Calling method on another window crashes when the function uses XMLHttpRequest and alert() [@ js_FreeStack]

RESOLVED FIXED in mozilla1.9alpha1

Status

Core
DOM
P1
critical
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: jst, Assigned: mrbkap)

Tracking

Trunk
mozilla1.9alpha1
crash, fixed1.8.1, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [patch][rft-dl], crash signature)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

12 years ago
Not sure what's going on here, but I get a reproducible crash with the testcase
I'm about to attach. The testcase opens a new window and loads a page in it that
has a JS function in it that creates an XMLHttpRequest object and then calls
alert(), and that ends up crashing in JS_FreeStack() called from the window
watcher. The problem seems to be that the context passed to JS_FreeStack() has
been deleted...
(Reporter)

Comment 1

12 years ago
Created attachment 197931 [details]
File used by the testcase
(Reporter)

Comment 2

12 years ago
Created attachment 197932 [details]
Testcase.

This is the testcase. Load this, click "open", then "close" and the new window
should close after two alerts, but instead we crash either when closing the
first or second alert.
(Reporter)

Updated

12 years ago
Attachment #197932 - Attachment is obsolete: true
(Reporter)

Comment 3

12 years ago
Created attachment 197933 [details]
Testcase

Right URL this time, I hope...
(Reporter)

Comment 4

12 years ago
Note that I've only seen this in debug builds so far, 1.8 branch.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20050929
Firefox/1.4 ID:2005092922

I could only reproduce this once but never again: TB9890886W

Comment 6

12 years ago
Incident ID: 9890886 
Stack Signature js_FreeStack 799b5d0d 
Product ID Firefox15 
Build ID 2005092906 
Trigger Time 2005-09-30 03:28:55.0 
Platform Win32 
Operating System Windows NT 5.1 build 2600 
Module js3250.dll + (0001e1a2) 
URL visited https://bugzilla.mozilla.org/attachment.cgi?id=197933 
User Comments  
Since Last Crash 4111 sec 
Total Uptime 4111 sec 
Trigger Reason Access violation 
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 427
Stack Trace

js_FreeStack  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 427]
nsWindowWatcher::OpenWindowJS  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 565]
nsJSConsoleService::Open  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/jsconsole/src/nsJSConsoleService.cpp, line 71]
nsPromptService::Confirm  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 185]
nsPrompt::PromptUsernameAndPassword  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPrompt.cpp, line 325]
nsGlobalWindow::Alert  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 3234]
XPTC_InvokeByIndex  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2173]
XPC_WN_GetterSetter  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1422]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1163]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3468]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4017]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1406]
nsJSEventListener::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 134]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
DispatchToInterface  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 135]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2152]
nsHTMLInputElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1353]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6373]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6283]
nsEventStateManager::GenerateDragDropEnterExit  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2830]
nsEventStateManager::DoScrollText  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1797]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6443]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6134]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2536]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2217]
nsIView::CreateWidget  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 638]
nsWindow::DispatchWindowEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1277]
nsWindow::DispatchMouseEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6010]
PromiseFlatString  [../../../dist/include/string/nsTPromiseFlatString.h, line 145]
nsWindow::DefaultWindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1456]
USER32.dll + 0x8709 (0x77d18709)
USER32.dll + 0x87eb (0x77d187eb)
USER32.dll + 0x89a5 (0x77d189a5)
USER32.dll + 0x89e8 (0x77d189e8)
nsAppShell::GetNativeEvent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 181]
nsAppStartup::Quit  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 164]
main  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Keywords: crash

Updated

12 years ago
Severity: normal → critical
Summary: Calling method on another window crashes when the function uses XMLHttpRequest and alert() → Calling method on another window crashes when the function uses XMLHttpRequest and alert() [@ js_FreeStack]

Updated

12 years ago
Blocks: 315254

Comment 7

12 years ago
talkback: TB11693607G may be this.
Is bug 314974 a duplicate?
(Assignee)

Updated

11 years ago
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 9

11 years ago
Created attachment 212955 [details] [diff] [review]
Potential fix

In the middle of displaying the dialog, our window is having SetDocShell(nsnull) called on it, causing it to destroy its script context. The window watcher needs to hold onto said script context until after it really is done with the context.
Attachment #212955 - Flags: review?(jst)
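
The lifetime problem described in comment 9, as an added illustration that is not part of the bug report or the attached patch: a caller that only borrows the context across a nested event loop finds it destroyed, while a caller that holds a strong reference does not. `ScriptContext`, `Window`, `RunModalDialog` and `ContextSurvivesDialog` are hypothetical stand-ins, and `std::shared_ptr` is used here in place of Mozilla's own reference counting.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Hypothetical stand-in for the window's script context.
struct ScriptContext {
    bool* destroyed;                     // external flag so teardown is observable
    int stackDepth = 1;
    explicit ScriptContext(bool* d) : destroyed(d) {}
    ~ScriptContext() { *destroyed = true; }
    void FreeStack() { --stackDepth; }   // models the JS_FreeStack() call on the context
};

// Hypothetical stand-in for the window that owns the context.
struct Window {
    std::shared_ptr<ScriptContext> context;
    void SetDocShell(std::nullptr_t) { context.reset(); }  // owner drops its reference
};

// Models the modal dialog: a nested event loop that runs whatever is pending.
void RunModalDialog(const std::function<void()>& pending) { pending(); }

// Returns true if the context was still alive when the caller used it
// after the dialog returned.
bool ContextSurvivesDialog(bool holdStrongRef) {
    bool destroyed = false;
    Window win;
    win.context = std::make_shared<ScriptContext>(&destroyed);

    ScriptContext* borrowed = win.context.get();     // what a non-owning caller has
    std::shared_ptr<ScriptContext> held;             // what an owning caller keeps
    if (holdStrongRef) held = win.context;

    // The window is torn down while the dialog is still on the stack.
    RunModalDialog([&win] { win.SetDocShell(nullptr); });

    if (destroyed) return false;  // touching `borrowed` here would be a use-after-free
    borrowed->FreeStack();
    return borrowed->stackDepth == 0;
}

int main() {
    std::printf("borrowed pointer: context alive = %d\n", ContextSurvivesDialog(false));
    std::printf("strong reference: context alive = %d\n", ContextSurvivesDialog(true));
    return 0;
}
```

The `destroyed` flag exists only so the model can report the outcome without dereferencing freed memory; real code has no such flag, which is why the fix is to keep the reference rather than to check afterwards.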
(Reporter)

Comment 10

11 years ago
Comment on attachment 212955 [details] [diff] [review]
Potential fix

r=jst
Attachment #212955 - Flags: review?(jst) → review+
(Assignee)

Updated

11 years ago
Attachment #212955 - Flags: superreview?(bzbarsky)
Comment on attachment 212955 [details] [diff] [review]
Potential fix

s/truely/truly/ please.
Attachment #212955 - Flags: superreview?(bzbarsky) → superreview+
(Assignee)

Comment 12

11 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 13

11 years ago
Comment on attachment 212955 [details] [diff] [review]
Potential fix

I know that time is short for 1.8.0.2, but this does block blocker bug 315254. Do we want this on the 1.8.0 branch or should it wait for more trunk baking?
Attachment #212955 - Flags: approval1.8.0.2?
Attachment #212955 - Flags: approval-branch-1.8.1?(jst)
Comment on attachment 212955 [details] [diff] [review]
Potential fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #212955 - Flags: approval1.8.0.2? → approval1.8.0.2+
Flags: blocking1.8.0.2+
(Assignee)

Comment 15

11 years ago
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1
(Reporter)

Updated

11 years ago
Attachment #212955 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+

Updated

11 years ago
Whiteboard: [patch] → [patch][rft-dl]

Comment 16

11 years ago
Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, I don't crash with the testcase, but I am also not seeing the second alert after closing the first one ("foo").  I don't see anything in the JS console, so I'm wondering if the second part is executed at all:

var result_html = xmlhttp.responseText;
alert(result_html);

That would be bad, no?  Johnny is going to try to reproduce with today's 1.8.0 build as well.

Comment 17

11 years ago
v.fixed on 1.8.0 branch, no crash.  Second alert not popping up is expected behavior on Windows (more from mrbkap soon).
Keywords: fixed1.8.0.2 → verified1.8.0.2
(Assignee)

Comment 18

11 years ago
jst and I looked into this and we found that the script was actually continuing to execute as expected; however, on Windows, the alert was simply failing to show, probably because it was a modal alert and it didn't have a parent to display on. Linux probably doesn't require a parent window for modal dialogs, so it was displaying the alert anyway.
Crash Signature: [@ js_FreeStack]