Closed Bug 337219 Opened 19 years ago Closed 19 years ago

onfocus="window.close()" in body of popup causes crash [@ nsXULElement::`vftable']

Categories: Core :: DOM: UI Events & Focus Handling, defect (x86, All, defect, Not set, critical)

Tracking: VERIFIED FIXED

People: Reporter: moron, Assigned: smaug

Details: 4 keywords

Attachments: 3 files, 1 obsolete file

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060503 Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060503 Firefox/1.5.0.3

On both Windows XP (SP2) and Linux (Gentoo 2.6.*) with Firefox 1.0.5.3 embedding the following code in a page that has been launched via a pop causes an immediate crash:

    <html>
    <head></head>
    <body onfocus="window.close()">
    </body>
    </html>

Here is the code for the calling page:

    <html>
    <head></head>
    <body>
    <p>
    <a href='javascript:;' onclick='window.open( "crash2.html", "popup", "height=190,width=520,scrollbars,resizable" ); return false'>click me to crash your browser</a>
    </p>
    </body>
    </html>

Reproducible: Always

Steps to Reproduce:
1. create a page with Javascript that launches a separate page in a new window
2. have the new page called 'onfocus="window.close()"' in the body tag

Actual Results: immediate crash of all open browser sessions

Expected Results: popup window closes

The XP machine had no plugins installed to my knowledge. The Linux one has a few, the main one being the web developer extension. Very simple to reproduce, does not seem to be platform specific.
Incident ID: 18462083
Stack Signature: nsXULElement::`vftable' 645dbcec
Product ID: Firefox15
Build ID: 2006030804
Trigger Time: 2006-05-08 21:09:06.0
Platform: Win32
Operating System: Windows NT 5.1 build 2600
Module: firefox.exe + (005e615b)
URL visited: https://bugzilla.mozilla.org/show_bug.cgi?id=337219
User Comments:
Since Last Crash: 336 sec
Total Uptime: 336 sec
Trigger Reason: Access violation
Source File, Line No.: N/A
Stack Trace:
nsXULElement::`vftable'
PresShell::UnsuppressAndInvalidate [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5050]
PresShell::UnsuppressPainting [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5077]
nsDocShell::EndPageLoad [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4800]
nsWebShell::EndPageLoad [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/docshell/base/nsWebShell.cpp, line 664]
nsDocShell::OnStateChange [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4726]
nsDocLoader::FireOnStateChange [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 1210]
nsDocLoader::doStopDocumentLoad [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 844]
nsDocLoader::OnStopRequest [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/uriloader/base/nsDocLoader.cpp, line 665]
nsLoadGroup::RemoveRequest [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsLoadGroup.cpp, line 732]
PresShell::RemoveDummyLayoutRequest [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 7120]
DummyLayoutRequestEvent::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 7020]
0x778b0c24
nsHTMLFormElement::DoSubmitOrReset [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 763]
0xf845d8d4
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Summary: onfocus="window.close()" in body of popup causes crash → onfocus="window.close()" in body of popup causes crash [@ nsXULElement::`vftable']
Version: unspecified → 1.8 Branch
Attached file file for testcase
Attached file testcase (obsolete)
Keywords: crash, testcase
Attached file testcase
Attachment #221404 - Attachment is obsolete: true
Confirmed with current trunk build. Maybe this will get fixed by the patch(es) in bug 336582? (although the stack here is quite different from that bug)
Assignee: nobody → events
Status: UNCONFIRMED → NEW
Component: Layout → Event Handling
Depends on: 336582
Ever confirmed: true
QA Contact: layout → ian
Version: 1.8 Branch → Trunk
Attached patch proposed patch
The stack is really quite different. Keeping the focuscontroller alive seems to help here.
Assignee: events → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #221451 - Flags: superreview?(bzbarsky)
Attachment #221451 - Flags: review?(bzbarsky)
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.5?
Comment on attachment 221451 proposed patch

Looks good to me. Add a comment explaining why we're using a strong ref here (as in, DOM events can fire under this code)? And request approval for the 1.8.0 branch too?
Attachment #221451 - Flags: superreview?(bzbarsky)
Attachment #221451 - Flags: superreview+
Attachment #221451 - Flags: review?(bzbarsky)
Attachment #221451 - Flags: review+
Attachment #221451 - Flags: approval-branch-1.8.1+
Attachment #221451 - Flags: approval1.8.0.5?
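The lifetime problem discussed in the comments above (an event handler runs in the middle of a call and releases an object the caller is still using) and the strong-reference remedy, as an added C++ example that is not the Gecko patch or code from this bug. `Window`, `FocusController`, `MakePopup` and both `Survives...` functions are hypothetical stand-ins, and `std::shared_ptr` stands in for a strong reference.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-ins for illustration; these are not Gecko classes.
struct FocusController {
    bool suppressed = true;
    void Unsuppress() { suppressed = false; }
};

struct Window {
    std::shared_ptr<FocusController> focusController =
        std::make_shared<FocusController>();
    std::function<void(Window&)> onfocus;        // page-supplied handler
    void Close() { focusController.reset(); }    // owner drops its reference
    void FireFocus() { if (onfocus) onfocus(*this); }
};

// Constructed input: a popup whose focus handler closes its own window.
Window MakePopup() {
    Window w;
    w.onfocus = [](Window& self) { self.Close(); };
    return w;
}

// Borrowed reference held across the event. A raw pointer here would dangle
// once the handler runs; a weak_ptr lets us observe that without touching
// freed memory.
bool SurvivesWithBorrowedRef(Window& w) {
    std::weak_ptr<FocusController> borrowed = w.focusController;
    w.FireFocus();                               // handler may close the window
    return !borrowed.expired();
}

// Strong reference taken before the event: the object outlives the handler
// even though the window has already released it.
bool SurvivesWithStrongRef(Window& w) {
    std::shared_ptr<FocusController> keepAlive = w.focusController;
    if (!keepAlive) return false;                // window was already closed
    w.FireFocus();                               // DOM events can fire here
    keepAlive->Unsuppress();                     // safe: keepAlive still owns it
    return !keepAlive->suppressed;
}

int main() {
    Window a = MakePopup(), b = MakePopup();
    return (!SurvivesWithBorrowedRef(a) && SurvivesWithStrongRef(b)) ? 0 : 1;
}
```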
Checking in nsPresShell.cpp;
/cvsroot/mozilla/layout/base/nsPresShell.cpp,v  <--  nsPresShell.cpp
new revision: 3.915; previous revision: 3.914
done

Checked in to trunk
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Keywords: fixed1.8.1
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment on attachment 221451 proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #221451 - Flags: approval1.8.0.5? → approval1.8.0.5+
Flags: blocking1.9a1?
Keywords: fixed1.8.0.5
verified with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060620 Firefox/1.5.0.5
Status: RESOLVED → VERIFIED
Depends on: 426425
Crash Signature: [@ nsXULElement::`vftable']
Component: Event Handling → User events and focus handling