Bug 319732 - [@ nsTextEditorKeyListener::KeyPress] crash typing string to search for in page (find as you type) right after page is loaded; or in MailNews/emailCompose
Status: VERIFIED FIXED
[rft-dl]
: crash, fixed1.7.13, fixed1.8.1, regression, verified1.8.0.2
Product: Core
Classification: Components
Component: Editor
: Trunk
: All All
: -- critical with 2 votes
: mozilla1.9alpha1
Assigned To: neil@parkwaycc.co.uk
: Makoto Kato [:m_kato]
: 319791 319832 319966 320213 320365 320366 321113 321194
Blocks: 303713
Reported: 2005-12-09 13:32 PST by Myk Melez [:myk] [@mykmelez]
Modified: 2006-03-12 19:03 PST
dveditz: blocking1.7.13+
dveditz: blocking‑aviary1.0.8+
dveditz: blocking1.8.0.2+


Attachments
Possible patch (1.63 KB, patch)
2005-12-09 15:55 PST, neil@parkwaycc.co.uk
dbaron: review+
dbaron: superreview+
dveditz: approval‑aviary1.0.8+
dveditz: approval1.7.13+
dveditz: approval1.8.0.1-
dveditz: approval1.8.0.2+
dveditz: approval1.8.1+
Fix RemoveEventListener (673 bytes, patch)
2005-12-12 03:57 PST, neil@parkwaycc.co.uk
jst: review+
jst: superreview+
dveditz: approval‑aviary1.0.8+
dveditz: approval1.7.13+
dveditz: approval1.8.0.1-
dveditz: approval1.8.0.2+
dveditz: approval1.8.1+

Description Myk Melez [:myk] [@mykmelez] 2005-12-09 13:32:44 PST
In today's nightly, when I load a page and then start typing a string to search for, Firefox crashes after I type the first character.  I can reproduce consistently, and it seems to happen on arbitrary pages (reproduced on a b.m.o bug list and the bouncer admin page).

My Firefox is:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1

Note that if I click in the page after loading it and then type the string to search, Firefox doesn't crash.  The crash only happens if typing to search is the very next thing I do after loading the page.
Comment 1 :Gavin Sharp [email: gavin@gavinsharp.com] 2005-12-09 14:13:04 PST
WFM on 1208 windows trunk build, so it's either a recent regression or Linux only I suppose.
(is there a linux machine available in the office that I can test this on?)
Comment 2 :Gavin Sharp [email: gavin@gavinsharp.com] 2005-12-09 15:13:15 PST
Looks like this may have been caused by bug 303713.

TB12788714A:

Stack Signature	 nsTextEditorKeyListener::KeyPress() ae1116ed
Product ID	FirefoxTrunk
Build ID	2005120904
Trigger Time	2005-12-09 13:25:53.0
Platform	LinuxIntel
Operating System	Linux 2.6.14-1.1637_FC4
Module	firefox-bin + (00584bcd)
URL visited	http://download.mozilla.org/admin/
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.	mozilla/editor/libeditor/text/nsEditorEventListeners.cpp, line 154
Stack Trace 	
nsTextEditorKeyListener::KeyPress()  [mozilla/editor/libeditor/text/nsEditorEventListeners.cpp, line 154]
DispatchToInterface(nsIDOMEvent*, nsIDOMEventListener*, unsigned (nsIDOMEventListener::*)()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 143]
nsEventListenerManager::HandleEvent()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1034]
nsGenericElement::HandleDOMEvent()  [mozilla/content/base/src/nsGenericElement.cpp, line 2196]
nsHTMLInputElement::HandleDOMEvent()  [mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1369]
nsEventStateManager::DispatchNewEvent()  [mozilla/content/events/src/nsEventStateManager.cpp, line 848]
nsEventListenerManager::DispatchEvent()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 412]
nsDOMEventRTTearoff::DispatchEvent()  [mozilla/content/base/src/nsGenericElement.cpp, line 848]
XPTC_InvokeByIndex()
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)()  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2138]
XPC_WN_CallMethod()  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke()  [mozilla/js/src/jsinterp.c, line 1211]
js_Interpret()  [mozilla/js/src/jsinterp.c, line 3757]
js_Invoke()  [mozilla/js/src/jsinterp.c, line 1231]
nsXPCWrappedJSClass::CallMethod()  [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1376]
nsXPCWrappedJS::CallMethod()  [mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 466]
PrepareAndDispatch()  [mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_gcc_x86_unix.cpp, line 100]
nsEventListenerManager::HandleEventSubType()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1685]
nsEventListenerManager::HandleEvent()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1034]
nsXULElement::HandleDOMEvent()  [mozilla/content/xul/content/src/nsXULElement.cpp, line 1931]
nsXULElement::HandleDOMEvent()  [mozilla/content/xul/content/src/nsXULElement.cpp, line 848]
nsXULElement::HandleDOMEvent()  [mozilla/content/xul/content/src/nsXULElement.cpp, line 848]
nsXULElement::HandleDOMEvent()  [mozilla/content/xul/content/src/nsXULElement.cpp, line 848]
nsXULElement::HandleDOMEvent()  [mozilla/content/xul/content/src/nsXULElement.cpp, line 848]
nsXULElement::HandleChromeEvent()  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2590]
nsGlobalWindow::HandleDOMEvent()  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 848]
nsGlobalWindow::HandleDOMEvent()  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 265]
nsDocument::HandleDOMEvent()  [mozilla/content/base/src/nsDocument.cpp, line 4237]
nsGenericElement::HandleDOMEvent()  [mozilla/content/base/src/nsGenericElement.cpp, line 2227]
PresShell::HandleEventInternal()  [mozilla/layout/base/nsPresShell.cpp, line 848]
PresShell::HandleEvent()  [mozilla/layout/base/nsPresShell.cpp, line 5862]
nsViewManager::HandleEvent()  [mozilla/view/src/nsViewManager.cpp, line 848]
nsViewManager::DispatchEvent()  [mozilla/view/src/nsViewManager.cpp, line 2242]
HandleEvent()  [mozilla/view/src/nsView.cpp, line 251]
nsCommonWidget::DispatchEvent()  [mozilla/widget/src/gtk2/nsCommonWidget.cpp, line 219]
nsWindow::OnKeyPressEvent()  [mozilla/widget/src/gtk2/nsWindow.cpp, line 1801]
key_press_event_cb()  [mozilla/widget/src/gtk2/nsWindow.cpp, line 3916]
Comment 3 Wevah 2005-12-09 15:20:34 PST
I see this in Camino also, so -> All/All.
Comment 4 neil@parkwaycc.co.uk 2005-12-09 15:55:13 PST
Created attachment 205433
Possible patch

If this was a regression from bug 303713 then this might or might not fix it.
Comment 5 Wevah 2005-12-09 16:43:58 PST
Hmm; I just re-read the subject, and I haven't been crashing in FAYT, but rather when trying to type in a textarea on a particular page. The stack trace is almost identical, but I figured I should post this comment just in case.
Comment 6 Stephen Donner [:stephend] 2005-12-10 08:32:58 PST
*** Bug 319791 has been marked as a duplicate of this bug. ***
Comment 7 Serge Gautherie (:sgautherie) 2005-12-10 08:48:47 PST
Oops, I did not mean to Assign this bug :-/
Comment 8 Steve England [:stevee] 2005-12-10 09:54:14 PST
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051210 Firefox/1.6a1 ID:2005121005
Seeing this too, trying to use find.
- TB12809630H
- TB12809667M
Comment 9 Pavel Cvrcek [:JasnaPaka] 2005-12-10 17:29:20 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051210 Firefox/1.6a1
- TB12825487X
Comment 10 Adam Guthrie 2005-12-10 18:24:46 PST
*** Bug 319832 has been marked as a duplicate of this bug. ***
Comment 11 Edward 2005-12-10 18:54:22 PST
Bug 319832 has been marked as a duplicate of this bug.

I am adding two additional Talkback crash IDs related to bug 319832:

TB12827182H
TB12827212X

Due to the number of crashes relating to bug 319832, I have decided not to use this on the web sites listed in Bug 319832.
Comment 12 Adam Guthrie 2005-12-10 19:10:31 PST
We've already got enough talkback IDs to last us a lifetime here. No more are needed.
Comment 13 neil@parkwaycc.co.uk 2005-12-11 01:28:58 PST
Fix checked in to the trunk.
Comment 14 neil@parkwaycc.co.uk 2005-12-11 01:30:47 PST
Comment on attachment 205433
Possible patch

Need this on the same branches as bug 303713.
Comment 16 Steve England [:stevee] 2005-12-11 10:22:36 PST
There's reports of this still happening on trunk (2005121105), even after the checkin.

TB12842788X, TB12842768Z, TB12843474K, TB12843393Q
Comment 17 Serge Gautherie (:sgautherie) 2005-12-11 12:35:03 PST
(In reply to comment #16)
> There's reports of this still happening on trunk (2005121105), even after the
> checkin.

[Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051211 SeaMonkey/1.5a] (nightly) (W98SE)

Not fixed confirmed: TB12848241G.
Comment 18 Adam Guthrie 2005-12-11 13:47:04 PST
Wevah, could you see if you could create a minimized testcase with a <textarea> that causes the crash?
Comment 19 gabe 2005-12-11 13:53:02 PST
The crash happens when you type in the search box really fast.
Comment 20 Robert Claypool 2005-12-11 14:58:11 PST
Typing in Wikipedia, placing the cursor in the main editing textbox causes typing to appear in the edit summary textbox, and vice-versa.
Comment 21 neil@parkwaycc.co.uk 2005-12-12 03:52:34 PST
So confusingly you can't specify NS_PRIV_EVENT_UNTRUSTED_PERMITTED when removing an event listener because nsEventListenerManager.cpp only masks the flag on the listener struct before performing the compare, so if aFlags includes that flag then the removal never happens. If this is intended behaviour, then I obviously need to exclude that flag in the call to remove the event listener, but I feel that looks ugly.
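
The comparison described in comment 21, as an added example that is not part of the original thread or Mozilla's code: a constructed listener table where only the stored flags are masked before matching, next to one way of making the match symmetric (an assumption; the attached patch is not reproduced on this page). `ListenerTable`, `kCapture`, `kUntrustedPermitted` and their values are hypothetical stand-ins.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-ins: names and values are illustrative, not Mozilla's.
constexpr uint32_t kCapture = 0x0001;
constexpr uint32_t kUntrustedPermitted = 0x8000;  // models NS_PRIV_EVENT_UNTRUSTED_PERMITTED

struct Entry { const void* listener; uint32_t flags; };

class ListenerTable {
 public:
  void Add(const void* l, uint32_t flags) { mEntries.push_back({l, flags}); }

  // maskRequest=false: only the stored flags are masked (the behaviour comment 21 describes).
  // maskRequest=true: both sides are masked, so the permission bit never affects matching.
  bool Remove(const void* l, uint32_t flags, bool maskRequest) {
    const uint32_t wanted = maskRequest ? (flags & ~kUntrustedPermitted) : flags;
    auto it = std::find_if(mEntries.begin(), mEntries.end(), [&](const Entry& e) {
      return e.listener == l && (e.flags & ~kUntrustedPermitted) == wanted;
    });
    if (it == mEntries.end()) return false;  // no match: the entry stays registered
    mEntries.erase(it);
    return true;
  }
  std::size_t Count() const { return mEntries.size(); }

 private:
  std::vector<Entry> mEntries;
};

// Register and unregister with identical flags; return how many entries are left behind.
std::size_t LeftoverAfterRoundTrip(uint32_t flags, bool maskRequest) {
  static const int owner = 0;  // its address serves as the listener identity
  ListenerTable table;
  table.Add(&owner, flags);
  table.Remove(&owner, flags, maskRequest);
  return table.Count();
}

int main() {
  const uint32_t f = kCapture | kUntrustedPermitted;
  std::printf("asymmetric mask, flag set:   %zu left\n", LeftoverAfterRoundTrip(f, false));
  std::printf("asymmetric mask, flag clear: %zu left\n", LeftoverAfterRoundTrip(kCapture, false));
  std::printf("symmetric mask, flag set:    %zu left\n", LeftoverAfterRoundTrip(f, true));
  return 0;
}
```

With the asymmetric comparison, a caller that passes the same flags to add and remove leaves its entry registered whenever the permission bit is set, which is the stale-listener condition the comment points at.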
Comment 22 neil@parkwaycc.co.uk 2005-12-12 03:57:17 PST
Created attachment 205611
Fix RemoveEventListener
Comment 23 Steve England [:stevee] 2005-12-12 05:46:37 PST
*** Bug 319966 has been marked as a duplicate of this bug. ***
Comment 24 Serge Gautherie (:sgautherie) 2005-12-12 12:53:32 PST
Comment on attachment 205611
Fix RemoveEventListener

>Index: nsEventListenerManager.cpp

>@@ -806,6 +806,7 @@ nsEventListenerManager::RemoveEventListener
> 
>   PRBool listenerRemoved = PR_FALSE;
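
Review bot: on the context line `PRBool listenerRemoved = PR_FALSE;` in RemoveEventListener, the flag is only worth keeping if something reads it after the loop; otherwise drop the declaration and its assignments. Since comment 21 traces the problem to a removal that silently matched nothing, a regression test that adds and then removes a listener with NS_PRIV_EVENT_UNTRUSTED_PERMITTED set, and checks that it is gone, would pin the one-line addition that the hunk header (-806,6 +806,7) indicates.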

Nit: Here and a few lines below, this var is useless as it is currently.
Comment 25 :Gavin Sharp [email: gavin@gavinsharp.com] 2005-12-13 23:37:37 PST
*** Bug 320213 has been marked as a duplicate of this bug. ***
Comment 26 Johnny Stenback (:jst, jst@mozilla.com) 2005-12-14 15:01:57 PST
Comment on attachment 205611
Fix RemoveEventListener

r+sr=jst, and yeah, remove listenerRemoved while you're at it.
Comment 27 neil@parkwaycc.co.uk 2005-12-14 15:59:04 PST
Fix checked in. Fingers crossed!
Comment 28 neil@parkwaycc.co.uk 2005-12-14 16:00:15 PST
Comment on attachment 205611
Fix RemoveEventListener

Ditto from previous patch.
Comment 29 Stephen Donner [:stephend] 2005-12-15 08:07:34 PST
*** Bug 320365 has been marked as a duplicate of this bug. ***
Comment 30 Adam Guthrie 2005-12-16 12:45:40 PST
*** Bug 320366 has been marked as a duplicate of this bug. ***
Comment 31 Stephen Donner [:stephend] 2005-12-16 23:32:56 PST
Talkback shows the last crash with MozillaOrgThunderbirdTrunkWin322005121407, which makes sense.  The fix landed post-landing of that build.

Thunderbird trunk version 1.6a1 (20051216)

SeaMonkey 1.5a;Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051216 Mozilla/1.0

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051216 Firefox/1.6a1

This is now Verified FIXED.

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsTextEditorKeyListener%3A%3AKeyPress&vendor=MozillaOrg&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=build
Comment 32 Serge Gautherie (:sgautherie) 2005-12-17 17:17:40 PST
(In reply to comment #28)
> (From update of attachment 205611)
> Ditto from previous patch.

[Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8) Gecko/20051217 SeaMonkey/1.0b] (nightly) (W98SE)

While having these patches on the branch(es) would seem fine,
I wanted to mention that I don't get (duplicated) bug 319791 with SMv1.0b nightlies.
Comment 33 Sergei Dolgov 2005-12-17 17:56:32 PST
I think that the BeOS dup (https://bugzilla.mozilla.org/show_bug.cgi?id=320213) is gone with the last patch. At least the SeaMonkey build from 2005-12-15 trunk sources doesn't crash on BeOS anymore.
Comment 34 Doug Shelton 2005-12-17 18:07:09 PST
Confirming Sergei's comments. The last patch fixed the Firefox bug under BeOS.
Comment 35 Brendan Eich [:brendan] 2005-12-19 16:09:46 PST
See bug 303713 comment 26.

/be
Comment 36 Kevin Brosnan 2005-12-21 08:24:54 PST
*** Bug 321113 has been marked as a duplicate of this bug. ***
Comment 37 Adam Guthrie 2005-12-22 14:40:01 PST
*** Bug 321194 has been marked as a duplicate of this bug. ***
Comment 38 Daniel Veditz [:dveditz] 2006-01-05 11:31:07 PST
Comment on attachment 205611
Fix RemoveEventListener

a=dveditz for 1.8/1.8.0.1 branches. Please add the fixed1.8.1 and fixed1.8.0.1 keywords when checked in.
Comment 39 Daniel Veditz [:dveditz] 2006-01-05 11:31:17 PST
Comment on attachment 205433
Possible patch

a=dveditz for 1.8/1.8.0.1 branches. Please add the fixed1.8.1 and fixed1.8.0.1 keywords when checked in.
Comment 40 Daniel Veditz [:dveditz] 2006-01-11 11:34:41 PST
Comment on attachment 205433
Possible patch

Missed 1.8.0.1 code freeze -> 1.8.0.2
Comment 41 neil@parkwaycc.co.uk 2006-01-20 16:23:15 PST
Fix checked into the branches (no fixed 1.8.0.2 yet?)
Comment 42 Daniel Veditz [:dveditz] 2006-02-02 15:16:39 PST
Comment on attachment 205433
Possible patch

a=dveditz for drivers, please add fixed-aviary1.0.8 and fixed1.7.13 keywords when checked in.
Comment 43 Daniel Veditz [:dveditz] 2006-02-02 15:16:50 PST
Comment on attachment 205611
Fix RemoveEventListener

a=dveditz for drivers, please add fixed-aviary1.0.8 and fixed1.7.13 keywords when checked in.
Comment 44 neil@parkwaycc.co.uk 2006-02-03 07:27:22 PST
Fix checked into the aviary and 1.7 branches.
Comment 45 Jay Patel [:jay] 2006-02-13 11:45:21 PST
v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8, per Talkback data and also because I was unable to reproduce using various cases mentioned here.