Closed
Bug 1368554
Opened 9 years ago
Closed 9 years ago
Crash in mozilla::ContentCacheInParent::OnCompositionEvent
Categories
(Core :: Widget: Win32, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: philipp, Assigned: masayuki)
References
Details
(Keywords: crash, inputmethod, regression, Whiteboard: tpi:+)
Crash Data
Attachments
(2 files)
|
59 bytes,
text/x-review-board-request
|
m_kato
:
review+
|
Details |
|
12.70 KB,
patch
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-da39123c-cfce-48b9-a95c-b79650170521.
=============================================================
Crashing Thread (0)
Frame Module Signature Source
0 xul.dll mozilla::ContentCacheInParent::OnCompositionEvent(mozilla::WidgetCompositionEvent const&) widget/ContentCache.cpp:1106
1 xul.dll mozilla::dom::TabParent::SendCompositionEvent(mozilla::WidgetCompositionEvent&) dom/ipc/TabParent.cpp:2051
2 xul.dll mozilla::TextComposition::DispatchCompositionEvent(mozilla::WidgetCompositionEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, bool) dom/events/TextComposition.cpp:252
3 xul.dll mozilla::IMEStateManager::DispatchCompositionEvent(nsINode*, nsPresContext*, mozilla::WidgetCompositionEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, bool) dom/events/IMEStateManager.cpp:1171
4 xul.dll mozilla::PresShell::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*) layout/base/PresShell.cpp:8179
5 xul.dll mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) layout/base/PresShell.cpp:8056
6 xul.dll mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) layout/base/PresShell.cpp:7758
7 xul.dll nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) view/nsViewManager.cpp:814
8 xul.dll nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) view/nsView.cpp:1125
9 xul.dll nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) widget/windows/nsWindow.cpp:4102
10 xul.dll mozilla::widget::TextEventDispatcher::DispatchEvent(nsIWidget*, mozilla::WidgetGUIEvent&, nsEventStatus&) widget/TextEventDispatcher.cpp:186
11 xul.dll mozilla::widget::TextEventDispatcher::StartComposition(nsEventStatus&, mozilla::WidgetEventTime const*) widget/TextEventDispatcher.cpp:237
12 xul.dll mozilla::widget::TSFTextStore::FlushPendingActions() widget/windows/TSFTextStore.cpp:1775
13 xul.dll mozilla::widget::TSFTextStore::DidLockGranted() widget/windows/TSFTextStore.cpp:1685
14 xul.dll mozilla::widget::TSFTextStore::RequestLock(unsigned long, long*) widget/windows/TSFTextStore.cpp:1639
15 msctf.dll CInputContext::_QueueItem(_TS_QUEUE_ITEM*, int, long*)
16 msctf.dll CInputContext::RequestEditSession(unsigned long, ITfEditSession*, unsigned long, long*)
17 imetip.dll CTipFnEditSessionHandler::Invoke(__MIDL___MIDL_itf_tipfunc_0000_0009_0001, __MIDL___MIDL_itf_tipfunc_0000_0009_0002, ITipEditSessionProcedure*, IUnknown*, long*)
18 imetip.dll CTipFnCompose::OnApplyComposition(CTipComposition*, int)
19 imetip.dll CTipComposition::ApplyToContext(int)
20 imetip.dll CTipFnProductStringHandler::UpdateComposition(int)
21 imetip.dll CTipFnProductStringHandler::_OnProductObjectChanged(unsigned long, void*)
22 imetip.dll Imeapiutil::CImeReconversionEndNotify::OnReconversionEnded(__MIDL___MIDL_itf_imeapi_0000_0043_0001)
23 imjkapi.dll CImeProductObject_JK::EndUpdateProductObject(int)
24 imjpapi.dll CImeIPointCallBack::GenerateMessage()
25 imjpapi.dll CIImeIPoint::UpdateContext(int)
26 imjpapi.dll CCmdUpdateContext::ExecuteWithParam(IImeEMManager*, __int64)
27 imjpapi.dll CImeEMManager::Execute(_GUID const*)
28 imjpapi.dll CImeCommonAPI_JPN_Desktop_V1::EndBulkChange(int)
29 imjpapi.dll CImeKeyEventHandler_JPN_Desktop_V1::ProcessKey(__MIDL___MIDL_itf_imeapi_0000_0001_0001 const*, unsigned short)
30 imjpapi.dll CImeKeyEventHandler_JPN_Desktop_V1::OnKeyDown(__MIDL___MIDL_itf_imeapi_0000_0001_0001 const*, int*)
31 imetip.dll CTipFnKeyEventHandler::OnKeyDown(unsigned __int64, __int64, int*)
32 imetip.dll CTipContextEditorMgr::OnKeyboardEvent(unsigned int, ITfContext*, unsigned __int64, __int64, int*)
33 imetip.dll CTipContextEditorMgr::_OnKeyboardEvent(unsigned int, ITfContext*, unsigned __int64, __int64, int*, void*)
34 imetip.dll Tsfutil::CTfKeyEventSink::OnKeyDown(ITfContext*, unsigned __int64, __int64, int*)
35 msctf.dll CThreadInputMgr::_CallKeyEventSink(unsigned long, CInputContext*, KSEnum, unsigned __int64, __int64, int*)
36 msctf.dll CheckKnownModuleOnWinlogonDesktop()
37 msctf.dll CThreadInputMgr::KeyDown(unsigned __int64, __int64, int*)
38 xul.dll mozilla::widget::TSFTextStore::ProcessRawKeyMessage(tagMSG const&) widget/windows/TSFTextStore.cpp:5878
39 xul.dll nsAppShell::ProcessNextNativeEvent(bool) widget/windows/nsAppShell.cpp:369
40 xul.dll nsBaseAppShell::DoProcessNextNativeEvent(bool) widget/nsBaseAppShell.cpp:138
41 xul.dll nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) widget/nsBaseAppShell.cpp:289
42 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1213
43 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:390
44 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:124
45 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:231
46 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
47 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156
48 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:262
49 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:283
50 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4477
51 xul.dll XREMain::XRE_main(int, char** const, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4654
52 xul.dll XRE_main(int, char** const, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4745
53 firefox.exe NS_internal_main(int, char**, char**) browser/app/nsBrowserApp.cpp:305
54 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115
55 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253
Ø 56 kernel32.dll kernel32.dll@0x159cc
Ø 57 ntdll.dll ntdll.dll@0x2a560
Ø 58 kernel32.dll kernel32.dll@0x9baaf
Ø 59 kernel32.dll kernel32.dll@0x9baaf
this cross-platform crash is appearing in firefox 52 and subsequent versions (next to en-us mostly in ja, zh & ko locales) with MOZ_RELEASE_ASSERT(mPendingCompositionCount < 0xffui8) that got added in bug 1304620.
