Closed
Bug 194582
Opened 22 years ago
Closed 21 years ago
gklayout.dll causes crash when saveEdit() function is called on the page (DOM node insertion and removal) [@ nsHTMLButtonElement::HandleDOMEvent]
Categories
(Core :: DOM: Events, defect)
Core
DOM: Events
Tracking
()
VERIFIED
FIXED
People
(Reporter: leonard, Assigned: MatsPalmgren_bugz)
References
()
Details
(Keywords: crash, testcase, topcrash-)
Crash Data
Attachments
(4 files, 4 obsolete files)
2.83 KB,
text/plain
|
Details | |
2.70 KB,
text/plain
|
Details | |
66 bytes,
text/html
|
Details | |
1.79 KB,
patch
|
john
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030221 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030221 When visiting PPK's http://www.xs4all.nl/~ppk/js/cms.html page and clicking on the button that calls the saveEdit() function, recent builds (did it on one I had from last week and today's) will always cause a crash. The data dump points to gklayout.dll being the culprit. I made a simplified test case here: http://randomfoo.net/sandbox/mozilla/saveEdit/crasher.html which surprisingly, doesn't exhibit the same crashing behavior. Reproducible: Always Steps to Reproduce: 1. Visit http://www.xs4all.nl/~ppk/js/cms.html 2. Click on a paragraph 3. Click on the 'Ready' button 4. Crash! gklayout.dll - I'd give more detail but that would require crashing the browser that I'm filling the bug in (the Netscape Quality Feedback mechanism doesn't have a way to get to the information being submitted after you click through and there's no documentation in the Help on where the data is stored)
Comment 1•22 years ago
|
||
confirming crash on Linux with a debug build (CVS 10h ago) with URL http://www.xs4all.nl/~ppk/js/cms.html : 0x40eec805 in nsHTMLButtonElement::HandleDOMEvent (this=0x8812b08, aPresContext=0x854a290, aEvent=0xbfffe590, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfffeac4) at nsHTMLButtonElement.cpp:488 488 mForm->OnSubmitClickEnd(); (gdb) bt #0 0x40eec805 in nsHTMLButtonElement::HandleDOMEvent (this=0x8812b08, aPresContext=0x854a290, aEvent=0xbfffe590, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfffeac4) at nsHTMLButtonElement.cpp:488 #1 0x40d88f16 in PresShell::HandleEventInternal (this=0x883c508, aEvent=0xbfffe590, aView=0x0, aFlags=1, aStatus=0xbfffeac4) at nsPresShell.cpp:6226 #2 0x40d88dbb in PresShell::HandleEventWithTarget (this=0x883c508, aEvent=0xbfffe590, aFrame=0x867e9c0, aContent=0x8812b08, aFlags=1, aStatus=0xbfffeac4) at nsPresShell.cpp:6195
Keywords: crash
OS: Windows XP → All
Hardware: PC → All
Summary: gklayout.dll causes crash when saveEdit() function is called on the page (DOM node insertion and removal) → gklayout.dll causes crash when saveEdit() function is called on the page (DOM node insertion and removal) [@ nsHTMLButtonElement::HandleDOMEvent ]
Comment 2•22 years ago
|
||
Comment 3•22 years ago
|
||
using the same build, I don't crash when testing URL http://randomfoo.net/sandbox/mozilla/saveEdit/crasher.html but I get this assertion in console: ###!!! ASSERTION: nsFrameManager::GenerateStateKey didn't find content by type!: 'index > -1', file nsFrameManager.cpp, line 2383 Break: at file nsFrameManager.cpp, line 2383
Comment 4•22 years ago
|
||
form submission. Olivier, it really helps if you list the relevant local vars in addition to the stack.. for example, is mForm null here?
Assignee: jst → form-submission
Component: DOM HTML → Form Submission
QA Contact: desale → ashishbhatt
Comment 5•22 years ago
|
||
Boris, I'll do it from now on, here's some more data: (gdb) frame 0 #0 0x40eec805 in nsHTMLButtonElement::HandleDOMEvent (this=0x8932238, aPresContext=0x8882ca8, aEvent=0xbfffe590, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfffeac4) at nsHTMLButtonElement.cpp:488 488 mForm->OnSubmitClickEnd(); (gdb) print mForm No symbol "mForm" in current context. I guess it's inline, I compiled with enable-optimize=-O2, I'll have to recompile...
Comment 6•22 years ago
|
||
CRASH Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030223 and talkback can´t connect
Comment 7•22 years ago
|
||
-O exhibits a similar problem with 'No symbol "mForm" in current context.' (gdb) p *this shows that mForm is 0x0
Comment 8•22 years ago
|
||
adding topcrash+ and testcase to keywords.
Summary: gklayout.dll causes crash when saveEdit() function is called on the page (DOM node insertion and removal) [@ nsHTMLButtonElement::HandleDOMEvent ] → gklayout.dll causes crash when saveEdit() function is called on the page (DOM node insertion and removal) [@ nsHTMLButtonElement::HandleDOMEvent]
Comment 9•21 years ago
|
||
*** Bug 198382 has been marked as a duplicate of this bug. ***
Comment 10•21 years ago
|
||
This crash is no longer showing up in reports, but does still show up (though not much) in the database in recent trunk and branch builds. I'll attach the most recent incident id.
