Closed Bug 1433669 Opened 2 years ago Closed 2 years ago

Crash in mozilla::PresShell::DoFlushPendingNotifications

Categories

(Core :: CSS Parsing and Computation, defect, critical)

Unspecified
Windows 10
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: calixte, Assigned: emilio)

Details

(Keywords: crash)

Attachments

(2 files)

This bug was filed from the Socorro interface and is
report bp-af952ffa-d978-4c73-bb6e-e3b900180127.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4158
1 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4089
2 xul.dll mozilla::ContentEventHandler::InitBasic dom/events/ContentEventHandler.cpp:258
3 xul.dll mozilla::ContentEventHandler::InitCommon dom/events/ContentEventHandler.cpp:338
4 xul.dll mozilla::ContentEventHandler::Init dom/events/ContentEventHandler.cpp:426
5 xul.dll mozilla::ContentEventHandler::OnQuerySelectedText dom/events/ContentEventHandler.cpp:1435
6 xul.dll mozilla::IMEContentObserver::UpdateSelectionCache dom/events/IMEContentObserver.cpp:1584
7 xul.dll mozilla::IMEContentObserver::IMENotificationSender::SendSelectionChange dom/events/IMEContentObserver.cpp:2039
8 xul.dll mozilla::IMEContentObserver::IMENotificationSender::Run dom/events/IMEContentObserver.cpp:1913
9 xul.dll nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:1831

=============================================================

There are 48 crashes in nightly 60 starting with buildid 20180126035135, i.e. after the patch for bug 1433056 landed.
:emilio, could you investigate, please?
Flags: needinfo?(emilio)
Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
Comment on attachment 8946218 [details]
Bug 1433669: Flush the document instead of the shell in ContentEventHandler.

https://reviewboard.mozilla.org/r/216190/#review221976

::: dom/events/ContentEventHandler.cpp:2668
(Diff revision 1)
>    rv = nsCopySupport::GetTransferableForSelection(
> -         mSelection, doc, getter_AddRefs(aEvent->mReply.mTransferable));
> +         mSelection, mDocument, getter_AddRefs(aEvent->mReply.mTransferable));
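Review bot: the `+` line swaps the local `doc` for the member `mDocument`, but nothing in the hunk shows `mDocument` being null-checked before it is handed to `nsCopySupport::GetTransferableForSelection`, and the unchanged context gives no hint of the invariant that makes the check unnecessary. If the guarantee is that `Init` has already succeeded and therefore `mDocument` is non-null, record it at the call site, for example `MOZ_ASSERT(mDocument);` immediately before `rv = nsCopySupport::GetTransferableForSelection(`, so a debug build catches a future caller that breaks the ordering and a reader does not have to go back to `Init` to see why the check was safe to drop.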

You're removing the check for whether the document is nullptr or not. So, mDocument might be nullptr here. However, nsCopySupport::GetTransferableForSelection() doesn't check it in release builds. So, please keep checking it before this call.
https://searchfox.org/mozilla-central/rev/11d0ff9f36465ce19b0c43d1ecc3025791eeb808/dom/base/nsCopySupport.cpp#124-127
Attachment #8946218 - Flags: review?(masayuki) → review+
Comment on attachment 8946218 [details]
Bug 1433669: Flush the document instead of the shell in ContentEventHandler.

https://reviewboard.mozilla.org/r/216190/#review221984

::: dom/events/ContentEventHandler.cpp:2668
(Diff revision 1)
>    rv = nsCopySupport::GetTransferableForSelection(
> -         mSelection, doc, getter_AddRefs(aEvent->mReply.mTransferable));
> +         mSelection, mDocument, getter_AddRefs(aEvent->mReply.mTransferable));

It cannot be null because `Init` has succeeded, unless I'm missing something.
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/44b8352bbee0
Remove dead function. r=masayuki
https://hg.mozilla.org/integration/autoland/rev/4a354c4ded06
Flush the document instead of the shell in ContentEventHandler. r=masayuki
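The landed commit flushes through the document rather than through the shell the handler had looked up. The bug page does not spell out why the shell-based flush crashed, so the following is an added illustration, not Gecko code and not from anyone on this bug: a toy model in which `Document`, `PresShell`, `FlushType` and `nsresult` are cut-down stand-ins (assumed shapes, only the names follow the stack trace), `InitBasicViaShell` and `InitBasicViaDocument` are hypothetical callers showing the two patterns, and `RunScenario` constructs a document whose layout flush tears its own shell down. The point it demonstrates is general: a flush can invalidate the shell pointer a caller fetched before it, whereas flushing through the owner and re-fetching afterwards turns that into an ordinary "no shell" failure.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Added illustration, not Gecko code. Names mirror the bug's stack trace, but
// every body below is an assumed, minimal model, not the real implementation.

enum class FlushType { Layout };
enum class nsresult { NS_OK, NS_ERROR_NOT_AVAILABLE, NS_ERROR_UNEXPECTED };

struct Document;

struct PresShell {
  Document* mDocument;
  bool mIsDestroying = false;
  // Work a layout flush runs; in this model a callback may destroy the shell.
  std::vector<std::function<void()>> mPending;

  explicit PresShell(Document* aDoc) : mDocument(aDoc) {}
  void DoFlushPendingNotifications(FlushType aType);
};

struct Document {
  std::unique_ptr<PresShell> mShell;
  // Destroyed shells are parked here instead of freed, purely so the example
  // can observe a stale pointer without undefined behaviour.
  std::vector<std::unique_ptr<PresShell>> mDeadShells;

  PresShell* GetShell() { return mShell.get(); }

  void DestroyShell() {
    if (!mShell) return;
    mShell->mIsDestroying = true;
    mDeadShells.push_back(std::move(mShell));
  }

  // Flushing through the owner: a no-op when there is no live shell, and the
  // caller never has to hold a shell pointer across the flush.
  void FlushPendingNotifications(FlushType aType) {
    if (PresShell* shell = GetShell()) {
      shell->DoFlushPendingNotifications(aType);
    }
  }
};

void PresShell::DoFlushPendingNotifications(FlushType) {
  if (mIsDestroying) return;
  auto work = std::move(mPending);  // local copy: a callback may invalidate *this
  mPending.clear();
  for (auto& cb : work) cb();
  // Deliberately no member access after the loop.
}

// Caller shape before the fix (assumed): fetch the shell, flush through it,
// then keep using the same pointer, which the flush may have destroyed.
nsresult InitBasicViaShell(Document* aDoc) {
  PresShell* shell = aDoc->GetShell();
  if (!shell) return nsresult::NS_ERROR_NOT_AVAILABLE;
  shell->DoFlushPendingNotifications(FlushType::Layout);
  // Stand-in for touching a dead shell; in a real build this is a crash.
  return shell->mIsDestroying ? nsresult::NS_ERROR_UNEXPECTED : nsresult::NS_OK;
}

// Caller shape after the fix: flush through the document, re-fetch the shell.
nsresult InitBasicViaDocument(Document* aDoc) {
  aDoc->FlushPendingNotifications(FlushType::Layout);
  PresShell* shell = aDoc->GetShell();
  if (!shell) return nsresult::NS_ERROR_NOT_AVAILABLE;
  return nsresult::NS_OK;
}

// Constructed scenario: optionally register flush work that destroys the
// shell, then run one of the two callers against the document.
nsresult RunScenario(nsresult (*aCaller)(Document*), bool aFlushDestroysShell) {
  Document doc;
  doc.mShell = std::unique_ptr<PresShell>(new PresShell(&doc));
  if (aFlushDestroysShell) {
    doc.mShell->mPending.push_back([&doc] { doc.DestroyShell(); });
  }
  return aCaller(&doc);
}

int main() {
  std::printf("via shell, shell survives flush:   %d\n",
              static_cast<int>(RunScenario(InitBasicViaShell, false)));
  std::printf("via shell, flush destroys shell:   %d\n",
              static_cast<int>(RunScenario(InitBasicViaShell, true)));
  std::printf("via document, flush destroys shell: %d\n",
              static_cast<int>(RunScenario(InitBasicViaDocument, true)));
  return 0;
}
```

The caveat the review thread touches on applies to the model as well: `InitBasicViaDocument` still assumes `aDoc` is non-null, so the caller that establishes that (the equivalent of `Init` succeeding) should assert it where the pointer is used rather than rely on a callee that only checks in debug builds.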
Comment on attachment 8946218 [details]
Bug 1433669: Flush the document instead of the shell in ContentEventHandler.

https://reviewboard.mozilla.org/r/216190/#review221984

> It cannot be null because `Init` has succeeded, unless I'm missing something.

Ah, got it. Thanks.
https://hg.mozilla.org/mozilla-central/rev/44b8352bbee0
https://hg.mozilla.org/mozilla-central/rev/4a354c4ded06
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60