Crash [@ nsGenericHTMLElement::HandleDOMEventForAnchors]

RESOLVED FIXED

Status

()

--
critical
RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: glandium, Assigned: glandium)

Tracking

({crash, fixed1.8.0.9, fixed1.8.1})

1.8 Branch
x86
Linux
crash, fixed1.8.0.9, fixed1.8.1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [needs testcase], crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

12 years ago
I get quite some random crashes, so I now have a permanent setting to dump a core whenever a crash occurs.

I got one just a few moments ago, and I can now provide some information. I don't know if this is the crash I get everytime, though.

Here is a full backtrace:

#0  0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1  0xa7d8ca6d in raise () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0x080825cc in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:206
        unblock_sigs = {__val = {1024, 0 <repeats 31 times>}}
        oldact = <value optimized out>
#3  <signal handler called>
No symbol table info available.
#4  nsGenericHTMLElement::HandleDOMEventForAnchors (this=0xd9e74f0, aPresContext=0xb436398, aEvent=0xaffc0058, aDOMEvent=0x0, aFlags=1,
    aEventStatus=0xaffbfed4) at nsGenericHTMLElement.cpp:1560
        focusController = (class nsIFocusController *) 0x0
        isActive = 0
        win = {<nsCOMPtr_base> = {mRawPtr = 0xd4a83a0}, <No data fields>}
        handler = (class nsILinkHandler *) 0xd35a4b4
        document = (nsIDocument *) 0xaa16fe0
#5  0x082a568d in PresShell::HandleEventInternal (this=0xcbf1770, aEvent=0xaffc0058, aView=0xd93ad88, aFlags=1, aStatus=0xaffbfed4)
    at nsPresShell.cpp:6379
        isHandlingUserInput = 1
        manager = {<nsCOMPtr_base> = {mRawPtr = 0xb4366e8}, <No data fields>}
        rv = 0
#6  0x082a92e1 in PresShell::HandleEvent (this=0xcbf1770, aView=0xd93ad88, aEvent=0xaffc0058, aEventStatus=0xaffbfed4, aForceHandle=0,
    aHandled=@0xaffbfecc) at nsPresShell.cpp:6215
        esm = <value optimized out>
#7  0x084ac974 in nsViewManager::HandleEvent (this=0xb806750, aView=0xb8067c8, aEvent=0xaffc0058, aCaptured=0) at nsViewManager.cpp:2557
        handled = 1
        vVM = <value optimized out>
        v = (class nsView *) 0xd93ad88
#8  0x084adc55 in nsViewManager::DispatchEvent (this=0xb806750, aEvent=0xaffc0058, aStatus=0xaffbffc0) at nsViewManager.cpp:2246
        parent = <value optimized out>
        t2p = 0.25
        p2t = 13
        view = (class nsView *) 0xb8067c8
        capturedEvent = 0
#9  0x084a5966 in HandleEvent (aEvent=0xaffc0058) at nsView.cpp:171
        result = nsEventStatus_eIgnore
#10 0x08268df5 in nsCommonWidget::DispatchEvent (this=0xd4a8060, aEvent=0xaffc0058, aStatus=@0xaffc00a8) at nsCommonWidget.cpp:219
No locals.
#11 0x08265ab5 in nsWindow::OnButtonPressEvent (this=0xd4a8060, aWidget=0x9992a08, aEvent=0x8b4c690) at nsWindow.cpp:1565
        event = {<nsInputEvent> = {<nsGUIEvent> = {<nsEvent> = {eventStructType = 10 '\n', message = 302, point = {x = 4674, y = 5662}, refPoint = {
x = 359, y = 435}, time = 0, flags = 1024,
internalAppFlags = 2, userType = 0x0}, widget = 0xd4a8060, nativeMsg = 0x0}, isShift = 0,
    isControl = 0, isAlt = 0, isMeta = 0}, clickCount = 1, acceptActivation = 0 '\0', reason = nsMouseEvent::eReal}
#12 0x08265c06 in button_press_event_cb (widget=0x0, event=0x8b4c690) at nsWindow.cpp:3724
        window = (nsWindow *) 0xd542488
#13 0xa7bb6aa0 in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#14 0xa77d8a0b in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#15 0xa77e8e83 in g_signal_chain_from_overridden () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#16 0xa77ea158 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#17 0xa77ea529 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#18 0xa7ca8624 in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#19 0xa7bb4ecd in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#20 0xa7bb5343 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#21 0xa7a48bfa in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
No symbol table info available.
#22 0xa7768e2c in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#23 0xa776c176 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#24 0xa776c537 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#25 0xa7bb44e1 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#26 0x08268506 in nsAppShell::Run (this=0x8c357e8) at nsAppShell.cpp:139
No locals.
#27 0x08791102 in nsAppStartup::Run (this=0x8c357a8) at nsAppStartup.cpp:150
        rv = <value optimized out>
#28 0x0807c5f4 in XRE_main (argc=1, argv=0xaffc0b14, aAppData=0x8908a60) at nsAppRunner.cpp:2374
        remoteService = {<nsCOMPtr_base> = {mRawPtr = 0x9028468}, <No data fields>}
#29 0x08078587 in main (argc=0, argv=0x0) at nsBrowserApp.cpp:61
No locals.
#30 0xa72eaeb0 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#31 0x080784d1 in _start () at ../../../../dist/include/xpcom/nsCOMPtr.h:268

As you can see, the crash itself occurs in nsGenericHTMLElement::HandleDOMEventForAnchors in nsGenericHTMLElement.cpp at line 1560, which reads:
focusController->GetActive(&isActive);
... and focusController is ... NULL.

