crash on Gmail - Trunk [@ nsDocShell::SetCanvasHasFocus]

VERIFIED FIXED

Status

()

Core
Layout: View Rendering
--
critical
VERIFIED FIXED
13 years ago
13 years ago

People

(Reporter: Peter6, Assigned: roc)

Tracking

({regression, topcrash+})

Trunk
regression, topcrash+
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050330
Firefox/1.0+

repro:
1.Open FF
2.go to Gmail and log in
3.press compose mail
4.crash

(reproduced on 2 machines)

Talkback:TB4732227W

regressed between:
20050330 06:16 PST build and
20050330 22:01 PST build

Comment 1

13 years ago
confirming using a build from today:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050331
Firefox/1.0+
The stack in that talkback is clearly bogus (NS_NewXBLEventHandler never calls
nsDocShell::CloneAndReplace and nsXULDocument::ContentRemoved never calls any
sort of HandleDOMEvent, for examples)...

Comment 3

13 years ago
Crashed on a Mac and a PC. TB incidents won't send right now. Setting All/All.
OS: Windows 2000 → All
Hardware: PC → All
Also, please retest a build from this morning -- a patch that was causing half
the tinderboxes to crash during tests was backed out around 6am pacific time.
(Reporter)

Comment 5

13 years ago
(In reply to comment #4)
> Also, please retest a build from this morning -- a patch that was causing half
> the tinderboxes to crash during tests was backed out around 6am pacific time.

That patch was checked in AFTER the 22:01 build was released Boris
Darin checked in at 22:22  PST
(Reporter)

Comment 6

13 years ago
finally managed to get more talkbacks out

TB4738536M
TB4738534Z

hopefully these will be more usefull
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050331
Firefox/1.0+
My gmail talkback crashes if it helps
TB4738034E & TB4738350E
No, those have the same exact stack.  I looked further up the stack, and the
first place where it clearly becomes bogus is 

nsView::ResetWidgetBounds 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line
405]
nsWindow::ScreenToWidget 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1030]

(The Windows version of ScreenToWidget never calls ResetWidgetBounds).

My most likely working hypothesis at this point is that the talkback server is
just confused (wrong symbols or something)....

Peter, do you build yourself by any chance?  If so, do you have a self-build
that reproduces the crash?
Comment 8 was about the stacks in comment 6.

The stacks in comment 7 are different from those in comment 6, identical to each
other, and not obviously bogus....  It points to a crash in
nsDocShell::SetCanvasHasFocus, and if the line number is right the crash ought
to be happening because the canvas frame has no view.  roc, any idea why that
would happen?
(Reporter)

Comment 10

13 years ago
(In reply to comment #8)
> Peter, do you build yourself by any chance?  If so, do you have a self-build
> that reproduces the crash?
No I don't build myself.
I can mail you this build though

I do NOT get a crash loggin into Gmail , in contrast to the others
I crash if:
1. I press "compose mail" (see my previous 3 TB's)
2. I change tabs (and 1 of them is Gmail) , new talkback -> TB4739201M
That last stack from comment 10 is identical to those from comment 6....
(Reporter)

Comment 12

13 years ago
ok, I disabled all extensions
TB4739700Q - compose mail in gmail
TB4739661Z - switch tabs when one of them is gmail
Same stack there.  Like I said, that just looks like talkback having the wrong
symbols...
(Reporter)

Comment 14

13 years ago
Just to rule out a corruption of the 20050330 22:01 PST build I downloaded the
latest one, 20050331 09:51 PST (just minutes old)

->TB4740229H for switchings tabs... 

Finally, nsDocShell::SetCanvasHasFocus

So the 22:01 build is somehow corrupt
Should I close this bug and open a new one for nsDocShell::SetCanvasHasFocus
or will you change the Summary ?
I think it's simplest to just change the summary and reassign to the right
place... This looks like it's all yours, roc.
Assignee: firefox → roc
Component: General → Layout: View Rendering
Product: Firefox → Core
QA Contact: general → ian
Summary: crash on Gmail [@nsDocShell::GetRootSessionHistory] → crash on Gmail [@ nsDocShell::SetCanvasHasFocus]
Probably a regression from bug 288117.
Blocks: 288117
Severity: major → critical
Flags: blocking1.8b2?
Nightly 2005033106 Crashs also on the Talkcrash Crash Analysis Report Site
http://talkback-public.mozilla.org/reports/mozilla/

Steps to reproduce : Go to http://talkback-public.mozilla.org/reports/mozilla/
and click on one link (Development : MozillaTrunk) or so -> Crash.

