1157195 - crash in mozilla::EventStateManager::FillInEventFromGestureDown(mozilla::WidgetMouseEvent*)

Status: VERIFIED FIXED

(Core :: DOM: UI Events & Focus Handling, defect)

Description

[Jim Mathies [:jimm]]

This has been around in the content process for a while, it just never bubbled to the top because we had a lot of worse offenders above it.

https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=3&range_unit=days&date=2015-04-22&signature=mozilla%3A%3AEventStateManager%3A%3AFillInEventFromGestureDown%28mozilla%3A%3AWidgetMouseEvent*%29&version=Firefox%3A40.0a1#tab-sigsummary

https://crash-stats.mozilla.com/report/index/ca62b095-5cc0-44e5-9173-5fc372150419

0 	xul.dll 	mozilla::EventStateManager::FillInEventFromGestureDown(mozilla::WidgetMouseEvent*) 	dom/events/EventStateManager.cpp
1 	xul.dll 	mozilla::EventStateManager::GenerateDragGesture(nsPresContext*, mozilla::WidgetMouseEvent*) 	dom/events/EventStateManager.cpp
2 	xul.dll 	mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) 	dom/events/EventStateManager.cpp
3 	xul.dll 	PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*) 	layout/base/nsPresShell.cpp
4 	xul.dll 	PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) 	layout/base/nsPresShell.cpp
5 	xul.dll 	PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) 	layout/base/nsPresShell.cpp
6 	xul.dll 	PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) 	layout/base/nsPresShell.cpp
7 	xul.dll 	nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) 	view/nsViewManager.cpp
8 	xul.dll 	nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) 	view/nsView.cpp

Comment 1

[alex_mayorga]

¡Hola Jim!

Am I seeing this bug or a different one?

¡Gracias!
Alex

Report ID 	Date Submitted
bp-ba4556fd-f76a-408f-81b2-d37122150611
	11/06/2015	05:54 p.m.

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::EventStateManager::FillInEventFromGestureDown(mozilla::WidgetMouseEvent*) 	dom/events/EventStateManager.cpp
1 	xul.dll 	mozilla::EventStateManager::GenerateDragGesture(nsPresContext*, mozilla::WidgetMouseEvent*) 	dom/events/EventStateManager.cpp
2 	xul.dll 	mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) 	dom/events/EventStateManager.cpp
3 	xul.dll 	PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*) 	layout/base/nsPresShell.cpp
4 	xul.dll 	PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) 	layout/base/nsPresShell.cpp
5 	xul.dll 	PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) 	layout/base/nsPresShell.cpp
6 	xul.dll 	PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) 	layout/base/nsPresShell.cpp
7 	xul.dll 	nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) 	view/nsViewManager.cpp
8 	xul.dll 	nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) 	view/nsView.cpp
9 	xul.dll 	mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) 	widget/PuppetWidget.cpp
10 	xul.dll 	mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) 	gfx/layers/apz/util/APZCCallbackHelper.cpp
11 	xul.dll 	mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&) 	dom/ipc/TabChild.cpp
12 	xul.dll 	mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PBrowserChild.cpp
13 	xul.dll 	mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PContentChild.cpp
14 	xul.dll 	mozilla::ipc::MessageChannel::OnMaybeDequeueOne() 	ipc/glue/MessageChannel.cpp
15 	xul.dll 	RunnableMethod<SoftwareDisplay, void ( SoftwareDisplay::*)(void), Tuple0>::Run() 	ipc/chromium/src/base/task.h
16 	xul.dll 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc
17 	xul.dll 	mozilla::ipc::DoWorkRunnable::Run() 	ipc/glue/MessagePump.cpp
18 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
19 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
20 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
21 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
22 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
23 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
24 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
25 	xul.dll 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
26 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
27 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
28 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
29 	xul.dll 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
30 	plugin-container.exe 	content_process_main(int, char** const) 	ipc/contentproc/plugin-container.cpp
31 	plugin-container.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
32 	plugin-container.exe 	__tmainCRTStartup 	f:/dd/vctools/crt/crtw32/startup/crt0.c:255
33 	kernel32.dll 	BaseThreadInitThunk 	
34 	ntdll.dll 	RtlUserThreadStart 	
35 	kernel32.dll 	BasepReportFault 	
36 	kernel32.dll 	BasepReportFault

Comment 2

[Jim Mathies [:jimm]]

Yep, that's it, do you have steps to reproduce this?

Comment 3

[Jim Mathies [:jimm]]

#9 top aurora crasher

Comment 4

[Olli Pettay [:smaug][bugs@pettay.fi]]

Hmm, nsIFrame::GetNearestWidget(); returns null? Doesn't make much sense to me, but we can try a null pointer check.

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: wip

Sort of a debugging patch to see if this actually helps with the issue. If yes, the real bug is somewhere else.

Comment 6

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Comment on attachment 8630194 [details] [diff] [review]
wip

As a wallpaper, it's okay.

Although, I'm not familiar with the process of destructing views nor widgets, it sounds like that dispatcher dispatches the events when it shouldn't do that.

E.g., PuppetWidget doesn't check if it's already destroyed:
http://hg.mozilla.org/mozilla-central/annotate/bfd82015df48/widget/PuppetWidget.cpp#l317

Comment 7

[Olli Pettay [:smaug][bugs@pettay.fi]]

yeah, and I'd like to check with the patch whether it fixes the issue, or if the issue is somewhere else. AFAIK, we don't have STR for this bug.

Comment 8

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/18911ac13934

Comment 9

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/18911ac13934

Comment 10

[Jim Mathies [:jimm]]

Smaug, would it be ok if we uplifted this to aurora?

Comment 11

[Olli Pettay [:smaug][bugs@pettay.fi]]

Comment on attachment 8630194 [details] [diff] [review]
wip

yes

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: null pointer crashes
[Describe test coverage new/current, TreeHerder]: landed to m-c some time ago
[Risks and why]: Should be safe null pointer check
[String/UUID change made/needed]: NA

Comment 12

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8630194 [details] [diff] [review]
wip

it is low risk, it fixes a crash, let's take it.

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/19197bdb5a4a

Comment 14

[[SV Manager] Florin Mezei, QA (:FlorinMezei)]

Socorro [1] shows zero crashes over the past 4 weeks in builds created after this fix landed.

[1] - https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=28&signature=mozilla%3A%3AEventStateManager%3A%3AFillInEventFromGestureDown%28mozilla%3A%3AWidgetMouseEvent%2A%29#tab-reports