There's a need for a test there... or focusController is not supposed to be NULL in which case there's another bug leading to this crash.
(Assignee)

Comment 1

12 years ago
Created attachment 228520 [details] [diff] [review]
Proposed patch

Seeing how other code uses focusControllers returned by GetRootFocusController, and what this method returns, it seems a test should be enough.

I also added tests in other places of the code similar to this one, there may be crashers there too.
Attachment #228520 - Flags: review?(bryner)
(Assignee)

Comment 2

12 years ago
Created attachment 228521 [details] [diff] [review]
Proposed patch

Oops, I forgot the file where the crasher showed up.
Attachment #228520 - Attachment is obsolete: true
Attachment #228521 - Flags: review?(bryner)
Attachment #228520 - Flags: review?(bryner)

Updated

12 years ago
Assignee: nobody → general
Component: General → DOM
Flags: review?(bryner)
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Version: 1.5.0.x Branch → 1.8 Branch
(Assignee)

Comment 3

12 years ago
Hum. it'd be nice to know why the review flag has been removed.
(In reply to comment #3)
> Hum. it'd be nice to know why the review flag has been removed.

The fact that bugzilla bug 274802 isn't fixed :( Go ahead and request again.

Comment 5

12 years ago
I guess I clobbered it when changing the component. Feel free to re-request.
Summary: Crash in nsGenericHTMLElement::HandleDOMEventForAnchors → Crash [@ nsGenericHTMLElement::HandleDOMEventForAnchors]
(Assignee)

Updated

12 years ago
Attachment #228521 - Flags: review?(bryner)

Comment 6

12 years ago
*** Bug 281035 has been marked as a duplicate of this bug. ***
Attachment #228521 - Flags: review?(bryner) → review+

Updated

12 years ago
Attachment #228521 - Flags: superreview?(jst)

Comment 7

12 years ago
I'll check this in once sr+
Comment on attachment 228521 [details] [diff] [review]
Proposed patch

sr=jst
Attachment #228521 - Flags: superreview?(jst) → superreview+

Updated

12 years ago
Assignee: general → mh+mozilla

Comment 9

12 years ago
Checked in to trunk.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: blocking1.9a1?
Resolution: --- → FIXED
Is this patch also something useful for branch?
The bug was filed on the 1.8 branch.
Comment on attachment 228521 [details] [diff] [review]
Proposed patch

These are a bunch of null checks, so is safe enough for branch.
Attachment #228521 - Flags: approval1.8.1?

Comment 12

12 years ago
Comment on attachment 228521 [details] [diff] [review]
Proposed patch

a=darin on behalf of drivers for the MOZILLA_1_8_BRANCH.
Attachment #228521 - Flags: approval1.8.1? → approval1.8.1+
Checking in content/html/content/src/nsGenericHTMLElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,v  <--  nsGen
ericHTMLElement.cpp
new revision: 1.596.2.15; previous revision: 1.596.2.14
done
Checking in content/html/content/src/nsHTMLInputElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsHTMLInputElement.cpp,v  <--  nsHTMLI
nputElement.cpp
new revision: 1.390.2.14; previous revision: 1.390.2.13
done
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.761.2.59; previous revision: 1.761.2.58
done

Checked into the 1.8.1 branch.
Keywords: fixed1.8.1
Comment on attachment 228521 [details] [diff] [review]
Proposed patch

I think it's also important to get this on the 1.8.0.x branch.
Attachment #228521 - Flags: approval1.8.0.8?

Comment 15

12 years ago
*** Bug 181169 has been marked as a duplicate of this bug. ***
Comment on attachment 228521 [details] [diff] [review]
Proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #228521 - Flags: approval1.8.0.9? → approval1.8.0.9+
Checking in content/html/content/src/nsGenericHTMLElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,v  <--  nsGen
ericHTMLElement.cpp
new revision: 1.596.2.7.2.3; previous revision: 1.596.2.7.2.2
done
Checking in content/html/content/src/nsHTMLInputElement.cpp;
/cvsroot/mozilla/content/html/content/src/nsHTMLInputElement.cpp,v  <--  nsHTMLI
nputElement.cpp
new revision: 1.390.2.6.2.6; previous revision: 1.390.2.6.2.5
done
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.761.2.22.2.12; previous revision: 1.761.2.22.2.11
done

Checked in on the 1.8.0.x branch.
Keywords: fixed1.8.0.9
can I get a testcase/testing scenario for this bug for verification?
Whiteboard: [needs testcase]
Crash Signature: [@ nsGenericHTMLElement::HandleDOMEventForAnchors]
You need to log in before you can comment on or make changes to this bug.