Crashs on Win2000 & XP SP2 
TB4739948E
(Reporter)

Comment 18

13 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050331
Firefox/1.0+ 11:13 PST build (incl 288117 backout)

Now that bug 288117 is backed out the crashing problem is gone

Comment 19

13 years ago
*** Bug 288505 has been marked as a duplicate of this bug. ***
I have a fix for this. nsDocShell::SetCanvasHasFocus assumes that the canvas
frame always has a view, but in fact it sometimes doesn't now.

Comment 21

13 years ago
I just crashed with this stack signature trying to do a view source on the
talkback reports website with today's build:

Incident ID: 4746552
Stack Signature	nsDocShell::SetCanvasHasFocus 283b03e8
Email Address	jay@mozilla.org
Product ID	FirefoxTrunk
Build ID	2005033106
Trigger Time	2005-03-31 14:23:48.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (002e9f63)
URL visited	talkback-public
User Comments	doing a view source on the talkback reports page
Since Last Crash	369 sec
Total Uptime	369 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 7137
Stack Trace 	
nsDocShell::SetCanvasHasFocus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 7137]
nsDocShell::SetHasFocus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/docshell/base/nsDocShell.cpp,
line 7108]
nsFocusController::Focus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsFocusController.cpp,
line 323]
DispatchToInterface 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 136]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1635]
nsWindowRoot::HandleChromeEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsWindowRoot.cpp,
line 227]
nsGlobalWindow::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 897]
nsXULDocument::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp,
line 1233]
nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 609]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6285]
PresShell::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6132]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2454]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2221]
HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsView.cpp, line
174]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1150]
nsWindow::DispatchFocus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5957]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 4582]
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1442]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0xb368 (0x77d4b368)
USER32.dll + 0xb3b4 (0x77d4b3b4)
ntdll.dll + 0xeae3 (0x7c90eae3)
nsGlobalWindow::Focus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 2594]
nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 784]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6285]
PresShell::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6132]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2454]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/view/src/nsViewManager.cpp,
line 2221]
nsGlobalWindow::Activate 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 4406]
nsWebShellWindow::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp,
line 438]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1150]
nsWindow::DispatchFocus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5957]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 4585]
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1442]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0xb368 (0x77d4b368)
USER32.dll + 0xb3b4 (0x77d4b3b4)
ntdll.dll + 0xeae3 (0x7c90eae3)
USER32.dll + 0xb2a1 (0x77d4b2a1)
USER32.dll + 0xb23c (0x77d4b23c)
nsWindow::DefaultWindowProc 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1468]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0xc00e (0x77d4c00e)
USER32.dll + 0xc034 (0x77d4c034)
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1449]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0xb368 (0x77d4b368)
USER32.dll + 0xb3b4 (0x77d4b3b4)
ntdll.dll + 0xeae3 (0x7c90eae3)
nsGlobalWindow::Focus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 2594]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2065]
XPC_WN_CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1287]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1293]
js_Interpret 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 3568]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1313]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsinterp.c, line 1390]
JS_CallFunctionValue 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/js/src/jsapi.c, line 3804]
nsJSContext::CallEventHandler 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1384]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 184]

Adding topcrash and zt4newcrash keyword since we seem to have a handle on this
regression, lets get the fix in quickly.   It is a topcrasher with builds
starting 3/31:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsDocShell%3A%3ASetCanvasHasFocus&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
Keywords: topcrash+, zt4newcrash
Summary: crash on Gmail [@ nsDocShell::SetCanvasHasFocus] → crash on Gmail - Trunk [@ nsDocShell::SetCanvasHasFocus]
*** Bug 288531 has been marked as a duplicate of this bug. ***
*** Bug 288548 has been marked as a duplicate of this bug. ***
Here's another TB I sent in when investigating recent bugs. IT's got the same
signature too. Hope it helps.

TB4751476Q

nsDocShell::SetCanvasHasFocus 68d24caa
Trunkbuild 2005033115 (on W2k & XP) worked on the Talkback-Url and Gmail.
Crashing Problem gone.
*** Bug 288653 has been marked as a duplicate of this bug. ***
-> RESOLVED FIXED
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
assuming this was a mistake.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
wrong bug, sorry.
Status: REOPENED → RESOLVED
Last Resolved: 13 years ago13 years ago
Resolution: --- → FIXED

Updated

13 years ago
Flags: blocking1.8b2?
Verified FIXED using build 2005-04-11-06 on Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.