crash If I hit the search button on that page.

VERIFIED DUPLICATE of bug 76694

Status

()

--
critical
VERIFIED DUPLICATE of bug 76694
18 years ago
7 years ago

People

(Reporter: Matti, Assigned: rods)

Tracking

({crash, regression, top100})

Trunk
mozilla0.9.1
x86
All
crash, regression, top100
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: 0.9 blocker?, URL)

Attachments

(2 attachments)

(Reporter)

Description

18 years ago
using build 20010417.. (early CVS build).

Go to the URL.
Type something in the search (suchen) field at the right top corner.
Hit "Finden" - crash

A part of the Stack:

nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d5ecb8, nsIPresContext * 
0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, unsigned int 4, 
nsEventStatus * 0x00034cd0) line 3526 + 3 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d5c248, nsIPresContext * 
0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, unsigned int 4, 
nsEventStatus * 0x00034cd0) line 3654
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d5c480, nsIPresContext * 
0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, unsigned int 4, 
nsEventStatus * 0x00034cd0) line 3654
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d5c5e0, nsIPresContext * 
0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, unsigned int 4, 
nsEventStatus * 0x00034cd0) line 3654
nsXULElement::HandleChromeEvent(nsXULElement * const 0x02d5c5f4, nsIPresContext 
* 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, unsigned int 4, 
nsEventStatus * 0x00034cd0) line 4630 + 39 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0368c000, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 568
nsDocument::HandleDOMEvent(nsDocument * const 0x04b1b8d8, nsIPresContext * 
0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, unsigned int 4, 
nsEventStatus * 0x00034cd0) line 2817
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04b18580, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1488 + 39 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x039a1618, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1486
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x03889720, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1486
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x037f4578, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1486
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x036db688, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1486
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x036db6f0, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1486
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04a72278, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 4, nsEventStatus * 0x00034cd0) line 1486
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04a725d8, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00034c10, 
unsigned int 1, nsEventStatus * 0x00034cd0) line 1486
nsHTMLFormElement::HandleDOMEvent(nsHTMLFormElement * const 0x04a725d8, 
nsIPresContext * 0x03773008, nsEvent * 0x00034ca4, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00034cd0) line 426 + 29 bytes
nsHTMLFormElement::Submit(nsHTMLFormElement * const 0x04a72604) line 340 + 40 
bytes
HTMLFormElementSubmit(JSContext * 0x0368c190, JSObject * 0x03824d98, unsigned 
int 0, long * 0x039a5b90, long * 0x00034dd4) line 426 + 15 bytes
js_Invoke(JSContext * 0x0368c190, unsigned int 0, unsigned int 0) line 813 + 23 
bytes
js_Interpret(JSContext * 0x0368c190, long * 0x00035b54) line 2706 + 15 bytes
js_Invoke(JSContext * 0x0368c190, unsigned int 1, unsigned int 2) line 830 + 13 
bytes
js_InternalInvoke(JSContext * 0x0368c190, JSObject * 0x03824d98, long 59955784, 
unsigned int 0, unsigned int 1, long * 0x00035cec, long * 0x00035c7c) line 902 + 
20 bytes
JS_CallFunctionValue(JSContext * 0x0368c190, JSObject * 0x03824d98, long 
59955784, unsigned int 1, long * 0x00035cec, long * 0x00035c7c) line 3334 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0368c128, void * 0x03824d98, 
void * 0x0392da48, unsigned int 1, void * 0x00035cec, int * 0x00035ce8, int 0) 
line 940 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x039e69dc) line 154 + 64 bytes
(Reporter)

Comment 1

18 years ago
Created attachment 31292 [details]
complete Stack trace
(Reporter)

Updated

18 years ago
Keywords: crash

Comment 2

18 years ago
Confirming using today's moz bits on Win98, but this is Form Submission, 
reassigning to component owner.
Assignee: trudelle → rods
Status: UNCONFIRMED → NEW
Component: XP Toolkit/Widgets: XUL → Form Submission
Ever confirmed: true
QA Contact: jrgm → vladimire

Comment 3

18 years ago
Created attachment 31303 [details]
Testcase HTML

Comment 4

18 years ago
Pls try the testcase.

You'll find that it's not Form Submission's fault.

Probably JavaScript-related.

Seeing this on Linux build 2001-04-17-08 too.

Reading the JS, here's what's happening.  The form has a onSubmit handler that
does some parsing of the data in the form and unless it fits some _very_ narrow
constraints calls form.submit()

This gets us into an infinite recursion and eventually we just blow the runtime
stack.

For an even simpler testcase, try this:

<form onsubmit="form.submit(); return false;">

So it would seem that the right thing is to prevent a form from being submitted
from its own onsubmit handler... would that make sense?

Certainly looks like form submission (or maybe event handling) to me...

What NS4.x seems to be doing is completely bypassing the onsubmit handler if
form.submit() is called inside the onsubmit handler.
OS: Windows 2000 → All
(Reporter)

Comment 6

18 years ago
See also bug 76608
Keywords: regression
(Reporter)

Comment 7

18 years ago
Another URL
http://pages.ebay.com/catindex/computers.html
hit search and boom.
I think this should be fixed in moz0.9 !

Comment 8

18 years ago
Matti says "go to to Ebay/Computers and hit the search button, crash".  Sounds 
like top100 to me.

Asa: 0.9 blocker?
Keywords: top100
Whiteboard: 0.9 blocker?
(Reporter)

Comment 9

18 years ago
*** Bug 76608 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 10

18 years ago
This works fine for me on WinNT is this a Linux onloy bug?
Status: NEW → ASSIGNED
(Assignee)

Updated

18 years ago
Target Milestone: --- → mozilla0.9.1
(Reporter)

Comment 11

18 years ago
No, I use Win2k.
I see thecrash with an new build (CVS updated ~20min).
You can find me on IRC if you need some Info (Nick:Matti)

Comment 12

18 years ago

*** This bug has been marked as a duplicate of 76694 ***
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → DUPLICATE

Comment 13

18 years ago
verifying duplicate
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.