Closed Bug 278019 Opened 20 years ago Closed 20 years ago

FF10 crash [@ nsPasswordManager::Notify]

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Version:
1.7 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jay, Assigned: shaver)

References

(
URL
)

Details

(Keywords: crash, fixed-aviary1.0.1, topcrash)

Crash Data

Attachments

(2 files)

Use GetOwnerDoc instead of GetDocument, to avoid crashing if the document has been torn down before we get here.
629 bytes, patch
jst
: review+
bryner
: superreview+
Details | Diff | Splinter Review
Same thing for the 1.0.1 branch
1.21 KB, patch
shaver
: review+
dveditz
: approval-aviary1.0.1+
Details | Diff | Splinter Review 
This is a topcrasher with Firefox 1.0 and although the user comments and urls
vary, this seems to be a consistent crash according to the stack traces.  

A few of the comments mention going from a secure site to an unencrypted page
and I have tried a few of the cases, but have not seen any problems.

Here is a Talkback query for all nsPasswordManager::Notify crashes:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=+nsPasswordManager%3A%3ANotify&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

And a recent incident with stack:
Incident ID: 2981472
Stack Signature	nsPasswordManager::Notify 57c26fff
Product ID	Firefox10
Build ID	2004110711
Trigger Time	2005-01-10 08:21:19.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (003ea98c)
URL visited	fidelity.com
User Comments	in going from a secure Fidelity site to a non-secure Fidelity
site, it asks if it's ok, when I click OK, Firefox "must close". This has
happened several times. If I remember and click Cancel, it seems to work fine.
Since Last Crash	460247 sec
Total Uptime	532203 sec
Trigger Reason	Access violation
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/toolkit/components/passwordmgr/base/nsPasswordManager.cpp,
line 1001
Stack Trace 	
nsPasswordManager::Notify 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/toolkit/components/passwordmgr/base/nsPasswordManager.cpp,
line 1001]
nsHTMLFormElement::NotifySubmitObservers 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp,
line 1029]
nsHTMLFormElement::SubmitSubmission 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp,
line 942]
nsHTMLFormElement::DoSubmit 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp,
line 870]
nsHTMLFormElement::DoSubmitOrReset 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp,
line 797]
nsHTMLFormElement::HandleDOMEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLFormElement.cpp,
line 756]
PresShell::HandleDOMEventWithTarget 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6139]
nsHTMLInputElement::HandleDOMEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1612]
PresShell::HandleDOMEventWithTarget 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6139]
nsHTMLInputElement::MaybeSubmitForm 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 991]
nsHTMLInputElement::HandleDOMEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1539]
PresShell::HandleEventInternal 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6059]
PresShell::HandleEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2280]
nsViewManager::DispatchEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2066]
HandleEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::DispatchKeyEvent 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 2978]
nsWindow::OnChar 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3162]
nsWindow::ProcessMessage 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 3878]
nsWindow::WindowProc 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 159]
nsAppShellService::Run 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
main 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp,
line 58]
kernel32.dll + 0x16d4f (0x7c816d4f)
nominating topcrash
Flags: blocking-aviary1.0.1?
Assignee: bryner → shaver
Status: NEW → ASSIGNED

        Attachment #173401 -
        Flags: superreview?(bryner)

        Attachment #173401 -
        Flags: review?(jst)

    
    

    
  
blocking 1.0.1.  Is this needed for the 1.7 branch?
Flags: blocking-aviary1.0.1? → blocking-aviary1.0.1+

    
    

    
  
Comment on attachment 173401 [details] [diff] [review]
Use GetOwnerDoc instead of GetDocument, to avoid crashing if the document has been torn down before we get here.

r=jst

        Attachment #173401 -
        Flags: review?(jst) → review+

    
    

    
  
(In reply to comment #2)
> Created an attachment (id=173401) [edit]
> Use GetOwnerDoc instead of GetDocument, to avoid crashing if the document has
> been torn down before we get here.
> 

1. Going on the theory that the secure -> insecure form submission dialog causes
the document to be torn down prematurely... please file a bug on fixing that
underlying problem.

2. I think I'd rather have this use GetCurrentDoc() and null-check the result. 
That will cause form data capture for this case to fail until (1) is fixed.  But
it seems more correct than capturing data for a form that was perhaps
constructed via script and never inserted into the document.  For now, it may be
more important to get this working without a fix for (1), so I'd be ok with this
patch and a comment referencing the bug about the premature teardown.


        Attachment #173401 -
        Flags: superreview?(bryner) → superreview+

    
    

    
  


  
I initially thought we'd need to do this through the DOM interfaces on the
branch (since there is no GetOwnerDoc() method in nsIContent there, but after
looking at the code it seems safe to assume that aFormNode is an element, and
then it's safe to get to the owner document through the elements nodeinfo
(which is what GetOwnerDoc() does too). So that's what this patch does...

    
    

    
  
Comment on attachment 173675 [details] [diff] [review]
Same thing for the 1.0.1 branch

Thanks!

        Attachment #173675 -
        Flags: review+

        Attachment #173675 -
        Flags: approval-aviary1.0.1?

    
    

    
  
Comment on attachment 173675 [details] [diff] [review]
Same thing for the 1.0.1 branch

a=dveditz for the 1.0.1 branch.

        Attachment #173675 -
        Flags: approval-aviary1.0.1? → approval-aviary1.0.1+

    
    

    
  
Fix landed on the 1.0.1 branch.
Keywords: fixed-aviary1.0.1

    
    

    
  
shaver, has this landed on the trunk ?

    
    

    
  
yusufg: sure looks like it from
http://lxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/base/nsPasswordManager.cpp#998
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
    

    
  
Verified Fixed based on latest Firefox 1.0.1 Talkback data.
Status: RESOLVED → VERIFIED
Product: Firefox → Toolkit
Crash Signature: [@ nsPasswordManager::Notify]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: