Closed Bug 341309 Opened 18 years ago Closed 18 years ago

Firefox crashes when I try to login [@ nsAutoCompleteController::ClosePopup]

Categories

(Toolkit :: Autocomplete, defect, P1)

1.8 Branch
defect

Tracking

VERIFIED FIXED
mozilla1.8.1beta1

People

(Reporter: jlp.bugs, Assigned: Gavin)

Details

(4 keywords)

Attachments

(3 files)

I'm using Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9a1) Gecko/20060612 Minefield/3.0a1

Reproducible: always

Steps to reproduce:
1. visit http://content.emule-project.net/
2. Click in the username field on the left
3. Select the username from the dropdown
4. Enter password
5. Click "Log In"

Actual result: Firefox crashes

Expected result: Firefox should not crash

When Firefox crashes I also get this error in the console:

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "Cannot modify properties of a WrappedNative"  nsresult: "0x80570034 (NS_ERROR_XPC_CANT_MODIFY_PROP_ON_WN)"  location: "JS frame :: chrome://global/content/bindings/autocomplete.xml :: onxblpopuphiding :: line 735"  data: no]
************************************************************
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../../../dist/include/xpcom/nsCOMPtr.h, line 849
Could you install with talkback and get a talkback ID for the crash? http://kb.mozillazine.org/Talkback
I can't find talkback, but I found some instructions for gdb and it gives me this output (if I did it correctly):

#0  0x00002aaab206e2b4 in nsAutoCompleteController::ClosePopup (this=0x10c3510)
    at /home/jlp/Work/Mozilla/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:938
#1  0x00002aaab206f0d1 in nsAutoCompleteController::Rollup (this=0x10c3510)
    at /home/jlp/Work/Mozilla/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:642
#2  0x00002aaaacf43080 in check_for_rollup (aWindow=0x4efcc40, aMouseX=45, aMouseY=909, aIsWheel=0)
    at /home/jlp/Work/Mozilla/mozilla/widget/src/gtk2/nsWindow.cpp:3761
#3  0x00002aaaacf43bd0 in nsWindow::OnButtonPressEvent (this=0x228efa0, aWidget=0x711520, aEvent=0x502a9e0)
    at /home/jlp/Work/Mozilla/mozilla/widget/src/gtk2/nsWindow.cpp:1873
#4  0x00002aaaacf43d81 in button_press_event_cb (widget=0x711520, event=0x502a9e0) at /home/jlp/Work/Mozilla/mozilla/widget/src/gtk2/nsWindow.cpp:4147
#5  0x00002b1aefa246fd in gtk_marshal_BOOLEAN__VOID () from /usr/lib/libgtk-x11-2.0.so.0
#6  0x00002b1af058a28a in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#7  0x00002b1af0599842 in g_signal_chain_from_overridden () from /usr/lib/libgobject-2.0.so.0
#8  0x00002b1af059a900 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#9  0x00002b1af059ad14 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#10 0x00002b1aefafc21f in gtk_widget_get_default_style () from /usr/lib/libgtk-x11-2.0.so.0
#11 0x00002b1aefa1e363 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#12 0x00002b1aefa1f408 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#13 0x00002b1aefe7f4cc in gdk_add_client_message_filter () from /usr/lib/libgdk-x11-2.0.so.0
#14 0x00002b1af06e6b97 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#15 0x00002b1af06e9d36 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#16 0x00002b1af06ea27e in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#17 0x00002aaaacf4d034 in nsAppShell::ProcessNextNativeEvent (this=0x5c5ac0, mayWait=1)
    at /home/jlp/Work/Mozilla/mozilla/widget/src/gtk2/nsAppShell.cpp:144
#18 0x00002aaaacf69a7c in nsBaseAppShell::DoProcessNextNativeEvent (this=0x5c5ac0, mayWait=1)
    at /home/jlp/Work/Mozilla/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:136
#19 0x00002aaaacf69f75 in nsBaseAppShell::OnProcessNextEvent (this=0x5c5ac0, thr=0x52eb60, mayWait=1, recursionDepth=0)
    at /home/jlp/Work/Mozilla/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:231
#20 0x00002b1aef2ff9d3 in ?? ()
#21 0x00007ffffffb7600 in ?? ()
#22 0x0000000000196a68 in ?? ()
#23 0x00000000005c5ac8 in ?? ()
#24 0x00002aaaacf6a968 in nsCOMPtr<nsIRunnable>::operator= (this=0xeea05782, rhs=0x7ffffffb7620) at nsCOMPtr.h:715
#25 0x00002b1aef28a99e in ?? ()
#26 0x0000000000503700 in ?? ()
#27 0x0000000100000001 in ?? ()
#28 0x000000010152eb60 in ?? ()
#29 0x000000000052eb60 in ?? ()
#30 0xff6d6e6873606268 in ?? ()
#31 0x000000010061bff0 in ?? ()
#32 0x00007ffffffb76c0 in ?? ()
#33 0x00002aaaacf6a0fc in nsBaseAppShell::Run (this=0x52eb60) at /home/jlp/Work/Mozilla/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:153
#34 0x00002aaaacf6a0fc in nsBaseAppShell::Run (this=0x5c5ac0) at /home/jlp/Work/Mozilla/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:153
#35 0x00002aaaae46f100 in nsAppStartup::Run (this=0x73bed0) at /home/jlp/Work/Mozilla/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:171
#36 0x00002b1aeec39ad5 in ?? ()
#37 0x00000001fffb7860 in ?? ()
#38 0x00002b1a00a30000 in ?? ()
#39 0x00000001fffb7810 in ?? ()
#40 0x00000001eea3a000 in ?? ()
#41 0x0000000000000001 in ?? ()
#42 0x0000000000000041 in ?? ()
#43 0x00002b1af27244b8 in ?? ()
---Type <return> to continue, or q <return> to quit---
#44 0x00002b1aee9fca1b in do_lookup_x () from /lib64/ld-linux-x86-64.so.2
#45 0x00007ffffffb7808 in ?? ()
#46 0x0001001100000021 in ?? ()
#47 0x000000000000003f in ?? ()
#48 0x00007ffffffb7808 in ?? ()
#49 0x30305f3161302e33 in ?? ()
#50 0x3030303030303030 in ?? ()
#51 0x305f3161392e312f in ?? ()
#52 0x3030303030303030 in ?? ()
#53 0x00002b1aeea00030 in _dl_profile_fixup () from /lib64/ld-linux-x86-64.so.2
#54 0x0000000000000000 in ?? ()
Not an XBL issue.
Assignee: general → nobody
Status: UNCONFIRMED → NEW
Component: XBL → Autocomplete
Ever confirmed: true
Product: Core → Toolkit
QA Contact: ian → autocomplete
I have a pretty good feeling this is a regression from bug 236791.
Blocks: 236791
Summary: Firefox crashes when I try to login → Firefox crashes when I try to login [@ nsAutoCompleteController::ClosePopup]
*** Bug 341378 has been marked as a duplicate of this bug. ***
(In reply to comment #5)
> I have a pretty good feeling this is a regression from bug 236791.
> 
I'd be really surprised if this was actually caused by my checkin. Still, it'd be very helpful if we could get a confirmed regression range, if this is a regression at all. Jure, or anyone else who can reproduce this, can you try the last couple of nightly builds and see if you can find a range where this does/does not occur. For reference, bug 236791 landed on June 7.
I just got 3 crashes as I tried to login on a homepage... TB19830800Z, TB19830443Y, TB19830413G
( h**p://stud-e.htw-saarland.de/backend )


At the moment I can't login on that page anymore... I must use another browser for it...

It happens only on that page.. all other pages are fine.
hmm, bug 236791 was NOT checked in on branch, so comment #14 (branch regression on 20060613) either regressed from a different bug, or the regressor (bug 236791) here might be wrong?
OS: Linux → All
Hardware: PC → All
oops, didn't mean to change the 2 fields
OS: All → Linux
Hardware: All → PC
(In reply to comment #9)
> hmm, bug 236791 was NOT checked in on branch, so comment #14 (branch regression
> on 20060613) either regressed from a different bug , or the regressor (bug
> 236791) here might be wrong ?
> 
False. nsAutoCompleteController.cpp 1.32.2.9 and nsAutoCompleteController.h 1.7.8.2
OS: Linux → All
Hardware: PC → All
(In reply to comment #11)
> (In reply to comment #9)
> > hmm, bug 236791 was NOT checked in on branch, so comment #14 (branch regression
> > on 20060613) either regressed from a different bug , or the regressor (bug
> > 236791) here might be wrong ?
> > 
> False. nsAutoCompleteController.cpp 1.32.2.9 and nsAutoCompleteController.h
> 1.7.8.2
> 
I'm not seeing those 2 on branch between 20060612-20060613
(In reply to comment #12)
> I'm not seeing those 2 on branch between 20060612-20060613
> 
Right, see comment #7, they landed on 20060607
(In reply to comment #13)
> (In reply to comment #12)
> > I'm not seeing those 2 on branch between 20060612-20060613
> > 
> Right, see comment #7, they landed on 20060607
> 

That means the branch regression in comment #8 should be a new bug, no?
I don't see a regression range mentioned here besides my comment 5 (which is probably wrong). 

If anyone can figure out a regression range for this bug it would be greatly appreciated. I saw that bug 341378 had some pretty solid steps to reproduce...
*** Bug 341392 has been marked as a duplicate of this bug. ***
*** Bug 341428 has been marked as a duplicate of this bug. ***
Requesting blocking FF2, since this is a definite problem for day-to-day use.
Flags: blocking-firefox2?
Severity: critical → blocker
Target Milestone: --- → mozilla1.8.1beta1
I have a build from 2006-06-10 that does not display this bustage.  Builds from 2006-06-12 do.  I hope this helps narrow the range.
had trouble applying patch (unusual format) but applied changes by hand and no longer see crash.
Same thing as timeless's patch but without the XXX comments and another NS_ENSURE_TRUE() in ::ClosePopup().
Attachment #225674 - Flags: first-review?(bryner)
I can confirm that the patch fixes this bug.
Comment on attachment 225674 [details] [diff] [review]
timeless's patch without the XXX comments

>@@ -299,11 +301,12 @@ nsAutoCompleteController::HandleEscape(P
>   mInput->GetPopupOpen(_retval);
>   
>   ClearSearchTimer();
>   ClearResults();
>   RevertTextValue();
>-  ClosePopup();
>+  if (mIsOpen)
>+    ClosePopup();
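
Review bot: the if (mIsOpen) guard added before ClosePopup() in HandleEscape tests the controller's own flag, while the first context line of the same hunk asks the input for the popup state through mInput->GetPopupOpen(_retval), so the function now relies on two sources for "is the popup open" that are not shown to stay in sync. That context line also dereferences mInput with no null check visible in the hunk, so the new guard does nothing for a caller that reaches HandleEscape with a null mInput. Consider an early return on a null mInput at the top of the function and a single open-state check inside ClosePopup(), and brace the new if body so a later second statement is not left outside the condition.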

If we want to avoid trying to close the popup if it's already closed, I'd prefer moving that check into ClosePopup().  Same with the other call site where you added this check.

Looks good otherwise.
Attachment #225674 - Flags: first-review?(bryner) → first-review+
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Attachment #225743 - Flags: second-review?
Attachment #225743 - Flags: first-review?(joe)
Attachment #225743 - Flags: second-review?(mconnor)
Attachment #225743 - Flags: second-review?
Attachment #225743 - Flags: approval-branch-1.8.1?(mconnor)
This is a regression from bug 340572. The null check patch should probably be landed anyways, but my patch will fix the underlying issue with the autocomplete popup setting bogus maxRows values.
Blocks: 340572
No longer blocks: 236791
Priority: -- → P1
Version: Trunk → 1.8 Branch
Attachment #225743 - Flags: first-review?(joe) → first-review+
Attachment #225743 - Flags: second-review?(mconnor)
Attachment #225743 - Flags: second-review+
Attachment #225743 - Flags: approval-branch-1.8.1?(mconnor)
Attachment #225743 - Flags: approval-branch-1.8.1+
Flags: blocking-firefox2? → blocking-firefox2+
Landed attachment 225743 [details] [diff] [review] on the trunk and 1.8 branch.
mozilla/toolkit/content/widgets/autocomplete.xml 	1.44.2.13
mozilla/toolkit/content/widgets/autocomplete.xml 	1.63
I'd like to confirm that the patch fixes the crashes people have been seeing before closing this bug, so if people could test tomorrow's nightly builds (or hourlies after now) and confirm that it no longer crashes that'd be great.
I can confirm that the checked-in patch fixes the problem.

Mozilla/5.0 (Windows; compatible; U; Windows NT 5.1; en-US; rv:1.8.1a3) Gecko/20060615 Firefox/2.0a3 ID:2006061519
Keywords: topcrash
Keywords: regression
I just recompiled from CVS and the problem is also fixed for me. Thanks!
Ok, I'll call this FIXED, and file a new bug for the better null checks.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
I can't reproduce on 2.0b2 builds from 0821
verified per comments in 29 n 30 (reporter)
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsAutoCompleteController::ClosePopup]