213247 - Dragging bookmark over tab bar causes crash [@ nsXULElement::HandleDOMEvent ]

Status: RESOLVED WORKSFORME

(SeaMonkey :: Tabbed Browser, defect)

Description

[Robin Green]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030714
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030714

Dragging bookmark over tab bar causes crash

Reproducible: Always

Steps to Reproduce:
1. Ensure that the tab bar is visible
2. Drag a bookmark over the tab bar

Actual Results:  
Mouse cursor is locked in "drag and drop state". It moves but does not respond
to clicks. After a few seconds, Mozilla dies, and mouse cursor returns to normal.

Expected Results:  
Let me continue with the drag and drop operation.

I have Piro's tabbed browser extensions installed (
http://white.sakura.ne.jp/~piro/ ); this may be a factor. However this is a
non-native plugin so it should not cause the entire application to crash.

Comment 1

[Olivier Cahagne]

can you post Talkback ID for this crash
"mozilla/bin/components/talkback/talkback" or a GDB stack trace (with a debug
build) ?

Comment 2

[Andrew Schultz]

please try without the extension.  I don't know what a "non-native" extension is
or why it wouldn't cause problems.

Comment 3

[Robin Green]

Attachment: Gzipped backtrace

OK, this only occurs with the tabbed browser extension (
http://white.sakura.ne.jp/~piro/xul/_tabextensions.html.en 
) installed. Since it is an XPI (i.e. all interpreted code) it is a bug in
mozilla if it crashes (as well as possibly a bug in the XPI).

Gzipped backtrace attached (1.3Mb uncompressed).

Comment 4

[Boris Zbarsky [:bzbarsky]]

The extension goes into an infinite recursive loop that blows the stack.... 
Here is one iteration of the loop:

