113193 - Crash in nsView::GetChild

Status: RESOLVED DUPLICATE of bug 113121

(Core :: Web Painting, defect)

Description

[Stuart Parmenter]

I was in the bookmark manager trying to change the name of a bookmark folder.. 
when I hit ok, I crash.

stack trace:
nsView::GetNextSibling() line 143 + 10 bytes
nsView::GetChild(int 4) line 845 + 21 bytes
nsView::HandleEvent(nsView * const 0x04223b30, nsGUIEvent * 0x0012f8a0, 
unsigned int 28, nsEventStatus * 0x0012f810, int 1, int & 1) line 360 + 12 bytes
nsViewManager::DispatchEvent(nsViewManager * const 0x042238f0, nsGUIEvent * 
0x0012f8a0, nsEventStatus * 0x0012f810) line 1887
HandleEvent(nsGUIEvent * 0x0012f8a0) line 84
nsWindow::DispatchEvent(nsWindow * const 0x04293c5c, nsGUIEvent * 0x0012f8a0, 
nsEventStatus & nsEventStatus_eIgnore) line 845 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f8a0) line 866
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13) 
line 2530 + 15 bytes
nsWindow::OnChar(unsigned int 13, unsigned int 13, unsigned char 1) line 2663
nsWindow::ProcessMessage(unsigned int 258, unsigned int 13, long 1835009, long 
* 0x0012fce8) line 3223 + 51 bytes
nsWindow::WindowProc(HWND__ * 0x0009027a, unsigned int 258, unsigned int 13, 
long 1835009) line 1113 + 27 bytes
USER32! 77e12e98()
USER32! 77e130e0()
USER32! 77e15824()
nsAppShellService::Run(nsAppShellService * const 0x00f7be60) line 303
main1(int 1, char * * 0x00352860, nsISupports * 0x00000000) line 1269 + 32 bytes
main(int 1, char * * 0x00352860) line 1599 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e97d08()

The crash seems to be due to mFirstChild (returned from GetFirstChild()) 
pointing to deleted memory (its 0xdddddddd) in nsView::GetChild().  I didn't 
see any place in the view code that ever set mFirstChild to null.

Comment 1

[James Kelly]

Same thing happens to me on solaris8 on ultrasparc.  Very similar backtrace. 
Leaving platform and os until someone can confirm this for all.

#0  0xfd21a798 in nsView::GetChild () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libgkview.so
#1  0xfd218db8 in nsView::HandleEvent () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libgkview.so
#2  0xfd224388 in nsViewManager::DispatchEvent () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libgkview.so
#3  0xfd21a030 in nsView::GetClippedRect () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libgkview.so
#4  0xfe86b538 in nsWidget::DispatchEvent () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#5  0xfe86b434 in nsWidget::DispatchWindowEvent () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#6  0xfe86aa3c in nsWidget::OnInput () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#7  0xfe863e3c in handle_key_press_event () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#8  0xfe86472c in handle_size_allocate () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#9  0xfe86422c in handle_gdk_event () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#10 0xff05a070 in gdk_event_dispatch (source_data=0x17f338,
current_time=0xffbeec78, user_data=0x0) at gdkevents.c:2129
#11 0xfee35e80 in g_main_dispatch (dispatch_time=0xffbeec78) at gmain.c:656
#12 0xfee3671c in g_main_iterate (block=-18499284, dispatch=1) at gmain.c:877
#13 0xfee36930 in g_main_run (loop=0x182a40) at gmain.c:935
#14 0xfef3fcec in gtk_main () at gtkmain.c:476
#15 0xfe85d6fc in nsAppShell::Run () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libwidget_gtk.so
#16 0xfe8ca8b4 in nsAppShellService::Run () from
/usr/local/src/mozilla-goodbuild/mozilla/components/libnsappshell.so
#17 0x178d0 in _start ()
#18 0x18328 in main ()

Comment 2

[Kevin McCluskey (gone)]

*** This bug has been marked as a duplicate of 113121 ***

Comment 3

[Kevin McCluskey (gone)]

Attachment: Patch - check aHandled after event dispatch before accessing the view's children