280928 - crash when right-clicking a popup window with onmousedown=window.close

Status: RESOLVED FIXED

(Core :: Widget: Gtk, defect)

Description

[Christian Persch (GNOME) (away; not receiving bug mail)]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050106 Galeon/1.3.19 (Debian package 1.3.19-1ubuntu1)
Build Identifier: 	

Mozilla 1.8b

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050125

(Forwarded from http://bugzilla.gnome.org/show_bug.cgi?id=166157).

Reproducible: Always

Steps to Reproduce:
1. Load the url
2. Click on the first image
3. In the popup, right-click the image

Actual Results:  
Crash.

Expected Results:  
Context menu should appear.

This crashes in my trunk debug build:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b) Gecko/20050125
and also firefox
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050128 Firefox/1.0
(Ubuntu) (Ubuntu package 1.0+dfsg.1-2ubuntu5)
and
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20050106
Debian/1.7.5-1ubuntu1
as well as in Epiphany (v 1.5.5.90).

Here's a trace (from Epiphany, using the mozilla debug build):
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb74ac135 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb74ad798 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb766df47 in __cxa_call_unexpected () from /usr/lib/libstdc++.so.5
#4  0xb766df84 in std::terminate () from /usr/lib/libstdc++.so.5
#5  0xb766e4a8 in __cxa_pure_virtual () from /usr/lib/libstdc++.so.5
#6  0xb54aaba9 in nsWindow::OnButtonPressEvent (this=0x859d7e8,
aWidget=0x8581da0, aEvent=0x840a9a0) at nsWindow.cpp:1423
#7  0xb54afe07 in button_press_event_cb (widget=0x8581da0, event=0x840a9a0) at
nsWindow.cpp:3536
#8  0xb7bbd4f2 in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
#9  0xb7876351 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#10 0xb78867e2 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#11 0xb78856ef in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#12 0xb7885b75 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#13 0xb7c9f0fc in gtk_widget_send_expose () from /usr/lib/libgtk-x11-2.0.so.0
#14 0xb7bbc106 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#15 0xb7bbb0e3 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#16 0xb795696b in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#17 0xb76b8c8b in g_main_depth () from /usr/lib/libglib-2.0.so.0
#18 0xb76b9c31 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#19 0xb76b9f53 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#20 0xb76ba49a in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#21 0xb7bbaa37 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#22 0x08074d54 in main (argc=6, argv=0x6) at ../../src/ephy-main.c:217

Trace from mozilla debug build itself:
#0  0x00000000 in ?? ()
#1  0xb5a81ba9 in nsWindow::OnButtonPressEvent (this=0x8991528,
aWidget=0x87f5640, aEvent=0x8246590) at nsWindow.cpp:1423
#2  0xb5a86e07 in button_press_event_cb (widget=0x87f5640, event=0x8246590) at
nsWindow.cpp:3536
[then same as above]

1419        // right menu click on linux should also pop up a context menu
1420        if (eventType == NS_MOUSE_RIGHT_BUTTON_DOWN) {
1421            nsMouseEvent contextMenuEvent(NS_CONTEXTMENU, this);
1422            InitButtonEvent(contextMenuEvent, aEvent);
1423            DispatchEvent(&contextMenuEvent, status);
1424        }

I think what happens is that first the right-click is dispatched, onmousedown
closes the window, and then nsWindow tries to dispatch the context menu event,
but the widget is gone.

The trace is similar to the one from attachment 145421 [details] from bug 239563, but also
sufficiently different that I think these bugs are unrelated.

Comment 1

[Christopher Blizzard (:blizzard)]

-> marco

Comment 2

[Marco Pesenti Gritti]

This is reproducable in Firefox too, likely a widget bug.

Comment 3

[Marco Pesenti Gritti]

Attachment: possible fix from gtk1

Comment 4

[Christopher Blizzard (:blizzard)]

Comment on attachment 173852 [details] [diff] [review]
possible fix from gtk1

sr=blizzard, with a caveat.  Do we need to do this for all events?  If so, this
is a one-off that should be done in the function that dispatches all events,
not just this one event.

Comment 5

[Marco Pesenti Gritti]

The code that can cause a segfault is like:

1 DispatchEvent(...)
     -> Destroy the window

2 try to access nsWindow methods
     -> Segfault

So, even if it would be nicer, I dont think we can solve the problem in the
event dispatcher method. We need to keep a reference until after 2.

I had a look to all the DispatchEvent calls in nsWindow/nsCommonWidget. There
are 2 other cases like this: nsWindow::OnKeyPressEvent (onkeydown=window.close
effectively cause a crash) and nsWindow::ThemeChanged. I guess we can assume
NS_THEMECHANGED event will not destroy the window.

Comment 6

[Marco Pesenti Gritti]

Attachment: fix both onmousedown and onkeydown

Comment 7

[Asa Dotzler [:asa]]

Comment on attachment 174036 [details] [diff] [review]
fix both onmousedown and onkeydown

a=asa for 1.8b checkin

Comment 8

[Marco Pesenti Gritti]

Checking in nsWindow.cpp;
/cvsroot/mozilla/widget/src/gtk2/nsWindow.cpp,v  <--  nsWindow.cpp
new revision: 1.131; previous revision: 1.130
done

Comment 9

[Daniel Veditz [:dveditz]]

Comment on attachment 174036 [details] [diff] [review]
fix both onmousedown and onkeydown

please use the -p diff option in the future.

a=dveditz for the branches if landed asap. Please add fixed-aviary1.0.1 and
fixed1.7.6 keywords when landed

Comment 10

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Checked in to AVIARY_1_0_1_20050124_BRANCH, 2005-02-18 17:12 -0800.
Checked in to MOZILLA_1_7_BRANCH, 2005-02-18 17:13 -0800.

Comment 11

[sairuh (rarely reading bugmail)]

using 2005022207-1.0.1 firefox build on fedora core 3, when I go through the
test case in comment 0 right-clicking the image closes the window --no context
menu appears, but it doesn't crash. is this expected (fixed) behavior?