Closed Bug 20193 Opened 25 years ago Closed 25 years ago

[dogfood]Ctrl-W to close window crashes

Categories

(Core :: XUL, defect, P2)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: warrensomebody, Assigned: danm.moz)

Details

(Whiteboard: [PDT+])

I tried typing ctrl-W to close a window and got the following crash. The void
array was deleted 0xdddddddd:

nsVoidArray::Count() line 43 + 3 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x02b4e800, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 911 + 33 bytes
nsXULDocument::HandleDOMEvent(nsXULDocument * const 0x01b6fda0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 1738
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01e421c0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2576 + 39 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eebfa0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eebbf0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eeb8e0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eeb5d0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleChromeEvent(nsXULElement * const 0x01eeb5f4, nsIPresContext
* 0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 3489
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x022a4a24,
nsIPresContext * 0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 2975
nsDocument::HandleDOMEvent(nsDocument * const 0x02b4aad0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000001, nsEventStatus * 0x0012fb14) line 2379
nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x02b4ef5c,
nsIPresContext * 0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x00000000,
unsigned int 0x00000001, nsEventStatus * 0x0012fb14) line 192 + 41 bytes
PresShell::HandleEvent(PresShell * const 0x025dff64, nsIView * 0x025fcb10,
nsGUIEvent * 0x0012fba8, nsEventStatus * 0x0012fb14) line 2444 + 39 bytes
nsView::HandleEvent(nsView * const 0x025fcb10, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 841
nsView::HandleEvent(nsView * const 0x025f8320, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsView::HandleEvent(nsView * const 0x025de4c0, nsGUIEvent * 0x0012fba8, unsigned
int 0x0000001c, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsViewManager::DispatchEvent(nsViewManager * const 0x025de640, nsGUIEvent *
0x0012fba8, nsEventStatus * 0x0012fb14) line 1725
HandleEvent(nsGUIEvent * 0x0012fba8) line 69
nsWindow::DispatchEvent(nsWindow * const 0x025da284, nsGUIEvent * 0x0012fba8,
nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fba8) line 459
nsWindow::DispatchKeyEvent(unsigned int 0x00000083, unsigned short 0x0077,
unsigned int 0x00000000) line 2184 + 15 bytes
nsWindow::OnChar(unsigned int 0x00000017, unsigned int 0x00000000, unsigned char
0x00) line 2493
nsWindow::ProcessMessage(unsigned int 0x00000102, unsigned int 0x00000017, long
0x00110001, long * 0x0012fde0) line 2665 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x0072083a, unsigned int 0x00000102, unsigned int
0x00000017, long 0x00110001) line 625 + 27 bytes
USER32! 77e7


That was running after visiting a few pages. I then tried it again just after
launching the browser and got a different crash. To reproduce, launch the
browser, type Cntl-N to create a new window, and then Cntl-W to close it. Here
the comptr is deleted 0xdddddddd (mTerminationFunction in nsJSContext):

nsCOMPtr_base::assign_assuming_AddRef(nsISupports * 0x00000000) line 391 + 3
bytes
nsCOMPtr_base::assign_with_AddRef(nsISupports * 0x00000000) line 54
nsCOMPtr<nsISupports>::operator=(nsISupports * 0x00000000) line 675
nsJSContext::ScriptEvaluated(nsJSContext * const 0x0279f1a0) line 642
nsJSContext::CallFunction(nsJSContext * const 0x0279f1a0, void * 0x01f058a8,
void * 0x02954490, unsigned int 0x00000001, void * 0x0012daf8, int * 0x0012daf4)
line 476
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x02954554) line 133 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02883f30,
nsIDOMEvent * 0x02954554, unsigned int 0x00000004) line 623 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x027c8d80, nsEvent *
0x0012e89c, nsIDOMEvent * * 0x0012df10, unsigned int 0x00000007, nsEventStatus *
0x0012e8dc) line 1357 + 31 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x0281bc70, nsIPresContext *
0x027c8d80, nsEvent * 0x0012e89c, nsIDOMEvent * * 0x0012df10, unsigned int
0x00000001, nsEventStatus * 0x0012e8dc) line 2588
nsXULKeyListenerImpl::DoKey(nsIDOMEvent * 0x02954964, eEventType eKeyPress) line
675
nsXULKeyListenerImpl::KeyPress(nsIDOMEvent * 0x02954964) line 337
nsEventListenerManager::HandleEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 927 + 17 bytes
nsXULDocument::HandleDOMEvent(nsXULDocument * const 0x027c6350, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 1738
nsXULElement::HandleDOMEvent(nsXULElement * const 0x027e4240, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2576 + 39 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02817230, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x020f4d70, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x0260fa20, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02818db0, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleChromeEvent(nsXULElement * const 0x02818dd4, nsIPresContext
* 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 3489
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x02904d34,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 2975
nsDocument::HandleDOMEvent(nsDocument * const 0x029649a0, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2379
nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x02965cac,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 192 + 41 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLBodyElement::HandleDOMEvent(nsHTMLBodyElement * const 0x0291ed2c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 723
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableElement::HandleDOMEvent(nsHTMLTableElement * const 0x0296e76c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 1303
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableSectionElement::HandleDOMEvent(nsHTMLTableSectionElement * const
0x0296e3ec, nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * *
0x0012f91c, unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 374
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableRowElement::HandleDOMEvent(nsHTMLTableRowElement * const 0x0296e36c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 739
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableCellElement::HandleDOMEvent(nsHTMLTableCellElement * const
0x0296e1a0, nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * *
0x0012f91c, unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 559
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000001, nsEventStatus *
0x0012fb14) line 778
nsHTMLImageElement::HandleDOMEvent(nsHTMLImageElement * const 0x0296fe2c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x00000000,
unsigned int 0x00000001, nsEventStatus * 0x0012fb14) line 334
PresShell::HandleEvent(PresShell * const 0x02930644, nsIView * 0x0293e930,
nsGUIEvent * 0x0012fba8, nsEventStatus * 0x0012fb14) line 2444 + 39 bytes
nsView::HandleEvent(nsView * const 0x0293e930, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 841
nsView::HandleEvent(nsView * const 0x0293d090, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsView::HandleEvent(nsView * const 0x02930a20, nsGUIEvent * 0x0012fba8, unsigned
int 0x0000001c, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsViewManager::DispatchEvent(nsViewManager * const 0x02930df0, nsGUIEvent *
0x0012fba8, nsEventStatus * 0x0012fb14) line 1725
HandleEvent(nsGUIEvent * 0x0012fba8) line 69
nsWindow::DispatchEvent(nsWindow * const 0x029308e4, nsGUIEvent * 0x0012fba8,
nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fba8) line 459
nsWindow::DispatchKeyEvent(unsigned int 0x00000083, unsigned short 0x0077,
unsigned int 0x00000000) line 2184 + 15 bytes
nsWindow::OnChar(unsigned int 0x00000017, unsigned int 0x00000000, unsigned char
0x00) line 2493
nsWindow::ProcessMessage(unsigned int 0x00000102, unsigned int 0x00000017, long
0x00110001, long * 0x0012fde0) line 2665 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x006e0820, unsigned int 0x00000102, unsigned int
0x00000017, long 0x00110001) line 625 + 27 bytes
USER32! 77e71820()
Severity: normal → critical
Assignee: trudelle → saari
Priority: P3 → P2
Verified that Ctrl-Q crashes on Win98, and that File>Quit does not. assigning to
saari as p2 for m13
Summary: [crash] ctrl-W to close window crashes → [dogfood][crash] ctrl-W to close window crashes
Target Milestone: M13
putting on dogfood radar.  Do we really need the word 'crash' twice in the
summary?
Whiteboard: [PDT+]
Putting on PDT+ radar.
Whiteboard: [PDT+] → [PDT+] Why do I have this one?
You might want to give this to someone less doomed...
Assignee: saari → danm
Summary: [dogfood][crash] ctrl-W to close window crashes → [dogfood]Ctrl-W to close window crashes
Whiteboard: [PDT+] Why do I have this one? → [PDT+]12/10
reassigning to danm, cuz saari is doomed, and danm is already familiar with the
seamy world of window-closing. also adding tentative fix date.
*** Bug 18655 has been marked as a duplicate of this bug. ***
The problem here is pretty obvious but solution (at least to me) isn't all
that obvious.  The problem is that the document will dispatch the key event down
to the DOM handlers and when it gets into nsEventListenerManager::HandleEvent()
the key event will cause the document to go out of scope, invalidating the
nsIEventListener object that the event was dispatched from.

The actual crash is caused because it tries to call into the list of key
listeners which is null.

So, the question here is where does the addref / release pair go?  You shouldn't
destroy a document while it still has active events passing through it but it
passes through so many levels of code that I'm not familiar with I'm not sure
where it should go.
Status: NEW → ASSIGNED
Welcome to my world.
Target Milestone: M13 → M12
moving to m12, since it is going out later now.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Added a kungFuDeathGrip to the JSContext.
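The lifetime problem described in the comments above and the kungFuDeathGrip fix, as an added example that is not Mozilla's code: `Context`, `StrongRef` and `CloseWindowDuringEvent` are constructed stand-ins, and the `destroyed` flag exists only so the example can observe the free without touching freed memory.

```cpp
#include <cstdio>
#include <functional>

// Constructed stand-in for an XPCOM-style refcounted object (not Mozilla code).
class Context {
public:
    explicit Context(bool* destroyedFlag) : mDestroyed(destroyedFlag) {}
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    // Runs a handler that may drop the last outside reference; true if still alive after it.
    bool CallFunction(const std::function<void()>& handler, bool useDeathGrip);
private:
    ~Context() { *mDestroyed = true; }
    int mRefCnt = 0;
    int mEvaluated = 0;
    bool* mDestroyed;
};

// Scoped strong reference, playing the role nsCOMPtr plays in the fix.
class StrongRef {
public:
    explicit StrongRef(Context* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    ~StrongRef() { if (mPtr) mPtr->Release(); }
    StrongRef(const StrongRef&) = delete;
private:
    Context* mPtr;
};

bool Context::CallFunction(const std::function<void()>& handler, bool useDeathGrip) {
    bool* destroyed = mDestroyed;  // stack copy, readable even if *this is freed
    StrongRef kungFuDeathGrip(useDeathGrip ? this : nullptr);
    handler();                     // e.g. the key handler that closes the window
    if (*destroyed) return false;  // without the grip, any member access here is a use-after-free
    ++mEvaluated;                  // post-call bookkeeping on a live object
    return true;                   // the grip releases, and may delete, only after this
}

struct Outcome { bool aliveAfterHandler; bool destroyedAfterReturn; };
// The "window" holds the only reference and drops it from inside the handler.
Outcome CloseWindowDuringEvent(bool useDeathGrip) {
    bool destroyed = false;
    Context* owner = new Context(&destroyed);
    owner->AddRef();
    Context* callee = owner;
    bool alive = callee->CallFunction([&] { owner->Release(); owner = nullptr; }, useDeathGrip);
    return {alive, destroyed};
}

int main() {
    Outcome grip = CloseWindowDuringEvent(true), none = CloseWindowDuringEvent(false);
    std::printf("grip: alive=%d destroyed=%d\n", grip.aliveAfterHandler, grip.destroyedAfterReturn);
    std::printf("none: alive=%d destroyed=%d\n", none.aliveAfterHandler, none.destroyedAfterReturn);
}
```

With the grip the object survives until `CallFunction` returns and is freed exactly once; without it the object is already gone when the handler returns, which is the state both stack traces in the report were captured in.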
Status: RESOLVED → REOPENED
must've been one helluva kungFuGrip.
sigh. now the second window won't close with Ctrl-W, or quit with Ctrl-Q, or anything with
Ctrl-anything. If that's a different bug and you want to claim this is fixed b/c it no longer
'crashes' I won't protest but in the meantime, i'm reopening.
Status: REOPENED → RESOLVED
Closed: 25 years ago
let's open a new bug and mark that one dogfood if you think it's so..
I fixed the crash and at the time, ctrl-W was working to close the window. There's
been work done on event handling recently that may have broken that. As Chris
says, though, that'd be a different bug.
Status: RESOLVED → VERIFIED
okay this bug is fixed, it no longer crashes. i've verified that with the 1999120715 build.
Marking VERIFIED.
Status: VERIFIED → REOPENED
nsCOMPtr should be wrapping an interface reference as
opposed to wrapping a class reference. Since this breaks
AIX, I am reopening, checking in the following change
(r=chofmann@netscape.com & danm@netscape.com).
We need to verify that this additional change still
fixes the original bug.

Index: nsJSEnvironment.cpp
===================================================================
RCS file: /cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v
retrieving revision 1.62
diff -r1.62 nsJSEnvironment.cpp
539c539
<   nsCOMPtr<nsJSContext> kungFuDeathGrip(this);
---
>   nsCOMPtr<nsIScriptContext> kungFuDeathGrip(this);
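Review bot: line 539 declares kungFuDeathGrip with nothing on the changed line saying why the method holds a reference to itself, and this context-free diff shows no neighbouring comment either. If none exists, add a one-line comment that the grip keeps this context alive until the function returns, because the script being run can close the window that owns it (the crash in this bug); otherwise the declaration looks like an unused local and invites removal. Retyping the nsCOMPtr from nsJSContext to nsIScriptContext still takes its reference on the same object, so the lifetime guarantee should be unchanged, but the Ctrl-N then Ctrl-W steps from the original report are the check to rerun.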
I just checked in the change, should be able to
re-verify on the next set of builds.
Status: REOPENED → RESOLVED
Closed: 25 years ago
Setting to Resolved/Fixed per last comments
Status: RESOLVED → REOPENED
now according to jdunn's comments I shouldn't be able to notice possible repercussions from HIS checkins in an opt build until
later or tomorrow. Nonetheless, i'm looking at the 1999120910 opt comm builds and they are crashing left and right
with Ctrl-W on all 3 platforms. So looks like someone else broke that?
The Call stack from my WinNT talkback report with the 1999120908 build. I also
repo'd this with the corresponding Mac build and the newest linux
build(1999120912). These are all comm. opt builds.

0x0e1ef5a4
ViewportFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 138]
FrameManager::~FrameManager [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 341]
FrameManager::`scalar deleting destructor'
FrameManager::Release [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 329]
PresShell::~PresShell [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 685]
PresShell::`scalar deleting destructor'
PresShell::Release [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 618]
nsCOMPtr_base::~nsCOMPtr_base [d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp, line 45]
nsXULKeyListenerImpl::HandleEventUsingKeyset [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULKeyListener.cpp, line 563]
gkhtml.dll + 0xfa4c0 (0x0126a4c0)
Status: REOPENED → ASSIGNED
Alright. I see the new crasher. The original one remains fixed, but a new way to crash was
introduced with the "massive rewrite of the key binding system" on 8 Dec. Working on it.
Resolution: FIXED → ---
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Whiteboard: [PDT+]12/10 → [PDT+]
New key binding system now more carefully follows what turns out to be a rule: never
let a PresShell outlive the ViewManager it's using. The second avatar of this bug is now
fixed. However, for more non-stop crashing action, see related bug 21397.
Status: RESOLVED → VERIFIED
VERIFIED Fixed with the 1999121308 builds on all platforms.