Closed Bug 232356 Opened 21 years ago Closed 20 years ago

entering parent.close in the console crashes mozilla [@ nsFrameManager::GetPropertyListFor ]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: viklund, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

Crash log
8.35 KB, text/plain
Details
Stacktrace Mozilla debug build 20040604
6.50 KB, text/plain
Details
Hack to make us not crash in the frame constructor when a window is closed that it's making attr change notifications for...
1.62 KB, patch
Details | Diff | Splinter Review
User-Agent: Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113 Start the javascript console and enter parent.close() and the browser and all other running instances of mozilla crash Reproducible: Always Steps to Reproduce: 1. in the menu bar select, tools -> web development -> javascript console 2. enter parent.close() 3. mozilla crashes Actual Results: mozilla crashes Expected Results: It should have displayed the, "Scripts may not close windows that were not opened by script." (as is printed in the console when typing parent.close() in the browser's location bar) This bug is evident in Mozilla 1.4 on SunOS 5.9 and 1.6 on Windows XP as well as the the 0.7 version of MozillaFirebird. Talkback crash ID: TB29515276K
Severity: normal → critical
Keywords: crash
Confirming on Mozilla 2004012705 & 2004011905 with Mac OS 10.2.8. Changing component to DOM (looks similar to bug 100270 but that one is wfm). Crash log is coming...
Assignee: js-console → general
Status: UNCONFIRMED → NEW
Component: JavaScript Console → DOM
Ever confirmed: true
OS: Windows XP → All
QA Contact: jrgmorrison → ian
Attached file Crash log
Hmm, kind of unsure if this actually could belong to layout...
Keywords: clean-report, testcase
Summary: entering parent.close in the console crashes mozilla → entering parent.close in the console crashes mozilla [@ nsFrameManager::GetPropertyListFor ]
*** Bug 265790 has been marked as a duplicate of this bug. ***
*** Bug 242213 has been marked as a duplicate of this bug. ***
Flags: blocking-aviary1.0+
Flags: blocking-aviary1.0+ → blocking-aviary1.0?
Want a fix here, given the dups. Dan, jst, dbaron: any thoughts? /be
Flags: blocking-aviary1.0? → blocking-aviary1.0+
first release candidate builds are being tested and should go out tuesday and need to be tested, but I think we would pick up a good fix for this post RC1 if it comes available.
Blocks: 265962
bug 265790 has the test case....
Mozilla can't possibly ship 1.0 with this bug. I think a release candidate with this bug will be embarrassing. In my admittedly baseless estimation, this will be the most common topcrash Mozilla has ever had. Using tab browsing in its most common post-0.10PR1 configuration, visit: http://www.niho.com/forsale/detail2.asp?prop=241 click on a map picture and close it CRASH (bug 265790) http://cyndilauper.com/pictures_det.php click on a picture and close it CRUNCH (bug 68454) http://popupcheck.com/freescan/popup/popup_test_advanced.asp run test (2) POW (bug 265962) The trick these sites are pulling isn't super common but I think there are other examples. We can't afford to lose the Cyndi fan club, can we?
danm recommends we back out https://bugzilla.mozilla.org/show_bug.cgi?id=263844 to fix this.
So we're crashing (at the most immediate level) because when nsCSSFrameConstructor::ProcessRestyledFrames calls aPresContext->GetFrameManager(), aPresContext's mShell is null, so |frameManager| ends up as 0x18.
he's recommending backing out a fix for a bug filed this october to fix a bug filed this january?
(In reply to comment #9) > http://popupcheck.com/freescan/popup/popup_test_advanced.asp > run test (2) > POW (bug 265962) This is the only one of the three reproducable on Linux, according to Asa, and looks like it's a crash due to deleting a frame twice. So I think there are currently at least three separate crashes covered by this bug, unless somebody knows something more than I do about the underlying cause of the crashes. (If so, please share!)
