Closed Bug 1246404 Opened 4 years ago Closed 4 years ago

crash in nsINode::IsInComposedDoc when doubleclick Titlebar or window border

Categories

(Core :: DOM: Core & HTML, defect, critical)

47 Branch
All
Windows
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla47
Tracking Status
firefox46 --- unaffected
firefox47 + fixed

People

(Reporter: alice0775, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

[Tracking Requested - why for this release]: Crash bug due to regression

This bug was filed from the Socorro interface and is 
report bp-b64f9dc4-e809-4671-aebf-50e4e2160206.
=============================================================

Build Identifier:
https://hg.mozilla.org/mozilla-central/rev/4295f9951e9331a2f2bd0a8ea8c4ad73af141a7b
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 ID:20160206030207

Tested 
on Windows7 x64 SP1 Home Premium, Classic style, Windows8.1.

If enabled the TitleBar,
When doubleclick Titlebar, then browser crashes.

The crash happens with new profile + enabled TitleBar.
This seems windows only problem.

Reproducible: always

Steps To Reproduce:
1. Enable TitleBar
2. Double click the TitleBar

Actual Results:
Browser crashes

Expected Results:
Should not crash
Should toggle window size mode.

Regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=db95299f4d30b9516ddc76c23402cbb3120be97c&tochange=c9585cb5a3cf9d59b8c1a13db5f9aa5776a18e14

Regressed by: Bug 591737
Flags: needinfo?(tlin)
Flags: needinfo?(ehsan)
Flags: needinfo?(bzbarsky)
And also Nightly crashes on Windows10 IP build14257.
bp-5448b2f4-9ea8-45ab-8062-09bc02160206
Component: Widget: Win32 → DOM
Also crash when doubleclick TitleBar of Page Info, Library and about Nightly.
And also crash when doubleclick window border
Summary: crash in nsINode::IsInComposedDoc when doubleclick Titlebar → crash in nsINode::IsInComposedDoc when doubleclick Titlebar or window border
From the callstack, it looks like first presShell->HandleEventWithTarget() makes mouseContent became nullptr. We have to null check mouseContent before calling mouseContent->IsInComposedDoc().

[1] http://hg.mozilla.org/mozilla-central/annotate/4295f9951e93/dom/events/EventStateManager.cpp#l4686
Assignee: nobody → tlin
Flags: needinfo?(tlin)
Flags: needinfo?(ehsan)
Flags: needinfo?(bzbarsky)
It's possible that PresShell::HandleEventWithTarget() above will make
mouseContent become nullptr. We should check the validity of
mouseContent before calling its method.
Attachment #8716718 - Flags: review?(bugs)
Comment on attachment 8716718 [details] [diff] [review]
Check mouseContent before calling IsInComposedDoc().

(I wonder if we should just make this method to return void and return early
in  if (!mouseContent && !mCurrentTarget) { by dropping the latter condition.)

But this is fine now.
Attachment #8716718 - Flags: review?(bugs) → review+
Thanks. Let's land this first to fix the crash.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=84a7232f0a05
https://hg.mozilla.org/mozilla-central/rev/a674340dc97e
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.