Closed Bug 303981 Opened 19 years ago Closed 19 years ago

crash after following javascript link to open new window

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: franklin, Unassigned)

References

(
URL
)

Details

(Keywords: crash, regression, verified1.8)

Attachments

(2 files)

Make sure document always points to the current document. Also fixes bug 304459.
14.66 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
Updated diff
15.69 KB, patch
brendan
: superreview+
brendan
: approval1.8b4+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050806 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050806 Firefox/1.0+ When you go to the page http://www.costco.com/Tires/SearchResult.aspx?IV=true&YW=2000&MA=HONDA&MD=Accord+DX+4+Dr.&SP=0&MN=3095&cat=3962&MNo=0 and click the link entitled "Click here for information on tire sizing or if you are unsure of your vehicle's fitment requirements" it calls function ShowWindow() which promptly crashes Firefox. It spawns a popup window but crashes before loading the intended page. This is filed under Javascript because the page that the JS link is supposed to open in the new window (http://www.costco.com/Tires/SizeInformation.aspx) does not cause any problems. Reproducible: Always Steps to Reproduce: 1. Go to http://www.costco.com/Tires/SearchResult.aspx?IV=true&YW=2000&MA=HONDA&MD=Accord+DX+4+Dr.&SP=0&MN=3095&cat=3962&MNo=0 2. Click link near top of page "Click here for information on tire sizing or if you are unsure of your vehicle's fitment requirements" Actual Results: Program crashed Expected Results: Page should have opened in popup window Talkback ID numbers: TB8205791E and TB8205725Y
Not JS Engine afaict, over to to DOM Core since the crashing line is PRInt32 namespaceID = aContent->GetCurrentDoc()->GetDefaultNamespaceID(); but that is just a guess. nsHTMLDocument::MatchLinks(nsIContent * 0x041b9b48, int 0x00000000, nsIAtom * 0x00000000, const nsAString_internal & {...}) line 1700 + 14 bytes nsContentList::Match(nsIContent * 0x041b9b48) line 699 + 36 bytes nsContentList::PopulateWith(nsIContent * 0x041b9b48, int 0x00000001, unsigned int & 0xffffffff) line 771 + 12 bytes nsContentList::PopulateSelf(unsigned int 0xffffffff) line 868 nsContentList::BringSelfUpToDate(int 0x00000001) line 973 nsContentList::Length(int 0x00000001) line 418 nsContentList::GetLength(nsContentList * const 0x041ba458, unsigned int * 0x0012e7b0) line 489 + 10 bytes XPTC_InvokeByIndex(nsISupports * 0x041ba458, unsigned int 0x00000004, unsigned int 0x00000001, nsXPTCVariant * 0x0012e7b0) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_GETTER) line 2119 + 43 bytes XPCWrappedNative::GetAttribute(XPCCallContext & {...}) line 1918 + 14 bytes XPC_WN_GetterSetter(JSContext * 0x03df0d40, JSObject * 0x0398ad20, unsigned int 0x00000000, long * 0x04248e10, long * 0x0012ea94) line 1433 + 12 bytes js_Invoke(JSContext * 0x03df0d40, unsigned int 0x00000000, unsigned int 0x00000002) line 1173 + 23 bytes js_InternalInvoke(JSContext * 0x03df0d40, JSObject * 0x0398ad20, long 0x0398ad40, unsigned int 0x00000000, unsigned int 0x00000000, long * 0x00000000, long * 0x0012f528) line 1270 + 20 bytes js_InternalGetOrSet(JSContext * 0x03df0d40, JSObject * 0x0398ad20, long 0x00b2ea68, long 0x0398ad40, int 0x00000004, unsigned int 0x00000000, long * 0x00000000, long * 0x0012f528) line 1313 + 31 bytes js_GetProperty(JSContext * 0x03df0d40, JSObject * 0x0398ad20, long 0x00b2ea68, long * 0x0012f528) line 2843 + 51 bytes js_Interpret(JSContext * 0x03df0d40, unsigned char * 0x04209735, long * 0x0012f61c) line 3290 + 1641 bytes js_Execute(JSContext * 0x03df0d40, JSObject * 0x041ba930, JSScript * 0x04279d38, JSStackFrame * 0x00000000, unsigned int 0x00000000, long * 0x0012f724) line 1403 + 19 bytes JS_EvaluateUCScriptForPrincipals(JSContext * 0x03df0d40, JSObject * 0x041ba930, JSPrincipals * 0x037e4efc, const unsigned short * 0x04200338, unsigned int 0x00003e78, const char * 0x03e235c8, unsigned int 0x00000001, long * 0x0012f724) line 3854 + 25 bytes nsJSContext::EvaluateString(const nsAString_internal & {...}, void * 0x041ba930, nsIPrincipal * 0x037e4ef8, const char * 0x03e235c8, unsigned int 0x00000001, const char * 0x100da83c _js_default_str, nsAString_internal * 0x00000000, int * 0x0012f788) line 1060 + 67 bytes nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03a82cc8, const nsString & {...