
Trunk crashes with form submission [@ nsHTMLInputElement::SubmitNamesValues]

Status: RESOLVED FIXED
Product: Core
Component: Layout: Form Controls
Priority: --
Severity: critical
Opened: 15 years ago
Modified: 15 years ago
Reporter: greer
Assignee: Alexandru Savulov
Version: Trunk
Platform: x86, All
Keywords: crash, testcase, topcrash+
Firefox Tracking Flags: Not tracked
Attachments: 2

(Reporter)

Description

15 years ago
A group of crashes at nsHTMLInputElement::SubmitNamesValues has been showing up
in the Trunk Talkback data since the 16th. (Build ID range: 2002081612 to
2002082104)

cc'ing joki. Possibly a regression from his checkin for bug 162648 on 8/15.
cc'ing jkeiser for input.

Unfortunately, there is a dearth of user comment to point to the steps causing
this crash. One user has commented:
     (9514706) URL: http://www.dell.com
     (9514706) removed item from dell shopping cart  then tried to close confirmation window

Stack Trace: 

nsHTMLInputElement::SubmitNamesValues [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp line 2305]
nsHTMLFormElement::WalkFormElements [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp line 1022]
nsHTMLFormElement::DoSubmit [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp line 826]
nsHTMLFormElement::DoSubmitOrReset [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp line 766]
nsHTMLFormElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp line 732]
PresShell::HandleDOMEventWithTarget [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6171]
nsHTMLInputElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp line 1724]
PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6123]
PresShell::HandleEventWithTarget [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6091]
nsEventStateManager::CheckForAndDispatchClick [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 2759]
nsEventStateManager::PostHandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line 1763]
PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6144]
PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp line 6046]
nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 2098]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 301]
nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp line 1909]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp line 83]
nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1038]
nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1055]
nsWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5127]
ChildWindow::DispatchMouseEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 5382]
nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 3834]
nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp line 1304]
USER32.dll + 0x2a290 (0x77e3a290)
USER32.dll + 0x45b1 (0x77e145b1)
USER32.dll + 0x5b1d (0x77e15b1d)
nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 452]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1525]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1876]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1894]
WinMainCRTStartup()
KERNEL32.DLL + 0x1ca90 (0x77e9ca90)

Source File: c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp line: 2305
(Reporter)

Updated

15 years ago
Keywords: crash, topcrash

Comment 1

15 years ago
-->
Assignee: rods → alexsavulov

Comment 2

15 years ago
Should this get the keyword zt4newcrash?
(Reporter)

Comment 3

15 years ago
It doesn't qualify as zt4newcrash because it was not introduced in the past
72hrs. It first started appearing 5 days ago.

Comment 4

15 years ago
Created attachment 96430 [details]
testcase (?)

I'm crashing when clicking on an <INPUT TYPE="image"> whose SRC is a
non-existent image.
2002082208/trunk/W2K -> TB9721859Y, TB9721858E, TB9721669G, TB9721665Z, TB9721324K
Is it the same signature, or do I have to file a new bug report?
(Reporter)

Comment 5

15 years ago
Adam, same signatures, same crash. And your testcase crashes for me too.
With a testcase -> topcrash+
Keywords: topcrash → testcase, topcrash+
(Assignee)

Comment 6

15 years ago
i'm on it. thanks for the testcase.

Comment 7

15 years ago
this is a regression from bug 150232
Depends on: 150232

Comment 8

15 years ago
Good call.  The problem was specifically caused by the change to
nsHTMLInputElement.cpp:

@@ -2306,8 +2311,8 @@
     PRInt32 clickedY;
     nsIFormControlFrame* formControlFrame = GetFormControlFrame(PR_TRUE);
 
-    nsCOMPtr<nsIImageControlFrame> imageControlFrame(
-        do_QueryInterface(formControlFrame));
+    nsIImageControlFrame* imageControlFrame = nsnull;
+    CallQueryInterface(formControlFrame, &imageControlFrame);
     if (imageControlFrame) {
       imageControlFrame->GetClickedX(&clickedX);
       imageControlFrame->GetClickedY(&clickedY);
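Review bot: formControlFrame is passed to CallQueryInterface in the two added lines with no null check, and the "if (imageControlFrame)" test that follows comes too late, because the dereference happens inside the call. The removed do_QueryInterface form tolerated a null source, so this swap changes behaviour whenever GetFormControlFrame(PR_TRUE) returns null. Either wrap the call in "if (formControlFrame)" or keep the nsCOMPtr/do_QueryInterface form.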

CallQueryInterface is not null-safe WRT left-hand-side (more's the pity).  My
bad.  I'll fix it manana if no one else has.
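
The failure mode described in comment 8, as an added example that is not part of the bug or of the Mozilla source: a query helper that dereferences its source pointer, beside a null-tolerant one, and a submission path that survives a missing frame. The names Frame, ImageControl, ImageFrame, unchecked_query, checked_query and submit_image_input are hypothetical stand-ins rather than XPCOM APIs, and the (0, 0) fallback is an assumption.

```cpp
#include <cstdio>

// Hypothetical stand-ins for the frame interfaces; these are not XPCOM types.
struct ImageControl {
    virtual ~ImageControl() = default;
    virtual int ClickedX() const = 0;
    virtual int ClickedY() const = 0;
};
struct Frame {
    virtual ~Frame() = default;
    // Fills *out and returns true only if this frame is an image control.
    virtual bool QueryImageControl(ImageControl** out) { *out = nullptr; return false; }
};
struct ImageFrame : Frame, ImageControl {
    int x, y;
    ImageFrame(int x_, int y_) : x(x_), y(y_) {}
    int ClickedX() const override { return x; }
    int ClickedY() const override { return y; }
    bool QueryImageControl(ImageControl** out) override { *out = this; return true; }
};

// Same shape as the regressing call: the source is dereferenced with no check,
// so a null source is undefined behaviour (a crash in practice).
bool unchecked_query(Frame* source, ImageControl** out) {
    return source->QueryImageControl(out);
}
// Null-tolerant variant: a null source simply yields a null result.
bool checked_query(Frame* source, ImageControl** out) {
    *out = nullptr;
    return source && source->QueryImageControl(out);
}

struct Click { bool has_coords; int x; int y; };

// Submission path for an image input. `frame` may be null (assumed here: the
// element has no form control frame); the (0, 0) fallback is an assumption.
Click submit_image_input(Frame* frame) {
    ImageControl* image = nullptr;
    checked_query(frame, &image);
    if (image) return {true, image->ClickedX(), image->ClickedY()};
    return {false, 0, 0};
}

int main() {
    ImageFrame framed(12, 7);
    Click a = submit_image_input(&framed);
    Click b = submit_image_input(nullptr);  // the case that crashed
    std::printf("framed: %d,%d  no frame: has_coords=%d\n", a.x, a.y, b.has_coords);
    return 0;
}
```

Checking only the output pointer after the call, as the hunk above does, cannot help when the source pointer is the null one.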
(Reporter)

Comment 9

15 years ago
*** Bug 164523 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 10

15 years ago
Created attachment 96747 [details] [diff] [review]
proposed patch

nullcheck patch
(Assignee)

Comment 11

15 years ago
r=jkeiser (verbal)
(Assignee)

Updated

15 years ago
Attachment #96747 - Flags: review+
Comment on attachment 96747 [details] [diff] [review]
proposed patch

sr=jst
Attachment #96747 - Flags: superreview+
(Assignee)

Comment 13

15 years ago
*** Bug 164834 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 14

15 years ago
fixed on trunk
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLInputElement::SubmitNamesValues]