[TSF] MS-IME 2012 (Win 8.1) sometimes fails to move candidate window to proper position

RESOLVED FIXED in mozilla35

Core
Event Handling

(Reporter: masayuki, Assigned: masayuki)

Trunk
mozilla35
x86_64
Windows 8.1
inputmethod

*Sometimes* MS-IME 2012, which is preinstalled on Win8.1, fails to move the candidate window to the proper position.

The reason is that NS_QUERY_CONTENT_TEXT_RECT fails. As I researched the cause, it fails in ContentEventHandler::SetRangeFromFlatTextOffset(). In the method, when setting the range start, we use nsRange::SetStart(nsIDOMNode* aDOMNode, int32_t aOffset). However, it sometimes fails with NS_ERROR_DOM_SECURITY_ERR from nsRange::SetStart(nsINode& aNode, uint32_t aOffset, ErrorResult& aRv). I'm not sure of the actual reason, though...

I think that we should use nsRange::SetStart(nsINode* aParent, int32_t aOffset) instead of that. Then, we can avoid the security check and the redundant QI in ContentEventHandler.
FYI: I can reproduce this bug only in the URL bar and search bar. I guess that autocomplete does something wrong.

Comment 3

4 years ago
What is throwing the security exception? What is the stack then?
Should we perhaps just use AutoNoJSAPI, so that things behave as if it were chrome JS calling the API?


(It is not clear to me why nsRange has nsContentUtils::CanCallerAccess checks. Have you perhaps looked at the cvs blame?)

Comment 4

4 years ago
Old stuff, Bug 156452
So, do you think that I should remove the check? Or use AutoNoJSAPI? Anyway, I think that avoiding QI from nsIContent to nsIDOMNode is a good thing too, though.

Comment 7

4 years ago
Feel free to remove the checks.
And yes, not using nsIDOMNode but nsINode is good.
Created attachment 8483374 [details] [diff] [review]
Remove security checks from nsRange

Hmm, it's odd. Applying this patch causes new orange:
https://tbpl.mozilla.org/?tree=Try&usebuildbot=1&rev=a811bc750ae0

# The patches of bug 1052343 have already been landed on m-i. So, they shouldn't be the cause of this.

http://mxr.mozilla.org/mozilla-central/source/layout/forms/test/test_bug287446.html?force=1 fails as:

> 01:42:00     INFO -  ++DOMWINDOW == 25 (0x9a097400) [pid = 1733] [serial = 25] [outer = 0x9fba7400]
> 01:42:00     INFO -  ++DOCSHELL 0x9ce26800 == 9 [pid = 1733] [id = 9]
> 01:42:00     INFO -  ++DOMWINDOW == 26 (0x99fef200) [pid = 1733] [serial = 26] [outer = (nil)]
> 01:42:00     INFO -  [1733] WARNING: NS_ENSURE_TRUE(nsContentUtils::GetCurrentJSContext()) failed: file /builds/slave/try-lx-d-000000000000000000000/build/docshell/base/nsDocShell.cpp, line 8847
> 01:42:00     INFO -  ++DOMWINDOW == 27 (0x9a09ba00) [pid = 1733] [serial = 27] [outer = 0x99fef200]
> 01:42:01     INFO -  System JS : ERROR jar:file:///builds/slave/test/build/application/firefox/omni.ja!/components/nsHandlerService.js:891 - NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIProperties.get]
> 01:42:01     INFO -  --DOMWINDOW == 26 (0xa92ae000) [pid = 1733] [serial = 2] [outer = 0xa92ad800] [url = about:blank]
> 01:42:01     INFO -  --DOMWINDOW == 25 (0x9a1b2200) [pid = 1733] [serial = 21] [outer = 0x9a1b0800] [url = about:blank]
> 01:42:01     INFO -  --DOMWINDOW == 24 (0x9e86ac00) [pid = 1733] [serial = 9] [outer = 0x9e868c00] [url = about:blank]
> 01:42:01     INFO -  [1733] WARNING: NS_ENSURE_TRUE(aSelection->GetRangeCount()) failed: file /builds/slave/try-lx-d-000000000000000000000/build/editor/libeditor/nsEditor.cpp, line 3731
> 01:42:01     INFO -  [1733] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /builds/slave/try-lx-d-000000000000000000000/build/editor/libeditor/nsEditor.cpp, line 3710
> 01:42:01     INFO -  [1733] WARNING: NS_ENSURE_SUCCESS(res, res) failed with result 0x80004005: file /builds/slave/try-lx-d-000000000000000000000/build/editor/libeditor/nsTextEditRules.cpp, line 441
> 01:42:01     INFO -  [1733] WARNING: NS_ENSURE_TRUE(aSelection->GetRangeCount()) failed: file /builds/slave/try-lx-d-000000000000000000000/build/editor/libeditor/nsEditor.cpp, line 3731
> 01:42:01     INFO -  [1733] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /builds/slave/try-lx-d-000000000000000000000/build/editor/libeditor/nsEditor.cpp, line 3710
> 01:42:01     INFO -  [1733] WARNING: NS_ENSURE_SUCCESS(res, res) failed with result 0x80004005: file /builds/slave/try-lx-d-000000000000000000000/build/editor/libeditor/nsTextEditRules.cpp, line 441
> 01:42:01     INFO -  [1733] WARNING: '!sPresContext', file /builds/slave/try-lx-d-000000000000000000000/build/dom/events/IMEStateManager.cpp, line 644
> 01:42:01     INFO -  [1733] WARNING: '!sPresContext', file /builds/slave/try-lx-d-000000000000000000000/build/dom/events/IMEStateManager.cpp, line 644
> 01:42:01     INFO -  dumping last 10 message(s)
> 01:42:01     INFO -  if you need more context, please use SimpleTest.requestCompleteLog() in your test
> 01:42:01     INFO -  4 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | test is not testing cross-site
> 01:42:01     INFO -  5 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | Shouldn't be able to access cross-site
> 01:42:01     INFO -  6 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | toggling display failed
> 01:42:01     INFO -  7 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | toggling display back failed
> 01:42:01     INFO -  8 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | Shouldn't have lost our initial value
> 01:42:01     INFO -  9 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | Typing should work
> 01:42:01     INFO -  10 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | toggling display second time failed
> 01:42:01     INFO -  11 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | toggling display back second time failed
> 01:42:01     INFO -  12 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | Unexpected message
> 01:42:01     INFO -  13 INFO TEST-PASS | /tests/layout/forms/test/test_bug287446.html | Shouldn't have lost our typed value
> 01:42:01     INFO -  14 INFO TEST-UNEXPECTED-FAIL | /tests/layout/forms/test/test_bug287446.html | Typing should still work - got FooBarTest, expected BarFooTest

Any ideas?
Attachment #8483374 - Flags: feedback?(bugs)
Comment on attachment 8482840 [details] [diff] [review]
Patch

Only with this patch, we won't have any problems.
https://tbpl.mozilla.org/?tree=Try&usebuildbot=1&rev=4a3e4e061b2d
Attachment #8482840 - Flags: review?(bugs)
Comment on attachment 8483374 [details] [diff] [review]
Remove security checks from nsRange

Odd, let's do this change then in some other bug and figure out why it causes issues.
Attachment #8483374 - Flags: feedback?(bugs)
Comment on attachment 8482840 [details] [diff] [review]
Patch

I'd still like to see the stack when the security exception is thrown without this patch. But looks ok.
Attachment #8482840 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] from comment #11)
> Comment on attachment 8482840 [details] [diff] [review]
> Patch
> 
> I'd still like to see the stack when the security exception is thrown
> without this patch. But looks ok.

It's difficult. But I'll try it before landing.
>>	xul.dll!nsRange::SetStart(nsINode & aNode, unsigned int aOffset, mozilla::ErrorResult & aRv)  Line 1105	C++
>  	xul.dll!nsRange::SetStart(nsIDOMNode * aParent, int aOffset)  Line 1123	C++
>  	xul.dll!mozilla::ContentEventHandler::SetRangeFromFlatTextOffset(nsRange * aRange, unsigned int aOffset, unsigned int aLength, mozilla::LineBreakType aLineBreakType, bool aExpandToClusterBoundaries, unsigned int * aNewOffset)  Line 533 + 0xf bytes	C++
>  	xul.dll!mozilla::ContentEventHandler::OnQueryTextRect(mozilla::WidgetQueryContentEvent * aEvent)  Line 737	C++
>  	xul.dll!mozilla::EventStateManager::PreHandleEvent(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIFrame * aTargetFrame, nsEventStatus * aStatus)  Line 733	C++
>  	xul.dll!PresShell::HandleEventInternal(mozilla::WidgetEvent * aEvent, nsEventStatus * aStatus)  Line 7744 + 0x1c bytes	C++
>  	xul.dll!PresShell::HandleEvent(nsIFrame * aFrame, mozilla::WidgetGUIEvent * aEvent, bool aDontRetargetEvents, nsEventStatus * aEventStatus)  Line 7380 + 0xd bytes	C++
>  	xul.dll!nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent * aEvent, nsView * aView, nsEventStatus * aStatus)  Line 776	C++
>  	xul.dll!nsView::HandleEvent(mozilla::WidgetGUIEvent * aEvent, bool aUseAttachedEvents)  Line 1098	C++
>  	xul.dll!nsWindow::DispatchEvent(mozilla::WidgetGUIEvent * event, nsEventStatus & aStatus)  Line 3699 + 0x10 bytes	C++
>  	xul.dll!nsWindow::DispatchWindowEvent(mozilla::WidgetGUIEvent * event)  Line 3737	C++
>  	xul.dll!nsTextStore::GetTextExt(unsigned long vcView, long acpStart, long acpEnd, tagRECT * prc, int * pfClipped)  Line 2848	C++
>  	msctf.dll!75477477() 	
>  	[Frames below may be incorrect and/or missing, no symbols loaded for msctf.dll]	
>  	msctf.dll!754690ba() 	
>  	MSCAND20.DLL!2258bf01() 	
>  	MSCAND20.DLL!2256bbe3() 	
>  	msctf.dll!7546d058() 	
>  	msctf.dll!7546cfcc() 	
>  	msctf.dll!7545ba8d() 	
>  	msctf.dll!7546cf9b() 	
>  	msvcrt.dll!771b9ad1() 	
>  	msctf.dll!7546ce10() 	
>  	MSCAND20.DLL!22566254() 	
>  	MSCAND20.DLL!2258be44() 	
>  	MSCAND20.DLL!2257863d() 	
>  	MSCAND20.DLL!2256c972() 	
>  	msctf.dll!754573a7() 	
>  	msctf.dll!7545727e() 	
>  	msctf.dll!754695c6() 	
>  	xul.dll!nsTextStore::OnLayoutChangeInternal()  Line 3855	C++
>  	xul.dll!mozilla::widget::IMEHandler::NotifyIME(nsWindow * aWindow, const mozilla::widget::IMENotification & aIMENotification)  Line 191	C++
>  	xul.dll!nsWindow::NotifyIME(const mozilla::widget::IMENotification & aIMENotification)  Line 6823 + 0xb bytes	C++
>  	xul.dll!mozilla::PositionChangeEvent::Run()  Line 399 + 0x20 bytes	C++
>  	xul.dll!nsContentUtils::AddScriptRunner(nsIRunnable * aRunnable)  Line 5075	C++
>  	xul.dll!mozilla::IMEContentObserver::FlushMergeableNotifications()  Line 1100 + 0x1e bytes	C++
>  	xul.dll!mozilla::IMEContentObserver::Reflow(double aStart, double aEnd)  Line 419	C++
>  	xul.dll!nsDocShell::NotifyReflowObservers(bool aInterruptible, double aStart, double aEnd)  Line 2366	C++
>  	xul.dll!PresShell::DidDoReflow(bool aInterruptible, bool aWasInterrupted)  Line 8641	C++
>  	xul.dll!PresShell::ProcessReflowCommands(bool aInterruptible)  Line 8998	C++
>  	xul.dll!PresShell::FlushPendingNotifications(mozilla::ChangesToFlush aFlush)  Line 4265 + 0x15 bytes	C++
>  	xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType)  Line 4104	C++
>  	xul.dll!nsDocument::FlushPendingNotifications(mozFlushType aType)  Line 7880	C++
>  	xul.dll!nsGlobalWindow::EnsureSizeUpToDate()  Line 12899	C++
>  	xul.dll!nsGlobalWindow::GetScrollXY(bool aDoFlush)  Line 5783	C++
>  	xul.dll!nsGlobalWindow::GetScrollY(mozilla::ErrorResult & aError)  Line 5819 + 0xc bytes	C++
>  	xul.dll!mozilla::dom::WindowBinding::get_pageYOffset(JSContext * cx, JS::Handle<JSObject *> obj, nsGlobalWindow * self, JSJitGetterCallArgs args)  Line 2893 + 0x19 bytes	C++
>  	xul.dll!mozilla::dom::WindowBinding::genericGetter(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 12091 + 0x1b bytes	C++
>  	mozjs.dll!js::CallJSNative(JSContext * cx, bool (JSContext *, unsigned int, JS::Value *)* native, const JS::CallArgs & args)  Line 231 + 0xf bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 481 + 0x10 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval)  Line 537 + 0x2d bytes	C++
>  	mozjs.dll!js::InvokeGetterOrSetter(JSContext * cx, JSObject * obj, JS::Value fval, unsigned int argc, JS::Value * argv, JS::MutableHandle<JS::Value> rval)  Line 609 + 0x28 bytes	C++
>  	mozjs.dll!js::Shape::get(JSContext * cx, JS::Handle<JSObject *> receiver, JSObject * obj, JSObject * pobj, JS::MutableHandle<JS::Value> vp)  Line 46 + 0x1f bytes	C++
>  	mozjs.dll!NativeGetInline<1>(JSContext * cx, JS::Handle<JSObject *> obj, JS::Handle<JSObject *> receiver, JS::Handle<JSObject *> pobj, JS::Handle<js::Shape *> shape, JS::MutableHandle<JS::Value> vp)  Line 4856 + 0x1f bytes	C++
>  	mozjs.dll!GetPropertyHelperInline<1>(JSContext * cx, JS::Handle<JSObject *> obj, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 5047 + 0x23 bytes	C++
>  	mozjs.dll!js::baseops::GetProperty(JSContext * cx, JS::Handle<JSObject *> obj, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 5057 + 0x18 bytes	C++
>  	mozjs.dll!JSObject::getGeneric(JSContext * cx, JS::Handle<JSObject *> obj, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 1023 + 0x16 bytes	C++
>  	mozjs.dll!js::DirectProxyHandler::get(JSContext * cx, JS::Handle<JSObject *> proxy, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 608 + 0x1a bytes	C++
>  	xul.dll!nsOuterWindowProxy::get(JSContext * cx, JS::Handle<JSObject *> proxy, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 909 + 0x15 bytes	C++
>  	mozjs.dll!js::Proxy::get(JSContext * cx, JS::Handle<JSObject *> proxy, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 2376 + 0x1a bytes	C++
>  	mozjs.dll!js::proxy_GetGeneric(JSContext * cx, JS::Handle<JSObject *> obj, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 2739 + 0x19 bytes	C++
>  	mozjs.dll!JSObject::getGeneric(JSContext * cx, JS::Handle<JSObject *> obj, JS::Handle<JSObject *> receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp)  Line 1020 + 0x13 bytes	C++
>  	mozjs.dll!js::GetObjectElementOperation(JSContext * cx, JSOp op, JSObject * objArg, bool wasObject, JS::Handle<JS::Value> rref, JS::MutableHandle<JS::Value> res)  Line 390 + 0x6b bytes	C++
>  	mozjs.dll!js::jit::GetElementIC::update(JSContext * cx, unsigned int cacheIndex, JS::Handle<JSObject *> obj, JS::Handle<JS::Value> idval, JS::MutableHandle<JS::Value> res)  Line 3458 + 0x1d bytes	C++
>  	3e472351()	
>  	0e68e710()	
>  	3c2d4c51()	
>  	0e99be10()	
>  	3e47074c()	
>  	3c2d4c51()	
>  	16a8f668()	
>  	3c2d4c51()	
>  	16adee10()	
>  	3c2d4c51()	
>  	16af5e10()	
>  	3c2d4c51()	
>  	16acd738()	
>  	3e470a09()	
>  	mozjs.dll!EnterBaseline(JSContext * cx, js::jit::EnterJitData & data)  Line 118	C++
>  	mozjs.dll!js::jit::EnterBaselineMethod(JSContext * cx, js::RunState & state)  Line 147 + 0xc bytes	C++
>  	mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state)  Line 418 + 0x7 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 500 + 0xd bytes	C++
>  	mozjs.dll!js::CallOrConstructBoundFunction(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 1585 + 0x27 bytes	C++
>  	mozjs.dll!js::CallJSNative(JSContext * cx, bool (JSContext *, unsigned int, JS::Value *)* native, const JS::CallArgs & args)  Line 231 + 0xf bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 481 + 0x10 bytes	C++
>  	mozjs.dll!js_fun_apply(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 1325 + 0x27 bytes	C++
>  	mozjs.dll!js::CallJSNative(JSContext * cx, bool (JSContext *, unsigned int, JS::Value *)* native, const JS::CallArgs & args)  Line 231 + 0xf bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 481 + 0x10 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval)  Line 537 + 0x2d bytes	C++
>  	mozjs.dll!js::jit::DoCallFallback(JSContext * cx, js::jit::BaselineFrame * frame, js::jit::ICCall_Fallback * stub_, unsigned int argc, JS::Value * vp, JS::MutableHandle<JS::Value> res)  Line 8415	C++
>  	3e476d2a()	
>  	0e02a080()	
>  	3e470a09()	
>  	mozjs.dll!EnterBaseline(JSContext * cx, js::jit::EnterJitData & data)  Line 118	C++
>  	mozjs.dll!js::jit::EnterBaselineMethod(JSContext * cx, js::RunState & state)  Line 147 + 0xc bytes	C++
>  	mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state)  Line 418 + 0x7 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 500 + 0xd bytes	C++
>  	mozjs.dll!js_fun_apply(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 1325 + 0x27 bytes	C++
>  	mozjs.dll!js::CallJSNative(JSContext * cx, bool (JSContext *, unsigned int, JS::Value *)* native, const JS::CallArgs & args)  Line 231 + 0xf bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 481 + 0x10 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval)  Line 537 + 0x2d bytes	C++
>  	mozjs.dll!js::jit::DoCallFallback(JSContext * cx, js::jit::BaselineFrame * frame, js::jit::ICCall_Fallback * stub_, unsigned int argc, JS::Value * vp, JS::MutableHandle<JS::Value> res)  Line 8415	C++
>  	3e476d2a()	
>  	16ac82a8()	
>  	3da1bb38()	
>  	15d05568()	
>  	3e47074c()	
>  	3c2d4c51()	
>  	16ac6578()	
>  	0cf37e7c()	
>  	16ac5fe0()	
>  	3e47074c()	
>  	3c2d4c51()	
>  	16ac5bc8()	
>  	3c2d4c51()	
>  	16acbb50()	
>  	3c2d4c51()	
>  	16acc3a0()	
>  	3c2d4c51()	
>  	16acc098()	
>  	3c2d4c51()	
>  	0de43cd8()	
>  	15bf8fbe()	
>  	079ae588()	
>  	3c2d4c51()	
>  	079721a8()	
>  	0d03db6d()	
>  	16acbdc8()	
>  	3e470a09()	
>  	mozjs.dll!EnterBaseline(JSContext * cx, js::jit::EnterJitData & data)  Line 118	C++
>  	mozjs.dll!js::jit::EnterBaselineMethod(JSContext * cx, js::RunState & state)  Line 147 + 0xc bytes	C++
>  	mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state)  Line 418 + 0x7 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 500 + 0xd bytes	C++
>  	mozjs.dll!js::CallOrConstructBoundFunction(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 1585 + 0x27 bytes	C++
>  	mozjs.dll!js::CallJSNative(JSContext * cx, bool (JSContext *, unsigned int, JS::Value *)* native, const JS::CallArgs & args)  Line 231 + 0xf bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct)  Line 481 + 0x10 bytes	C++
>  	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval)  Line 537 + 0x2d bytes	C++
>  	mozjs.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval)  Line 5007 + 0x19 bytes	C++
>  	xul.dll!mozilla::dom::Function::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, const nsTArray<JS::Value> & arguments, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv)  Line 36 + 0x55 bytes	C++
>  	xul.dll!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(const nsCOMPtr<nsISupports> & thisObjPtr, const nsTArray<JS::Value> & arguments, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling)  Line 58 + 0x29 bytes	C++
>  	xul.dll!nsGlobalWindow::RunTimeoutHandler(nsTimeout * aTimeout, nsIScriptContext * aScx)  Line 12305	C++
>  	xul.dll!nsGlobalWindow::RunTimeout(nsTimeout * aTimeout)  Line 12530	C++
>  	xul.dll!nsGlobalWindow::TimerCallback(nsITimer * aTimer, void * aClosure)  Line 12775	C++
>  	xul.dll!nsTimerImpl::Fire()  Line 618 + 0x6 bytes	C++
>  	xul.dll!nsTimerEvent::Run()  Line 716	C++
>  	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult)  Line 823 + 0xe bytes	C++
>  	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait)  Line 265 + 0xd bytes	C++
>  	xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate)  Line 99 + 0xa bytes	C++
>  	xul.dll!MessageLoop::RunInternal()  Line 229 + 0x9 bytes	C++
>  	xul.dll!MessageLoop::RunHandler()  Line 223	C++
>  	xul.dll!MessageLoop::Run()  Line 197	C++
>  	xul.dll!nsBaseAppShell::Run()  Line 166	C++
>  	xul.dll!nsAppShell::Run()  Line 193	C++
>  	xul.dll!nsAppStartup::Run()  Line 281	C++
>  	xul.dll!XREMain::XRE_mainRun()  Line 4101 + 0x11 bytes	C++
>  	xul.dll!XREMain::XRE_main(int argc, char * * argv, const nsXREAppData * aAppData)  Line 4172 + 0x7 bytes	C++
>  	xul.dll!XRE_main(int argc, char * * argv, const nsXREAppData * aAppData, unsigned int aFlags)  Line 4386 + 0x12 bytes	C++
>  	firefox.exe!do_main(int argc, char * * argv, nsIFile * xreDirectory)  Line 282 + 0x12 bytes	C++
>  	firefox.exe!NS_internal_main(int argc, char * * argv)  Line 643 + 0xe bytes	C++
>  	firefox.exe!wmain(int argc, wchar_t * * argv)  Line 120	C++
>  	firefox.exe!__tmainCRTStartup()  Line 278 + 0x12 bytes	C
>  	kernel32.dll!7556919f() 	
>  	ntdll.dll!77a7a22b() 	
>  	ntdll.dll!77a7a201() 	

I succeeded in getting the log!

Looks like changing text in an untrusted JS context causes a TextChange notification. Then, it causes TSF to access us for retrieving the new text.
Oops, not text change, layout change causes it.
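
An added illustration, not code from Gecko or from any patch in this bug: a small C++ model of why a caller-based check can reject a native query handler that is re-entered while content script is still on the stack, and of the two remedies discussed in the comments above (an unchecked internal setter, or an AutoNoJSAPI-style marker). The types, function names and the exact rule in `CanCallerAccess` are assumptions made for the model.

```cpp
// Simplified model only; every name here is hypothetical, not Gecko source.
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Principal { Chrome, Content };
enum class Result { Ok, SecurityError };

struct Node { Principal owner; };

// Ambient "who is calling" state: script entries currently on the stack.
// A nullptr entry models an AutoNoJSAPI-style marker (treat as native caller).
static std::vector<const Principal*> gScriptStack;

struct AutoScriptEntry {
  Principal mPrincipal;
  explicit AutoScriptEntry(Principal p) : mPrincipal(p) {
    gScriptStack.push_back(&mPrincipal);
  }
  ~AutoScriptEntry() { gScriptStack.pop_back(); }
  AutoScriptEntry(const AutoScriptEntry&) = delete;
  AutoScriptEntry& operator=(const AutoScriptEntry&) = delete;
};

struct AutoNoScript {
  AutoNoScript() { gScriptStack.push_back(nullptr); }
  ~AutoNoScript() { gScriptStack.pop_back(); }
  AutoNoScript(const AutoNoScript&) = delete;
  AutoNoScript& operator=(const AutoNoScript&) = delete;
};

// Assumed rule: native callers and chrome script may touch any node;
// content script may only touch content-owned nodes.
bool CanCallerAccess(const Node& node) {
  if (gScriptStack.empty() || gScriptStack.back() == nullptr) return true;
  Principal caller = *gScriptStack.back();
  return caller == Principal::Chrome || node.owner == Principal::Content;
}

class Range {
 public:
  // Script-facing setter: decides based on whoever is on the stack.
  Result SetStartChecked(const Node& node, uint32_t offset) {
    if (!CanCallerAccess(node)) return Result::SecurityError;
    return SetStartInternal(node, offset);
  }
  // Internal setter: no caller check, so it must stay unreachable from
  // script bindings and be used only by native code acting for itself.
  Result SetStartInternal(const Node& node, uint32_t offset) {
    mStart = &node;
    mOffset = offset;
    return Result::Ok;
  }
 private:
  const Node* mStart = nullptr;
  uint32_t mOffset = 0;
};

enum class Mode { Checked, Internal, CheckedUnderNoScript };

// Stand-in for the native query handler that the IME reaches.
Result QueryTextRect(const Node& focused, Mode mode) {
  Range range;
  switch (mode) {
    case Mode::Internal:
      return range.SetStartInternal(focused, 0);
    case Mode::CheckedUnderNoScript: {
      AutoNoScript noScript;  // hide the script entry for this scope only
      return range.SetStartChecked(focused, 0);
    }
    default:
      return range.SetStartChecked(focused, 0);
  }
}

// Content script reads a layout property; the resulting flush notifies the
// IME synchronously, which calls back into the query handler while the
// content script entry is still on the stack.
Result ContentScriptTriggersLayoutFlush(const Node& focused, Mode mode) {
  AutoScriptEntry entry(Principal::Content);
  return QueryTextRect(focused, mode);
}

int main() {
  Node urlBarText{Principal::Chrome};  // constructed sample: chrome-owned node
  const char* names[] = {"Ok", "SecurityError"};
  std::printf("native only, checked:      %s\n",
              names[(int)QueryTextRect(urlBarText, Mode::Checked)]);
  std::printf("content on stack, checked: %s\n",
              names[(int)ContentScriptTriggersLayoutFlush(urlBarText, Mode::Checked)]);
  std::printf("content on stack, internal:%s\n",
              names[(int)ContentScriptTriggersLayoutFlush(urlBarText, Mode::Internal)]);
  std::printf("content on stack, no-script marker: %s\n",
              names[(int)ContentScriptTriggersLayoutFlush(urlBarText, Mode::CheckedUnderNoScript)]);
  return 0;
}
```
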
Sorry, had to back this out for crashes in XPCShell tests like https://tbpl.mozilla.org/php/getParsedLog.php?id=47398003&tree=Mozilla-Inbound
Odd...

> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  45  mozjs.dll!js::proxy_Call(JSContext *,unsigned int,JS::Value *) [jsproxy.cpp:53a069425e00 : 2909 + 0x11]
> 04:48:47     INFO -      eip = 0x67a87c42   esp = 0x0013c124   ebp = 0x0013c154
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  46  mozjs.dll!js::CallJSNative(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),JS::CallArgs const &) [jscntxtinlines.h:53a069425e00 : 231 + 0xe]
> 04:48:47     INFO -      eip = 0x67b3a101   esp = 0x0013c15c   ebp = 0x0013c17c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  47  mozjs.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:53a069425e00 : 474 + 0x7]
> 04:48:47     INFO -      eip = 0x67b5321c   esp = 0x0013c184   ebp = 0x0013c3d8
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  48  mozjs.dll!Interpret [Interpreter.cpp:53a069425e00 : 2563 + 0x26]
> 04:48:47     INFO -      eip = 0x67b501cc   esp = 0x0013c3e0   ebp = 0x0013c70c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  49  mozjs.dll!js::RunScript(JSContext *,js::RunState &) [Interpreter.cpp:53a069425e00 : 428 + 0x7]
> 04:48:47     INFO -      eip = 0x67b53068   esp = 0x0013c714   ebp = 0x0013c730
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  50  mozjs.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:53a069425e00 : 500 + 0xc]
> 04:48:47     INFO -      eip = 0x67b53321   esp = 0x0013c738   ebp = 0x0013c988
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  51  mozjs.dll!js_fun_call(JSContext *,unsigned int,JS::Value *) [jsfun.cpp:53a069425e00 : 1253 + 0x17]
> 04:48:47     INFO -      eip = 0x67a33c92   esp = 0x0013c990   ebp = 0x0013c9c8
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  52  mozjs.dll!js::CallJSNative(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),JS::CallArgs const &) [jscntxtinlines.h:53a069425e00 : 231 + 0xe]
> 04:48:47     INFO -      eip = 0x67b3a101   esp = 0x0013c9d0   ebp = 0x0013c9f0
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  53  mozjs.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:53a069425e00 : 481 + 0xf]
> 04:48:47     INFO -      eip = 0x67b5326d   esp = 0x0013c9f8   ebp = 0x0013cc4c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  54  mozjs.dll!js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) [Interpreter.cpp:53a069425e00 : 537 + 0x2c]
> 04:48:47     INFO -      eip = 0x67b535c9   esp = 0x0013cc54   ebp = 0x0013cd24
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  55  mozjs.dll!js::DirectProxyHandler::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) [jsproxy.cpp:53a069425e00 : 478 + 0x1f]
> 04:48:47     INFO -      eip = 0x67a38549   esp = 0x0013cd2c   ebp = 0x0013cd68
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  56  mozjs.dll!js::CrossCompartmentWrapper::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) [jswrapper.cpp:53a069425e00 : 431 + 0xd]
> 04:48:47     INFO -      eip = 0x67ae9003   esp = 0x0013cd70   ebp = 0x0013cdac
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  57  mozjs.dll!js::Proxy::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) [jsproxy.cpp:53a069425e00 : 2507 + 0xe]
> 04:48:47     INFO -      eip = 0x67a86e7f   esp = 0x0013cdb4   ebp = 0x0013ce0c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  58  mozjs.dll!js::proxy_Call(JSContext *,unsigned int,JS::Value *) [jsproxy.cpp:53a069425e00 : 2909 + 0x11]
> 04:48:47     INFO -      eip = 0x67a87c42   esp = 0x0013ce14   ebp = 0x0013ce44
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  59  mozjs.dll!js::CallJSNative(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),JS::CallArgs const &) [jscntxtinlines.h:53a069425e00 : 231 + 0xe]
> 04:48:47     INFO -      eip = 0x67b3a101   esp = 0x0013ce4c   ebp = 0x0013ce6c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  60  mozjs.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:53a069425e00 : 474 + 0x7]
> 04:48:47     INFO -      eip = 0x67b5321c   esp = 0x0013ce74   ebp = 0x0013d0c8
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  61  mozjs.dll!js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) [Interpreter.cpp:53a069425e00 : 537 + 0x2c]
> 04:48:47     INFO -      eip = 0x67b535c9   esp = 0x0013d0d0   ebp = 0x0013d1a0
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  62  mozjs.dll!js::jit::DoCallFallback [BaselineIC.cpp:53a069425e00 : 8555 + 0x19]
> 04:48:47     INFO -      eip = 0x67846715   esp = 0x0013d1a8   ebp = 0x0013d250
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  63  0x14c86d39
> 04:48:47     INFO -      eip = 0x14c86d3a   esp = 0x0013d258   ebp = 0x0013d2bc
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  64  0x7acce37
> 04:48:47     INFO -      eip = 0x07acce38   esp = 0x0013d2c4   ebp = 0x0013d330
> 04:48:47     INFO -      Found by: previous frame's frame pointer
> 04:48:47     INFO -  65  0x3e601900
> 04:48:47     INFO -      eip = 0x3e601901   esp = 0x0013d338   ebp = 0x0013d34c
> 04:48:47     INFO -      Found by: previous frame's frame pointer
> 04:48:47     INFO -  66  0x7ac549f
> 04:48:47     INFO -      eip = 0x07ac54a0   esp = 0x0013d354   ebp = 0x0013d398
> 04:48:47     INFO -      Found by: previous frame's frame pointer
> 04:48:47     INFO -  67  0x14c80a18
> 04:48:47     INFO -      eip = 0x14c80a19   esp = 0x0013d3a0   ebp = 0x0013d3c4
> 04:48:47     INFO -      Found by: previous frame's frame pointer
> 04:48:47     INFO -  68  mozjs.dll!EnterBaseline [BaselineJIT.cpp:53a069425e00 : 116 + 0x21]
> 04:48:47     INFO -      eip = 0x677e329e   esp = 0x0013d3cc   ebp = 0x0013d4ac
> 04:48:47     INFO -      Found by: previous frame's frame pointer
> 04:48:47     INFO -  69  mozjs.dll!js::jit::EnterBaselineMethod(JSContext *,js::RunState &) [BaselineJIT.cpp:53a069425e00 : 147 + 0xb]
> 04:48:47     INFO -      eip = 0x67829f30   esp = 0x0013d4b4   ebp = 0x0013d59c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  70  mozjs.dll!js::RunScript(JSContext *,js::RunState &) [Interpreter.cpp:53a069425e00 : 418 + 0x6]
> 04:48:47     INFO -      eip = 0x67b52ffe   esp = 0x0013d5a4   ebp = 0x0013d5c4
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  71  mozjs.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:53a069425e00 : 500 + 0xc]
> 04:48:47     INFO -      eip = 0x67b53321   esp = 0x0013d5cc   ebp = 0x0013d81c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  72  mozjs.dll!js::CallOrConstructBoundFunction(JSContext *,unsigned int,JS::Value *) [jsfun.cpp:53a069425e00 : 1585 + 0x26]
> 04:48:47     INFO -      eip = 0x67a5b263   esp = 0x0013d824   ebp = 0x0013d920
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  73  mozjs.dll!js::CallJSNative(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),JS::CallArgs const &) [jscntxtinlines.h:53a069425e00 : 231 + 0xe]
> 04:48:47     INFO -      eip = 0x67b3a101   esp = 0x0013d928   ebp = 0x0013d948
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  74  mozjs.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:53a069425e00 : 481 + 0xf]
> 04:48:47     INFO -      eip = 0x67b5326d   esp = 0x0013d950   ebp = 0x0013dba4
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  75  mozjs.dll!js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) [Interpreter.cpp:53a069425e00 : 537 + 0x2c]
> 04:48:47     INFO -      eip = 0x67b535c9   esp = 0x0013dbac   ebp = 0x0013dc7c
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  76  mozjs.dll!JS_CallFunctionValue(JSContext *,JS::Handle<JSObject *>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) [jsapi.cpp:53a069425e00 : 4995 + 0x37]
> 04:48:47     INFO -      eip = 0x679e1a77   esp = 0x0013dc84   ebp = 0x0013dcbc
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  77  xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) [XPCWrappedJSClass.cpp:53a069425e00 : 1258 + 0x4d]
> 04:48:47     INFO -      eip = 0x63645485   esp = 0x0013dcc4   ebp = 0x0013e048
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  78  xul.dll!nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) [XPCWrappedJS.cpp:53a069425e00 : 519 + 0x12]
> 04:48:47     INFO -      eip = 0x63630000   esp = 0x0013e050   ebp = 0x0013e064
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  79  xul.dll!PrepareAndDispatch [xptcstubs.cpp:53a069425e00 : 85 + 0x22]
> 04:48:47     INFO -      eip = 0x630f81f4   esp = 0x0013e06c   ebp = 0x0013e128
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  80  xul.dll!SharedStub [xptcstubs.cpp:53a069425e00 : 112 + 0x4]
> 04:48:47     INFO -      eip = 0x630f826e   esp = 0x0013e130   ebp = 0x0013e144
> 04:48:47     INFO -      Found by: call frame info
> 04:48:47     INFO -  81  xul.dll!nsThread::ProcessNextEvent(bool,bool *) [nsThread.cpp:53a069425e00 : 823 + 0xd]
> 04:48:47     INFO -      eip = 0x630f3584   esp = 0x0013e14c   ebp = 0x0013e144
> 04:48:47     INFO -      Found by: call frame info

I don't understand:

1. why it causes a crash in an xpcshell test, because the code runs only when it's queried by an IME.
2. why it occurs only on Windows, but on both XP (IMM) and others (TSF).
3. why it causes a crash in the Preferences API rather than in classes related to ContentEventHandler.

I have no idea in which case content and the domNode QI'ed from the content could be different.
Hmm, I cannot reproduce the orange with today's m-c. I'll reland it to m-i.
https://tbpl.mozilla.org/?tree=Try&usebuildbot=1&rev=dff120533da9
https://hg.mozilla.org/mozilla-central/rev/cd8f35af9d66
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35