}) line 757 nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03a82cc8) line 658 + 22 bytes nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x0420f73c, nsIStreamLoader * 0x03886b18, nsISupports * 0x03a82cc8, unsigned int 0x00000000, unsigned int 0x00003e78, const unsigned char * 0x04255018) line 1020 nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03886b1c, nsIRequest * 0x03bca778, nsISupports * 0x03a82cc8, unsigned int 0x00000000) line 137 nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03bca780, nsIRequest * 0x03d57458, nsISupports * 0x03a82cc8, unsigned int 0x00000000) line 4061 nsInputStreamPump::OnStateStop() line 507 nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03d5745c, nsIAsyncInputStream * 0x04236160) line 343 + 11 bytes nsInputStreamReadyEvent::EventHandler(PLEvent * 0x041b952c) line 120 PL_HandleEvent(PLEvent * 0x041b952c) line 688 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00b3d790) line 623 + 9 bytes _md_EventReceiverProc(HWND__ * 0x003d017c, unsigned int 0x0000c0ee, unsigned int 0x00000000, long 0x00b3d790) line 1408 + 9 bytes USER32! 77d48734() USER32! 77d48816() USER32! 77d489cd() USER32! 77d48a10() nsAppShell::Run(nsAppShell * const 0x00da8680) line 135 nsAppStartup::Run(nsAppStartup * const 0x00da85e0) line 145 + 26 bytes XRE_main(int 0x00000003, char * * 0x003f7830, const nsXREAppData * 0x0042201c kAppData) line 2324 + 35 bytes main(int 0x00000003, char * * 0x003f7830) line 61 + 18 bytes mainCRTStartup() line 338 + 17 bytes namespaceID 0x0012e5b4 - aContent 0x041b9b48 + [nsHTMLHtmlElement] {...} + nsISupports {...} sTabFocusModel 0x00000007 sTabFocusModelAppliesToXUL 0x00000000 mParentPtrBits 0x00000000 aNamespaceID 0x00000000 - aAtom 0x00000000 + nsISupports {...} - aData {...} mVTable 0x00343bb0 const nsObsoleteAStringThunk::`vftable' + mData 0x00343ba4 "" mLength 0x00000000 mFlags 0x00000001 - ni 0x041b9aa8 + [nsNodeInfo] {...} + nsISupports {...} + mInner {...} + mIDAttributeAtom {...} + mOwnerManager 0x03db9730
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
err, really assigning to dom core this time.
Assignee: general → general
Component: JavaScript Engine → DOM: Core
QA Contact: general → ian
offhand, i believe this means GetCurrentDoc() is 0 and that'd be fairly unhappy
Works in 2005-07-30 build, crashes in 2005-07-31 build. Probably a fall-out from bug 296639.
Blocks: splitwindows
Keywords: regression
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050806 SeaMonkey/1.0a Firefox 1.0.6 opens a pop-up, Seamonkey opens a new tab and resizes and positions itself like the pop-up seen on Firefox 1.0.6. I also noticed the page didn't stop loading first time. view-source:http://www.costco.com/Tires/SizeInformation.aspx shows JS preceding the HTML: <script language="javascript1.1" src="/Coremetrics/v40/eluminate.js" type="text/javascript"></script><script language="javascript1.1" src="/Coremetrics/cmdatatagutils.inc" type="text/javascript"></script><script language="javascript1.1" type="text/javascript">cmSetProduction();cmCreatePageviewTag('/Tires/SizeInformation.aspx','','BC-Misc');</script><!-- page rendered by: 14 , at time: 8/9/2005 4:28:39 AM //--> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> ..... http://www.costco.com/Coremetrics/v40/eluminate.js http://www.costco.com/Coremetrics/cmdatatagutils.inc First file is a long one-liner seen only on horizontal scrolling, 2nd file is of type application/octet-stream.
Blocks: 304093
The reason for this crash was that the site ended up using a document object that's no longer the current document, the reason for that was that we ended up reusing the inner window here, but we never cleared the cached "document" property, so the site was stuck with a reference to an old (about:blank) document. This also fixes bug 304459 which is not really related, but since I had to move the same scope clearing code around in both bugs I didn't see a good way to post two separate patches. The Freeze/Thaw/IsFrozen changes are specific to the fix for bug 304459.
Attachment #193083 - Flags: superreview?(brendan)
Attachment #193083 - Flags: review?(mrbkap)
