Closed Bug 310508 Opened 20 years ago Closed 19 years ago

Calling method on another window crashes when the function uses XMLHttpRequest and alert() [@ js_FreeStack]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Tracking

RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: jst, Assigned: mrbkap)

Details

(Keywords: crash, fixed1.8.1, verified1.8.0.2, Whiteboard: [patch][rft-dl])

Attachments

(3 files, 1 obsolete file)

Not sure what's going on here, but I get a reproducible crash with the testcase I'm about to attach. The testcase opens a new window and loads a page in it that has a JS function in it that creates an XMLHttpRequest object and then calls alert(), and that ends up crashing in JS_FreeStack() called from the window watcher. The problem seems to be that the context passed to JS_FreeStack() has been deleted...
Attached file Testcase. (obsolete)
This is the testcase. Load this, click "open", then "close" and the new window should close after two alerts, but instead we crash either when closing the first or second alert.
Attachment #197932 - Attachment is obsolete: true
Attached file Testcase
Right URL this time, I hope...
Note that I've only seen this in debug builds so far, 1.8 branch.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20050929 Firefox/1.4 ID:2005092922 I could only reproduce this once but never again: TB9890886W
Incident ID: 9890886
Stack Signature: js_FreeStack 799b5d0d
Product ID: Firefox15
Build ID: 2005092906
Trigger Time: 2005-09-30 03:28:55.0
Platform: Win32
Operating System: Windows NT 5.1 build 2600
Module: js3250.dll + (0001e1a2)
URL visited: https://bugzilla.mozilla.org/attachment.cgi?id=197933
User Comments:
Since Last Crash: 4111 sec
Total Uptime: 4111 sec
Trigger Reason: Access violation
Source File, Line No.: c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 427
Stack Trace:
js_FreeStack [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 427]
nsWindowWatcher::OpenWindowJS [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 565]
nsJSConsoleService::Open [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/jsconsole/src/nsJSConsoleService.cpp, line 71]
nsPromptService::Confirm [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp, line 185]
nsPrompt::PromptUsernameAndPassword [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/embedding/components/windowwatcher/src/nsPrompt.cpp, line 325]
nsGlobalWindow::Alert [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 3234]
XPTC_InvokeByIndex [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2173]
XPC_WN_GetterSetter [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1422]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1163]
js_Interpret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3468]
js_Invoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1183]
js_InternalInvoke [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1260]
JS_CallFunctionValue [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4017]
nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1406]
nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 134]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1655]
DispatchToInterface [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 135]
nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2152]
nsHTMLInputElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1353]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6373]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6283]
nsEventStateManager::GenerateDragDropEnterExit [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2830]
nsEventStateManager::DoScrollText [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1797]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6443]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6134]
nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2536]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2217]
nsIView::CreateWidget [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 638]
nsWindow::DispatchWindowEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1277]
nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6010]
PromiseFlatString [../../../dist/include/string/nsTPromiseFlatString.h, line 145]
nsWindow::DefaultWindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1456]
USER32.dll + 0x8709 (0x77d18709)
USER32.dll + 0x87eb (0x77d187eb)
USER32.dll + 0x89a5 (0x77d189a5)
USER32.dll + 0x89e8 (0x77d189e8)
nsAppShell::GetNativeEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 181]
nsAppStartup::Quit [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 164]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Keywords: crash
Severity: normal → critical
Summary: Calling method on another window crashes when the function uses XMLHttpRequest and alert() → Calling method on another window crashes when the function uses XMLHttpRequest and alert() [@ js_FreeStack]
Blocks: 315254
talkback: TB11693607G may be this
is bug 314974 duplicate?
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Attached patch Potential fix
In the middle of displaying the dialog, our window is having SetDocShell(nsnull) called on it, causing it to destroy its script context. The window watcher needs to hold onto said script context until after it really is done with the context.
Attachment #212955 - Flags: review?(jst)
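The lifetime problem described in the comment above, modelled as an added C++ example (it is not the attached patch and not Mozilla code). `ScriptContext`, `Window`, `OpenModal` and `RunScenario` are hypothetical stand-ins, `std::shared_ptr` stands in for the reference the window watcher holds, and the unfixed path only checks a flag at the point where it would otherwise touch the destroyed context.

```cpp
// Added illustration: hypothetical stand-ins, not Mozilla classes.
#include <cstdio>
#include <functional>
#include <memory>

struct ScriptContext {
    bool *destroyed;      // set by the destructor so the demo can observe teardown
    int stackDepth = 0;   // stands in for the JS stack the caller allocates and frees
    explicit ScriptContext(bool *flag) : destroyed(flag) {}
    ~ScriptContext() { *destroyed = true; }
};

struct Window {
    std::shared_ptr<ScriptContext> context;
    void ClearDocShell() { context.reset(); }  // models SetDocShell(nsnull)
};

// Models the window watcher: allocate on the context, run a modal dialog (a nested
// event loop that may run arbitrary code), then free on the same context.
// Returns true if the context was still alive at the free step.
bool OpenModal(Window &win, bool holdStrongRef,
               const std::function<void()> &nestedLoop, const bool &destroyed) {
    ScriptContext *raw = win.context.get();
    std::shared_ptr<ScriptContext> keepAlive;
    if (holdStrongRef) keepAlive = win.context;  // the fix: caller owns a reference
    raw->stackDepth++;                           // allocate stack on the context
    nestedLoop();                                // dialog is up; window may be torn down
    if (destroyed) return false;                 // unfixed code frees on a dead context here
    raw->stackDepth--;                           // safe: the context is still alive
    return true;
}

struct Outcome { bool aliveAtFree; bool releasedAfterwards; };

Outcome RunScenario(bool holdStrongRef) {
    bool destroyed = false;
    Window win;
    win.context = std::make_shared<ScriptContext>(&destroyed);
    bool alive = OpenModal(win, holdStrongRef, [&win] { win.ClearDocShell(); }, destroyed);
    return {alive, destroyed};  // second field: context is still released once we are done
}

int main() {
    std::printf("no strong ref: alive at free = %d\n", RunScenario(false).aliveAtFree);
    std::printf("strong ref:    alive at free = %d\n", RunScenario(true).aliveAtFree);
    return 0;
}
```

Holding the reference only for the duration of the call means the context is still released as soon as the caller returns, so the fix does not turn the crash into a leak.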
Comment on attachment 212955 (Potential fix)
r=jst
Attachment #212955 - Flags: review?(jst) → review+
Attachment #212955 - Flags: superreview?(bzbarsky)
Comment on attachment 212955 (Potential fix)
s/truely/truly/ please.
Attachment #212955 - Flags: superreview?(bzbarsky) → superreview+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment on attachment 212955 (Potential fix)
I know that time is short for 1.8.0.2, but this does block blocker bug 315254. Do we want this on the 1.8.0 branch or should it wait for more trunk baking?
Attachment #212955 - Flags: approval1.8.0.2?
Attachment #212955 - Flags: approval-branch-1.8.1?(jst)
Comment on attachment 212955 (Potential fix)
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #212955 - Flags: approval1.8.0.2? → approval1.8.0.2+
Flags: blocking1.8.0.2+
Fix checked into the 1.8 branches.
Attachment #212955 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Whiteboard: [patch] → [patch][rft-dl]
Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, I don't crash with the testcase, but I am also not seeing the second alert after closing the first one ("foo"). I don't see anything in the JS console, so I'm wondering if the second part is executed at all:
    var result_html = xmlhttp.responseText;
    alert(result_html);
That would be bad, no? Johnny is going to try to reproduce with today's 1.8.0 build as well.
v.fixed on 1.8.0 branch, no crash. Second alert not popping up is expected behavior on Windows (more from mrbkap soon).
jst and I looked into this and we found that the script was actually continuing to execute as expected, however on Windows, the alert was simply failing to show, probably because it was a modal alert and it didn't have a parent to display on. Linux probably doesn't require a parent window for modal dialogs, so it was displaying the alert anyway.
Crash Signature: [@ js_FreeStack]
Component: DOM → DOM: Core & HTML