Closed Bug 331561 Opened 18 years ago Closed 18 years ago

nsAutoComplete crash on entering URL [@ nsAutoCompleteController::HandleEnter]

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Version:
1.5.0.x Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 2 beta1

People

(Reporter: jeanmichel.reghem, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: 181b1+)

Crash Data

Attachments

(1 file)

add few null checks
3.32 KB, patch
bryner
: review+
bryner
: superreview+
jay
: approval1.8.0.5+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

i don't really remember what i've done to have this crash.
I think i had an open FF, closing it, trying to reopen immediatly and type an url ...

here is the talkback:

TB16773954Z

Incident ID: 16773954
Stack Signature	nsAutoCompleteController::HandleEnter 4dedd470
Product ID	Firefox15
Build ID	2006011112
Trigger Time	2006-03-24 00:47:38.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (003feb8c)
URL visited	crash after closing firefox
User Comments	
Since Last Crash	265843 sec
Total Uptime	1582755 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp, line 260
Stack Trace 	
nsAutoCompleteController::HandleEnter  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp, line 260]
XPTC_InvokeByIndex  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2152]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3551]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_InternalInvoke  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1274]
JS_CallFunctionValue  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 4158]
nsJSContext::CallEventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1411]
nsJSEventListener::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 195]
nsXBLPrototypeHandler::ExecuteHandler  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 505]
nsXBLKeyEventHandler::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLEventHandler.cpp, line 151]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1685]
nsEventListenerManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1786]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2153]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsXULElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/xul/content/src/nsXULElement.cpp, line 2132]
nsGenericElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2117]
nsHTMLInputElement::HandleDOMEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1395]
PresShell::HandleEventInternal  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6374]
PresShell::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6210]
nsViewManager::HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2514]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2246]
HandleEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::DispatchKeyEvent  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3448]
nsWindow::OnKeyDown  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 3586]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4492]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0x89cd (0x77d489cd)
USER32.dll + 0x8a10 (0x77d48a10)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151]
main  [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Reproducible: Couldn't Reproduce

Steps to Reproduce:





--> trying to find similar bug

Bug 280084 FF101 nsAutoComplete crash on entering URL [@ nsAutoCompleteController::HandleEnter] ( VERIFIED + FIXED )
--> but seems to not solve all the issues

Bug 326468
Possibility of crash when autocomplete is open, document is reloaded and then autocomplete is clicked (NEW)
--> but crash in nsFormFillController::OnTextEntered , not nsAutoCompleteController::HandleEnter

Bug 320659
crash [@ nsFormFillController::OnTextEntered] (UNCONFIRMED)
--> but seems also different ... 

Bug 296526
While autocomplete list is visible opening the context menu causes a misplacement, the focus is lost and a crash occurs when trying to load another URL [@nsAutoCompleteController::HandleEnter]
--> line 450 ...

So, i've decided to open a new bug ...

i will try to reproduce it ...
Component: General → Autocomplete
Product: Firefox → Toolkit
Version: unspecified → 1.8 Branch
sorry for the spam ... wrong operation: moving to toolkit was an error
Component: Autocomplete → Location Bar and Autocomplete
Product: Toolkit → Firefox
Version: 1.8 Branch → 1.5.0.x Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8.0.3?
Flags: blocking-firefox2?
Keywords: crash, topcrash
bryner, can you take a look at this?
Assignee: nobody → bryner
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Bug 296526 has a patch...
No baked patch, too late to make 1.8.0.4
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.4-
Flags: blocking1.8.0.4+
Depends on: 296526
Need to get traction on Martijn's patch in bug 296526
Flags: blocking-firefox2? → blocking-firefox2+
QA Contact: general → location.bar
*** Bug 339467 has been marked as a duplicate of this bug. ***
Target Milestone: --- → Firefox 2 beta1
Flags: blocking1.8.0.5? → blocking1.8.0.5+
Depends on: 339467
Is this one distinct from bug 296526 (which has a patch)? You say it *is* distinct from bug 339467 which has a testcase but no patch, and isn't nominated for any 1.8 branch.
Assignee: bryner → martijn.martijn
Yeah, all those bugs are distinct from each other. There are different ways to trigger the crash (not sure how is triggered in this bug, though).
It happens when something bad has happened focus related.
So maybe the crash could/should also be fixed by adding some kind of checks in  nsAutoCompleteController::HandleEnter and related functions, but the bad focus state should also really not be happening.
Looks like this nsAutoCompleteController::HandleEnter crash isn't going to get fixed for 1.8.0.5

If we get a 1.8 fix for firefox 2 please request 1.8.0.x approval for the patch, but otherwise this probably isn't a blocker.
Flags: blocking1.8.0.5+ → blocking1.8.0.5-
Is it just so that mInput is nsnull when nsAutoCompleteController::HandleEnter is called?
In nsAutoCompleteController there is |if (mInput)| checks in
quite many places, but not in ::HandleEnter, ::HandleDelete
or ::HandleEscape.
I haven't seen this crash, nor bug 339467.
...trying to write a test case.
Not a good test case, but makes FF to crash.
Run this in JS Console:
var a = Components.classes["@mozilla.org/autocomplete/controller;1"].createInstance().QueryInterface(Components.interfaces.nsIAutoCompleteController); a.handleEnter();
Adding few null checks to prevent testcase -like crashes.
I went through all the uses of mInput and added either if (!mInput)
or NS_ENSURE_STATE(mInput) in those cases where I think it might be possible to crash. 
|if| is used in public methods, NS_ENSURE_STATE in protected methods.
Attachment #227253 - Flags: superreview?(bryner)
Attachment #227253 - Flags: review?(bryner)
Comment on attachment 227253 [details] [diff] [review]
add few null checks

Asking also approvals, since this may (or may not) help with some of the common nsAutoCompleteController::HandleEnter crashes. And at least fixes one way to crash the browser.
Attachment #227253 - Flags: approval1.8.1?
Attachment #227253 - Flags: approval1.8.0.5?
If TB stacks don't lie, most of the crashes happen when mInput
is null, I think. So the patch should help there.
Attachment #227253 - Flags: superreview?(bryner)
Attachment #227253 - Flags: superreview+
Attachment #227253 - Flags: review?(bryner)
Attachment #227253 - Flags: review+
Attachment #227253 - Flags: approval1.8.1?
Comment on attachment 227253 [details] [diff] [review]
add few null checks

Checked in to trunk
*** Bug 341885 has been marked as a duplicate of this bug. ***
Whiteboard: 181b1+
Comment on attachment 227253 [details] [diff] [review]
add few null checks

Re-asking approval for 1.8.1. This is just adding null checks to places where mInput can be nsnull even in 'valid' cases.
Attachment #227253 - Flags: approval1.8.1?
And according to TB, there hasn't been crashes
@nsAutoCompleteController::HandleEnter since this landed to trunk.
(though, the patch has been in only ~2 days)
Assignee: martijn.martijn → Olli.Pettay
*** Bug 339467 has been marked as a duplicate of this bug. ***
No longer depends on: 339467
Attachment #227253 - Flags: approval1.8.1? → approval1.8.1+
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Comment on attachment 227253 [details] [diff] [review]
add few null checks

approved for 1.8.0 branch, a=jay for drivers.  please land asap, so we can
respin and get RC2 out for testing.
Attachment #227253 - Flags: approval1.8.0.5? → approval1.8.0.5+
Keywords: fixed1.8.0.5
verified, no longer appearing in crash reports
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.5, fixed1.8.1verified1.8.0.5, verified1.8.1
Crash Signature: [@ nsAutoCompleteController::HandleEnter]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: