crash when visiting www.jeep.com

VERIFIED FIXED in M17

Status

()

Core
HTML: Form Submission
P3
critical
VERIFIED FIXED
19 years ago
19 years ago

People

(Reporter: dougt, Assigned: Eric Pollmann)

Tracking

({crash})

Trunk
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [PDT+] w/b minus on 3/10 - Need build later than 3/9 to verify)

(Reporter)

Description

19 years ago
I am trying to get a price for a jeep, and I crash:

nsVoidArray::Count() line 43 + 3 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x04b6bf10, nsEvent * 
0x0012f780, nsIDOMEvent * * 0x0012f734, unsigned int 0x00000007, nsEventStatus * 
0x0012f7a0) line 1124 + 42 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x04b6bf10, nsEvent * 
0x0012f780, nsIDOMEvent * * 0x0012f734, unsigned int 0x00000001, nsEventStatus * 
0x0012f7a0) line 1010
nsHTMLFormElement::HandleDOMEvent(nsHTMLFormElement * const 0x049be0d0, 
nsIPresContext * 0x04b6bf10, nsEvent * 0x0012f780, nsIDOMEvent * * 0x00000000, 
unsigned int 0x00000001, nsEventStatus * 0x0012f7a0) line 465
nsImageControlFrame::MouseClicked(nsIPresContext * 0x04b6bf10) line 456
nsImageControlFrame::HandleEvent(nsImageControlFrame * const 0x032a9e9c, 
nsIPresContext * 0x04b6bf10, nsGUIEvent * 0x0012fad4, nsEventStatus * 
0x0012f9e0) line 305
PresShell::HandleEvent(PresShell * const 0x04b66be4, nsIView * 0x04a592f0, 
nsGUIEvent * 0x0012fad4, nsEventStatus * 0x0012f9e0) line 2950 + 38 bytes
nsView::HandleEvent(nsView * const 0x04a592f0, nsGUIEvent * 0x0012fad4, unsigned 
int 0x00000008, nsEventStatus * 0x0012f9e0, int & 0x00000000) line 799
nsView::HandleEvent(nsView * const 0x04bb1a40, nsGUIEvent * 0x0012fad4, unsigned 
int 0x00000008, nsEventStatus * 0x0012f9e0, int & 0x00000000) line 784
nsView::HandleEvent(nsView * const 0x04bb0230, nsGUIEvent * 0x0012fad4, unsigned 
int 0x00000008, nsEventStatus * 0x0012f9e0, int & 0x00000000) line 784
nsView::HandleEvent(nsView * const 0x04b657a0, nsGUIEvent * 0x0012fad4, unsigned 
int 0x0000001c, nsEventStatus * 0x0012f9e0, int & 0x00000000) line 784
nsViewManager2::DispatchEvent(nsViewManager2 * const 0x04b65a20, nsGUIEvent * 
0x0012fad4, nsEventStatus * 0x0012f9e0) line 1216
HandleEvent(nsGUIEvent * 0x0012fad4) line 69
nsWindow::DispatchEvent(nsWindow * const 0x04bb0114, nsGUIEvent * 0x0012fad4, 
nsEventStatus & nsEventStatus_eIgnore) line 493 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fad4) line 514
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) line 
2938 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) 
line 3156
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long 
0x007a004b, long * 0x0012fd60) line 2243 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x009504e4, unsigned int 0x00000202, unsigned int 
0x00000000, long 0x007a004b) line 671 + 27 bytes
USER32! 77e71820()
00



Steps to reproduce:

1. goto http://www.jeepunpaved.com/grand_cherokee/frameset_grand_cherokee.html
2. click CA in popdown list
3. click the select button.
(Reporter)

Comment 1

19 years ago
moving to form submission after looking at the stack.
Component: Browser-General → Form Submission

Comment 2

19 years ago
updating component owner 
Assignee: cbegle → karnaze
QA Contact: asadotzler → ckritzer

Comment 3

19 years ago
Reassigning to Joki.
Assignee: karnaze → joki

Updated

19 years ago
Severity: normal → critical
Keywords: crash
Marking M17.
Target Milestone: M17
(Reporter)

Comment 5

19 years ago
I can't buy my jeep until m17?!  Adding beta1 to the keywords.  
Keywords: beta1

Comment 6

19 years ago
I'm sorry, I'm not seeing a dropdown with CA in it at that URL?  Little help?
(Reporter)

Comment 7

19 years ago
click on "Price" at the top of the page.

Comment 8

19 years ago
This works in today's debug build
(Reporter)

Comment 9

19 years ago
I am using this morning commercial build, and the crash still happens.

Comment 10

19 years ago
[PDT+] w/b minus on 3/10
Whiteboard: [PDT+] w/b minus on 3/10

Comment 11

19 years ago
I've looked at this a bit and can add some detail:

When we get to the loop at nsEventListenerManager.cpp:1124,
mFormListeners->Count() is 1.  But when we get to the end of the loop at line
1195 after calling HandleEventSubType(), things have gotten fouled up, and when
we get back to the loop to check, mFormListeners is now null and we crash when
we dereference it.

Guarding against that by storing the count in a local variable doesn't help;
then we crash a bit later, after asserting " No document found in Form Submit!"
followed by an assertion about dereferencing a null nsCOMPtr.  So I guess
mFormListeners isn't the only thing getting stomped.

Comment 12

19 years ago
Okay, fix in hand.  Looking for checkin approval person.
Status: NEW → ASSIGNED
Whiteboard: [PDT+] w/b minus on 3/10 → [PDT+] fix in hand, w/b minus on 3/10

Comment 13

19 years ago
*** Bug 29175 has been marked as a duplicate of this bug. ***

Comment 14

19 years ago
Okay, closing a window during onsubmit, or any other event should be okay now.
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED
Whiteboard: [PDT+] fix in hand, w/b minus on 3/10 → [PDT+] w/b minus on 3/10

Comment 15

19 years ago
This sucks but I have to reopen this.  When I put the the fix for the crashing 
stack listed below I ran into another crash in nsFormFrame::OnSubmit due to a 
null document.  I thought I could fix that by mucking with the event's 
consumption state but I was wrong.  Painfully wrong.  Anyway, I'm reopening this 
and giving it to the 'owner' of the nsFormFrame stuff.  Seems like its either 
pollmann or karnaze.  Since I've given pollmann a fair number of bugs this one 
goes to karnaze.  I'll just cc pollmann.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 16

19 years ago
Actually, I changed my mind.  Giving to pollmann after all.  
nsFormFrame::OnSubmit needs to be made safe in the case where the document has 
disappeared.
Assignee: joki → pollmann
Status: REOPENED → NEW
(Assignee)

Comment 17

19 years ago
I think it might be safest to just exit when we realize there is no document in
form submit (return NS_OK);  There is not going to be any way to determine what
URL we should submit to anyway.  I've remove the assert there, and turned it
into return NS_OK.  I'll test this and see if it fixes the crash.
Status: NEW → ASSIGNED
(Assignee)

Comment 18

19 years ago
Yep, that does the trick - no more assertions/crashes.

The problem was that after we updated the opening window's URL and then closed
ourself, we still tried to submit because they didn't return FALSE in the
OnSubmit handler like they should have.  The check-for-null I just added in
nsFormFrame::OnSubmit prevents this from happening.
Whiteboard: [PDT+] w/b minus on 3/10 → [PDT+] w/b minus on 3/10, fix in hand, need approval
(Assignee)

Comment 19

19 years ago
Fix checked in.  To verify, go to the jeep page in question and go get a price
quit, you should not see a crash.  Thanks!
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago19 years ago
Resolution: --- → FIXED
Whiteboard: [PDT+] w/b minus on 3/10, fix in hand, need approval → [PDT+] w/b minus on 3/10
(Assignee)

Comment 20

19 years ago
s/quit/quote/.  Apparently my typing skills could use some improvement. ;)

Updated

19 years ago
Whiteboard: [PDT+] w/b minus on 3/10 → [PDT+] w/b minus on 3/10 - Need build later than 3/9 to verify
(Reporter)

Comment 21

19 years ago
awesome, now I can buy a jeep... wonder if I can expense this for testing
purposes...  :-)
(Assignee)

Comment 22

19 years ago
If you find out you can, let me know, because I had two buy three in the course
of fixing this bug.  ;)

Comment 23

19 years ago
Verified with 03-10-09
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.