308025 - Crash if JavaScript Window.close() is executed within field onchange [@ nsEventStateManager::ShiftFocusInternal]

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect)

Description

[Dave Gardner]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

A JavaScript like the following causes all instances of the browser to crash:
<input type="text" name="bogus" onchange="window.close();"/>
In my case I actually executed a seperate JavaScript function which had a
window.close() within it.

Reproducible: Always

Steps to Reproduce:
1.Enter something in the field and press tab to move to another field.

Actual Results:  
All instances of the browser crashed.

Expected Results:  
Gracefully close just the browser window the field was in.

Comment 1

[Peter van der Woude [:Peter6]]

Attachment: testcase

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050910
Firefox/1.4 ID:2005091004

WFM

Comment 2

[Hermann Schwab]

testcase wfm Firefox 1.0.6, Seamonkey trunk.
Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.10) Gecko/20050715 Firefox/1.0.6
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050910 SeaMonkey/1.1a

I'm closing this bug as 'invalid', as you are using a more than half year old
Firefox 1.0.2. Feel free to reopen, if you can demonstrate a testcase crashing
on a current branch 1.0.6, or current beta, or current trunk nightlie.

http://www.mozilla.org/quality/bug-writing-guidelines.html

Comment 3

[Dave Gardner]

Ok, I downloaded and tested the same scenario under Firefox 1.5 beta 1. Still
blows the browser shutting down all instances. Below are two short HTML pages
that demonstrate the error.
testa.html:
<html>
  <script language="JavaScript">
    function doOpen() {
     
newwin=window.open('testb.html','dd','top=150,left=150,width=325,height=300',false);
      if (!newwin.opener) newwin.opener=self;
      newwin.focus();
    }
  </script>
  <body>
    <form action="test">
      <input type="button" value="Open Subwindow" onclick="doOpen();"/>
    </form>
  </body>
</html>

and testb.html:
<html>
  <body>
    <form action="test">
      <input type="text" onchange="window.close();"/>
    </form>
  </body>
</html>

Comment 4

[Peter van der Woude [:Peter6]]

(In reply to comment #3)
> Ok, I downloaded and tested the same scenario under Firefox 1.5 beta 1. Still
> blows the browser shutting down all instances. Below are two short HTML pages
> that demonstrate the error.
> testa.html:
> <html>
>   <script language="JavaScript">
>     function doOpen() {
>      
>
newwin=window.open('testb.html','dd','top=150,left=150,width=325,height=300',false);
>       if (!newwin.opener) newwin.opener=self;
>       newwin.focus();
>     }
>   </script>
>   <body>
>     <form action="test">
>       <input type="button" value="Open Subwindow" onclick="doOpen();"/>
>     </form>
>   </body>
> </html>
> 
> and testb.html:
> <html>
>   <body>
>     <form action="test">
>       <input type="text" onchange="window.close();"/>
>     </form>
>   </body>
> </html>
> 

Your testcase tasta.html->testb.html still WFM

try in -safemode because it's most probably an extension that messes things up

Comment 5

[Erik Fabert]

Attachment: another testcase

Crashes for me, too and I don't have any extensions except DOMI and Reporter
installed. Talkback id TB9250679Z.

Comment 6

[Gérard Talbot]

No crash when trying attachment 195670 [details] with Seamonkey 1.1a rv: 1.9a1 build
2005091105 under XP Pro SP2 here.
WFM

Comment 7

[Mats Palmgren (inactive)]

Attachment: stack + data

Comment 8

[Mats Palmgren (inactive)]

Attachment: Patch rev. 1

Comment 9

[Mats Palmgren (inactive)]

Attachment: Patch rev. 1 (diff -w)

Comment 10

[Boris Zbarsky [:bzbarsky]]

So why can't you pop out if GetCurrentDoc() is false?

Comment 11

[Mats Palmgren (inactive)]

Attachment: Patch rev. 2

(In reply to comment #10)
> So why can't you pop out if GetCurrentDoc() is false?

ShiftFocus() with a start element that has been removed from the document
isn't useful, I think it will just degenerate into focusing the first element
in the document which probably isn't the right element in most situations.
In the past, we have favored not focusing anything at all rather than
possibly focusing the wrong element.

Here is an alternative patch that fixes the crash but still tries ShiftFocus
from possibly removed content.
I prefer the first patch though, or a combination of the two.

Comment 12

[Mats Palmgren (inactive)]

Attachment: Patch rev. 2 (diff -w)

Comment 13

[Boris Zbarsky [:bzbarsky]]

The point is that just because GetCurrentDoc() is true doesn't mean the node
wasn't removed from the document then reinserted in a different location, or
even in a different document.  So whether you check GetCurrentDoc() or not it
would seem that you have the same problems...

Comment 14

[Mats Palmgren (inactive)]

Ok, so this should cover it then:
if (parentContainer && docContent && docContent->GetCurrentDoc() == parent_doc)

That would shift focus based on the new location in case it moved within the
document but I think we can live with that.

Comment 15

[Boris Zbarsky [:bzbarsky]]

Yeah, if we're willing to move focus based on the new location that would work.

I still want to figure out a way to not fire events completely sync in cases
like this....

Comment 16

[Mats Palmgren (inactive)]

Attachment: Patch rev. 3

Comment 17

[Mats Palmgren (inactive)]

Attachment: Patch rev. 3 (diff -w)

Comment 18

[Mats Palmgren (inactive)]

Checked in to trunk at 2005-09-13 22:03 PDT

-> FIXED

Comment 19

[Stephen Donner [:stephend] Not actively reading bugmail]

Verified FIXED using the testcase at
https://bugzilla.mozilla.org/attachment.cgi?id=195670 with Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050915 Firefox/1.6a1