31048 - browser crashes after second javascript error

Status: VERIFIED WORKSFORME

(Core :: DOM: UI Events & Focus Handling, defect, P3)

Description

[Ryan Massie]

BuildID: 2000030516

rpgmaer.com creates javascript errors when you open a link due to the 
advertisement bar at the top of the page. The javascript error dosen't always 
show, but when it does, moz crashes.

Steps to reproduce:
1. open rpgamer.com
2. click on a link
3. repeat until 2 javascript errors have shown
4. crash

Windows 98 dump:
MOZILLA caused a stack fault in module XPCOM.DLL at 0167:60c60f3e.
Registers:
EAX=00000000 CS=0167 EIP=60c60f3e EFLGS=00010293
EBX=00592030 SS=016f ESP=00592000 EBP=0059200c
ECX=00000001 DS=016f ESI=00592088 FS=7c27
EDX=00000025 ES=016f EDI=00000025 GS=0000
Bytes at CS:EIP:
57 ff 75 10 8d 04 41 ff 73 10 ff 36 ff 76 10 ff 
Stack dump:
60c9360c 00000025 00592084 00592044 60c57028 00592088 00592030 00000000 00000025 
00592084 00592084 034506e0 00000025 00000000 00000000 00000000 

Comment: I'm not sure if this is the right component. Sorry if it isn't.

Comment 1

[rogerl (gone)]

I used a debug build from 3/7 and was able to navigate most links back and 
forth for quite a while before finally getting a crash. I finally got this crash 
when following an image link from one of the many 'screens' links from the 
'Legend of Zelda' link on the main page, right hand column.

cdcd0000()
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x03350990, nsEvent * 
0x0012d9e0, nsIDOMEvent * * 0x0012d5c4, unsigned int 0x00000001, nsEventStatus * 
0x0012da04) line 997
nsGenericHTMLElement::HandleDOMEventForAnchors(nsIPresContext * 0x03350990, 
nsEvent * 0x0012d9e0, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, 
nsEventStatus * 0x0012da04) line 804 + 31 bytes
nsHTMLAnchorElement::HandleDOMEvent(nsHTMLAnchorElement * const 0x032d187c, 
nsIPresContext * 0x03350990, nsEvent * 0x0012d9e0, nsIDOMEvent * * 0x00000000, 
unsigned int 0x00000001, nsEventStatus * 0x0012da04) line 342
nsEventStateManager::SendFocusBlur(nsEventStateManager * const 0x03308410, 
nsIPresContext * 0x03350990, nsIContent * 0x032d187c) line 2380
nsEventStateManager::SetContentState(nsEventStateManager * const 0x03308410, 
nsIContent * 0x032d187c, int 0x00000002) line 2164
nsHTMLAnchorElement::SetFocus(nsHTMLAnchorElement * const 0x032d1880, 
nsIPresContext * 0x03350990) line 244
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x02cadf70, 
nsIPresContext * 0x02771350, nsGUIEvent * 0x0012df64, nsIFrame * 0x013610d0, 
nsEventStatus * 0x0012decc, nsIView * 0x02773940) line 563
PresShell::HandleEvent(PresShell * const 0x02773274, nsIView * 0x02773940, 
nsGUIEvent * 0x0012df64, nsEventStatus * 0x0012decc) line 3026 + 43 bytes
nsView::HandleEvent(nsView * const 0x02773940, nsGUIEvent * 0x0012df64, unsigned 
int 0x0000001c, nsEventStatus * 0x0012decc, int & 0x00000000) line 799
nsViewManager2::DispatchEvent(nsViewManager2 * const 0x02773c00, nsGUIEvent * 
0x0012df64, nsEventStatus * 0x0012decc) line 1216
HandleEvent(nsGUIEvent * 0x0012df64) line 69
nsWindow::DispatchEvent(nsWindow * const 0x02773814, nsGUIEvent * 0x0012df64, 
nsEventStatus & nsEventStatus_eIgnore) line 493 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012df64) line 514
nsWindow::DispatchFocus(unsigned int 0x0000006a) line 3103 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000007, unsigned int 0x035b0126, long 
0x00000000, long * 0x0012e1c8) line 2335 + 19 bytes
nsWindow::WindowProc(HWND__ * 0x1a9201b2, unsigned int 0x00000007, unsigned int 
0x035b0126, long 0x00000000) line 671 + 27 bytes
USER32! 77e719d0()
USER32! 77e71982()
NTDLL! 77f763a3()
GlobalWindowImpl::Focus(GlobalWindowImpl * const 0x023ae7c8) line 1222 + 23 
bytes
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012e428) line 519
nsWindow::DispatchEvent(nsWindow * const 0x023ae954, nsGUIEvent * 0x0012e428, 
nsEventStatus & nsEventStatus_eIgnore) line 493 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012e428) line 514
nsWindow::DispatchFocus(unsigned int 0x00000068) line 3103 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000007, unsigned int 0x00000000, long 
0x00000000, long * 0x0012e68c) line 2332 + 19 bytes
nsWindow::WindowProc(HWND__ * 0x035b0126, unsigned int 0x00000007, unsigned int 
0x00000000, long 0x00000000) line 671 + 27 bytes
USER32! 77e719d0()
USER32! 77e71982()
NTDLL! 77f763a3()
USER32! 77e718d2()
nsWindow::DefaultWindowProc(HWND__ * 0x035b0126, unsigned int 0x00000006, 
unsigned int 0x00000001, long 0x00000000) line 698
USER32! 77e727fe()
USER32! 77e72889()
nsWindow::WindowProc(HWND__ * 0x035b0126, unsigned int 0x00000006, unsigned int 
0x00000001, long 0x00000000) line 678 + 31 bytes
USER32! 77e719d0()
USER32! 77e71982()
NTDLL! 77f763a3()
USER32! 77e89050()
USER32! 77e8ad30()
USER32! 77e8b044()
USER32! 77e8aed8()
USER32! 77e8b203()
USER32! 77e8a5a6()
nsDebug::Assertion(const char * 0x0217e3dc, const char * 0x0217e3b4, const char 
* 0x0217e374, int 0x00000070) line 172 + 22 bytes
ImageListener::AddRef(ImageListener * const 0x03353c20) line 112 + 74 bytes
ImageListener::QueryInterface(ImageListener * const 0x03353c20, const nsID & 
{...}, void * * 0x0012fb68) line 112 + 139 bytes
CallQueryInterface(nsISupports * 0x03353c20, nsIStreamListener * * 0x0012fb68) 
line 1225
nsCOMPtr<nsIStreamListener>::Assert_NoQueryNeeded() line 445 + 15 bytes
nsGetterAddRefs<nsIStreamListener>::~nsGetterAddRefs<nsIStreamListener>() line 
842
nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x0334d440, nsISupports * 
0x00000000) line 392
nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x03348920, 
nsIChannel * 0x0334d440, nsISupports * 0x00000000) line 252 + 16 bytes
InterceptStreamListener::OnStartRequest(InterceptStreamListener * const 
0x03356da0, nsIChannel * 0x0334d440, nsISupports * 0x00000000) line 1102
nsHTTPServerListener::FinishedResponseHeaders() line 680 + 48 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x03351cc0, 
nsIChannel * 0x03339454, nsISupports * 0x0334d440, nsIInputStream * 0x03356ccc, 
unsigned int 0x00000000, unsigned int 0x00000000) line 309 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x03356d50) 
line 388 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03352a40) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x03352a40) line 556 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0143b870) line 501 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x446d0112, unsigned int 0x0000c0c1, unsigned int 
0x00000000, long 0x0143b870) line 1011 + 9 bytes
USER32! 77e71820()
0143b87

