Closed Bug 164065 Opened 22 years ago Closed 22 years ago

Trunk crashes with form submission [@ nsHTMLInputElement::SubmitNamesValues]

Categories

(Core :: Layout: Form Controls, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: greer, Assigned: alexsavulov)

Details

(Keywords: crash, testcase, topcrash+)

Attachments

(2 files)

A group of crashes at nsHTMLInputElement::SubmitNamesValues has been showing up
in the Trunk Talkback data since the 16th. (Build ID range: 2002081612 to
2002082104)

cc'ing joki. Possibly a regression from his checkin for bug 162648 on 8/15.
cc'ing jkeiser for input.

Unfortunately, there is a dearth of user comment to point to the steps causing
this crash. One user has commented:
     (9514706)	URL: http://www.dell.com
     (9514706)  removed item from dell shopping cart  then tried to close
confirmation window

Stack Trace: 

	 nsHTMLInputElement::SubmitNamesValues
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp 
line 2305]
	 nsHTMLFormElement::WalkFormElements
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp 
line 1022]
	 nsHTMLFormElement::DoSubmit
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp 
line 826]
	 nsHTMLFormElement::DoSubmitOrReset
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp 
line 766]
	 nsHTMLFormElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp 
line 732]
	 PresShell::HandleDOMEventWithTarget
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6171]
	 nsHTMLInputElement::HandleDOMEvent
[c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp 
line 1724]
	 PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6123]
	 PresShell::HandleEventWithTarget
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6091]
	 nsEventStateManager::CheckForAndDispatchClick
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp  line 2759]
	 nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp  line 1763]
	 PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6144]
	 PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6046]
	 nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp  line 2098]
	 nsView::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsView.cpp  line 301]
	 nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp  line 1909]
	 HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsView.cpp  line 83]
	 nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 1038]
	 nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 1055]
	 nsWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 5127]
	 ChildWindow::DispatchMouseEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 5382]
	 nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 3834]
	 nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 1304]
	 USER32.dll + 0x2a290 (0x77e3a290)
	 USER32.dll + 0x45b1 (0x77e145b1)
	 USER32.dll + 0x5b1d (0x77e15b1d)
	 nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp  line 452]
	 main1
[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1525]
	 main
[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1876]
	 WinMain
[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1894]
	 WinMainCRTStartup()
	 KERNEL32.DLL + 0x1ca90 (0x77e9ca90)
 
 	Source File :
c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp line
: 2305
Keywords: crash, topcrash
-->
Assignee: rods → alexsavulov
Should this get the keyword zt4newcrash?
It doesn't qualify as zt4newcrash because it was not introduced in the past
72hrs. It first started appearing 5 days ago.
Attached file testcase (?)
I'm crashing while clicking on <INPUT TYPE="image"> where SRC is a non-existent
image. 
2002082208/trunk/W2K -> TB9721859Y, TB9721858E, TB9721669G, TB9721665Z,
TB9721324K
Is it the same signature, or do I have to file a new bug report?
Adam, same signatures, same crash. And your testcase crashes for me too.
With a testcase -> topcrash+
Keywords: topcrash → testcase, topcrash+
i'm on it. thanks for the testcase.
this is a regression from bug 150232
Depends on: 150232
Good call.  The problem was specifically caused by the change to
nsHTMLInputElement.cpp:

@@ -2306,8 +2311,8 @@
     PRInt32 clickedY;
     nsIFormControlFrame* formControlFrame = GetFormControlFrame(PR_TRUE);
 
-    nsCOMPtr<nsIImageControlFrame> imageControlFrame(
-        do_QueryInterface(formControlFrame));
+    nsIImageControlFrame* imageControlFrame = nsnull;
+    CallQueryInterface(formControlFrame, &imageControlFrame);
     if (imageControlFrame) {
       imageControlFrame->GetClickedX(&clickedX);
       imageControlFrame->GetClickedY(&clickedY);
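
Review bot: The second added line, CallQueryInterface(formControlFrame, &imageControlFrame), runs with no null check on formControlFrame, which is taken directly from GetFormControlFrame(PR_TRUE) two lines above and may be null. The removed do_QueryInterface(formControlFrame) form accepted a null source and simply left imageControlFrame null; the direct call goes through the source pointer. Suggest guarding it, for example "if (formControlFrame) { CallQueryInterface(formControlFrame, &imageControlFrame); }", so that the existing "if (imageControlFrame)" test remains the only gate on GetClickedX/GetClickedY. The return value of CallQueryInterface is also discarded; the nsnull initialisation covers the failure case, but a short comment saying so would help the next reader.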

CallQueryInterface is not null-safe WRT left-hand-side (more's the pity).  My
bad.  I'll fix it manana if no one else has.
*** Bug 164523 has been marked as a duplicate of this bug. ***
Attached patch proposed patch
nullcheck patch
r=jkeiser (verbal)
Attachment #96747 - Flags: review+
Comment on attachment 96747
proposed patch

sr=jst
Attachment #96747 - Flags: superreview+
*** Bug 164834 has been marked as a duplicate of this bug. ***
fixed on trunk
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLInputElement::SubmitNamesValues]