Comment 11•21 years ago
|
||
Comment 13•21 years ago
|
||
*** Bug 203026 has been marked as a duplicate of this bug. ***
Comment 14•21 years ago
|
||
reduced testcase from bug 203026: attachment 121447 [details].
Comment 15•21 years ago
|
||
All the dupes (plus the stack) seem to point to DOM Events. Punting there, smack me if I am wrong...
Assignee: form-submission → saari
Component: Form Submission → DOM Events
QA Contact: ashishbhatt → desale
Comment 16•21 years ago
|
||
*** Bug 210749 has been marked as a duplicate of this bug. ***
Comment 17•21 years ago
|
||
Is this the same bug? It looks very similar. Type something into the text field and press return to crash. TB21430177H
Assignee | ||
Comment 18•21 years ago
|
||
When a form element removes itself from it's form it assigns NULL to |mForm|
(in nsGenericHTMLContainerFormElement::SetDocument() in this case)
This patch fixes both the URL (and duplicates) and also the testcase in
attachment 126671 [details] which is a separate bug but the same type of problem.
nsHTMLButtonElement.cpp: add a NULL check after HandleDOMEvent() was called.
nsHTMLInputElement.cpp: add a NULL check after CheckFireOnChange() was called.
Assignee | ||
Updated•21 years ago
|
Attachment #127140 -
Attachment description: Patch → Patch (diff -wu)
Assignee | ||
Comment 19•21 years ago
|
||
Assignee | ||
Updated•21 years ago
|
Attachment #127140 -
Flags: review?(bzbarsky)
Comment 20•21 years ago
|
||
Comment on attachment 127140 [details] [diff] [review] Patch (diff -wu) I'm really not the best person to review this (I would need to do a lot of code reading before I could reasonably do this review). In any case, please add comments in both spots explaining why you are checking mForm.
Attachment #127140 -
Flags: review?(bzbarsky) → review?(jkeiser)
Assignee | ||
Comment 21•21 years ago
|
||
Attachment #127140 -
Attachment is obsolete: true
Attachment #127141 -
Attachment is obsolete: true
Assignee | ||
Comment 22•21 years ago
|
||
Assignee | ||
Updated•21 years ago
|
Attachment #127149 -
Flags: review?(jkeiser)
Comment 23•21 years ago
|
||
Comment on attachment 127149 [details] [diff] [review] Patch rev. 2 (diff -wu) This will solve the problem, but the new if() in InputElement should cover the submitControl and numTextControlsFound variables and cover the next section including GetShell() since if there is no form we're certainly not even going to try to submit it. While you're at that, a less-indentful way of doing this would be to *close* the if (mForm) surrounding CheckFireOnChange and add the new if (mForm) as a sibling.
Attachment #127149 -
Flags: review?(jkeiser) → review-
Assignee | ||
Comment 24•21 years ago
|
||
The suggestion to close the previous "if (mForm)" and make a new block was a good catch, it made the intent more obvious and the code less indentful.
Attachment #127149 -
Attachment is obsolete: true
Attachment #127150 -
Attachment is obsolete: true
Assignee | ||
Updated•21 years ago
|
Attachment #127231 -
Flags: review?(jkeiser)
Updated•21 years ago
|
Attachment #127231 -
Flags: review?(jkeiser) → review+
Updated•21 years ago
|
Attachment #127140 -
Flags: review?(jkeiser)
Comment 25•21 years ago
|
||
I've just encountered this bug when searching by "Bug #" on the Bugzilla submission/search form. Keystrokes were: Scrolled to bottom of bugzilla form by draging slide bar to bottom Entered the Bug # in the Bug # box Hit Enter Crash The resulting error was: MOZILLA caused an invalid page fault in module GKLAYOUT.DLL at 0167:6027dfaa. Registers: EAX=614fde7f CS=0167 EIP=6027dfaa EFLGS=00010246 EBX=021413c0 SS=016f ESP=0065f6b4 EBP=0065f6c4 ECX=01a33784 DS=016f ESI=01a33784 FS=3dbf EDX=0065f6c0 ES=016f EDI=021413c0 GS=0000 Bytes at CS:EIP: ff 90 40 01 00 00 8b 45 fc 56 ff 36 8b 08 50 ff Stack dump: 00000001 021413c0 01a33784 0214d440 0065f6ec 60288458 01a33784 00000000 01a33784 6028276e 01a33784 021413c0 021413c0 01a33784 0065f728 60289039
Updated•21 years ago
|
Attachment #127231 -
Flags: superreview?(bzbarsky)
Comment 26•21 years ago
|
||
Comment on attachment 127231 [details] [diff] [review] Patch rev. 3 (diff -u) sr=bzbarsky; drop me a mail if this needs checking in
Attachment #127231 -
Flags: superreview?(bzbarsky) → superreview+
Comment 27•21 years ago
|
||
Looks like this landed on 7/29. Can we resolve the bug?
Assignee | ||
Comment 29•21 years ago
|
||
-> FIXED (2003-07-29)
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•21 years ago
|
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsHTMLButtonElement::HandleDOMEvent]
You need to log in
before you can comment on or make changes to this bug.
Description
•