crash with nativescrollbar inside tabpanels [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea]

RESOLVED FIXED

Status

()

Core
XUL
--
critical
RESOLVED FIXED
12 years ago
5 years ago

People

(Reporter: Bernd, Assigned: Mats Palmgren (vacation - back in August))

Tracking

(Blocks: 1 bug, 4 keywords)

1.8 Branch
crash, testcase, verified1.8.0.13, verified1.8.1.5
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1.5 +
wanted1.8.1.x +
blocking1.8.0.13 +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] using freed view; fixed by bug 374102, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
see upcoming testcase
crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051221 Firefox/1.6a1
but I dont get a nice stacktrace in a debug build, if it does not crash immeadetely reload does fix it. The load triggers:
###!!! ASSERTION: We already have a window for this view? BAD: '!mWindow', file
d:/moz_src/mozilla/view/src/nsView.cpp, line 657
(Reporter)

Comment 1

12 years ago
Created attachment 206596 [details]
testcase crash onload or reload
(Reporter)

Updated

12 years ago
Keywords: testcase
It crashes also 1.0.7 and branch, always after closing the browser. Currently problems with the talkback server.
(Reporter)

Comment 3

12 years ago
<deck><nativescrollbar/></deck> is equally efficient
(Reporter)

Comment 4

12 years ago
nativescrollbars seem to be implemented only on MAC

Updated

12 years ago
OS: Windows XP → All
Hardware: PC → All

Comment 5

12 years ago
Can confirm on Windows XP Home, Firefox 1.5 Final

Comment 6

12 years ago
TB13192392H, TB13192279G

HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 173]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1162]
nsWindow::DispatchStandardEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1202]
nsWindow::OnDestroy  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5652]
ChildWindow::`vftable'
nsWindow::StandardWindowCreate  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1399]
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051223 Firefox/1.6a1 ID:2005122313

Incident ID: 13216053
Stack Signature	nsView::SetTopMost 6393c0f1
Product ID	FirefoxTrunk
Build ID	2005122305
Trigger Time	2005-12-23 16:17:30.0
Platform	Win32
Operating System	Windows NT 5.0 build 2195
Module	FIREFOX.EXE + (00234478)
URL visited	https://bugzilla.mozilla.org/attachment.cgi?id=206596
User Comments	
Since Last Crash	11193 sec
Total Uptime	11193 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.h, line 281
Stack Trace 	
nsView::SetTopMost  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.h, line 281]
nsWindow::DispatchAppCommandEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1214]
nsWindow::CaptureRollupEvents  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1236]
nsWindow::OnPaint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5743]
ChildWindow::`vftable'
nsWindow::StandardWindowCreate  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1449]
0x8bf63356

Comment 8

11 years ago
Still crashes on Windows.  TB19459617X just has nsViewManager::UpdateWidgetArea, no rest-of-the-stack.
Summary: crash with nativescrollbar inside tabpanels → crash with nativescrollbar inside tabpanels [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea]

Comment 9

11 years ago
No crash with a Mac trunk nightly.

Comment 10

11 years ago
With a Mac trunk debug build, I don't see a crash, but I do see the assertion from comment 0:

###!!! ASSERTION: We already have a window for this view? BAD: '!mWindow', file /Users/admin/trunk/mozilla/view/src/nsView.cpp, line 621
Based on the assertion I think this is the same underlying cause as
bug 374102.  The patches on that bug made the crash go away for the
attached testcase.  Haven't really analyzed this crash though.
Assignee: nobody → mats.palmgren
Depends on: 374102

Comment 12

10 years ago
xul:nativescrollbar is gone now, isn't it?
(In reply to comment #12)
> xul:nativescrollbar is gone now, isn't it?

Yes, on trunk.  Branches still crash, using freed memory.
I'm pretty sure it's the same underlying cause as bug 374102 - 
a branch version of those patches fixes this crash.
Group: security
Whiteboard: [sg:critical] using freed view
Version: Trunk → 1.8 Branch
Flags: in-testsuite?
This doesn't crash anymore, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070514 Minefield/3.0a5pre
So I'm marking this fixed (by the patch from bug 374102).
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:critical] using freed view → [sg:critical] using freed view; fixed by bug 374102
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Now also fixed on branches, by bug 374102.
Keywords: fixed1.8.0.13, fixed1.8.1.5
verified fixed 1.8.1.5 using Mozilla/5.0
(X11; U; Linux i686; en-US; rv:1.8.1.5pre) Gecko/2007070403 BonEcho/2.0.0.5pre
on Linux Fedora F7 and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre ID:2007070403 - no crash on testcase - adding verified keyword.
Keywords: fixed1.8.1.5 → verified1.8.1.5

Comment 17

10 years ago
verified fixed
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.5pre) Gecko/20070704 BonEcho/2.0.0.5pre

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.13pre) Gecko/20070703 SeaMonkey/1.0.9
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.5pre) Gecko/20070703 SeaMonkey/1.1.2
Verified fixed in Thunderbird(rc1) version 1.5.0.13 (20070809) in MacIntel using the testcase in comment#1. No crash observed. 
Keywords: fixed1.8.0.13 → verified1.8.0.13
Group: security

Updated

9 years ago
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets

Comment 19

8 years ago
mats, if nativescrollbar is gone on 1.9.0 and later is there point in adding a crash test?
Crash Signature: [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea]
Added crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3f5d453c4a28
Crash Signature: [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea] → [@ nsView::SetTopMost] [@ HandleEvent] [@ nsViewManager::UpdateWidgetArea]
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/3f5d453c4a28
You need to log in before you can comment on or make changes to this bug.