Firefox 1.5.0.2 Linux topcrash [@ IM_get_input_context]

VERIFIED FIXED

Status

()

defect
--
critical
VERIFIED FIXED
13 years ago
8 years ago

People

(Reporter: dbaron, Assigned: masayuki)

Tracking

(4 keywords)

1.8 Branch
x86
Linux
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.8.1 -
blocking1.8.1.3 -
blocking1.8.1.4 +
blocking1.8.0.4 -
blocking1.8.0.5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [would take patch], crash signature, )

Attachments

(2 attachments, 2 obsolete attachments)

One of the Linux topcrashes in Firefox 1.5.0.2 is a null pointer dereference in IM_get_input_context, which unconditionally dereferences owningWindow, which is null when we crash.

The top of the stack is pretty constant between incidents although the source of the document viewer destruction varies (direct or in fastback cache):

IM_get_input_context()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/widget/src/gtk2/nsWindow.cpp, line 4793]
nsWindow::IMELoseFocus()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/widget/src/gtk2/nsWindow.cpp, line 4387]
nsWindow::IMEDestroyContext()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/widget/src/gtk2/nsWindow.cpp, line 4358]
nsWindow::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/widget/src/gtk2/nsWindow.cpp, line 404]
nsView::~nsView()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/view/src/nsView.cpp, line 267]
nsIView::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/view/src/nsView.cpp, line 304]
nsFrame::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/layout/generic/nsFrame.cpp, line 669]
nsContainerFrame::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 169]
nsFrameManager::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/layout/base/nsFrameManager.cpp, line 298]
PresShell::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/layout/base/nsPresShell.cpp, line 1957]
DocumentViewerImpl::Destroy()  [/builds/tinderbox/Fx-Mozilla1.8.0/Linux_2.4.21-37.ELsmp_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 712]
Flags: blocking1.8.0.3?
Summary: Firefox 1.5.0.2 topcrash [@ IM_get_input_context] → Firefox 1.5.0.2 Linux topcrash [@ IM_get_input_context]
taking. but what is cause of this regression?
Assignee: nobody → masayuki
Posted patch Patch rv1.0 (obsolete) — Splinter Review
This patch is not needed on Trunk. Because trunk already has this code.
Attachment #219424 - Flags: superreview?(roc)
Attachment #219424 - Flags: review?(masaki.katakai)
Attachment #219424 - Flags: approval-branch-1.8.1?(roc)
I cannot reproduce this bug, but maybe the patch fixes this bug.
Status: NEW → ASSIGNED
Oops. Sorry. I'm wrong.
Attachment #219424 - Attachment is obsolete: true
Attachment #219454 - Flags: superreview?(roc)
Attachment #219454 - Flags: review?(masaki.katakai)
Attachment #219454 - Flags: approval-branch-1.8.1?(roc)
Attachment #219424 - Flags: superreview?(roc)
Attachment #219424 - Flags: review?(masaki.katakai)
Attachment #219424 - Flags: approval-branch-1.8.1?(roc)

Comment 6

13 years ago
Comment on attachment 219454 [details] [diff] [review]
Patch rv1.1 for 1.8.x

+katakai

I'm also not seeing this problem on my environment, but the patch seems OK.
Attachment #219454 - Flags: review?(masaki.katakai) → review+
Version: Trunk → 1.8 Branch
Posted patch Patch rv1.0 for Trunk (obsolete) — Splinter Review
Uh, I found similar risk. We should fix this too.
Attachment #219531 - Flags: superreview?(roc)
Attachment #219531 - Flags: review?(masaki.katakai)
Attachment #219454 - Attachment description: Patch rv1.1 → Patch rv1.1 for 1.8.x

Comment 8

13 years ago
Comment on attachment 219531 [details] [diff] [review]
Patch rv1.0 for Trunk

+katakai
Attachment #219531 - Flags: review?(masaki.katakai) → review+
Comment on attachment 219454 [details] [diff] [review]
Patch rv1.1 for 1.8.x

The code is fine, but can you explain why aArea can be null or owningWindow can be null?
Attachment #219454 - Flags: superreview?(roc)
Attachment #219454 - Flags: superreview+
Attachment #219454 - Flags: approval-branch-1.8.1?(roc)
Attachment #219454 - Flags: approval-branch-1.8.1+
Comment on attachment 219454 [details] [diff] [review]
Patch rv1.1 for 1.8.x

Actually, let's wait until we can verify that this fixes the real issue. Do we know anyone who can reproduce the crash here?
Attachment #219454 - Flags: superreview+
Attachment #219454 - Flags: approval-branch-1.8.1+
(In reply to comment #10)
> (From update of attachment 219454 [details] [diff] [review] [edit])
> Actually, let's wait until we can verify that this fixes the real issue. Do we
> know anyone who can reproduce the crash here?
> 

No, I don't know. I don't see this report on bugzilla-jp, Japanese forums and Japanese blogs.
Oshima-san:

Can you reproduce this bug?
Could it be a teardown ordering issue?  Are the stacks something that commonly happens during window teardown?
dbaron: looks like it to me.

