Closed Bug 1407700 Opened 7 years ago Closed 7 years ago

onmouseover alert() crashes browser tab

Categories

(Core :: DOM: Events, defect, P1)

Product:
Core
Component:
DOM: Events
Version:
58 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 --- fixed

People

(Reporter: george, Assigned: stone)

References

Details

(Keywords: crash, crashreportid)

Attachments

(3 files, 1 obsolete file)

crash.html
79 bytes, text/html
Details
Part1: Revise CoalescedInputData interfaces.
2.98 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Part2: Handle the case to re-entry event loop for mousemove coalescing
13.41 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Attached file crash.html 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20171010220102

Steps to reproduce:

1. Open the attached HTML file.
2. Hover your mouse over the text.
3. Click 'OK' to close the alert dialog that appears.


Actual results:

The browser tab crashes.

Crash reports:
  * Ubuntu 17.04: https://crash-stats.mozilla.com/report/index/5a666d3f-ffad-4046-aa8d-d78240171011
  * Windows 10: https://crash-stats.mozilla.com/report/index/f0456dc1-9102-4a00-a177-16fdd0171011


Expected results:

The tab shouldn't have crashed.
Component: Untriaged → DOM: Events
Keywords: crash, crashreportid
Product: Firefox → Core
Flags: needinfo?(sshih)
Something to do with MaybeDispatchCoalescedMouseMoveEvents -> stone
Assignee: nobody → sshih
Flags: needinfo?(sshih)
Comment on attachment 8917688 [details] [diff] [review]
Part2: Handle the case to re-entry event loop for mousemove coalescing

Dropping events may be a bad idea. Trying to revise it.
Attachment #8917688 - Flags: review?(bugs)
Attachment #8917687 - Flags: review?(bugs)
(In reply to George Pîrlea from comment #0)
> Created attachment 8917458 [details]
> crash.html
Thanks for identifying the steps and creating the test case.
Attachment #8917687 - Flags: review?(bugs)
Attachment #8918067 - Flags: review?(bugs)
We might have a similar problem of wheel event coalescing that dispatches disorder events while reentrying the event loop. Created bug 1408232 to fix it.
See Also: → 1408232
(In reply to Ming-Chou Shih [:stone] from comment #7)
> Created attachment 8918067 [details] [diff] [review]
> Part2: Handle the case to re-entry event loop for mousemove coalescing

This is caused by reentrying the event loop and touch the same hash table while traversing it and dispatching an event. When dispatching the coalesced events, move them to another queue first and then start dispatching events.

When receiving a new mousemove which we can't coalesce, we should dispatch the coalesced event with the same pointer id. When receiving a new mouse event other than mouse move, we should dispatch all coalesced events. We could put the new mouse event (other than mousemove) in the same queue to make sure we won't dispatch it with incorrect order while reentrying the event loop.
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

I have tested this issue on Windows 10 x64, using the STR provided in comment 0, performed a regression, the result as follows:

Last good revision: 212ceaf885b0d8750201f816030ad0db8391c7d7
First bad revision: 5e0a1d82ef670c537b7b5c60ba0f2606a9f04ef7
Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=212ceaf885b0d8750201f816030ad0db8391c7d7&tochange=5e0a1d82ef670c537b7b5c60ba0f2606a9f04ef7

Looks like the following bug has the changes which introduced the regression:
https://bugzilla.mozilla.org/show_bug.cgi?id=1404273
Keywords: regressionwindow-wanted
Comment on attachment 8917687 [details] [diff] [review]
Part1: Revise CoalescedInputData interfaces.

>+  UniquePtr<InputEventType> GetCoalescedEvent()
>   {
>-    return mCoalescedInputEvent.get();
>+    return Move(mCoalescedInputEvent);
>   }
The method should be called something like
TakeCoalescedEvent to hint that it actually clears the member variable on the object.
Attachment #8917687 - Flags: review?(bugs) → review+
Sorry about delay with review.
Attachment #8918067 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] (work week Oct 16-20) from comment #12)
> Sorry about delay with review.

It's okay. I know you are in the work week and thanks for the review.
Pushed by sshih@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/78041b59b1a1
Part1: Revise CoalescedInputData interfaces. r=smaug.
https://hg.mozilla.org/integration/mozilla-inbound/rev/9b9629c68575
Part2: Handle the case to re-entry event loop for mousemove coalescing. r=smaug.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: