80996 - M09 & Trunk topcrash [@ nsEventListenerManager::HandleEvent]

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect)

Description

[greer]

This topcrash has a lot of users crashing while using secure sites. It has been 
showing up both in M09 and Trunk, most often with a stack trace like this:

nsEventListenerManager::HandleEvent() 
GlobalWindowImpl::HandleDOMEvent() 
DocumentViewerImpl::LoadComplete() 
nsDocShell::EndPageLoad() 
nsWebShell::EndPageLoad() 
nsDocShell::OnStateChange() 
nsWebShell::OnStateChange() 
nsDocLoaderImpl::FireOnStateChange() 
nsDocLoaderImpl::doStopDocumentLoad() 
nsDocLoaderImpl::DocLoaderIsEmpty() 
nsDocLoaderImpl::OnStopRequest() 
nsLoadGroup::RemoveRequest() 
PresShell::RemoveDummyLayoutRequest() 
PresShell::DoneRemovingReflowCommands() 
PresShell::ProcessReflowCommands() 
HandlePLEvent() 
PL_HandleEvent() 
PL_ProcessEventsBeforeID() 
processQueue() 
nsVoidArray::EnumerateForwards() 
nsAppShell::ProcessBeforeID() 
handle_gdk_event() 
libgdk-1.2.so.0 + 0x17162 (0x406c9162) 
libglib-1.2.so.0 + 0x10716 (0x406f4716) 
libglib-1.2.so.0 + 0x10d43 (0x406f4d43) 
libglib-1.2.so.0 + 0x10ef3 (0x406f4ef3) 
libgtk-1.2.so.0 + 0x8f1dd (0x4061a1dd) 
nsAppShell::Run() 
nsAppShellService::Run() 
main1() 
main() 
libc.so.6 + 0x1d72c (0x401f972c) 

Some user comments to lep repro:
(30359970) Comments: Everytime I surf to www.tvtv.de Mozilla crashes.
(30151223) Comments: ericcson.com/products/   and i click on mobiles
(30137733) Comments: i was opening a list of ericsson's mobile phones
(30310238) URL:
http://www.ericsson.com/consumers/spg.jsp?page=frames&redirectpage=W1F&GridName=
Grid_Image1&CatID=50

(30161057) Comments: Clicked on a link within banking site. This previously 
worked
(30166295) Comments: Logging in to a secure website
(30251818) Comments: Logging into my bank account. It's got a lot of javascript 
on the page so that's probably what crashed the browser. It's also framed.
(30277473) Comments: I was logging in to 5/3 bank's online banking site.  Upon 
entering my SSN and PIN

(30289200) URL: www.netbank.com
(30289797) URL: http://www.53.com
(30270932) URL: Secure site via www.unibank.com
(30184560) URL: https://bmo.com
(30170872) URL: http://kurier.tvtv.at
(30151916) URL: http://www.mercedes-benz.de

Comment 1

[greer]

Adding crash and topcrash keywords for tracking. Also qawanted until firm repro 
steps are found.

Comment 2

[joki (gone)]

We think we have a good lead on this.  Working on a fix now.

Comment 3

[joki (gone)]

My local machine is having some issues right now so I'm having some problems 
testing but I believe this patch fixes at least some of these cases, if not all. 
 A number of the pages seem to be rapidly loading through a few pages to get to 
the final page.  For those situations this patch should work.  There may be 
other cases as well, I'm not sure.

Index: dom/src/base/nsGlobalWindow.cpp
===================================================================
RCS file: /cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v
retrieving revision 1.404
diff -u -r1.404 nsGlobalWindow.cpp
--- nsGlobalWindow.cpp  2001/05/18 00:02:52     1.404
+++ nsGlobalWindow.cpp  2001/05/21 18:29:43
@@ -374,8 +374,10 @@
           mSidebar = nsnull;
         }
 
-        if (mListenerManager)
+        if (mListenerManager) {
           mListenerManager->RemoveAllListeners(PR_FALSE);
+          mListenerManager = nsnull;
+        }
 
         if (mContext && mJSObject) {
 //      if (mContext && mJSObject && aDocument) {

Comment 4

[Johnny Stenback (:jst)]

sr=jst

Comment 5

[joki (gone)]

Adding r=nisheeth per my phone call with him this evening.

This fix definitely fixes some of the cases listed here.  Since they don't each 
include individual steps I want a little more testing before I close this as 
fixed.  Its entirely possible there is more than one codepath causing this crash 
that this patch doesn't cover.

Comment 6

[joki (gone)]

(30151223) Comments: ericsson.com/products/   and i click on mobiles
(30289200) URL: www.netbank.com
(30289797) URL: http://www.53.com
(30270932) URL: Secure site via www.unibank.com
(30184560) URL: https://bmo.com
(30170872) URL: http://kurier.tvtv.at
(30151916) URL: http://www.mercedes-benz.de

So of these I'm still seeing a crash on www.53.com but not on the others, though 
I may not be hitting the right steps to reproduce.

Comment 7

[chris hofmann]

using the win32 2001052504 build on win98 I'm not able to crash 
on any of these sites over a dialup connection.  wonder if
timing or connection speed is involved?  joki, is the stack
trace the same for the www.53.com crash you still see...

I also notice that I get a funny "security error: domain name mismatch" 
error message telling me that I attempted to connect to bmo.com but
the cert presented is for www.bmo.com...   I wonder if variations
of the hosts names with and without 'www.' makes a difference in
trying to reproduce..

Comment 8

[joki (gone)]

Okay, I rebuilt today and tried to today's build and I'm not seeing the crash I 
was.  I haven't changed any of my stuff but it could either have been something 
else or old profile info or registry or something.  In any case, I'm going to 
mark this one fixed.  If we continue to see it showing up in the topcrash list 
on new builds then it should be reopened.  But without new info, at the moment, 
I don't see the problem.

Comment 9

[lchiang]

perhaps we can email the users from the talkback reports to see if they can
download the latest mozilla nightly build to see if the problem is gone.  This
way, if the issue is a timing/configuration item, then the users who experienced
the crash may be able to tell us if latest nightlies are ok.

Comment 10

[greer]

All of the users reporting crashes were using Trunk builds from the old product 
ID: Netscape6.50. The product name change and joki's fix checkin both happened 
on the 22nd. Since then we have gotten no new reports of this crash under the 
MozillaTrunk product ID. Verified fixed.