Closed Bug 366500 Opened 18 years ago Closed 18 years ago

Crash hitting OK in dialog [@ nsQueryInterface::operator] called from [@ nsAccessible::Shutdown] (when dialog's 1st widget is textbox)

Categories

(Core :: Disability Access APIs, defect)

x86
Linux
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: monsanto, Assigned: evan.yan)

Details

(Keywords: access)

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20060601 Firefox/2.0.0.1 (Ubuntu-edgy)
Build Identifier: 

Thunderbird crashed after I hit the OK button in the Message Filters - Filter Rules dialog.

Incident ID: 28188863
Stack Signature	0x00000061 95ef7db0
Product ID	ThunderbirdTrunk
Build ID	2007010903
Trigger Time	2007-01-09 10:41:46.0
Platform	LinuxIntel
Operating System	Linux 2.6.17-10-generic
Module	
URL visited	
User Comments	Hit okay button creating message filter with accessibility enabled
Since Last Crash	0 sec
Total Uptime	0 sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.	N/A
Stack Trace 	
0x00000061
nsQueryInterface::operator()  [mozilla/xpcom/build/nsCOMPtr.cpp, line 47]
nsCOMPtr_base::assign_from_qi()  [mozilla/xpcom/build/nsCOMPtr.cpp, line 96]
nsAccessible::Shutdown()  [mozilla/accessible/src/base/nsAccessible.cpp, line 897]
nsAccessNode::ClearCacheEntry()  [mozilla/accessible/src/base/nsAccessNode.cpp, line 626]
nsBaseHashtable<nsVoidHashKey, nsCOMPtr<nsIAccessNode>, nsIAccessNode*>::s_EnumStub()
PL_DHashTableEnumerate()  [mozilla/xpcom/build/pldhash.c, line 684]
nsAccessNode::ClearCache()  [mozilla/accessible/src/base/nsAccessNode.cpp, line 635]
nsDocAccessible::Shutdown()  [mozilla/accessible/src/base/nsDocAccessible.cpp, line 712]
nsDocAccessible::Destroy()  [mozilla/accessible/src/base/nsDocAccessible.cpp, line 473]
nsRootAccessible::HandleEventWithTarget()  [mozilla/accessible/src/base/nsRootAccessible.cpp, line 556]
nsRootAccessibleWrap::HandleEventWithTarget()  [mozilla/accessible/src/atk/nsRootAccessibleWrap.cpp, line 428]
nsRootAccessible::HandleEvent()  [mozilla/accessible/src/base/nsRootAccessible.cpp, line 840]
nsEventListenerManager::HandleEventSubType()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1280]
nsEventListenerManager::HandleEvent()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1055]
nsEventTargetChainItem::HandleEvent()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 1038]
nsEventTargetChainItem::HandleEventTargetChain()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 404]
nsEventDispatcher::Dispatch()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 636]
nsDocument::DispatchEventToWindow()  [mozilla/content/base/src/nsDocument.cpp, line 5253]
nsDocument::OnPageHide()  [mozilla/content/base/src/nsDocument.cpp, line 5307]
DocumentViewerImpl::PageHide()  [mozilla/layout/base/nsDocumentViewer.cpp, line 1246]
nsDocShell::FirePageHideNotification()  [mozilla/docshell/base/nsDocShell.cpp, line 62]
nsDocShell::Destroy()  [mozilla/docshell/base/nsDocShell.cpp, line 1119]
nsXULWindow::Destroy()  [mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 713]
nsWebShellWindow::Destroy()  [mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 828]
nsChromeTreeOwner::Destroy()  [mozilla/xpfe/appshell/src/nsChromeTreeOwner.cpp, line 363]
nsGlobalWindow::ReallyCloseWindow()  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1343]
nsCloseEvent::Run()
nsThread::ProcessNextEvent()  [mozilla/xpcom/threads/nsThread.cpp, line 483]
NS_ProcessNextEvent_P()  [mozilla/xpcom/build/nsThreadUtils.cpp, line 225]
nsXULWindow::ShowModal()  [mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 402]
nsContentTreeOwner::ShowAsModal()  [mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp, line 503]
nsWindowWatcher::OpenWindowJSInternal()  [mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 618]
nsWindowWatcher::OpenWindowJS()  [mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 481]
nsGlobalWindow::OpenInternal()  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 846]
nsGlobalWindow::OpenDialog()  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 840]
NS_InvokeByIndex()
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)()  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 3212]
XPC_WN_CallMethod()  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1455]
js_Invoke()  [mozilla/js/src/jsinterp.c, line 1348]
js_Interpret()  [mozilla/js/src/jsinterp.c, line 4059]
js_Invoke()  [mozilla/js/src/jsinterp.c, line 1367]
js_InternalInvoke()  [mozilla/js/src/jsinterp.c, line 1442]
JS_CallFunctionValue()  [mozilla/js/src/jsapi.c, line 4370]
nsJSContext::CallEventHandler()  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1752]
nsJSEventListener::HandleEvent()  [mozilla/dom/src/events/nsJSEventListener.cpp, line 846]
nsEventListenerManager::HandleEventSubType()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1280]
nsEventListenerManager::HandleEvent()  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1055]
nsEventTargetChainItem::HandleEvent()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 1038]
nsEventTargetChainItem::HandleEventTargetChain()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 433]
nsEventDispatcher::Dispatch()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 636]
PresShell::HandleDOMEventWithTarget()  [mozilla/layout/base/nsPresShell.cpp, line 5856]
nsButtonBoxFrame::DoMouseClick()  [mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 936]
nsButtonBoxFrame::HandleEvent()  [mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 137]
nsPresShellEventCB::HandleEvent()
nsEventTargetChainItem::HandleEventTargetChain()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 1030]
nsEventDispatcher::Dispatch()  [mozilla/content/events/src/nsEventDispatcher.cpp, line 636]
PresShell::HandleEventInternal()  [mozilla/layout/base/nsPresShell.cpp, line 955]
PresShell::HandleEvent()  [mozilla/layout/base/nsPresShell.cpp, line 5599]
nsViewManager::HandleEvent()  [mozilla/view/src/nsViewManager.cpp, line 1665]
nsViewManager::DispatchEvent()  [mozilla/view/src/nsViewManager.cpp, line 1623]
HandleEvent()  [mozilla/view/src/nsView.cpp, line 228]
nsCommonWidget::DispatchEvent()  [mozilla/widget/src/gtk2/nsCommonWidget.cpp, line 216]
nsWindow::OnKeyReleaseEvent()  [mozilla/widget/src/gtk2/nsWindow.cpp, line 2212]
key_release_event_cb()  [mozilla/widget/src/gtk2/nsWindow.cpp, line 4450]
libgtk-x11-2.0.so.0 + 0x13cb00 (0xb7b0bb00)
libgobject-2.0.so.0 + 0x979b (0xb789979b)
libgobject-2.0.so.0 + 0x19b93 (0xb78a9b93)
libgobject-2.0.so.0 + 0x1ae7f (0xb78aae7f)
libgobject-2.0.so.0 + 0x1b279 (0xb78ab279)
libgtk-x11-2.0.so.0 + 0x2505f8 (0xb7c1f5f8)
libgtk-x11-2.0.so.0 + 0x260677 (0xb7c2f677)
libgtk-x11-2.0.so.0 + 0x2606bc (0xb7c2f6bc)
libgtk-x11-2.0.so.0 + 0x13cb00 (0xb7b0bb00)
libgobject-2.0.so.0 + 0x7fb9 (0xb7897fb9)
libgobject-2.0.so.0 + 0x979b (0xb789979b)
libgobject-2.0.so.0 + 0x1a1e3 (0xb78aa1e3)
libgobject-2.0.so.0 + 0x1ae7f (0xb78aae7f)
libgobject-2.0.so.0 + 0x1b279 (0xb78ab279)
libgtk-x11-2.0.so.0 + 0x2505f8 (0xb7c1f5f8)
libgtk-x11-2.0.so.0 + 0x135f2a (0xb7b04f2a)
libgtk-x11-2.0.so.0 + 0x1370f7 (0xb7b060f7)
libgdk-x11-2.0.so.0 + 0x447ea (0xb79757ea)
libglib-2.0.so.0 + 0x2b802 (0xb7829802)
libglib-2.0.so.0 + 0x2e7df (0xb782c7df)
libglib-2.0.so.0 + 0x2ed45 (0xb782cd45)
nsBaseAppShell::DoProcessNextNativeEvent()  [mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp, line 137]
nsBaseAppShell::OnProcessNextEvent()  [mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp, line 231]
nsThread::ProcessNextEvent()  [mozilla/xpcom/threads/nsThread.cpp, line 496]
NS_ProcessNextEvent_P()  [mozilla/xpcom/build/nsThreadUtils.cpp, line 225]
nsBaseAppShell::Run()  [mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp, line 153]
nsAppStartup::Run()  [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 172]
XRE_main()  [mozilla/toolkit/xre/nsAppRunner.cpp, line 846]
main()  [mozilla/mail/app/nsMailApp.cpp, line 63]
libc.so.6 + 0x158cc (0xb72cc8cc)

Reproducible: Sometimes

Steps to Reproduce:
1. Enable accessibility on the desktop.
2. Create a new message filter rule and hit the OK button on the dialog.
Actual Results:  
See above

Expected Results:  
See above
Keywords: access, sec508
Nothing in that stack says "Thunderbird" so much as it says "nsAccessible::Shutdown() makes a bad call." See also the very similar stack in bug 366434 (or, see whatever bug he meant with the circular reference in bug 366434 comment 1).
Assignee: mscott → aaronleventhal
Severity: major → critical
Component: Mail Window Front End → Disability Access APIs
Product: Thunderbird → Core
QA Contact: front-end → accessibility-apis
Summary: version 3 alpha 1 (20070109) → Crash hitting OK in dialog [@ nsQueryInterface::operator] called from [@ nsAccessible::Shutdown]
Version: unspecified → Trunk
Is there any 100% reproducible way to get the crash, in Thunderbird or Firefox?
Not 100%, but above 33%.
1) Open Thunderbird.
2) Click menu->File->New->Address Book Card.
3) Type something in the "First:" field, press Esc.
4) If it didn't crash, repeat steps 2) and 3).
Status: UNCONFIRMED → NEW
Ever confirmed: true
I agree with Ginn. The crashes occur about one-third of the time.
Some info from my debugging:

The crash takes place when shutting down the nsXULTextFieldAccessible: its mFirstChild is a raw pointer and has a value, but when we convert mFirstChild to a COMPtr and dereference the COMPtr in nsAccessible::Shutdown(), TB crashes.

When inputting in a textfield, nsDocAccessible::InvalidateCacheSubtree() will be called by nsDocAccessible::CharacterDataChanged(), so we keep creating new accessibles for the text. The mFirstChild which causes the crash is the very last accessible we created for the text.

I added prints in nsAccessible::~nsAccessible() and nsAccessible::Shutdown(), but didn't see the mFirstChild being shut down or destructed.
(In reply to comment #10)
> I added prints in nsAccessible::~nsAccessible() and nsAccessible::Shutdown(),
> but didn't see the mFirstChild being shut down or destructed.
> 
OK, now I see the mFirstChild was shut down.

The cause of this bug:
for a XUL textfield, we have both an nsXULTextFieldAccessible and an nsHTMLTextFieldAccessible for it. I can see both of them are Init()-ed, and set the same text accessible as their child. When we shut down one of the textfield accessibles, its child, the text accessible, is also shut down. Then when we go to shut down the other textfield accessible and access its child, which has already been shut down, it causes TB to crash.
Assignee: aaronleventhal → Evan.Yan
Evan pointed out on IRC that the html:input is getting the focus event, and thus it's creating an accessible for that and Init()'ing it. When the HTML input gets focus we really want to fire an event for the XUL textbox's accessible.

We might want to implement nsXULTextFieldAccessible::GetAllowsAnonChildAccessibles() and make it return PR_FALSE. The idea is that when the event happens nsRootAccessible::HandleEvent() gets it, which then gets the DOM node we really want for the event, from GetTargetNode() at http://lxr.mozilla.org/seamonkey/source/accessible/src/base/nsRootAccessible.cpp#806
That in turn uses accService->GetRelevantContentNodeFor().
If we're on an anonymous node, it checks to see if anonymous child accessibles are allowed by the parent via GetAllowsAnonChildAccessibles() (the method we mentioned before).
If they're not allowed, that means the event must be handled on the non-anonymous DOM node. In this case, if we return false for GetAllowsAnonChildAccessibles(), that would mean it would return the XUL textbox element, and not the html:input. That would avoid having the extra nsHTMLTextFieldAccessible created and init'd for html:input, which is anonymous.

But, I'm not sure if this would break the nsIAccessibleText/nsHyperTextAccessible stuff. Would need to try it.
Evan & I determined that the problem isn't GetAllowsAnonChildAccessibles() which is already returning the right thing, and thus GetRelevantContentNodeFor() returns the right node.

The problem is that GetRelevantContentNodeFor() isn't used to transform the node for the first focus event in the dialog, which is generated by FireCurrentFocusEvent().
Summary: Crash hitting OK in dialog [@ nsQueryInterface::operator] called from [@ nsAccessible::Shutdown] → Crash hitting OK in dialog [@ nsQueryInterface::operator] called from [@ nsAccessible::Shutdown] (when dialog's 1st widget is textbox)
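Added example, not Mozilla code: a small C++ model of the cause Evan describes (two textfield accessibles for one XUL textbox, both holding the same text child through a raw mFirstChild, so the second Shutdown() reaches an already-destroyed child) and of the target-node mapping the fix relies on. Node, Accessible, DocAccessible and SimulateDialog are assumed simplifications; GetRelevantContentNodeFor() here implements only the behaviour the thread attributes to it.

```cpp
#include <memory>
#include <vector>

struct Node { const char* tag; bool anonymous; Node* parent; };
// mFirstChild is a raw pointer, as in Gecko; alive stands in for "not yet deleted".
struct Accessible { Node* node; Accessible* mFirstChild; bool alive; };

// Only the behaviour the thread attributes to GetRelevantContentNodeFor(): step
// out of anonymous content when the bound element disallows anon child accessibles.
Node* GetRelevantContentNodeFor(Node* node, bool allowsAnonChildAccessibles) {
    while (node->anonymous && node->parent && !allowsAnonChildAccessibles)
        node = node->parent;
    return node;
}

struct DocAccessible {
    Accessible textChild{nullptr, nullptr, true};    // the one cached text accessible
    std::vector<std::unique_ptr<Accessible>> cache;  // textfield accessibles, creation order
    // Create and Init() the accessible for an event target; with the fix the
    // target is first mapped to the node we really want (the XUL textbox).
    Accessible* GetAccessibleFor(Node* target, bool mapToRelevantNode) {
        Node* n = mapToRelevantNode ? GetRelevantContentNodeFor(target, false) : target;
        for (auto& a : cache) if (a->node == n) return a.get();
        cache.emplace_back(new Accessible{n, &textChild, true});  // Init(): claim the text child
        return cache.back().get();
    }
    // ClearCache(): Shutdown() each live entry; a parent also destroys its child.
    // Returns how many parents still pointed at an already-destroyed child.
    int ClearCache() {
        int dangling = 0;
        for (auto& a : cache) {
            if (!a->alive) continue;
            if (Accessible* c = a->mFirstChild) { dangling += !c->alive; c->alive = false; }
            a->alive = false;
        }
        cache.clear();
        return dangling;
    }
};

// The dialog from the thread: the anonymous html:input gets the first focus
// event, then the XUL textbox itself is reached by the normal tree walk.
int SimulateDialog(bool useRelevantNode) {
    Node textbox{"textbox", false, nullptr};
    Node input{"input", true, &textbox};
    DocAccessible doc;
    doc.GetAccessibleFor(&input, useRelevantNode);
    doc.GetAccessibleFor(&textbox, true);
    return doc.ClearCache();  // 1 without the fix, 0 with it
}
```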
Attached patch patch (obsolete) — Splinter Review
Call GetRelevantContentNodeFor() to get the target node we really want for the event.
Attachment #251894 - Flags: review?(aaronleventhal)
Attached patch refined patch (Splinter Review)
Just a one-line change to the former patch, to initialize later.
Attachment #251894 - Attachment is obsolete: true
Attachment #251896 - Flags: review?(aaronleventhal)
Attachment #251894 - Flags: review?(aaronleventhal)
Comment on attachment 251896 [details] [diff] [review]
refined patch

Fine, check to see whether we really need the rv or whether just checking if targetNode != nsnull is enough.
Attachment #251896 - Flags: review?(aaronleventhal) → review+
(In reply to comment #16)
> Fine, check to see whether we really need the rv or whether just checking if
> targetNode != nsnull is enough.
> 
Yes, GetRelevantContentNodeFor() always returns NS_OK.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED