x02c517d8) line 3532 + 17 bytes
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x1005261e) line 1093

XPTC_InvokeByIndex(nsISupports * 0x02c51800, unsigned int 0x0000005b, unsigned 
int 0x00000000, nsXPTCVariant * 0x00035684) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
0x00035720) line 2025 + 36 bytes
XPC_WN_CallMethod(JSContext * 0x0221c080, JSObject * 0x02c14308, unsigned int 
0x00000000, long * 0x02ccafb4, long * 0x0003580c) line 1266 + 12 bytes
js_Invoke(JSContext * 0x0102664d, unsigned int 0x0221c080, unsigned int 
0x00000000) line 788 + 42 bytes
js_Interpret(JSContext * 0x0221c080, long * 0x00000001) line 2745 + 13 bytes
js_InternalInvoke(JSContext * 0x01005826, JSObject * 0x0003660c, long 
0x02c14308, unsigned int 0x02c14318, unsigned int 0x00000000, long * 
0x02ccaf90, long * 0x00035b78) line 880 + 14 bytes
JS_CallFunctionValue(JSContext * 0x0221c080, JSObject * 0x02c14308, long 
0x02c14318, unsigned int 0x00000001, long * 0x00035b78, long * 0x00035b08) line 
3410 + 38 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0191612b, void * 
0x00ed9538, void * 0x02c14308, unsigned int 0x02c14318, void * 0x00000001, int 
* 0x00035b78, int 0x00035b74) line 1016 + 27 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x01536450, 
nsIDOMEvent * 0x02c51b58) line 182
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 
0x01693704, nsListenerStruct * 0x01537a47, nsIDOMEvent * 0x02c51bd8, 
nsIDOMEventTarget * 0x02cd8968, unsigned int 0x02cd89d0, unsigned int 
0x00000001) line 1217 + 10 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0161f7fb, 
nsIPresContext * 0x02c51b10, nsEvent * 0x02230438, nsIDOMEvent * * 0x00036148, 
nsIDOMEventTarget * 0x00035f20, unsigned int 0x02cd89d0, nsEventStatus * 
0x00000007) line 1734 + 28 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0167bfe6, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00036148, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1651
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x01540423, 
nsIPresContext * 0x02c517d8, nsEvent * 0x02230438, nsIDOMEvent * * 0x00036148, 
unsigned int 0x00000000, nsEventStatus * 0x00000001) line 1404
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x0153f8ea, 
nsIPresContext * 0x020df200, nsIContent * 0x02230438, int 0x02c517d8) line 3840
nsEventStateManager::SetContentState(nsEventStateManager * const 0x0167b74a, 
nsIContent * 0x00000000, int 0x02c517d8) line 3532 + 17 bytes
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x1005261e) line 1093

... and so on and so on ...

nsbeta1, (topcrash?)
(Reporter)

Comment 1

16 years ago
Created attachment 77592 [details]
simple testcase
(Reporter)

Updated

16 years ago
Severity: normal → critical
Keywords: crash, nsbeta1, topcrash

*** This bug has been marked as a duplicate of 135194 ***
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE
(Reporter)

Comment 3

16 years ago
I wouldn't be surprised if the crashes are connected in some way, but 
since they have clearly different stack traces, reopening this bug.


Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 4

16 years ago
Making topcrash+ and adding testcase keyword since the given url crashes every time.
Keywords: topcrash → testcase, topcrash+
Summary: infinite recursion due to focus events (?) of form controls. → infinite recursion due to focus events (?) of form controls. - Trunk [@ nsEventListenerManager::HandleEvent]

Comment 5

16 years ago
Removing [@ nsEventListenerManager::HandleEvent] from summary... I crashed twice
with jrgm's testcase, but both crashes showed different stack signatures (I'm
guessing because of the stack overflow).
Summary: infinite recursion due to focus events (?) of form controls. - Trunk [@ nsEventListenerManager::HandleEvent] → infinite recursion due to focus events (?) of form controls.

Updated

16 years ago
Keywords: nsbeta1 → nsbeta1+
Target Milestone: --- → mozilla1.0

Comment 6

16 years ago
Well, I just verified fixed bug 133669 (another recursion problem)...but both
the url and testcase in this bug are still crashing for me.  

Here is what stack signatures I'm seeing from Talkback for each scenario I've
tested:

WinNT build 2002040809 (testcase)-    5013125  2002-04-09 14:19:50
nsScriptSecurityManager::CheckPropertyAccessImpl 70663961
NetscapeMozillaTrunkWin322002040809 jrgm's testcase in bug 135345

WinNT build 2002040809 (url)-    5013255  2002-04-09 14:18:21
nsXULElement::HandleDOMEvent 0bcd2cdb NetscapeMozillaTrunkWin322002040809 bug
135345...still crashing at prosavvy.com

Win2K build 2002040809 (url)-    5013925  2002-04-09 14:41:11 ntdll.dll +
0x4b134 (0x77fcb134) d3d6f251 NetscapeMozillaTrunkWin322002040809  just went to
url in bug 135345...seems to hang my computer until i clicked
ctrl-alt-del...then i saw the windows error message...

Win2K build 2002040210 (testcase)-    4828235  2002-04-04 12:07:14
XPCWrappedNative::FindTearOff 1c9bd1d2 NetscapeMozillaTrunkWin322002040210
testcase hangs browser...after ctrl-alt-del i see the windows acception window
and talkback comes up...

Adding all those stack signatures to the summary for tracking...
I wonder if a similar fix that worked for bug 133669 can be applied here.
Summary: infinite recursion due to focus events (?) of form controls. → infinite recursion due to focus events (?) of form controls - Trunk crash [@ nsScriptSecurityManager::CheckPropertyAccessImpl][@ nsXULElement::HandleDOMEvent][@ XPCWrappedNative::FindTearOff][@ ntdll.dll]

Updated

16 years ago
Whiteboard: [adt2]
(Reporter)

Comment 7

16 years ago
I'll note, as a general comment, that in this type of situation (a deep 
recursive stack trace), the actual point in the code that is at the top of the 
stack when the crash occurs is not really relevant. It just happens to be the 
lucky victim.

(Although, I also note, that methods like nsGenericElement::HandleDOMEvent
are more likely than other methods to show up at the top of stack. I.e., when 
the stack is nearing overflow, any routine that uses recursion, e.g., to bubble 
events, is more likely to blow out the stack than a method that does not use 
recursion).

Comment 8

16 years ago
OK, the specific recursion is that nsHTMLInputElement::Select() has to set focus
before it can select the contents of the box.  When it does that, the
EventListenerManager doesn't seem to be aware of whether the element is already
focused in this case, and calls the onFocus event again, which calls Select,
which sets focus to TRUE.  (Sort of understandably, we have gone synchronously
through three JavaScript functions to get to this point.)

It's not my impression that the input element needs to know whether it is
focused or not; I thought it just had to call the focus manager and tell it what
to do.

CC'ing joki, who may know what is going on better than I do.  It is puzzling to
me that this does *not* happen when you directly call password.focus() from the
script, only when you get to it in a roundabout sort of way.
(Reporter)

Comment 9

16 years ago
and really cc: joki, like jkeiser meant to do ;)

> CC'ing joki, who may know what is going on better than I do.  It is puzzling 
> to me that this does *not* happen when you directly call password.focus() 
> from the script, only when you get to it in a roundabout sort of way.

(Assignee)

Comment 10

16 years ago
Created attachment 79185 [details] [diff] [review]
Possible patch

You're right in theory, the content shouldn't need to know whether it is
focused but the focus code in nsEventStateManager (ESM) is pretty wacky.  Between
keeping the menu focus listeners and global focus objects and local focus
objects in sync it's hard to say which focus messages we can ignore and which we
must process.  Saari would know better than I, he wrote most of the focus code
in the ESM.  I know he also has plans to rewrite it at some point.

So for the moment the easiest (and safest) fix is probably to have the content
know about its focus state.  I'm attaching a simple patch which does that.  The
better longterm fix is certainly in the ESM but given the fragility of the code
making any changes to the ESM focus code is fairly high risk.

By the way, this fixes the crash but still doesn't make that particular piece
of script work exactly as expected.  Calling focus() within an onblur handler
is something that doesn't really work in mozilla.  Hopefully focus changes in
the future might fix that.
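
The recursion described in comment 8 and the workaround from comment 10, as an added C++ model that is not the attached patch or any Gecko code. `FocusManager`, `Element`, `RunTestcase` and the depth cap `kMaxDepth` are hypothetical names, and the model covers only the onfocus -> Select() -> set focus cycle, not the onblur path in the testcase.

```cpp
#include <cstdio>
#include <functional>
#include <stdexcept>

// Hypothetical cap that stands in for the native stack running out.
constexpr int kMaxDepth = 256;

struct Element;

// Stand-in for the focus side of the event state manager. As in comment 8,
// it fires onfocus without checking whether the element is already focused.
struct FocusManager {
    Element* focused = nullptr;
    void SetFocus(Element& el);
};

struct Element {
    FocusManager& fm;
    bool checkFocusFirst;                   // the workaround from comment 10
    std::function<void(Element&)> onfocus;  // handler supplied by page script
    int selectCalls = 0;
    int depth = 0;

    Element(FocusManager& m, bool guard) : fm(m), checkFocusFirst(guard) {}

    void Select() {
        // RAII depth counter so the count unwinds correctly on exceptions.
        struct Depth {
            int& d;
            explicit Depth(int& x) : d(x) { ++d; }
            ~Depth() { --d; }
        } scope(depth);
        if (depth > kMaxDepth) throw std::runtime_error("stack exhausted");
        ++selectCalls;
        // Select() has to focus the control before it can select its text.
        // With the guard, an already-focused control does not ask again,
        // so no second onfocus is dispatched.
        if (!checkFocusFirst || fm.focused != this) fm.SetFocus(*this);
        // (text selection itself is omitted from the model)
    }
};

void FocusManager::SetFocus(Element& el) {
    focused = &el;
    if (el.onfocus) el.onfocus(el);  // synchronous dispatch into script
}

// Models <input onfocus="...select()"> followed by a script focus() call.
// Returns the number of Select() calls, or -1 if the recursion hit the cap.
int RunTestcase(bool guard) {
    FocusManager fm;
    Element username(fm, guard);
    username.onfocus = [](Element& e) { e.Select(); };
    try {
        fm.SetFocus(username);
    } catch (const std::runtime_error&) {
        return -1;
    }
    return username.selectCalls;
}

int main() {
    std::printf("unguarded: %d\n", RunTestcase(false));
    std::printf("guarded:   %d\n", RunTestcase(true));
    return 0;
}
```

The guard lives in the element rather than in the focus manager, which is the trade-off discussed in the later comments: it stops this cycle without changing how often the manager itself processes focus requests.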
Comment on attachment 79185 [details] [diff] [review]
Possible patch

r=jkeiser, but could you put an XXX comment in there explaining that this is a
workaround until ESM is fixed?  I don't want myself (or others) to look at that
and think that everything that does focus is *supposed* to check its state.

Thanks much!
Attachment #79185 - Flags: review+
Giving to joki since it's his fix.
Assignee: jkeiser → joki
Status: REOPENED → NEW
(Assignee)

Comment 13

16 years ago
Created attachment 79309 [details] [diff] [review]
Updated patch

For the sake of completeness, updated patch with comment.
Attachment #79185 - Attachment is obsolete: true
Comment on attachment 79309 [details] [diff] [review]
Updated patch

sr=jst
Attachment #79309 - Flags: superreview+

Updated

16 years ago
Attachment #79309 - Flags: review+
Joki, is there a reason this can't be done at the beginning of SetContentState()
itself?  It seems like that's the simplest and broadest solution to the many
infinite recursions I have seen over the last few months.  This patch is still
fine, just curiosity speaking.
(Assignee)

Comment 16

16 years ago
Mostly just the fact that the focus code inside the ESM updates multiple state 
variables and I (and Saari) are concerned that the seemingly excessive focus 
calls might be necessary to keep activation/deactivation state or cross window 
focus in sync.  It's slightly paranoia, I haven't actually tested to see if it 
would break there, but the focus system is notoriously delicate.  Saari agrees 
that it shouldn't be necessary for content to check its own focus state but also 
thinks this is the safest patch for the moment.
(Assignee)

Comment 17

16 years ago
Fixed on trunk.  Marking fixed and adding adt1.0.0 to nominate for branch 
inclusion.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Keywords: adt1.0.0
Resolution: --- → FIXED

Comment 18

16 years ago
Pls update the bug, when testing has been completed on the trunk.

Comment 19

16 years ago
Comment on attachment 79309 [details] [diff] [review]
Updated patch

a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #79309 - Flags: approval+

Comment 20

16 years ago
changing qa contact to tpreston.
QA Contact: madhur → tpreston

Comment 21

16 years ago
Changing QA contact to Terri Preston.

Terri please verify this bug

Comment 22

16 years ago
This is fixed on trunk build win 2k build 2002041603
Status: RESOLVED → VERIFIED

Comment 23

16 years ago
adding adt1.0.0+ on behalf of the adt.  Please check this into the branch as
soon as possible and add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+
(Assignee)

Comment 24

16 years ago
Fixed on branch.
Keywords: fixed1.0.0

Comment 25

16 years ago
Verified fixed win 2k branch build 2002052208
Keywords: fixed1.0.0 → verified1.0.0

Comment 26

9 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ nsScriptSecurityManager::CheckPropertyAccessImpl] [@ nsXULElement::HandleDOMEvent] [@ XPCWrappedNative::FindTearOff] [@ ntdll.dll]