Comment on attachment 193083 [details] [diff] [review] Make sure document always points to the current document. Also fixes bug 304459. >+ // Make sure to clear scope on the outer window *before* we >+ // initialize the new inner window. If we don't, things >+ // (Object.prototype etc) could leak from the old outer to the new >+ // inner scope. >+ ::JS_ClearScope(cx, mJSObject); >+ ::JS_ClearWatchPointsForObject(cx, mJSObject); Nit: extra newline here. >+ // Clear the regexp statics for the new page unconditionally. >+ // XXX They don't get restored on the inner window when we go back. >+ ::JS_ClearRegExpStatics(cx); That way this paragraph stands out better. So which bug was fixed by this JS_Clear* movement up to earlier in SetNewDocument? >+ // [This happens with Object.prototype when XPConnect creates >+ // a temporary global while initializing classes; the reason >+ // being that xpconnect creates the temp global w/o a parent >+ // and proto, which makes the JS engine look up classes in >+ // cx->globalObject, i.e. this outer windo]. Missing w in "windo". >+ >+ Freeze(); >+ >+ mInnerWindow = nsnull; Spacey! Would it hurt to lose one of the blank lines here, and after the InitClasses... call? >+ > nsresult rv = xpc-> > InitClassesWithNewWrappedGlobal(cx, sgo, NS_GET_IID(nsISupports), > flags, > getter_AddRefs(mInnerWindowHolder)); >+ >+ Thaw(); >+ > NS_ENSURE_SUCCESS(rv, rv); > > mInnerWindowHolder->GetJSObject(&newInnerWindow->mJSObject); > } > > if (currentInner && currentInner->mJSObject) { > if (mNavigator && !aState) { > // Hold on to the navigator wrapper so that we can set > // window.navigator in the new window to point to the same [snip...] > // Give the new inner window our chrome event handler (since it > // doesn't have one). > newInnerWindow->mChromeEventHandler = mChromeEventHandler; > } >- } > >- if (scx && IsOuterWindow()) { Isn't scx potentially null throughout its live extent? > // Add an extra ref in case we release mContext during GC. > nsCOMPtr<nsIScriptContext> kungFuDeathGrip = scx; > scx->GC(); > > scx->DidInitializeContext(); > } Clearing sr request pending answers -- sorry if I'm not reading enough, I didn't get enough sleep last night! /be
Attachment #193083 - Flags: superreview?(brendan)
Comment on attachment 193083 [details] [diff] [review] Make sure document always points to the current document. Also fixes bug 304459. >Index: dom/src/base/nsGlobalWindow.cpp >+ // cx->globalObject, i.e. this outer windo]. Nit: "outer window" >Index: dom/src/base/nsGlobalWindow.h >+ // This member is also used on both, but for slightly different rep ,"on both windows", perhaps? ?spahrep , r=mrbkap
Attachment #193083 - Flags: review?(mrbkap) → review+
Um, what? :)
New patch coming up with brendan's comments addressed later today (hopefully).
(In reply to comment #7) > So which bug was fixed by this JS_Clear* movement up to earlier in > SetNewDocument? That's needed for both, conceptually at least. For this bug we need to make sure to clear a possibly cached "document" property on the outer (not that I've verified that that's actually needed), for the other bug we need to clear scope early to prevent Object.prototype from leaking through to the new inner. New patch coming up that fixes the rest of your comments.
Attached patch Updated diffSplinter Review
Attachment #193129 - Flags: superreview?(brendan)
Comment on attachment 193129 [details] [diff] [review] Updated diff Thanks, this makes more sense now, although I am looking forward to a 1.9-soon patch to clean up control flow in SetNewDocument as discussed the other day! /be
Attachment #193129 - Flags: superreview?(brendan)
Attachment #193129 - Flags: superreview+
Attachment #193129 - Flags: approval1.8b4+
Fixed on trunk and branch.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
(In reply to comment #9) > Um, what? :) I think the weird comment you're seeing in comment 8, could be bug 305239
Depends on: 305288
I think this patch broke the preferences dialog on Mac OS X for Thunderbird and Firefox. See Bug 305288 for more details. I haven't started to figure out why it broke preferences yet.
Depends on: 305421
Blocks: 307255
Johnny, can you look at the regression over at bug 307255?
Status: RESOLVED → VERIFIED
Keywords: fixed1.8verified1.8
Component: DOM: Core → DOM: Core & HTML
QA Contact: ian → general
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: