198254 - Closing a javascript-created popup window crashes mozilla [@ nsWebShell::OnLinkClick ]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[slaton]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030314
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030314

Mozilla crashes when you click on the "Close Window" link of a
javascript-created window.

Reproducible: Sometimes

Steps to Reproduce:
1. Visit the website url I've provided. 
2. Click on the product image, which uses javascript to pop open a window with a
larger image. 
3. When you click "Close Window" on the new window, Mozilla crashes.

Actual Results:  
Mozilla crashes

Expected Results:  
Just closed the popup window.

Using the Modern theme.

Comment 1

[James Graham]

I see this using linux 2003031808. 

Talkback ID TB18255846E
This needs the 'crash' keyword
The offening link is:
<a href="javascript: self.close();" onclick="self.close();">Close Window</a>

Having said all of which this is probably a dupe of bug 60938

Comment 2

[James Graham]

Actually I can't reproduce bug 60938, so maybe it's not a dupe

Comment 3

[Andrew Schultz]

Attachment: stacktrace

stacktrace from CVS.  the stack is similar to bug 60938, but is a bit different

Comment 4

[Andrew Schultz]

regression between linux trunk 2003022605 and 2003022705, perhaps bug 125318

marking NEW
==> DOM 0

Comment 5

[Andrew Schultz]

==> DOM 0 for real

Comment 6

[Andrew Schultz]

Attachment: fun with valgrind

the basic idea is that an nsWebShell object is being accessed after it has been
deleted

Comment 7

[Andrew Schultz]

whatever regression I was seeing was probably just a regression in
reproducibility.  I can get 1.3 (which is what slaton originally reported it
with) to crash along with 1.2.1.

I've noticed that it is easier to reproduce if you drag over the link to trigger
the drag'n'drop, release and then click while the flying-paper-icon is still
visible.  the stack trace for that is the same as clicking normally.

Comment 8

[Andrew Schultz]

Attachment: testcase

Comment 9

[Johnny Stenback (:jst)]

Attachment: Would this fix it?

Comment 10

[Andrew Schultz]

I am unable to reproduce the crash with the patch applied

Comment 11

[Andrew Schultz]

*** Bug 198737 has been marked as a duplicate of this bug. ***

Comment 12

[Phil Schwartau]

*** Bug 201026 has been marked as a duplicate of this bug. ***

Comment 13

[Julien Bidault]

Tryed to reproduce it, and the window closed properly without crashing mozilla

1.4b - 2003043008 - win XP pro

Comment 14

[James Graham]

This worked fine with the 2003042511/Gtk2 build. Anyone like to mark gthis fixed?

Comment 15

[Phil Schwartau]

Something is still going wrong. I'm crashing on the original
steps to reprocuce above, using a 20030429 build on WinNT.

I'll try again and see if I can get a stack trace -

Comment 16

[Phil Schwartau]

NOTE: the crash is intermittent. I'm following the original steps
to reproduce given above, over and over again. Eventually, I crash
at a "Privileged Instruction". My binary stack trace on WinNT is:

036d32ba()
DOCSHELL! 01a21fe2()
GKLAYOUT! 011b7ab1()
GKLAYOUT! 01202a63()
GKLAYOUT! 01304a29()
GKLAYOUT! 0112cd97()
GKLAYOUT! 0112cc5a()
GKLAYOUT! 011f9677()
GKLAYOUT! 011f83f7()
GKLAYOUT! 0112ce96()
GKLAYOUT! 0112ca0c()
GKLAYOUT! 0127afa1()
GKLAYOUT! 0127cee9()
GKLAYOUT! 0127d6fc()
GKWIDGET! 014c1eeb()
GKWIDGET! 014c589a()
GKWIDGET! 014c5c84()
GKWIDGET! 014c2455()
USER32! 77e7124c()
01a20102()

Comment 17

[frank]

My Moz 1.3.1 on Linux Mandrake 9.1 crashes on clicking OK on a popup saying I'm
logged in at www.asnbank.nl.  (Yez, that is a bank.)
It is reproducable allright, just log in at www.asnbank.nl by clicking the lower
squirrel that says: "log hier direct in". Provide with any name and 5 digit
password. Clicking OK on the popup will crash Mozilla.

Comment 18

[Neil Paris]

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316

Could not crash with any URL listed, nor with the testcase.

Comment 19

[Andrew Schultz]

testcase (as html) still crashes for me with linux trunk 2004033007.

Comment 20

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 117821 [details] [diff] [review]
Would this fix it?

Yeah, this seems reasonable....

Comment 21

[Brendan Eich [:brendan]]

Noting blocking-aviary1.0PR1 and blocking-1.7.3.

/be

Comment 22

[Brendan Eich [:brendan]]

Comment on attachment 117821 [details] [diff] [review]
Would this fix it?

a=brendan@mozilla.org for aviary1.0PR1 and 1.7.3.

/be

Comment 23

[Johnny Stenback (:jst)]

Fixed on trunk, aviary and 1.7 branches.

Comment 24

[Axel Hecht]

This patch regressed clicking links on XSLT generated links, see bug 256514.