#25 0x41559edf in nsDragService::GetTargetDragData(_GdkAtom*) (this=0x80925d8,
aFlavor=0x86)
    at nsDragService.cpp:774
#26 0x415587cc in nsDragService::GetNumDropItems(unsigned*) (this=0x8399680, 
    aNumItems=0xbfe0e0a4) at nsDragService.cpp:276
#27 0x40bc2bc3 in XPTC_InvokeByIndex () at xptcinvoke_gcc_x86_unix.cpp:65
#28 0x40ca2581 in XPCWrappedNative::CallMethod(XPCCallContext&,
XPCWrappedNative::CallMode) (
    ccx=Reading in symbols for xpccallcontext.cpp...done.
@0xbfe0e184, mode=3219185828) at xpcwrappednative.cpp:2022
#29 0x40ca96b4 in XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned, long*,
long*) (
    cx=0x828a668, obj=0xbfe0c0c0, argc=0, argv=0x8c49300, vp=0xbfe0e2c4) at
xpcprivate.h:1884
#30 0x4004b397 in js_Invoke (cx=0x828a668, argc=0, flags=2) at jsinterp.c:843
#31 0x4004b823 in js_InternalInvoke (cx=0x828a668, obj=0xbfe0c0c0,
fval=-1075789632, flags=2, 
    argc=0, argv=0x0, rval=0xbfe0c0c0) at jsinterp.c:935
#32 0x4004b967 in js_InternalGetOrSet (cx=0x828a668, obj=0x8770a18, id=137025264, 
    fval=141400024, mode=3219177664, argc=3219177664, argv=0xbfe0c0c0,
rval=0xbfe0c0c0)
    at jsinterp.c:978
#33 0x40061c69 in js_GetProperty (cx=0x828a668, obj=0x8770a18, id=137025264,
vp=0xbfe0e6bc)
    at jsobj.c:2554
#34 0x4005118c in js_Interpret (cx=0x828a668, result=0xbfe0e7a0) at jsinterp.c:2684
#35 0x4004b50c in js_Invoke (cx=0x828a668, argc=1, flags=2) at jsinterp.c:860
#36 0x4004b823 in js_InternalInvoke (cx=0x828a668, obj=0xbfe0c0c0,
fval=-1075789632, flags=2, 
    argc=1, argv=0xbfe0ea40, rval=0xbfe0c0c0) at jsinterp.c:935
#37 0x4002844d in JS_CallFunctionValue (cx=0x828a668, obj=0xbfe0c0c0,
fval=-1075789632, 
    argc=3219177664, argv=0xbfe0c0c0, rval=0xbfe0c0c0) at jsapi.c:3527
#38 0x4165c06f in nsJSContext::CallEventHandler(void*, void*, unsigned, void*,
int*, int) (
    this=0x8176498, aTarget=0x89eb2f0, aHandler=0x86d9998, argc=3219177664,
argv=0xbfe0c0c0, 
    aBoolResult=0xbfe0ea24, aReverseReturnResult=0) at nsJSEnvironment.cpp:1110
#39 0x4169124b in nsJSEventListener::HandleEvent(nsIDOMEvent*) (this=0x89d07d0, 
    aEvent=Reading in symbols for nsDOMMutationEvent.cpp...done.
0x8b4be60) at nsCOMPtr.h:690
#40 0x4101142f in nsEventListenerManager::HandleEventSubType(nsListenerStruct*,
nsIDOMEvent*, nsIDOMEventTarget*, unsigned, unsigned) (this=0xbfe0c0c0,
aListenerStruct=0x89c8890, 
    aDOMEvent=0x8b4be60, aCurrentTarget=0x8b4be40, aSubType=4,
aPhaseFlags=3219177664)
    at nsEventListenerManager.cpp:1191
#41 0x410137cc in nsEventListenerManager::HandleEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x89d0640,
aPresContext=0xbfe0eca8, 
    aEvent=0xbfe0fdc4, aDOMEvent=0xbfe0f730, aCurrentTarget=0x8b4be40, aFlags=2, 
    aEventStatus=0xbfe0fbd0) at nsEventListenerManager.cpp:2015
#42 0x411f0c8b in nsXULElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x89a72b8,
aPresContext=0x8400610, aEvent=0xbfe0fdc4, 
    aDOMEvent=0xbfe0f730, aFlags=0, aEventStatus=0xbfe0fbd0) at nsCOMPtr.h:690
#43 0x411f0b06 in nsXULElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x89d6438,
aPresContext=0x8400610, aEvent=0xbfe0fdc4, 
    aDOMEvent=0xbfe0f730, aFlags=2, aEventStatus=0xbfe0fbd0) at nsCOMPtr.h:690
#44 0x411f0b06 in nsXULElement::HandleDOMEvent(nsIPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x89a7568,
aPresContext=0x8400610, aEvent=0xbfe0fdc4, 
    aDOMEvent=0xbfe0f730, aFlags=7, aEventStatus=0xbfe0fbd0) at nsCOMPtr.h:690
#45 0x40e7761e in PresShell::HandleEventInternal(nsEvent*, nsIView*, unsigned,
nsEventStatus*) (
    this=0x8400c60, aEvent=0xbfe0fdc4, aView=0x8c58b38, aFlags=1,
aStatus=0xbfe0fbd0)
    at nsCOMPtr.h:684
#46 0x40e76e98 in PresShell::HandleEvent(nsIView*, nsGUIEvent*, nsEventStatus*,
int, int&) (
    this=0x8400c60, aView=0x8c58b38, aEvent=0xbfe0fdc4, aEventStatus=0xbfe0fbd0,
aForceHandle=0, 
    aHandled=@0xbfe0fbd4) at nsPresShell.cpp:6284
#47 0x411c6b6c in nsViewManager::HandleEvent(nsView*, nsGUIEvent*, int)
(this=0x8370670, 
    aView=0x8a2db6c, aEvent=0xbfe0fdc4, aCaptured=-1075789632) at nsCOMPtr.h:690
#48 0x411be1f4 in nsView::HandleEvent(nsViewManager*, nsGUIEvent*, int)
(this=0xbfe0c0c0, 
    aVM=0xbfe0c0c0, aEvent=0xbfe0c0c0, aCaptured=-1075789632) at nsView.cpp:307
#49 0x411c5fbc in nsViewManager::DispatchEvent(nsGUIEvent*, nsEventStatus*)
(this=0x8370670, 
    aEvent=0xbfe0fdc4, aStatus=0xbfe0fd70) at nsViewManager.cpp:2044
#50 0x411bd946 in HandleEvent (aEvent=0xbfe0fdc4) at nsView.cpp:79
#51 0x415540c5 in nsCommonWidget::DispatchEvent(nsGUIEvent*, nsEventStatus&)
(this=0x8c58830, 
    aEvent=0xbfe0fdc4, aStatus=@0xbfe0fdc4) at nsCommonWidget.cpp:295
#52 0x4154d16c in nsWindow::OnDragLeave() (this=0xbfe0fdc4) at nsWindow.cpp:1926
#53 0x4154c890 in nsWindow::OnDragMotionEvent(_GtkWidget*, _GdkDragContext*,
int, int, unsigned, void*) (this=0x8122328, aWidget=0x80dc4f0,
aDragContext=0x8fcd0c8, aX=687, aY=205, 
    aTime=51863595, aData=0x8122328) at nsWindow.cpp:1701
#54 0x41550966 in nsWindow::FireDragMotionTimer() (this=0x8122328) at
nsWindow.cpp:3564
#55 0x41550adf in nsWindow::DragMotionTimerCallback(void*) (aClosure=0xbfe0c0c0)
    at nsWindow.cpp:3593
#56 0x404df8bc in g_timeout_dispatch () from /usr/lib/libglib-2.0.so.0
#57 0x404dd185 in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
#58 0x404ddf9c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#59 0x404de2a5 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#60 0x404de4ec in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#61 0x40209e50 in gtk_main_iteration () from /usr/lib/libgtk-x11-2.0.so.0
#62 0x41559edf in nsDragService::GetTargetDragData(_GdkAtom*) (this=0x80925d8,
aFlavor=0x86)
    at nsDragService.cpp:774

Sounds basically like an event handler that invokes itself.... I thought we had
protection against such recursion?

Comment 5

[Adam Guthrie]

Robin, is this still reproducible in current trunk builds?

Comment 6

[Andrew Schultz]

Tabbed browser extension is no longer compatible with SeaMonkey
no testcase, resolving WFM