No longer blocks: 265962
>he's recommending backing out a fix for a bug filed this october to fix a bug >filed this january? Oh. Well my recommendation does fix the crashes listed in comment 9, though as expected it has no effect on this bug. I've just reopened bug 265790 since it's clearly not related. As David has noticed, this bug has collected some false duplicates. I no longer care about this bug. I think it's obscure enough that most people won't notice it. I care about those other three bugs and I still recommend backing out bug 263844 for the painfully imminent RC1.
(I should say rather, this bug may be related to those others in effect, but not in cause. Perhaps the same real fix will apply to all. But backing out bug 263844 will make this bug(s?) much more difficult to stumble upon. It will also of course break bug 263844, bug 264021, and a variety of others. None of which are crashes.)
no longer a serious crash problem with the backout. removing the blocking status.
Flags: blocking-aviary1.0+ → blocking-aviary1.0-
Blocks: 244305
back on the nomination list for discussion
Flags: blocking-aviary1.0- → blocking-aviary1.0?
(In reply to comment #9) > http://www.niho.com/forsale/detail2.asp?prop=241 > click on a map picture and close it > CRASH (bug 265790) > http://cyndilauper.com/pictures_det.php > click on a picture and close it > CRUNCH (bug 68454) > http://popupcheck.com/freescan/popup/popup_test_advanced.asp > run test (2) > POW (bug 265962) These seem to crash again in 20041028.
Entering document.write() seems to run an infinate loop.
Please keep this bug about parent.close(), file additional bugs on other problems with evaluating JS in the console.
(In reply to comment #19) > > http://www.niho.com/forsale/detail2.asp?prop=241 > > click on a map picture and close it > > CRASH (bug 265790) > > http://cyndilauper.com/pictures_det.php > > click on a picture and close it > > CRUNCH (bug 68454) None of those crash here with the 1028 branch build. Can someone confirm either way?
(In reply to comment #22) > (In reply to comment #19) > > > http://www.niho.com/forsale/detail2.asp?prop=241 > > > click on a map picture and close it > > > CRASH (bug 265790) > > > http://cyndilauper.com/pictures_det.php > > > click on a picture and close it > > > CRUNCH (bug 68454) > > None of those crash here with the 1028 branch build. Can someone confirm either way? > Neither do they crash with Mozilla 2004102906 (nightly trunk) on Mac OS 10.3.5.
(In reply to comment #23) > (In reply to comment #22) > > (In reply to comment #19) > > > > http://www.niho.com/forsale/detail2.asp?prop=241 > > > > click on a map picture and close it > > > > CRASH (bug 265790) > > > > http://cyndilauper.com/pictures_det.php > > > > click on a picture and close it > > > > CRUNCH (bug 68454) > > > > None of those crash here with the 1028 branch build. Can someone confirm > either way? > > > > Neither do they crash with Mozilla 2004102906 (nightly trunk) on Mac OS 10.3.5. The maps http://www.niho.com/forsale/detail2.asp?prop=241 and popuptest2 http://popupcheck.com/freescan/popup/popup_test_advanced.asp still crash here (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041029 Firefox/1.0RC1)
(In reply to comment #24) > The maps > http://www.niho.com/forsale/detail2.asp?prop=241 Can you submit talkback data for this crash and give us the incident ID?
