Closed
Bug 264873
Opened 20 years ago
Closed 20 years ago
[FIXr]onblur="window.close <-- pressing tab makes it crash [@ PresShell::ScrollFrameIntoView]
Categories
(Core :: Layout, defect, P1)
Core
Layout
Tracking
()
RESOLVED
FIXED
mozilla1.8beta1
People
(Reporter: ed, Assigned: bzbarsky)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
1.31 KB,
patch
|
MatsPalmgren_bugz
:
review+
bryner
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 guess the same as https://bugzilla.mozilla.org/show_bug.cgi?id=239563 , but on tab press Reproducible: Always Steps to Reproduce: 1. open a window using window.open 2. make sure the popup contains OnBlur="javascript:window.close()" 3. press TAB having the popup focussed Actual Results: mozilla exited, error occured Expected Results: window close or stay, dont really matter tried on 1.7.2, 1.7.3 and 2 other pc's
Confirmed Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 StumbleUpon/1.998
Comment 2•20 years ago
|
||
I crash with the URL testcase with Mozilla 1.7. Talkback ID: TB1373520M http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1373520M But I don't crash with: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a5) Gecko/20041017 Firefox/0.9.1+
Comment 3•20 years ago
|
||
Happening on Aviary too. Confirming. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041017 Firefox/1.0 Talkback submitted but talkback-public "quick search" seems totally broken, so I can't get the ID. You MUST load the pop-up as a pop-up. There is no crash if you load http://home.hccnet.nl/de.graaff/popup.html directly in the main window. Load http://home.hccnet.nl/de.graaff/popupcaller.html then manually open the pop-up from the "blocked pop-up" status or info bars. Mousing in and out of the window calls the onblur, but there is no crash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: general → nobody
Component: Browser-General → Layout: Misc Code
QA Contact: general → core.layout.misc-code
Summary: onblur="window.close <-- pressing tab makes it crash → onblur="window.close <-- pressing tab makes it crash [@ PresShell::ScrollFrameIntoView]
Assignee | ||
Comment 4•20 years ago
|
||
The basic problem here is that the ShiftFocusInternal() code goes through, gets the nextFocusFrame, then calls: SetContentState(nsnull, NS_EVENT_STATE_FOCUS); presShell->ScrollFrameIntoView(nextFocusFrame, NS_PRESSHELL_SCROLL_ANYWHERE, NS_PRESSHELL_SCROLL_ANYWHERE); (this the the "if (sub_shell)" case). The problem is that SetContentState fires focus/blur event handlers, which can destroy nextFocusFrame (and for that matter, destroy presShell, since we're not holding a strong ref to it). So we're calling ScrollFrameIntoView on a deleted destroyed frame, and end up crashing when we try to call aFrame->GetContent()->GetDocument() because aFrame->mContnet is 0xdddddddd. This code really should not be holding pointers to non-refcounted objects across event dispatch. In particular, it should reget nextFocusFrame after calling SetContentState(). And it needs to hold a strong ref to the presshell.
OS: Windows XP → All
Hardware: PC → All
Comment 5•20 years ago
|
||
In reply to comment #4) > SetContentState(nsnull, NS_EVENT_STATE_FOCUS); > presShell->ScrollFrameIntoView(nextFocusFrame, > NS_PRESSHELL_SCROLL_ANYWHERE, > NS_PRESSHELL_SCROLL_ANYWHERE); > I think we should just try reversing the order of these two calls. I can't think of any particular reason why the scrolling has to happen have to the setcontentstate call.
Assignee | ||
Comment 6•20 years ago
|
||
That makes sense to me...
Assignee | ||
Updated•20 years ago
|
Attachment #163324 -
Flags: superreview?(bryner)
Attachment #163324 -
Flags: review?(mats.palmgren)
Comment 7•20 years ago
|
||
Comment on attachment 163324 [details] [diff] [review] Patch to that effect Looks good to me too.
Attachment #163324 -
Flags: review?(mats.palmgren) → review+
Assignee | ||
Updated•20 years ago
|
Assignee: nobody → bzbarsky
Priority: -- → P1
Summary: onblur="window.close <-- pressing tab makes it crash [@ PresShell::ScrollFrameIntoView] → [FIX]onblur="window.close <-- pressing tab makes it crash [@ PresShell::ScrollFrameIntoView]
Target Milestone: --- → mozilla1.8beta
Comment 8•20 years ago
|
||
Comment on attachment 163324 [details] [diff] [review] Patch to that effect Sure, looks fine. I'd love to have a generic solution to the problem of holding weak pointers to objects across event dispatch. There are just too many places that this comes up for us to find them all. Maybe we could make all object destruction (dom nodes, frames, presentation objects) be deleted on an event, after we've unwound from the event handling code.
Attachment #163324 -
Flags: superreview?(bryner) → superreview+
Assignee | ||
Updated•20 years ago
|
Summary: [FIX]onblur="window.close <-- pressing tab makes it crash [@ PresShell::ScrollFrameIntoView] → [FIXr]onblur="window.close <-- pressing tab makes it crash [@ PresShell::ScrollFrameIntoView]
Assignee | ||
Comment 9•20 years ago
|
||
Fixed for 1.8b
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ PresShell::ScrollFrameIntoView]
Updated•6 years ago
|
Product: Core → Core Graveyard
Updated•6 years ago
|
Component: Layout: Misc Code → Layout
Product: Core Graveyard → Core
You need to log in
before you can comment on or make changes to this bug.
Description
•