Closed Bug 53838 Opened 24 years ago Closed 24 years ago

all keybindings which close windows crash the browser

Categories: Core :: DOM: UI Events & Focus Handling, defect, P1

Status: VERIFIED FIXED

People: Reporter: bugzilla, Assigned: hyatt

Details: Keywords: crash, regression; Whiteboard: [nsbeta3++]FIX IN HAND

Attachments: 1 file

Occurs on the 3 platforms, using 2000.09.22.08 opt comm bits (also occurs in mozilla).
1. Open Prefs dialog.
2. Dismiss it by hitting Esc key.
Not a problem with other dialogs (at least with the Open Web Location one and Find). Guessing this is xbl, so over to hyatt -- but do reassign as needed. thx!

Trace from winNT:
Incident ID 17882689
Trigger Time 2000-09-22 15:50:11
Email Address sairuh@netscape.com
User Comments exiting prefs
Build ID 2000092208
Product ID Netscape6
Platform ID Win32
0x00000010
DefineProperty [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 1912]
JS_DefineProperty [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 2004]
nsJSContext::BindCompiledEventHandler [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 942]
nsXBLPrototypeHandler::ExecuteHandler [d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLPrototypeHandler.cpp, line 309]
nsXBLWindowKeyHandler::WalkHandlersInternal [d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLWindowKeyHandler.cpp, line 215]
nsXBLWindowKeyHandler::WalkHandlers [d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLWindowKeyHandler.cpp, line 252]
nsXBLWindowKeyHandler::KeyPress [d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLWindowKeyHandler.cpp, line 268]
nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\layout\events\src\nsEventListenerManager.cpp, line 1123]
nsXULDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULDocument.cpp, line 2112]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3348]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3340]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3340]
PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4257]
PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4192]
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 379]
nsViewManager2::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 1429]
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 68]
nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 685]
nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 702]
nsWindow::DispatchKeyEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2285]
nsWindow::OnChar [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2408]
nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2836]
nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 951]
USER32.dll + 0x1820 (0x77e71820)
0x00010001

Nominate for beta3 -- very annoying regression for a commonly used shortcut... Also, traces for the other platforms for your viewing pleasure.

Mac OS:
0xffc10000
JS_DefineProperty() [jsapi.c, line 2001]
DOM_DLL + 0xf17c (0x0581ad7c)
nsXBLPrototypeHandler::ExecuteHandler() [nsXBLPrototypeHandler.cpp, line 307]
nsXBLWindowKeyHandler::WalkHandlersInternal() [nsXBLWindowKeyHandler.cpp, line 223]
nsXBLWindowKeyHandler::WalkHandlers() [nsXBLWindowKeyHandler.cpp, line 250]
nsXBLWindowKeyHandler::KeyPress() [nsXBLWindowKeyHandler.cpp, line 266]
nsEventListenerManager::HandleEvent() [nsEventListenerManager.cpp, line 1118]
nsXULDocument::HandleDOMEvent() [nsXULDocument.cpp, line 2111]
nsXULElement::HandleDOMEvent() [nsXULElement.cpp, line 3343]

Linux:
0x006f0063
libmozjs.so + 0x10310 (0x40107310)
nsJSContext::BindCompiledEventHandler()
nsXBLPrototypeHandler::ExecuteHandler()
nsXBLWindowKeyHandler::WalkHandlersInternal()
nsXBLWindowKeyHandler::WalkHandlers()
nsXBLWindowKeyHandler::KeyPress()
nsEventListenerManager::HandleEvent()
nsXULDocument::HandleDOMEvent()
nsXULElement::HandleDOMEvent()
PresShell::HandleEventInternal()
PresShell::HandleEvent()
nsView::HandleEvent()
nsViewManager2::DispatchEvent()
HandleEvent()
nsWidget::DispatchEvent()
nsWidget::DispatchWindowEvent()
nsWidget::OnInput()
handle_key_press_event()
dispatch_superwin_event()
handle_gdk_event()
libgdk-1.2.so.0 + 0x174db (0x408b14db)
libglib-1.2.so.0 + 0x10186 (0x408de186)
libglib-1.2.so.0 + 0x10751 (0x408de751)
libglib-1.2.so.0 + 0x108f1 (0x408de8f1)
libgtk-1.2.so.0 + 0x8c5b9 (0x408065b9)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x189cb (0x4025e9cb)
oh, yeah: Enter key also kills the app.
Summary: hitting Esc in Prefs dialog crashes browser → hitting Esc or Enter keys in Prefs dialog crashes browser
cc brendan
another case: open a new browser window, then close it using Command+W on mac or Control+W on win32 (strangely, i cannot repro on linux). also crashes with the same trace.
Summary: hitting Esc or Enter keys in Prefs dialog crashes browser → hitting Esc or Enter keys in Prefs dialog crashes browser; or ctrl+W
Just snooping around... We're passing nsnull to nsJSContext::BindCompiledEventHandler at nsXBLPrototypeHandler.cpp:307. Not sure if that's okay or not as a way of unbinding. In BindCompiledEventHandler (nsJSContext.cpp) we do this:

930   if (funobj && ::JS_GetParent(mContext, funobj) != target) {
931     funobj = ::JS_CloneFunctionObject(mContext, funobj, target);
932     if (!funobj)
933       return NS_ERROR_OUT_OF_MEMORY;
934   }

I think this code might assume that the compiler necessarily optimizes by not evaluating ::JS_GetParent(mContext, funobj) after finding funobj to be null... If not, that could cause a segfault if JS_GetParent has problems with null... That feels to me like barking up the wrong tree, though. Maybe OBJECT_TO_JSVAL is dying... I'm not sure. My gut feeling is that we're not supposed to be calling a function called "bind" to unbind, or we're calling it wrong. I don't think I'll be able to contribute any real knowledge to this :)
nsbeta3+, p1 for M18. assigning to dr to baby sit till hyatt gets back. cc hyatt.
Assignee: hyatt → dr
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Target Milestone: --- → M18
>930   if (funobj && ::JS_GetParent(mContext, funobj) != target) {
>931     funobj = ::JS_CloneFunctionObject(mContext, funobj, target);
>932     if (!funobj)
>933       return NS_ERROR_OUT_OF_MEMORY;
>934   }
>
>I think this code might assume that the compiler necessarily optimizes by not
>evaluating ::JS_GetParent(mContext, funobj) after finding funobj to be null...

Uh, that's not an optimization, it is a requirement of C and C++'s so-called "short-circuiting" && and || logical connectives. Count on it. It's not a bug. (Optimization describes what the compiler can do at compile-time, btw, and it can't know that a particular funobj value is null at runtime.)

The crash stacktraces here lack argument values, but if someone makes this happen in a debugger, look at obj in DefineProperty -- I bet it's bad. If so, update the bug with its value, and try to trace where that value came from in memory.

/be
*** Bug 53767 has been marked as a duplicate of this bug. ***
Here is a 'where full' stack backtrace from gdb from a recent Linux CVS pull and build (with debugging, obviously):

(gdb) where full
#0 0x10 in ?? ()
#1 0x401786f8 in JS_DefineProperty (cx=0x83ae088, obj=0x84a0eb0, name=0xbfffbc60 "onxblkeypress", value=0, getter=0, setter=0, attrs=5) at /g/misc/cks/code/mozilla/js/src/jsapi.c:2003
#2 0x41682a18 in nsJSContext::BindCompiledEventHandler (this=0x84c7ef8, aTarget=0x84a0eb0, aName=0x866cca8, aHandler=0x0) at /g/misc/cks/code/mozilla/dom/src/base/nsJSEnvironment.cpp:938
#3 0x413dff50 in nsXBLPrototypeHandler::ExecuteHandler (this=0x844e5a8, aReceiver=0x84e5d28, aEvent=0x8603c40) at /g/misc/cks/code/mozilla/layout/xbl/src/nsXBLPrototypeHandler.cpp:307
More detail: In JS_DefineProperty() obj itself seems fine. However, while obj->map->ops appears to be a valid pointer (gdb does not puke on my shoes), the contents are complete garbage: everything is set to 0x10101010. In the hope it helps:

(gdb) print *obj
$15 = {map = 0x84a0eb8, slots = 0x84a18c6}
(gdb) print *(obj->map)
$16 = {nrefs = 139071168, ops = 0x84a18c7, nslots = 139071176, freeslot = 139073736}
(gdb) print obj->slots
$18 = (jsval *) 0x84a18c6
(gdb) print *(obj->slots)
$17 = 269488144
cks+netscape.com, anyone: please try the patch at bug 53123 and let us know if this bug reproduces, or not. /be
I repulled, getting the bits that Brendan had checked in. The bug is still reproducing for me (on CTRL+W to close windows). More info: target->map->ops is smashed (to 0x10) already when we reach nsJSContext::BindCompiledEventHandler() from nsXBLPrototypeHandler::ExecuteHandler. (This is before the SEGV itself.) As another data point, the window that is closing from the CTRL+W has already vanished (at the X level) by the time we hit this point. And as a final, third piece of information: I am running on an SMP system, not a UP system. (I don't know if this makes any important difference, but just in case...)
How does aReceiver look around http://lxr.mozilla.org/mozilla/source/layout/xbl/src/nsXBLPrototypeHandler.cpp#290 ? That's where the JSObject came from, via nsIScriptObjectOwner::GetScriptObject. /be
Since late July, and until this crash appeared, I've all along been seeing this when closing a window with ctrl+w on linux:

Gdk-CRITICAL **: file gdkwindow.c: line 716 (gdk_window_ref): assertion `window != NULL' failed.

trudelle and laurel weren't able to repro it, but it kept displaying here. Last tested it two days ago and it was still there. I "gave up" on that bug since it was obviously hard to repro (bug 45947), but am mentioning it here for what it's worth.
Info to help people to reproduce this: The site I'm using is http://www.theregister.co.uk/. I go to it in the main browser window, button-2 a story to open it in a new window, and then Ctrl-W the new window closed; it then consistently SEGVs. Other places are only intermittent. More information: with Brendan telling me what to do, I traced the flow of things through nsXBLPrototypeHandler::ExecuteHandler. scriptObject->map->ops is fine before the call 'eventListener->HandleEvent(aEvent);' (line 304) and is DOA afterwards.
I reproduced this on the first try on NT. This is in a branch build that has the patch brendan mentioned. The cx looks good. The obj points into garbage. value (aka funobj) is null. To answer brendan... aReceiver is an nsXULElement that looks reasonable. It has a ref count of 5. Its mScriptObject = mDocument = null. Note that we ignore the return value at line 290 of...

void* scriptObject;
owner->GetScriptObject(boundContext, &scriptObject);

owner here *seems* to be an nsXULElement with mScriptObject = null. Yet scriptObject is not null. The code does not seem to be able to do that, so this might only be the way it appears at the point of the error. This is funky.
Ah, nsXBLPrototypeHandler::ExecuteHandler nests deeper in its call to eventListener->HandleEvent. When it comes out owner->mScriptObject is null and the value cached in scriptObject points to a JSObject that is no more. We need a deathgrip or another call to GetScriptObject - though we may not want it to be creating a new script object just for us at this point, right? Anyway, I hope this is sufficient clue.
*** Bug 54019 has been marked as a duplicate of this bug. ***
A death grip in JS is called a GC root. If you really need one, use JS_AddNamedRoot and JS_RemoveRoot. But maybe there's a better way: can we take note of the fact that the script object has been finalized? We could call GetScriptObject again, storing its out parameter in a scriptObjectAfter local, and then compare scriptObject == scriptObjectAfter and call the // Now unbind it code (BindCompiledEventHandler(..., nsnull)) only if the pointers match. But that will create a new script object needlessly. Too bad nsIScriptObjectOwner doesn't have a HasScriptObject method that tests without doing lazy construction. Hyatt, anyone: is there another way to tell that we have lost the script object (and the receiver content node, and who knows what else), and avoid either a GC-root-death-grip or a gratuitous second ("after") script object? /be
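The lifetime hazard described in the two comments above (a cached scriptObject pointer outliving the object across the nested HandleEvent call) and the "compare the pointer afterwards" idea, as an added C++ sketch that is not Mozilla code: Arena, Owner, HasScriptObject and the scenario functions are stand-ins constructed for this illustration, not Gecko or SpiderMonkey APIs.

```cpp
// Added illustration (not Mozilla code): a handler caches the pointer to an
// owner's script object, dispatches a nested event that may tear the owner
// down, and then touches the cached pointer to unbind the handler.
#include <array>
#include <cassert>
#include <cstddef>
#include <functional>

// Stand-in for a JSObject. Objects live in a fixed arena and are only marked
// dead on finalization, so a stale access is detectable here instead of being
// real undefined behaviour (in the browser it was a segfault in JS_DefineProperty).
struct ScriptObject {
    bool alive = false;
    int boundHandlers = 0;   // number of bound event-handler properties
};

struct Arena {
    std::array<ScriptObject, 4> objs{};
    std::size_t used = 0;
    ScriptObject* create() {
        assert(used < objs.size());
        objs[used].alive = true;
        return &objs[used++];
    }
    // GC finalization: the object is gone and its slots are garbage.
    void finalize(ScriptObject* o) { o->alive = false; o->boundHandlers = 0; }
};

// Stand-in for an nsIScriptObjectOwner (element, document or window).
struct Owner {
    Arena* arena = nullptr;
    ScriptObject* mScriptObject = nullptr;
    // GetScriptObject constructs lazily, like the real interface.
    ScriptObject* GetScriptObject() {
        if (!mScriptObject) mScriptObject = arena->create();
        return mScriptObject;
    }
    // Hypothetical non-constructing test (the "HasScriptObject" the thread wishes for).
    bool HasScriptObject() const { return mScriptObject != nullptr; }
    // Window teardown: the script object is finalized and the owner forgets it.
    void Teardown() {
        if (mScriptObject) { arena->finalize(mScriptObject); mScriptObject = nullptr; }
    }
};

enum class Unbind { Done, SkippedGone, UsedStale };

using Dispatch = std::function<void()>;

// Shape of the crashing code: bind, dispatch, then unbind through the cached pointer.
Unbind executeHandlerUnchecked(Owner& owner, const Dispatch& handleEvent) {
    ScriptObject* scriptObject = owner.GetScriptObject();
    scriptObject->boundHandlers++;          // BindCompiledEventHandler(target, name, handler)
    handleEvent();                          // eventListener->HandleEvent(aEvent); may close the window
    if (!scriptObject->alive) return Unbind::UsedStale;  // the real code had no such check
    scriptObject->boundHandlers--;          // BindCompiledEventHandler(target, name, nsnull)
    return Unbind::Done;
}

// Defensive shape: re-ask the owner, without lazy construction, whether the
// very same script object is still there before unbinding.
Unbind executeHandlerChecked(Owner& owner, const Dispatch& handleEvent) {
    ScriptObject* scriptObject = owner.GetScriptObject();
    scriptObject->boundHandlers++;
    handleEvent();
    if (!owner.HasScriptObject() || owner.GetScriptObject() != scriptObject)
        return Unbind::SkippedGone;         // finalized during dispatch: nothing left to unbind
    scriptObject->boundHandlers--;
    return Unbind::Done;
}

// Constructed scenario: the key event closes the window (Ctrl+W), finalizing
// the document's script object while the handler is still on the stack.
Unbind runClosingScenario(bool checked) {
    Arena arena;
    Owner owner;
    owner.arena = &arena;
    Dispatch closeWindow = [&owner] { owner.Teardown(); };
    return checked ? executeHandlerChecked(owner, closeWindow)
                   : executeHandlerUnchecked(owner, closeWindow);
}

// Constructed scenario: an ordinary key event that tears nothing down.
Unbind runBenignScenario(bool checked) {
    Arena arena;
    Owner owner;
    owner.arena = &arena;
    Dispatch noop = [] {};
    return checked ? executeHandlerChecked(owner, noop)
                   : executeHandlerUnchecked(owner, noop);
}
```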
Question for hyatt: why is nsXBLPrototypeHandler::ExecuteHandler compiling as well as invoking? That oxymoron indicates a performance bug: we should hoist the compilation out to load-time, if possible. Is this do-able? If so, what's the bug number? /be
*** Bug 54177 has been marked as a duplicate of this bug. ***
I haven't tried that patch out (my Win98 machine at home is way out of date, and crashes too much when I try to build -- I'm a Linux guy now all the way), but it will avoid the crash. It costs an extra GC root, temporarily, and it keeps the script object alive past some window-destruction point where otherwise it would become garbage. That may break things due to a screwy finalize dependency, or some such. Anyone, try it out and update this bug, please. /be
Yes! The script object in question can now be for a window, a document or an element. In the past XBL was only dealing with elements (which I believe are good about always being rooted). In this case we're dealing with a document's script object. I believe this is the right fix.
Perhaps we only need to add a named root if the script object in question belongs to a document or window?
*** Bug 10511 has been marked as a duplicate of this bug. ***
Oh baby, this is SO hyatt's bug.
Assignee: dr → hyatt
mass-adding rtm keyword to all open nsbeta3+ xptoolkit bugs
Keywords: rtm
PDT: this is a serious regression, and a very common crasher. we have a fix in hand. this *really* ought to make it into the branch. (cc'ing jar)
Summary: hitting Esc or Enter keys in Prefs dialog crashes browser; or ctrl+W → all keybindings which close windows crash the browser
Whiteboard: [nsbeta3+] → [nsbeta3+]FIX IN HAND
Marking nsbeta3++. Let's get this one in immediately so we don't have to slip the beta.
Whiteboard: [nsbeta3+]FIX IN HAND → [nsbeta3++]FIX IN HAND
And was this checked in? ... It's supposedly blocking 44437.
Actually, the fix in hand mentioned (brendan's two cents) isn't right according to hyatt (roots aren't refcounted, so we could do some horrible breakage here). He's going to submit a fix where the offending call just isn't made (things get garbage-collected later rather than sooner, but not a big deal) as soon as the trees open up. This superfluous news update courtesy of dr@zarro.boogs
fixed.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Huh? Roots aren't refcounted. So what? The root will keep the JSObject alive. Please specify the horrible breakage foreseen with my modest patch. BTW, and as I discussed with hyatt, it would be even better to know that the script object had been finalized, and not bother clearing a bound event handler from some old, otherwise useless script object. /be
Fixed without a patch attached here for review? Hmph! /be
The problem that waterson pointed out was that the object could already be rooted. Calling AddRoot would then re-add the root to the table, and calling RemoveRoot would then incorrectly remove the root altogether. In the case where nothing was being torn down/going away (which is most of the time), you'd end up unrooting objects when you didn't intend to. Leaving the bound event handler on the object seems minor to me, since in the "onclick" case for attributes you do that anyway. This makes XBL no worse than an attribute event handler situation.
You guys are forgetting that roots are identified by their addresses, and there can be no other root for &scriptObject where scriptObject is your void* local. So the scenario waterson fears cannot happen. What fix did you go with (and where was the patch attached and reviewed)? /be
vrfy fixed using 2000.09.29.xx-n6 [opt comm branch bits] on mac, linux and winnt.
Keywords: rtmvtrunk
Verified Fixed with win32 mozilla trunk build 100204, linux mozilla trunk build 100208 and mac mozilla trunk build 100208. Keybindings which close windows do not cause crashes. Setting bug status to Verified and removing the vtrunk keyword.
Status: RESOLVED → VERIFIED
Keywords: vtrunk
Component: Keyboard: Navigation → User events and focus handling