(In reply to comment #25) > (In reply to comment #24) > > The maps > > http://www.niho.com/forsale/detail2.asp?prop=241 > > Can you submit talkback data for this crash and give us the incident ID? Yes, ofcourse. Had to try several times this time to get it to crash: Talkback ID: 1600843
The stack for that crash is: nsFrameManager::GetPropertyListFor [nsFrameManager.cpp, line 1879] nsFrame::Destroy [nsFrame.cpp, line 622] nsSubDocumentFrame::Destroy [nsFrameFrame.cpp, line 567] nsFrameList::DestroyFrames [nsFrameList.cpp, line 129] nsBoxFrame::Destroy [nsBoxFrame.cpp, line 1065] nsFrameList::DestroyFrame [nsFrameList.cpp, line 214] nsFrameManager::RemoveFrame [nsFrameManager.cpp, line 757] nsCSSFrameConstructor::ContentRemoved [nsCSSFrameConstructor.cpp, line 9535] PresShell::ContentRemoved [nsPresShell.cpp, line 5278] nsGenericElement::doRemoveChild [nsGenericElement.cpp, line 3122] nsXULElement::RemoveChild [nsXULElement.cpp, line 853] XPCWrappedNative::CallMethod [xpcwrappednative.cpp, line 2034] XPC_WN_CallMethod [xpcwrappednativejsops.cpp, line 1287] js_Invoke [jsinterp.c, line 941] js_Interpret [jsinterp.c, line 2972] js_Invoke [jsinterp.c, line 958] js_InternalInvoke [jsinterp.c, line 1035] JS_CallFunctionValue [jsapi.c, line 3698] nsJSContext::CallEventHandler [nsJSEnvironment.cpp, line 1297] nsJSEventListener::HandleEvent [nsJSEventListener.cpp, line 184] nsEventListenerManager::HandleEventSubType [nsEventListenerManager.cpp, line 1436] nsEventListenerManager::HandleEvent [nsEventListenerManager.cpp, line 1516] nsXULElement::HandleDOMEvent [nsXULElement.cpp, line 2841] nsXULElement::HandleDOMEvent [nsXULElement.cpp, line 2860] nsXULElement::HandleDOMEvent [nsXULElement.cpp, line 2860] PresShell::HandleEventInternal [nsPresShell.cpp, line 6059] PresShell::HandleEventWithTarget [nsPresShell.cpp, line 5984] nsEventStateManager::CheckForAndDispatchClick [nsEventStateManager.cpp, line 2985] nsEventStateManager::PostHandleEvent [nsEventStateManager.cpp, line 1973] PresShell::HandleEventInternal [nsPresShell.cpp, line 6111] PresShell::HandleEvent [nsPresShell.cpp, line 5921] nsViewManager::HandleEvent [nsViewManager.cpp, line 2326] nsViewManager::DispatchEvent [nsViewManager.cpp, line 2066] HandleEvent [nsView.cpp, line 77] nsWindow::DispatchEvent [nsWindow.cpp, line 1067] nsWindow::DispatchMouseEvent [nsWindow.cpp, line 5261] ChildWindow::DispatchMouseEvent [nsWindow.cpp, line 5511] nsWindow::WindowProc [nsWindow.cpp, line 1349] So it looks like there might be more than one crash in the code related to windows closing :-(
I'm almost not able to reproduce the crash. Was able to reproduce it 2 times till now, first time I checked and posted a comment here and the second time after a lot of opening and closing for the trace.
(In reply to comment #28) > I'm almost not able to reproduce the crash. Was able to reproduce it 2 times > till now, first time I checked and posted a comment here and the second time > after a lot of opening and closing for the trace. I figure it out. Steps to reproduce: 1. Open a clean (single) Browser window 2. Browse to this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=232356 3. Middle click this link: http://www.niho.com/forsale/detail2.asp?prop=241 4. Open a Map 5. Close it
too late for a non-topcrash fix.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
I think I have the same crash here. Reproducable: always Steps to reproduce: 1. Make sure you have "browser.link.open_newwindow" setting set to "3" (open new window links in new tab). 2. Visit http://www.eagames.com/redesign/home.jsp and vote for Firefox (or click See results, if you already voted) 3. A window with poll results should open in new tab instead of in new window 4. Close the tab Results: Firefox crashes Expected: Firefox should just close the tab with poll results. If Firefox is set to open new window links in new window it doesn't crash. I have tried this also on Firefox 1.0 Final and it has the same problem. I only tested this in Windows XP but I can also test in Linux later.
WFM with 2004112306/trunk/W2K Anybody is able to reproduce with actual builds?
Can't reproduce on the latest trunk builds. Status: FIXED?
If the fix is not known a bug can not be marked as FIXED.
WFM 2004122204, marking such.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsFrameManager::GetPropertyListFor ]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: