Closed Bug 332324 Opened 19 years ago Closed 19 years ago

crash [@ IsChildOfDomWindow]

Categories

(Core Graveyard :: Security: UI, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: timeless, Assigned: timeless)

Details

(4 keywords)

Attachments

(2 obsolete files)

I think it's possible for document->GetWindow() to return null.

Incident ID: 16892675
Stack Signature: IsChildOfDomWindow 889912a0
Product ID: Firefox15
Build ID: 2006011112
Trigger Time: 2006-03-26 22:54:40.0
Platform: Win32
Operating System: Windows NT 5.1 build 2600
Module: firefox.exe + (00411c98)
URL visited: dslextreme.com
User Comments: I was loging in to check my e-mail at dslextreme.com.
Since Last Crash: 192841 sec
Total Uptime: 192841 sec
Trigger Reason: Access violation
Source File, Line No.: c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp, line 303

Stack Trace
IsChildOfDomWindow [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp, line 303]
nsSecureBrowserUIImpl::Notify [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp, line 360]
nsHTMLFormElement::NotifySubmitObservers [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1020]
nsHTMLFormElement::SubmitSubmission [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 929]
nsHTMLFormElement::DoSubmit [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 851]
nsHTMLFormElement::DoSubmitOrReset [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 776]
nsHTMLFormElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 734]
PresShell::HandleDOMEventWithTarget [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6473]
nsHTMLInputElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1682]
PresShell::HandleDOMEventWithTarget [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6473]
nsHTMLInputElement::MaybeSubmitForm [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 977]
nsHTMLInputElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1617]
PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6374]
PresShell::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6210]
nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2514]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchKeyEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3448]
nsWindow::OnKeyDown [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3586]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4492]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Hmm... Yeah, GetWindow() will return null if the document is no longer loaded in a window (e.g. if the document is in the middle of being torn down). What does hitting that situation mean from the point of view of the security UI?
Blocks: splitwindows
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
This looks like a safe null-deref crash. Preventing the crash should be simple and safe, so we'd probably approve a patch should one appear.
Flags: blocking1.8.0.3? → blocking1.8.0.3-
Summary: [@ IsChildOfDomWindow] → crash [@ IsChildOfDomWindow]
Attached patch: don't crash (obsolete) (deleted)
Assignee: kengert → timeless
Status: NEW → ASSIGNED
Attachment #216970 - Flags: superreview?(bzbarsky)
Attachment #216970 - Flags: review?(kengert)
Comment on attachment 216970 (don't crash)
Why ignore rather than deny? Put another way, in what cases do we (or could we) hit this?
Comment on attachment 216970 (don't crash)
Timeless, your code will allow the submit. Based on Boris' comment, IMHO we should cancel the submit. I propose to set *cancelSubmit = PR_TRUE;
Attachment #216970 - Flags: review?(kengert) → review-
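Added example, not part of the bug report or of Mozilla's code: a small C++ model of the two null-window guards debated in the review comments above, showing that ignoring a null GetWindow() lets the submit through unchecked while cancelling fails closed. Window, Document, the Notify signature, OnNullWindow and SubmitCancelled are simplified assumptions, and the insecurePost/userConfirmed test stands in for whatever decision the security UI makes.

```cpp
#include <cstdio>

// Simplified stand-ins for the types named in the bug (assumptions for this
// example, not Mozilla's real classes).
struct Window { const Window* parent; };
struct Document {
    const Window* window;   // null once the document is no longer in a window
    const Window* GetWindow() const { return window; }
};

// True if `child` is `top` or nested under it. Modelled on the crash in the
// report: `child` is dereferenced unchecked, so callers must guard against null.
bool IsChildOfDomWindow(const Window* top, const Window* child) {
    if (child == top) return true;
    const Window* parent = child->parent;
    return parent && IsChildOfDomWindow(top, parent);
}

enum class OnNullWindow { Ignore, Cancel };

// Form-submit observer. Returns true when the submit must be cancelled.
bool Notify(const Window* top, const Document& doc, bool insecurePost,
            bool userConfirmed, OnNullWindow policy) {
    const Window* posting = doc.GetWindow();
    if (!posting)                            // torn-down document
        return policy == OnNullWindow::Cancel;
    if (!IsChildOfDomWindow(top, posting))
        return false;                        // not this UI's window
    return insecurePost && !userConfirmed;   // stand-in security UI decision
}

// Constructed scenario: an insecure post the user has not confirmed, coming
// from a framed document that is either live or already detached.
bool SubmitCancelled(bool tornDown, OnNullWindow policy) {
    Window top{nullptr};
    Window frame{&top};
    Document doc{tornDown ? nullptr : &frame};
    return Notify(&top, doc, /*insecurePost=*/true, /*userConfirmed=*/false, policy);
}

int main() {
    std::printf("live document:     cancelled=%d\n", SubmitCancelled(false, OnNullWindow::Cancel));
    std::printf("torn down, ignore: cancelled=%d\n", SubmitCancelled(true, OnNullWindow::Ignore));
    std::printf("torn down, cancel: cancelled=%d\n", SubmitCancelled(true, OnNullWindow::Cancel));
    return 0;
}
```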
Attached patch: cancel (obsolete) (deleted)
Attachment #216970 - Attachment is obsolete: true
Attachment #217414 - Flags: superreview?(bzbarsky)
Attachment #217414 - Flags: review?(kengert)
Attachment #216970 - Flags: superreview?(bzbarsky)
Comment on attachment 217414 (cancel)
thanks
Attachment #217414 - Flags: review?(kengert) → review+
Attachment #217414 - Flags: superreview?(bzbarsky) → superreview+
*** Bug 326836 has been marked as a duplicate of this bug. ***
*** Bug 333209 has been marked as a duplicate of this bug. ***
Comment on attachment 217414 (cancel)
mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp 1.57
Attachment #217414 - Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060417 SeaMonkey/1.5a
Status: RESOLVED → VERIFIED
This is a mid-level topcrash for Firefox 1.5.0.2.
Keywords: topcrash
*** Bug 338431 has been marked as a duplicate of this bug. ***
Flags: blocking1.8.0.5?
Comment on attachment 217414 (cancel)
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #217414 - Flags: approval1.8.0.5+
Attachment #217414 - Flags: approval-branch-1.8.1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Comment on attachment 217414 (cancel)
1.8.0: mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp 1.48.2.2.2.2
1.8: mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp 1.48.2.7
verified with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060620 Firefox/1.5.0.5
Flags: blocking1.9a1?
Crash Signature: [@ IsChildOfDomWindow]
Product: Core → Core Graveyard