380716 - Crash [@ nsContentUtils::ContentIsDescendantOf] with document.activeElement setting to display: none on event with input

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, when clicking on the input, current trunk Mozilla builds crash.
Branch builds don't crash (probably because they don't have document.activeElement implemented).
If wanted, I can look for a regression range.

Talkback ID: TB32152681W
nsContentUtils::ContentIsDescendantOf  [mozilla/content/base/src/nscontentutils.cpp, line 1149]
nsGenericDOMDataNode::PreHandleEvent  [mozilla/content/base/src/nsgenericdomdatanode.cpp, line 694]
nsEventStateManager::DispatchMouseEvent  [mozilla/content/events/src/nseventstatemanager.cpp, line 2701]
nsEventStateManager::NotifyMouseOver  [mozilla/content/events/src/nseventstatemanager.cpp, line 2822]
nsEventStateManager::GenerateMouseEnterExit  [mozilla/content/events/src/nseventstatemanager.cpp, line 2855]
nsEventStateManager::PreHandleEvent  [mozilla/content/events/src/nseventstatemanager.cpp, line 718]

A different talkback ID, I got was: TB32098835Q (I just saw it once thus far)
0x05aff698
XPTC_InvokeByIndex  [mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_GetterSetter  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1487]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1375]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
js_InternalGetOrSet  [mozilla/js/src/jsinterp.c, line 1540]
js_NativeGet  [mozilla/js/src/jsobj.c, line 3409]
js_GetProperty  [mozilla/js/src/jsobj.c, line 3556]
js_Interpret  [mozilla/js/src/jsinterp.c, line 3690]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1394]
js_InternalInvoke  [mozilla/js/src/jsinterp.c, line 1469]
JS_CallFunctionValue  [mozilla/js/src/jsapi.c, line 4351]
nsJSContext::CallEventHandler  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1493]
nsGlobalWindow::RunTimeout  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 6790]
nsGlobalWindow::TimerCallback  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 7162]
nsAppStartup::Run  [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main  [mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

I think this might be a regression from Sunday

Comment 2

[Martijn Wargers (dead)]

Yeah, seems to have regressed between 2007-05-12 and 2007-05-14, so I guess a regression from bug 363089.

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: add null checks, -w patch

Comment 6

[Johnny Stenback (:jst)]

Comment on attachment 264866 [details] [diff] [review]
add null checks, -w patch

         nsIContent* nonAnon = FindFirstNonAnonContent(aContent);
+        if (nonAnon) {
         nsIContent* nonAnonRelated = FindFirstNonAnonContent(relatedTarget);
+          if (nonAnonRelated) {

Could both those calls be done before checking the results, and then checking both results in a single if check?

r+sr=jst either way.

Comment 7

[Olli Pettay [:smaug][bugs@pettay.fi]]

That could be done, but it would be slower. So I prefer using 2 ifs

Comment 8

[Olli Pettay [:smaug][bugs@pettay.fi]]

Checked in. Sorry about this topcrasher.

Comment 9

[Martijn Wargers (dead)]

Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070518 Minefield/3.0a5pre