Closed Bug 24306 Opened 25 years ago Closed 25 years ago

crash from window.close() in anchor onclick()

Categories

(Core :: DOM: Core & HTML, defect, P3)

x86
Windows NT
defect

Tracking

()

VERIFIED WORKSFORME

People

(Reporter: naga, Assigned: vidur)

References

()

Details

(Keywords: crash, Whiteboard: [PDT+])

Hi, Go to www.cnn.com and select related links and go to wall street journal. It asks you for a subscription offer. If you click the no I dont want the offer the browser crashes with a general protection fault. Thanks, Naga.
Severity: normal → critical
Assignee: nobody → gagan
Component: Browser-General → Networking
QA Contact: nobody → tever
tever, another cnn issue. could be related to others. Can you check oiut please?
Adding "crash" keyword to all known open crasher bugs.
Keywords: crash
Keywords: beta1
Target Milestone: M14
To reproduce this you can go directly to www.wsj.com. Select the link 'Looking for regular wsj site' in the lower right hand corner. A small popup window should appear (this will popup if the wsj 'survey' cookie has not been set). Select turn down offer. I think this might be different than the other cnn problems. This happens consistantly and on both NT and Linux. (can't check Mac right now) Supplying a stack trace. Call Stack: (Signature = 0x1028d320 56d08ccf) 0x1028d320 nsWebShell::OnLinkClick [d:\builds\seamonkey\mozilla\webshell\src\nsWebShell.cpp, line 2772] nsGenericElement::TriggerLink [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1311] nsHTMLAnchorElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLAnchorElement.cpp, line 390] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 814] nsHTMLTableRowElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLTableRowElement.cpp, line 739] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 814] nsHTMLTableRowElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLTableRowElement.cpp, line 739] nsGenericDOMDataNode::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericDOMDataNode.cpp, line 802] nsXMLCDATASection::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\xml\content\src\nsXMLCDATASection.cpp, line 241] nsEventStateManager::CheckForAndDispatchClick [d:\builds\seamonkey\mozilla\layout\events\src\nsEventStateManager.cpp, line 1571] nsEventStateManager::PostHandleEvent [d:\builds\seamonkey\mozilla\layout\events\src\nsEventStateManager.cpp, line 787] PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2856] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 797] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 782] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 782] nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1705] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 69] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 511] nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 528] nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3483] ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3699] nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2781] nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 688] USER32.dll + 0x1268 (0x77e71268)
tever: this stack trace looks like a DOM problem...
Assignee: gagan → vidur
Component: Networking → DOM Level 0
QA Contact: tever → desale
The problem is the window.close() that happens as a result of an onclick() on a link. This used to work - what changed in the ownership model or codepath? The webshell of the window (and hence the link handler) gets destroyed in the window.close(). As a result we crash when trying to reference the link handler as part of the rest of the event dispatch (in the TriggerLink method of the link).
Status: NEW → ASSIGNED
Summary: Browser crashed with General Protection Fault!I → crash from window.close() in anchor onclick()
Putting on on PDT+ radar for beta1.
Whiteboard: [PDT+]
Fixed on 1/2/2000. Dangling (weak) references to the webshell were left in the PresContext.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Vidur, I am still seeing a crash at the wsj site. The steps to reproduce are identical to those listed. The trace is different though so this one may have been hidden by your previous fix. Do you want a new bug on this? Here's the new stack trace: Call Stack: (Signature = nsMenuBarListener::MouseDown c4d5db04) nsMenuBarListener::MouseDown [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsMenuBarListener.cpp, line 196] nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\layout\events\src\nsEventListenerManager.cpp, line 738] nsXULDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULDocument.cpp, line 1913] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 2961] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 2953] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 2953] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 2953] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 2953] nsXULElement::HandleChromeEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3918] GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 381] nsDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp, line 2477] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1031] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLAnchorElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLAnchorElement.cpp, line 344] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericElement.cpp, line 1021] nsHTMLFrameSetElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLFrameSetElement.cpp, line 216] nsGenericDOMDataNode::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsGenericDOMDataNode.cpp, line 804] nsTextNode::HandleDOMEvent [d:\builds\seamonkey\mozilla\layout\base\src\nsTextNode.cpp, line 234] PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2861] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 799] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 784] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 784] nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp, line 1704] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 69] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 502] nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 519] nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3042] ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 3258] nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2350] nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 679] re-assigning QA contact to myself
Status: RESOLVED → REOPENED
QA Contact: desale → tever
Resolution: FIXED → ---
Well...the main wsj page seems to have changed. There's no longer a "Looking for regular wsj site" link and the US home doesn't bring up the popup. I tried other sites that had popups that contain anchors that use window.close() in their onclick() handlers and they seemed to work. Marking WORKSFORME. Please send me more details if you need to reopen.
Status: REOPENED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → WORKSFORME
Yeah, this site changed a bit. You need to select the middle link "Go to US view". A popup window with some deal will show up (if the survey cookie has not been previously set). Select NO to turn down the offer and you will see the crash. Actually, selecting either link will cause the crash.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Tried it again and didn't see the crash. Are you sure you have the correct build? This works for me on the 2/11/2000 build.
Status: REOPENED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → WORKSFORME
verified: NT 2000021408
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.