146255 - [FIX]Typing CTRL+TAB shortly after opening a new tab will crash the browser [@ nsEventStateManager::IsIFrameDoc]

Status: VERIFIED FIXED

(Core :: DOM: Events, defect, P1)

Description

[Keith Luter]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0+)
Gecko/20020522
BuildID:    2002052204

If I click on a link while pressing CTRL to open it in a new tab and very
quickly thereafter press CTRL+TAB, Mozilla will crash. It will not crash if I
have first switched between tabs after opening the new ones, and it will not
crash if I wait too long to press CTRL+TAB.

Reproducible: Always
Steps to Reproduce:
1. Be sure you can control-click links into a new tab (Preferences > Navigator >
Tabbed Browsing).

2. Go to a website with a link, hold down the CTRL key, and clikc on a link to
open it in a new tab.

3. Press CTRL+TAB very shortly after performing step 2.

Actual Results:  Mozilla crashes.

Expected Results:  Focus should have moved from the browser to the address bar.

Comment 1

[Phil Miller]

I confirm this crash occurs under Windows 98 with the following agent string:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1a) Gecko/20020608

Also, in step 2, it is not necessary to open the window via the CTRL-click
method. The same crash occurs after clicking the middle mouse button on a link.

Comment 2

[Phil Miller]

This bug still exists in build-ID 2002-06-17-12 under Windows 98. For reference,
here is a Talkback Incident ID: TB71442583W.

Comment 3

[jag (Peter Annema)]

Correct ID is TB7442583W.

nsEventStateManager::IsIFrameDoc
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 4771]
nsEventStateManager::ShiftFocusByDoc
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 5023]
nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 1901]
PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6189]
PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6091]
nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2039]
nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 306]
nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1896]
HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83]
nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1029]
nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1046]
nsWindow::DispatchKeyEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 2824]
nsWindow::OnKeyDown
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 2900]
nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 3721]
0x22eb84b1 

Comment 4

[timeless]

.

Comment 5

[Brian Ryner (not reading)]

This should be mine.

Comment 6

[Jonas Jørgensen]

*** Bug 155519 has been marked as a duplicate of this bug. ***

Comment 7

[Mel Reyes]

Same thing happening on Windows XP on two of my systems, here's one of the
talkback id's TB9003204W.

Comment 8

[timeless]

*** Bug 141807 has been marked as a duplicate of this bug. ***

Comment 9

[Jay Patel [:jay]]

This is a current topcrasher for the MozillaTrunk.  Adding topcrash and qawanted
keywords to see if we can get a solid reproducible testcase.  Here is the latest
info from Talkback:

Rank    StackSignature    Count  

20   nsEventStateManager::IsIFrameDoc   16 

 
 	Source File :
c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp line : 4824
 
====================================================================================================
     Count   Offset    Real Signature
[ 12   nsEventStateManager::IsIFrameDoc 3e5222ff -
nsEventStateManager::IsIFrameDoc ]
 
     Crash date range: 2002-08-01 to 2002-08-07
     Min/Max Seconds since last crash: 192 - 163210
     Min/Max Runtime: 7809 - 344589
     Keyword List :  
     Count   Platform List 
     12   Windows NT 5.1 build 2600
 
     Count   Build Id List 
     5   2002080508
     2   2002080408
     1   2002080308
     1   2002080218
     1   2002080108
     1   2002080104
     1   2002072904
 
     No of Unique Users         9
 
 Stack trace(Frame) 

	 nsEventStateManager::IsIFrameDoc
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp  line 4824] 
	 nsEventStateManager::ShiftFocusByDoc
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp  line 5076] 
	 nsEventStateManager::PostHandleEvent
[c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp  line 1905] 
	 PresShell::HandleEventInternal
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6129] 
	 PresShell::HandleEvent
[c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp  line 6031] 
	 nsViewManager::HandleEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp  line 2054] 
	 nsView::HandleEvent	[c:/builds/seamonkey/mozilla/view/src/nsView.cpp  line 306] 
	 nsViewManager::DispatchEvent
[c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp  line 1911] 
	 HandleEvent	[c:/builds/seamonkey/mozilla/view/src/nsView.cpp  line 83] 
	 nsWindow::DispatchEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 1038] 
	 nsWindow::DispatchWindowEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 1055] 
	 nsWindow::DispatchKeyEvent
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 2886] 
	 nsWindow::OnKeyDown
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 2975] 
	 nsWindow::ProcessMessage
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 3800] 
	 nsWindow::WindowProc
[c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp  line 1304] 
	 USER32.dll + 0x3a5f (0x77d43a5f)  
	 USER32.dll + 0x3b2e (0x77d43b2e)  
	 USER32.dll + 0x3d6a (0x77d43d6a)  
	 USER32.dll + 0x41fd (0x77d441fd)  
	 nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp  line 452] 
	 main1	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1534] 
	 main	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1881] 
	 WinMain	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1899] 
	 WinMainCRTStartup()  
	 kernel32.dll + 0x1eb69 (0x77e7eb69)   
 
