297079 - [FIX]Firefox Deer Park Alpha 1 crashes on specific click sequence with ScrapBook extension [@ 0x00000000][@ nsBoxObject::GetOffsetRect]

Status: RESOLVED FIXED

(Core :: XUL, defect, P1)

Description

[IU]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050608 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050608 Firefox/1.0+

If you have the ScrapBook extension installed and you perform a particular click
sequence, Deer Park Alpha 1 will crash.

Note: You will need to follow these instructions *precisely* to be able to
reproduce this. It is reproducibly, but only with certain specific sequences of
actions (right down to the mouse click and location of clicking).

Firefox 1.0.4 is not affected.  Reproduced with ScrapBook versions 0.15.3 or
0.15.4 (latest)

Reproducible: Always

Steps to Reproduce:
1. Install Firefox Deer Park Alpha 1
2. Create a new profile and install ScrapBook - either 0.15.3 or 0.15.4 (latest)
3. After restarting to browser, select Tools --> SrapBook
4. Now is when you need to be precise:
5. In the ScrapBook side panel, single click (and release) the search icon so
that the menu pops up
6. While that menu is still up, move your mouse pointer to a blank region on the
Firefox main menu bar and single click (and release)
7. Select Tools --> ScrapBook
8. At this point, Firefox should have crashed.

Actual Results:  
Firefox crashed

Expected Results:  
The ScrapBook sidebar should have disappeared, and Firefox should not have crashed.



I originally reported this to the ScrapBook extension developer, on June 3;
however, I have received no feedback.  It is difficult for me to tell if this is
a purely ScrapBook issue or if this is a case where a particular combination has
revealed a flaw in Deer Park.

OS version:
Microsoft Windows XP, SP2 + all patches

Reporduced with latest trunk: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8b2) Gecko/20050608 Firefox/1.0+

Comment 1

[Jaime Mitchell (use bugmail@jaimem.org.uk for email)]

Can you provide a Talk Back ID please.

Comment 2

[IU]

> Can you provide a Talk Back ID please.

Talk Back ID? Where from and how?  I normally don't use Talk Back, but I just
installed it to capture the crash and I cannot find this Talk Back ID you
mention.  I have not sent the crash information; however, if you are unable to
reproduce it and you need such information, please let me know.

Note that I am using Windows XP, SP2; thus, you may need that platform to
reproduce this.

Comment 3

[Jaime Mitchell (use bugmail@jaimem.org.uk for email)]

You need to send the crash information when Talk back popups after the crash,
then go to the /components sub direcotry of the firefox program folder and click
on talkback.exe. Then paste the ID number to this bug.

Comment 4

[IU]

Done.  Talk Back ID: TB6497692G

Comment 5

[Peter van der Woude [:Peter6]]

can you produce a few talkbacks ?

Comment 6

[IU]

> can you produce a few talkbacks ?

How many do you need?  Was no one else able to reproduce this?

Comment 7

[Peter van der Woude [:Peter6]]

just to see if the crashes are all the same.
Nope i haven't tried, not using scrapbook

Comment 8

[Robert Strong (they/them - no direct email)]

I'm not positive but the talkback looks like this may be due to the changes
introduced by bug 281988.

Comment 9

[IU]

I have uploaded two more Talk Backs: TB6508183Y and TB6508212Q

However, I would recommend running through the test scenario.  It is not time
consuming, and it doesn't require that you install ScrapBook in your current
profile, but under a new profile.  At least this way, I would imagine, you
should be better able to eliminate my system from the equation.

Comment 10

[timeless]

reporter: not all developers are willing to trust foreign extensions, as such a
testcase that does not require one is appreciated.

Incident ID: 6508183
Stack Signature	nsBoxObject::GetOffsetRect cbf825fd
Product ID	FirefoxTrunk
Build ID	2005060806
Trigger Time	2005-06-08 16:59:29.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (00191128)
URL visited	
User Comments	See Bug 297079 https://bugzilla.mozilla.org/show_bug.cgi?id=297079
Since Last Crash	19457 sec
Total Uptime	20762 sec
Trigger Reason	Access violation
Source File, Line No.
c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxObject.cpp,
line 196
Stack Trace 	
nsBoxObject::GetOffsetRect 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxObject.cpp,
line 196]
nsBoxObject::GetHeight 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxObject.cpp,
line 326]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2105]
XPC_WN_GetterSetter 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1380]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1178]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1275]
js_InternalGetOrSet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_GetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2805]
js_Interpret 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3295]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1198]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1275]
js_InternalGetOrSet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_SetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2891]
JS_SetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2686]
nsXPCWrappedJSClass::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1321]
nsXPCWrappedJS::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
SharedStub 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
nsAutoCompleteController::ClosePopup 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp,
line 857]
nsAutoCompleteController::SetInput 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp,
line 115]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2105]
XPC_WN_GetterSetter 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1372]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1178]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1275]
js_InternalGetOrSet 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1318]
js_SetProperty 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2975]
js_Interpret 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3306]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1198]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1275]
JS_CallFunctionValue 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3862]
nsJSContext::CallEventHandler 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1396]
nsJSEventListener::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp,
line 184]
nsXBLPrototypeHandler::ExecuteHandler 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp,
line 500]
nsXBLEventHandler::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLEventHandler.cpp,
line 85]
nsEventListenerManager::HandleEventSubType 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1568]
nsEventListenerManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1669]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2193]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2172]
nsXULElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2172]
nsGenericElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp,
line 2068]
nsHTMLInputElement::HandleDOMEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp,
line 1382]
nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 555]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6321]
PresShell::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp,
line 6167]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2457]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2224]
HandleEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line
174]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1180]
nsWindow::DispatchFocus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 6111]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 4731]
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1472]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xb4c0 (0x77d4b4c0)
USER32.dll + 0xb50c (0x77d4b50c)
ntdll.dll + 0xeae3 (0x7c90eae3)
nsGlobalWindow::Focus 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 2605]
XPTC_InvokeByIndex 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2105]
XPC_WN_CallMethod 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1348]
js_Invoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1178]
js_InternalInvoke 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1275]
JS_CallFunctionValue 
[c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3862]

Comment 11

[Peter van der Woude [:Peter6]]

setting New

Comment 12

[Martijn Wargers (dead)]

I managed to reduce the code to this:
<?xml version="1.0" ?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<textbox type="autocomplete"></textbox></window>
This crashes for me, when focusing the textbox and then closing the sidebar.
The type="autocomplete" is necessary to trigger the crash.

Comment 13

[Martijn Wargers (dead)]

It seems to have something to do with this:
http://lxr.mozilla.org/seamonkey/source/toolkit/content/widgets/autocomplete.xml#514
The calling of this.tree.treeBoxObject.height is causing the crash.

Comment 14

[Martijn Wargers (dead)]

Boris, any ideas?
If you ask, I'll try to make a testcase (but it is going to be hard and the
testcase should probably loaded from chrome).

Comment 15

[Boris Zbarsky [:bzbarsky]]

Attachment: Fix

Comment 16

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 193611 [details] [diff] [review]
Fix

Simple crash fix

Comment 17

[Boris Zbarsky [:bzbarsky]]

Fixed on trunk.

Comment 18

[Boris Zbarsky [:bzbarsky]]

Fixed on branch.

Comment 19

[IU]

Not resolved.  Can reproduce bug with Branch build: Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050824 Firefox/1.0+ ID:2005082414

I have tested with both Scrapbook 0.15.5 and 0.17.5 alpha and I get the same
crash behavior.  Note: Scrapbook 0.16.0 and 0.17.5 introduce additional problems
like killing the forward/back and refresh toolbar navigation buttons (a bfcache
conflict perchance?).  This is a pretty harsh extension.

I realize, from an earlier comment, that some of you have reservations about
installing extension, but you may very well have to install this one to properly
diagnoze and resolve the issue.

Talkback ID: TB8685675M

Comment 20

[Jaime Mitchell (use bugmail@jaimem.org.uk for email)]

(In reply to comment #19)
> Not resolved.  Can reproduce bug with Branch build: Mozilla/5.0 (Windows; U;
> Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050824 Firefox/1.0+ ID:2005082414

That build doesn't have the checkin, it was built 2 hours before comment 18 and
bonsai shows the fix is not included in your build. 

Re resolving. Please reopen if you can reproduce with tomorrows nightly build as
that will defently include this fix.