|
||
Comment 1•9 years ago
|
||
not bad crash volume, something todo with text composition. Masayuki, care to take a look?
Flags: needinfo?(masayuki)
Priority: -- → P2
Whiteboard: tpi:+
|
Assignee | |
Comment 2•9 years ago
|
||
Oh, mPendingCompositionCount reaches 255... it means that the main process dispatched 255 composition events were sent to a remote process but they are not set back yet. If it's true, the child process is really stopped.
However, I bet that this is caused by other bug. Perhaps, mPendingCompositionCount isn't reset in some cases or decreased from 0?
Flags: needinfo?(masayuki)
Keywords: inputmethod
|
|
Assignee | |
Comment 3•9 years ago
|
||
Ah, I see that when composition is committed forcibly in a remote process, it sends a request to commit to the parent process. However, the parent process won't send composition events to the remote process. Therefore, mContentCacheInParent in TabParent doesn't have a chance to reset mPendingCompositionCount.
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 4•9 years ago
|
||
|
|
Assignee | |
Comment 5•9 years ago
|
||
| Comment hidden (mozreview-request) |
|
||
Comment 7•9 years ago
|
||
| mozreview-review | ||
Comment on attachment 8876327 [details]
Bug 1368554 ContentCacheInParent::mPendingCompositionCount should be decreased when TextCompositin which has dispatched composition events to corresponding remote process
https://reviewboard.mozilla.org/r/147660/#review152222
Attachment #8876327 -
Flags: review?(m_kato) → review+
Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/401127e8ba3b
ContentCacheInParent::mPendingCompositionCount should be decreased when TextCompositin which has dispatched composition events to corresponding remote process r=m_kato
|
|
||
Comment 9•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Comment 10•9 years ago
|
||
Too late for 54.
|
||
Comment 11•9 years ago
|
||
Is this worth nominating for ESR52 uplift or should we let it ride the trains?
status-firefox-esr52:
--- → affected
status-thunderbird_esr52:
affected → ---
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 12•9 years ago
|
||
I think that the crash volume isn't so high but this might be reproduced a lot for some specific users. If you keep open a tab which supports autocomplete during composition during a browser session and you often use such input field with IME, you will meat this crash after autocomplete commits composition forcibly 255 times.
I don't think we need to fix this bug urgently due to the rate, but I think that we should take this to 52ESR:
https://crash-stats.mozilla.com/signature/?product=Firefox&version=52.0esr&version=52.0.1esr&version=52.0.2esr&version=52.1.0esr&version=52.1.1esr&version=52.1.2esr&version=52.2.0esr&signature=mozilla%3A%3AContentCacheInParent%3A%3AOnCompositionEvent&date=%3E%3D2016-12-14T05%3A13%3A16.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports
I'll check if they can be uplifted cleanly.
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 13•8 years ago
|
||
# Unfortunately, the patch conflicts a line in logging code. So, actual code isn't touched in this patch.
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Fixing a crash bug of e10s.
User impact if declined:
If user or web page commits IME composition forcibly (e.g., clicking somewhere during composition or web page commits composition for autocomplete), TabParent's counter of number of composition won't be decreased. The counter is uint8_t. Therefore, when the counter reaches 254 and user tries to use IME, then, the main process crashes itself.
So, this can be problem if a tab is opened a long time. E.g., some users may meet this bug in Gmail.
Fix Landed on Version:
55
Risk to taking this patch (and alternatives if risky):
Not so risky. The counter was managed with composition events (when TabParent sends compositionstart, incremented and when composiitonend, decremented). This patch makes that TextComposition class which creates for every composition notify TabParent. Therefore, TabParent can decrement the counter in any cases.
String or UUID changes made by this patch:
No.
Attachment #8880010 -
Flags: approval-mozilla-esr52?
|
|
Assignee | |
Comment 14•8 years ago
|
||
Comment on attachment 8880010 [details] [diff] [review]
Patch for ESR52
Oops, I found a regression of this. This may cause setting current TextComposition instance to old composition's start offset. So, this patch is really buggy only when the child process is really slow.
Attachment #8880010 -
Flags: approval-mozilla-esr52?
|
|
||
Comment 15•8 years ago
|
||
Is this something you still were hoping to land on ESR52 or should we wontfix?
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 16•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #15)
> Is this something you still were hoping to land on ESR52 or should we
> wontfix?
I think that we should take only part1 of bug 1376424 instead.
Flags: needinfo?(masayuki)
|
|
||
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•