crash [@ IsChildOfDomWindow]

VERIFIED FIXED

Status

--
critical
VERIFIED FIXED
13 years ago
2 years ago

People

(Reporter: timeless, Assigned: timeless)

Tracking

(4 keywords)

1.8 Branch
x86
Windows XP
crash, topcrash, verified1.8.0.5, verified1.8.1
Bug Flags:
blocking1.8.1 +
blocking1.8.0.4 -
blocking1.8.0.5 +

(Assignee)

Description

13 years ago
I think it's possible for document->GetWindow() to return null.

Incident ID: 16892675 
Stack Signature IsChildOfDomWindow 889912a0 
Product ID Firefox15 
Build ID 2006011112 
Trigger Time 2006-03-26 22:54:40.0 
Platform Win32 
Operating System Windows NT 5.1 build 2600 
Module firefox.exe + (00411c98) 
URL visited dslextreme.com 
User Comments I was loging in to check my e-mail at dslextreme.com. 
Since Last Crash 192841 sec 
Total Uptime 192841 sec 
Trigger Reason Access violation 
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp, line 303 
Stack Trace  

IsChildOfDomWindow  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp, line 303]
nsSecureBrowserUIImpl::Notify  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp, line 360]
nsHTMLFormElement::NotifySubmitObservers  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1020]
nsHTMLFormElement::SubmitSubmission  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 929]
nsHTMLFormElement::DoSubmit  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 851]
nsHTMLFormElement::DoSubmitOrReset  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 776]
nsHTMLFormElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 734]
PresShell::HandleDOMEventWithTarget  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6473]
nsHTMLInputElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1682]
PresShell::HandleDOMEventWithTarget  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6473]
nsHTMLInputElement::MaybeSubmitForm  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 977]
nsHTMLInputElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1617]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6374]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6210]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2514]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchKeyEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3448]
nsWindow::OnKeyDown  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3586]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4492]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Hmm...  Yeah, GetWindow() will return null if the document is no longer loaded in a window (e.g. if the document is in the middle of being torn down).

What does hitting that situation mean from the point of view of the security UI?
Blocks: 296639
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
This looks like a safe null-deref crash. Preventing the crash should be simple and safe, so we'd probably approve a patch should one appear.
Flags: blocking1.8.0.3? → blocking1.8.0.3-
Summary: [@ IsChildOfDomWindow] → crash [@ IsChildOfDomWindow]
(Assignee)

Comment 3

13 years ago
Created attachment 216970 [details] [diff] [review]
don't crash
Assignee: kengert → timeless
Status: NEW → ASSIGNED
Attachment #216970 - Flags: superreview?(bzbarsky)
Attachment #216970 - Flags: review?(kengert)
Comment on attachment 216970 [details] [diff] [review]
don't crash

Why ignore rather than deny?

Put another way, in what cases do we (or could we) hit this?

Comment 5

13 years ago
Comment on attachment 216970 [details] [diff] [review]
don't crash

Timeless, your code will allow the submit.

Based on Boris' comment, IMHO we should cancel the submit.

I propose to set
 *cancelSubmit = PR_TRUE;
Attachment #216970 - Flags: review?(kengert) → review-
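The difference between the two attachments ("don't crash" versus "cancel"), as an added example that is not part of this bug or of Mozilla's source. `Window`, `Document`, `Notify`, `OnNullWindow` and `policyDenies` are simplified stand-ins assumed for illustration; only `GetWindow()` returning null and the `cancelSubmit` out-parameter come from the comments above.

```cpp
// Added illustration: stand-in types, not Mozilla's classes or the attached patch.
#include <cstdio>

struct Window { const Window* parent; };      // hypothetical DOM window node

struct Document {
    const Window* window;                     // null once the document leaves its window
    const Window* GetWindow() const { return window; }
};

// True if `child` is `top` or is nested somewhere below it.
static bool IsChildOf(const Window* child, const Window* top) {
    for (const Window* w = child; w != nullptr; w = w->parent)
        if (w == top) return true;
    return false;
}

enum class OnNullWindow { Ignore, Cancel };   // the two options debated in review

// Model of a form-submit observer. `policyDenies` stands in for whatever
// decision the security UI would reach when it can inspect the window.
void Notify(const Document& doc, const Window& top, bool policyDenies,
            OnNullWindow onNull, bool* cancelSubmit) {
    *cancelSubmit = false;
    const Window* win = doc.GetWindow();
    if (win == nullptr) {
        // Dereferencing here is the crash. Returning without touching
        // *cancelSubmit lets the submit through unchecked (fail-open);
        // setting it refuses a submit that cannot be evaluated (fail-closed).
        if (onNull == OnNullWindow::Cancel) *cancelSubmit = true;
        return;
    }
    if (IsChildOf(win, &top) && policyDenies) *cancelSubmit = true;
}

// Convenience wrapper: does the submission go ahead?
bool SubmitProceeds(const Document& doc, const Window& top, bool policyDenies,
                    OnNullWindow onNull) {
    bool cancel = false;
    Notify(doc, top, policyDenies, onNull, &cancel);
    return !cancel;
}

int main() {
    Window top{nullptr};
    Document tornDown{nullptr};               // constructed: document with no window
    std::printf("ignore: proceeds=%d\n", SubmitProceeds(tornDown, top, true, OnNullWindow::Ignore));
    std::printf("cancel: proceeds=%d\n", SubmitProceeds(tornDown, top, true, OnNullWindow::Cancel));
    return 0;
}
```
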
(Assignee)

Comment 6

13 years ago
Created attachment 217414 [details] [diff] [review]
cancel
Attachment #216970 - Attachment is obsolete: true
Attachment #217414 - Flags: superreview?(bzbarsky)
Attachment #217414 - Flags: review?(kengert)
Attachment #216970 - Flags: superreview?(bzbarsky)

Comment 7

13 years ago
Comment on attachment 217414 [details] [diff] [review]
cancel

thanks
Attachment #217414 - Flags: review?(kengert) → review+
Attachment #217414 - Flags: superreview?(bzbarsky) → superreview+
*** Bug 326836 has been marked as a duplicate of this bug. ***
*** Bug 333209 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 11

13 years ago
Comment on attachment 217414 [details] [diff] [review]
cancel

mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp 	1.57
Attachment #217414 - Attachment is obsolete: true
(Assignee)

Updated

13 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Verified FIXED using SeaMonkey 1.5a; Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060417 SeaMonkey/1.5a
Status: RESOLVED → VERIFIED
This is a mid-level topcrash for Firefox 1.5.0.2.
Keywords: topcrash

Comment 14

13 years ago
*** Bug 338431 has been marked as a duplicate of this bug. ***

Updated

13 years ago
Flags: blocking1.8.0.5?
Comment on attachment 217414 [details] [diff] [review]
cancel

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #217414 - Flags: approval1.8.0.5+
Attachment #217414 - Flags: approval-branch-1.8.1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
(Assignee)

Comment 16

13 years ago
Comment on attachment 217414 [details] [diff] [review]
cancel

1.8.0:
mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp 	1.48.2.2.2.2
1.8:
mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp 	1.48.2.7
Keywords: fixed1.8.0.5, fixed1.8.1
verified with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060620 Firefox/1.5.0.5
Keywords: fixed1.8.0.5, fixed1.8.1 → verified1.8.0.5, verified1.8.1
Flags: blocking1.9a1?
Crash Signature: [@ IsChildOfDomWindow]
Product: Core → Core Graveyard