Comment 2

[joki (gone)]

*** Bug 27660 has been marked as a duplicate of this bug. ***

Comment 3

[rickg]

Moving to m16 due to severity

Comment 4

[joki (gone)]

Comments indicate this is not occurring frequently.  Moving out of M16 to finish 
investigating later.

Comment 5

[Andreas Franke (gone)]

Attachment: stack of different crash in nsGenericElement::HandleDOMEvent

Comment 6

[Andreas Franke (gone)]

I crashed the PC/Linux 2000052109 build somehow, and got a different stack
that also ends in nsGenericElement::HandleDOMEvent. I didn't try to reproduce.
I found bug 27660 "crash in nsGenericElement::HandleDOMEvent" be a duplicate
of this one, and since I do not want to open a new bug without any steps to
reproduce, I added the stack trace here.
If you want to file a new bug for the new stack trace, feel free to do so.

Comment 7

[Andreas Franke (gone)]

Bug 40422 describes a freeze, followed by a crash, on http://www.w3c.org/DOM .
When trying to reproduce it, I crashed in nsGenericElement::HandleDOMEvent ,
the stack trace is attached there. 
It is marked dup of bug 39520, bug I could not find my stack trace there.

Comment 8

[joki (gone)]

Hmm.  Well a few fixes went in along these lines in the last month or so.  I 
can't get this thing to crash at the url mentioned here so I'm going to take a 
shot at WORKSFORME.

Comment 9

[Andreas Franke (gone)]

For the records: The crash on http://www.w3c.org/DOM has gone, too.
(PC/Linux, build 2000062220).

Comment 10

[John Unruh]

Verified worksforme.