     (9036907)	URL: espn.com
     (9036907)	Comments: bastards! did it again
     (9036800)	URL: espn.com
     (9036800)	Comments: just loaded it
     (9036526)	URL: drudgereport.com
     (9036526)	Comments: just went to that page
     (9007412)	URL: drudgereport.com
     (9007412)	Comments: bah! just gave focus to the window
     (9003204)	Comments: - Open browser- Go to any site- Open up about 4-8
tabbed pages in one window- while one of these is still loading press ctrl-tab-
bam  browser crashesNote this works fine if no page is loading.I've been able to
reproduce this during
     (9003204)	Comments:  critical multi pages research  just mix up alt-tab and
ctrl-tab by mistake.Current behavior: Crashes browserExpected behavior: Nothing
or focus/cursor moves to url location
     (8989182)	URL: ezh@infonet.ee
     (8878928)	Comments: Pressed Alt-F6 by mistake.

Comment 10

[Brian Ryner (not reading)]

I just tried several times to reproduce this on Linux and Windows XP and was not
able to.

Comment 11

[Johannes Fitz]

I just got nearly the same bug with build 2002082814, Windows NT4, SP6

After typing the URL into the address field (e.g. http://www.vol.at) the 
browser starts to load the page.
Now I press Ctrl-Tab rapidly a few times and suddenly I get my favourite, Dr. 
Watson.

Don't need additional opened Tabs to reproduce the bug.

Johannes

Comment 12

[Lorenzo Colitti]

Yep, I was able to reproduce this on 1.1 on WinME. I used Johannes' method in
comment #11.

Comment 13

[Olivier Cahagne]

*** Bug 166035 has been marked as a duplicate of this bug. ***

Comment 14

[Olivier Cahagne]

There's a testcase (with 100% reproducible crash) within bug 166035.

Comment 15

[Adam Hauner]

*** Bug 165336 has been marked as a duplicate of this bug. ***

Comment 16

[Adam Hauner]

Adding keyword testcase - see comment 14.

Comment 17

[greer]

Per Adam and Olivier's comments (#14 & #16) removing "qawanted" and upgrading to
topcrash+

Comment 18

[David Gerard]

I get this absolutely reliably with 2002090415 (trunk). The key is to hit
ctrl+tab while the other tab is still loading.

Talkbacks:
TB10420918M
TB01421031Q
TB10421081E
TB10421192Q

Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.1b) Gecko/20020904

Comment 19

[Olivier Cahagne]

*** Bug 167397 has been marked as a duplicate of this bug. ***

Comment 20

[Boris Zbarsky [:bzbarsky]]

Attachment: proposed patch

This fixes the crash in the testcases from bug 167397 and bug 166035.  I
suspect it'll fix this crash in all cases.

Comment 21

[Boris Zbarsky [:bzbarsky]]

This happens on Linux too, of course.

Comment 22

[Brian Ryner (not reading)]

Comment on attachment 98359 [details] [diff] [review]
proposed patch

sr=bryner

Comment 23

[Aaron Leventhal]

Comment on attachment 98359 [details] [diff] [review]
proposed patch

r=aaronl

Comment 24

[Asa Dotzler [:asa]]

Comment on attachment 98359 [details] [diff] [review]
proposed patch

a=asa (on behalf of drivers) for checkin to 1.2a. Who will land this for us?
Time is short.

Comment 25

[Boris Zbarsky [:bzbarsky]]

taking.

Comment 26

[Boris Zbarsky [:bzbarsky]]

Checked in

Comment 27

[greer]

*** Bug 169965 has been marked as a duplicate of this bug. ***

Comment 28

[greer]

*** Bug 170815 has been marked as a duplicate of this bug. ***

Comment 29

[Vladimir Ermakov]

verifying.