I'm a bit afraid that checking in this patch will just make us crash somewhere else, or worse, corrupt memory instead of crashing.
This sounds like the sort of fix that truly needs the trunk-baking time to make sure there are't any bad regressions or side-effects. Too late for 1.8.0.4
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.4?
Flags: blocking1.8.0.4-
(In reply to comment #15)
> This sounds like the sort of fix that truly needs the trunk-baking time to make
> sure there are't any bad regressions or side-effects. Too late for 1.8.0.4

We cannot test on Trunk, because the trunk doesn't have this code. We can test only on MOZILLA_1_8_BRANCH.
Boris has reported same report in bug 337036.

Boris:
Can you help us? See comment 10, comment 13 and comment 14.
So I see bug 337036 almost half the time when closing windows.  Simple testcase:

  javascript:alert('aaa')

Then click "ok".

Half the time I crash (inside GTK); that's bug 337036 (which has a slightly different stack from this one).  The other half, I get:

(Gecko:12931): GLib-GObject-WARNING **: invalid cast from `(null)' to `GtkWidget'
(Gecko:12931): GLib-GObject-WARNING **: invalid cast from `(null)' to `GObject'
(Gecko:12931): GLib-GObject-CRITICAL **: file gobject.c: line 1642 (g_object_get_data): assertion `G_IS_OBJECT (object)' failed

When I crash, mIMEData is false.  So I wouldn't even hit the codepath the patch in this bug is changing.  Furthermore, in IM_get_owning_window I have a non-null aArea and a non-null aArea->inner_window.  But the call to get_gtk_widget_for_gdk_window crashes.

So as far as I can tell, either bug 337036 is a different bug or this patch is wallpaper that doesn't fix the underlying issue.
(In reply to comment #18)
> Half the time I crash (inside GTK); that's bug 337036 (which has a slightly
> different stack from this one).

Ah, right, sorry.
Attachment #219531 - Attachment is obsolete: true
Attachment #219531 - Flags: superreview?(roc)
Can we get this bug landed on the 1.8 branch ("fixed1.8.1" state) and get some verification there that this doesn't cause the worse problems roc was worried about?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5+
Has anyone yet confirmed that this patch actually fixes anything? Comment #18 suggests it does not. I don't think we should check in a patch that we're not sure actually fixes anything.
Too late to get an unbaked patch into 1.8.0.5 for a non-security issue.
Flags: blocking1.8.0.5+ → blocking1.8.0.5-

Updated

13 years ago
Target Milestone: --- → mozilla1.8.1beta2
Minusing for blocking1.8.1 because it doesn't look like we're going to be able to get a fix for this one, although it would be great if we could still get a patch.
Flags: blocking1.8.1+ → blocking1.8.1-
Whiteboard: [would take patch]

Comment 24

13 years ago
*** Bug 352537 has been marked as a duplicate of this bug. ***
Just a long shot: does the patch in bug 351225 fix it?
(speculating that we destroy a view/window that has already been destroyed)

Comment 26

12 years ago
(In reply to comment #25)
> Just a long shot: does the patch in bug 351225 fix it?
> (speculating that we destroy a view/window that has already been destroyed)
> 

I don't think so; we have received a report whose stacktrace looks quite similar from a user of 2.0.0.1. bug 351225 is verified1.8.1.1 so this is unlikely to be the same problem.

You can take a look here:
https://launchpad.net/ubuntu/+source/firefox/+bug/85627

Comment 27

12 years ago
For all intents and purposes, this crash is the #1 Linux topcrash in 2.0.0.1 (only crashes in libc.so.6 and Flash outnumber it). Renominating in hopes that someone has time to take a second look.
Flags: blocking1.8.1.3?
Not going to block 1.8.1.3 for this, this is a very short cycle with no time for baking.  Moving nom over to 1.8.1.4, we probably want to take this early.
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.3?
Flags: blocking1.8.1.3-
We should get this fixed -- the small percentage of our users who use an IM (5%? 10% at most?) have managed to generate the #2 linux top crash.

roc: is there a way to track down your concerns in comment 14?
Flags: blocking1.8.1.4? → blocking1.8.1.4+
Comment on attachment 219454 [details] [diff] [review]
Patch rv1.1 for 1.8.x

OK. I'm unconvinced this will fix anything but it obviously won't make things worse, so let's land this on the 1.8.1 branch and see if that affects anything.

What we really need here, though, is someone who can reproduce this crash reliably. If it's such a huge crasher we should be able to find such a person...
Attachment #219454 - Flags: superreview+
Comment on attachment 219454 [details] [diff] [review]
Patch rv1.1 for 1.8.x

Thank you roc. Let's land it.
Attachment #219454 - Flags: approval1.8.1.4?
Comment on attachment 219454 [details] [diff] [review]
Patch rv1.1 for 1.8.x

approved for 1.8.1.4, a=dveditz for release-drivers
Attachment #219454 - Flags: approval1.8.1.4? → approval1.8.1.4+
checked-in to 1.8 branch.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1.4
Resolution: --- → FIXED
Target Milestone: mozilla1.8.1beta2 → ---
Verified with Simple testcase:

  javascript:alert('aaa')

Then click "ok"

on Linux FC5 with 2.0.0.4 rc2
Status: RESOLVED → VERIFIED

Comment 36

12 years ago
i never saw this crash with the simple testcase mentioned. Hope this fix does not just split this issue in crashes at multiple places.
Crash Signature: [@ IM_get_input_context]
You need to log in before you can comment on or make changes to this bug.