Closed Bug 355931 Opened 14 years ago Closed 13 years ago

[FIX]crash when upload a file in Google Page Creator [@ 0x00000000] [@ nsEventListenerManager::HandleEvent]

Categories: (Core :: DOM: UI Events & Focus Handling, defect, P1, critical)

Tracking: VERIFIED FIXED, mozilla1.9alpha1

People: (Reporter: baffclan, Assigned: bzbarsky)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061008 Minefield/3.0a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061008 Minefield/3.0a1

crash when upload a file in Google Page Creator


Reproducible: Always

Steps to Reproduce:
1. open http://pages.google.com/
2. log in to Google
3. upload a stuff (file)




Firefox/2006100804-trunk/WinXP
TB24284195Q

Firefox/2006100704-trunk/WinXP
TB24282303X, TB24282302Z
Stack Signature	 0x00020027 17bc990c
Product ID	FirefoxTrunk
Build ID	2006100804
Trigger Time	2006-10-08 06:14:28.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	crash when upload a file in Google Page Creator
Since Last Crash	67 sec
Total Uptime	67 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
0x00020027
firefox.exe + 0x20aa01 (0x0060aa01)
firefox.exe + 0x20aad4 (0x0060aad4)
firefox.exe + 0x20ada9 (0x0060ada9)
firefox.exe + 0x171042 (0x00571042)
firefox.exe + 0x172878 (0x00572878)
firefox.exe + 0x24c6a4 (0x0064c6a4)



Stack Signature	 0x00000000 8e189bc1
Product ID	FirefoxTrunk
Build ID	2006100704
Trigger Time	2006-10-08 04:46:25.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	crash when upload a file in Google Page Creator
Since Last Crash	120 sec
Total Uptime	9274 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
0x00000000
nsEventListenerManager::HandleEvent  [mozilla\content\events\src\nseventlistenermanager.cpp, line 1414]
nsEventTargetChainItem::HandleEvent  [mozilla\content\events\src\nseventdispatcher.cpp, line 356]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla\content\events\src\nseventdispatcher.cpp, line 433]
nsEventDispatcher::Dispatch  [mozilla\content\events\src\nseventdispatcher.cpp, line 643]
PresShell::HandleEventInternal  [mozilla\layout\base\nspresshell.cpp, line 6251]
PresShell::HandleEventWithTarget  [mozilla\layout\base\nspresshell.cpp, line 6156]
nsEventStateManager::CheckForAndDispatchClick  [mozilla\content\events\src\nseventstatemanager.cpp, line 3231]



Stack Signature	 0x00000000 8e189bc1
Product ID	FirefoxTrunk
Build ID	2006100704
Trigger Time	2006-10-08 04:43:50.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	
Since Last Crash	9154 sec
Total Uptime	9154 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
0x00000000
nsEventListenerManager::HandleEvent  [mozilla\content\events\src\nseventlistenermanager.cpp, line 1414]
nsEventTargetChainItem::HandleEvent  [mozilla\content\events\src\nseventdispatcher.cpp, line 356]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla\content\events\src\nseventdispatcher.cpp, line 433]
nsEventDispatcher::Dispatch  [mozilla\content\events\src\nseventdispatcher.cpp, line 643]
PresShell::HandleEventInternal  [mozilla\layout\base\nspresshell.cpp, line 6251]
PresShell::HandleEventWithTarget  [mozilla\layout\base\nspresshell.cpp, line 6156]
nsEventStateManager::CheckForAndDispatchClick  [mozilla\content\events\src\nseventstatemanager.cpp, line 3231]
Keywords: crash
Summary: crash when upload a file in Google Page Creator → crash when upload a file in Google Page Creator [@ 0x00020027 17bc990c]
Version: unspecified → Trunk
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061007 Minefield/3.0a1

Is this reproducible in Safe Mode (http://kb.mozillazine.org/Safe_Mode)?
Summary: crash when upload a file in Google Page Creator [@ 0x00020027 17bc990c] → crash when upload a file in Google Page Creator [@ 0x00020027 17bc990c] [@ 0x00000000 8e189bc1]
(In reply to comment #2)
> Is this reproducible in Safe Mode (http://kb.mozillazine.org/Safe_Mode)?
 
Firefox/2006100804-trunk/WinXP with safemode
upload file is jpeg image file

TB24285195M

Incident ID: 24285195
Stack Signature	0x00020027 a21228b1
Product ID	FirefoxTrunk
Build ID	2006100804
Trigger Time	2006-10-08 06:49:57.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	bug 355931 Firefox/2006100804-trunk/WinXP with safemode upload file is jpeg image file
Since Last Crash	244 sec
Total Uptime	2002 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
0x00020027
nsEventTargetChainItem::HandleEvent  [mozilla\content\events\src\nseventdispatcher.cpp, line 356]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla\content\events\src\nseventdispatcher.cpp, line 433]
nsEventDispatcher::Dispatch  [mozilla\content\events\src\nseventdispatcher.cpp, line 643]
PresShell::HandleEventInternal  [mozilla\layout\base\nspresshell.cpp, line 6251]
PresShell::HandleEventWithTarget  [mozilla\layout\base\nspresshell.cpp, line 6156]
nsEventStateManager::CheckForAndDispatchClick  [mozilla\content\events\src\nseventstatemanager.cpp, line 3231]


*** This bug has been marked as a duplicate of 355362 ***
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Er... this is not a duplicate of bug 355362.  What made you think it is?

This bug does need a testcase, or at least reliable steps to reproduce (the "upload stuff" step should be however many steps it takes to explicitly describe where one should click and what keys on the keyboard one should hit to reproduce the problem).
Status: RESOLVED → UNCONFIRMED
Keywords: qawanted
Resolution: DUPLICATE → ---
Also, is this a regression?  If so, from when?
Flags: blocking1.9?
Assignee: nobody → events
Component: General → Event Handling
Product: Firefox → Core
QA Contact: general → ian
Summary: crash when upload a file in Google Page Creator [@ 0x00020027 17bc990c] [@ 0x00000000 8e189bc1] → crash when upload a file in Google Page Creator [@ 0x00000000] [@ nsEventListenerManager::HandleEvent]
(In reply to comment #6)
> Also, is this a regression?  If so, from when?
> 

WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061008 Minefield/3.0a1
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/0000000000 Minefield/3.0a1 from code dated Fri Oct 6 20:13:13 PDT 2006.
This is wfm also with current trunk build. Baffclan, what are the exact steps to reproduce this crash? Do you also get the crash with a new, clean profile?
(In reply to comment #9)
> This is wfm also with current trunk build. Baffclan, what are the exact steps
> to reproduce this crash? Do you also get the crash with a new, clean profile?
> 

yes, reproduce with new profile.

Steps to Reproduce (New Profile):
1. Create New profile, and start
2. open http://pages.google.com/
3. appear "Security Warning" dialog
4. checked "Alert me whenever I am about to view an encrypted page."
5. click [OK]
6. log in to Google
7. appear "Confirm" dialog
8. click [Not Now]
9. appear "Security Warning" dialog
10. checked "Alert me whenever I am about to view an encrypted page."
11. click [OK]
12. click [upload]
13. click [Browse...]
14. appear "File Upload"
15. select a file, and click [Open]
16. appear "Security Warning" dialog
17. checked "Alert me whenever I submit information that's not encrypted."
18. click [Continue]
19. crash a Firefox

20. however don't appear talkback

21. try again upload file  in Google Page Creator
22. appear talkback



reproduce with SeaMonkey trunk build, too.
TB24325806Y, TB24322058Z
Thanks for the steps to reproduce! It appears that the "Security Warning" dialog that appears while the file gets uploaded is causing the crash somehow, because I can reproduce this with a new, clean profile.
This regressed between 2006-08-03 and 2006-08-04:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-08-03+05&maxdate=2006-08-04+07&cvsroot=%2Fcvsroot
Status: UNCONFIRMED → NEW
Ever confirmed: true
Just to be clear, this is no problem on branch.
(In reply to comment #11)
> This regressed between 2006-08-03 and 2006-08-04:
> 

I tested Fx/2006080104-trunk/WinXP.
It crashed.

TB24401282Z, TB24401245W

Incident ID: 24401245
Stack Signature	0x00020045 c2916e18
Product ID	FirefoxTrunk
Build ID	2006080104
Trigger Time	2006-10-10 22:56:56.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	bug 355931? Fx/2006080104-trunk
Since Last Crash	59860 sec
Total Uptime	59860 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
0x00020045
nsEventTargetChainItem::HandleEvent  [mozilla\content\events\src\nseventdispatcher.cpp, line 356]
nsEventTargetChainItem::HandleEventTargetChain  [mozilla\content\events\src\nseventdispatcher.cpp, line 433]
nsEventDispatcher::Dispatch  [mozilla\content\events\src\nseventdispatcher.cpp, line 643]
PresShell::HandleEventInternal  [mozilla\layout\base\nspresshell.cpp, line 6280]
PresShell::HandleEventWithTarget  [mozilla\layout\base\nspresshell.cpp, line 6173]
nsEventStateManager::CheckForAndDispatchClick  [mozilla\content\events\src\nseventstatemanager.cpp, line 3221]
Attached patch: Patch to fix
baffclan, thanks a ton for the steps to reproduce!  They made figuring this out a snap!

So as far as I can tell the basic problem is that bug 40533 was never really fixed correctly.  In this bug, we hit the following sequence of events:

1)  User clicks on file control.
2)  Inside the click handler user selects file.
3)  Inside the click handler we fire onchange.
4)  Onchange triggers page navigation.
5)  Modal dialog comes up; event processing while it's up allows destruction of
    the file control frame.
6)  We unwind back to where the click event was dispatched to the listener.
7)  We crash, because the listener _is_ the frame, and so is dead.  The fact
    that the listener manager thinks it's holding a ref to it is immaterial.

The solution, of course, is to use a properly refcounted listener object.  I wish we could just start asserting when people addref frames.  :(

Note that this is probably an issue on branch too if one tries hard enough; I'll write a branch version of the patch once the trunk one has been reviewed.
Assignee: events → bzbarsky
Status: NEW → ASSIGNED
Attachment #245320 - Flags: superreview?(roc)
Attachment #245320 - Flags: review?(roc)
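A minimal sketch of the lifetime pattern described in the comment above, added here as an illustration; it is not the attached patch and not Gecko code. `Frame`, `FrameListener`, `Dispatch` and `RunScenario` are hypothetical names, `std::shared_ptr` stands in for XPCOM refcounting, and the clearable back-pointer is an assumption about how a separate listener object stays safe once its frame is destroyed.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>

struct Frame;

// Refcounted listener (hypothetical). It never owns the frame; it keeps a
// back-pointer that the frame clears from its destructor.
struct FrameListener {
    Frame* frame;
    explicit FrameListener(Frame* f) : frame(f) {}
    void Disconnect() { frame = nullptr; }
    std::string HandleEvent(const std::function<void()>& nestedEventLoop);
};

// Frames are destroyed whenever layout decides, regardless of who points at them.
struct Frame {
    std::shared_ptr<FrameListener> listener;
    std::string value;
    Frame() : listener(std::make_shared<FrameListener>(this)) {}
    ~Frame() { listener->Disconnect(); }
};

std::string FrameListener::HandleEvent(const std::function<void()>& nestedEventLoop) {
    if (!frame) return "ignored: frame already gone";
    frame->value = "picked.jpg";   // steps 2-3: file chosen, onchange fires
    nestedEventLoop();             // steps 4-5: modal dialog processes events
    if (!frame)                    // step 6: unwinding, re-check before use
        return "frame destroyed during dispatch, bailed out";
    return "handled " + frame->value;
}

// The dispatcher holds its own strong reference for the whole call, so the
// listener object outlives anything the nested event loop tears down.
std::string Dispatch(std::shared_ptr<FrameListener> listener,
                     const std::function<void()>& nestedEventLoop) {
    return listener->HandleEvent(nestedEventLoop);
}

std::string RunScenario(bool destroyFrameInDialog) {
    std::unique_ptr<Frame> frame(new Frame());   // owned by the "frame tree"
    std::shared_ptr<FrameListener> registered = frame->listener;
    return Dispatch(registered, [&] { if (destroyFrameInDialog) frame.reset(); });
}

int main() {
    std::cout << RunScenario(false) << "\n" << RunScenario(true) << "\n";
}
```

When the frame itself is the registered listener, the re-check in step 6 has nothing valid to read from, which is the crash in the stack traces above.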
Note that this code ends up calling NS_RELEASE on an already-dead frame....
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: crash when upload a file in Google Page Creator [@ 0x00000000] [@ nsEventListenerManager::HandleEvent] → [FIX]crash when upload a file in Google Page Creator [@ 0x00000000] [@ nsEventListenerManager::HandleEvent]
Target Milestone: --- → mozilla1.9alpha
This is coming in on the late side... we'll look at patch approval when you request one otherwise into a later branch release.
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1-
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9-
Attachment #245320 - Flags: superreview?(roc)
Attachment #245320 - Flags: superreview+
Attachment #245320 - Flags: review?(roc)
Attachment #245320 - Flags: review+
Attached patch: Branch patch
Attachment #245498 - Flags: approval1.8.1.1?
Attachment #245498 - Flags: approval1.8.0.9?
Boris, why haven't you checked in the patch yet?
Er.. I checked in the trunk patch at 2006-11-13 14:05 Pacific time, right before I posted the branch patch.  I must have forgotten to comment in the bug.  The branch patch is waiting on approval, of course.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → FIXED
Thanks for check-in. 
I found it in bonsai.
Comment on attachment 245498 [details] [diff] [review]
Branch patch

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #245498 - Flags: approval1.8.1.1?
Attachment #245498 - Flags: approval1.8.1.1+
Attachment #245498 - Flags: approval1.8.0.9?
Attachment #245498 - Flags: approval1.8.0.9+
Fixed for 1.8.0.9, 1.8.1.1
WFM:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/20061130 BonEcho/2.0.0.1pre
Status: RESOLVED → VERIFIED
Keywords: verified1.8.1.1
Verified fixed for 1.8.0.9 and 1.8.1.1. with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.1pre) Gecko/20061202 BonEcho/2.0.0.1pre
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.9pre) Gecko/20061202 Firefox/1.5.0.9pre
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.9? → in-testsuite?
Crash Signature: [@ 0x00000000] [@ nsEventListenerManager::HandleEvent]
Component: Event Handling → User events and focus handling