Closed Bug 408463 Opened 17 years ago Closed 17 years ago

top crash @ nsAutoCompleteController::HandleStartComposition(), RevertTextValue() and HandleKeyNavigation()

Categories

(Firefox :: Address Bar, defect, P1)

Product:
Firefox
Component:
Address Bar
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 3 beta3

People

(Reporter: moco, Assigned: moco)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(2 files, 1 obsolete file)

patch
1.10 KB, patch
asaf
: review+
Details | Diff | Splinter Review
updated bulletproofing
2.23 KB, patch
asaf
: review+
Details | Diff | Splinter Review 
top crash @ nsAutoCompleteController::HandleStartComposition()

From a crash report:  http://crash-stats.mozilla.com/report/index/27165375-a90f-11dc-99a5-001a4bd43e5c

Looking at the code:

 339    // Stop all searches in case they are async.
 340    StopSearch();
 341                   
 342    PRBool isOpen;
 343    mInput->GetPopupOpen(&isOpen);

From the stack:

0	nsAutoCompleteController::HandleStartComposition()	mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:343 
1	NS_InvokeByIndex_P	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 
2	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2347 
3	XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*)	mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1467

This sounds familiar, right?  (See bug #395344)

After we call StopSearch(), we need to check mInput

Something like:

   // Stop all searches in case they are async.
   StopSearch();
 
+  if (!mInput) {
+    // StopSearch() can call PostSearchCleanup() which might result
+    // in a blur event, which could null out mInput, so we need to check it
+    // again.  See bug #395344 for more details
+    return NS_OK;
+  }
Flags: blocking-firefox3?
Attached patch patchSplinter Review 

        Attachment #293276 -
        Flags: review?(gavin.sharp)
Severity: major → critical
Keywords: crash

    
    

    
  
From http://crash-stats.mozilla.com/?do_query=1&product=Firefox&query_search=signature&query_type=contains&query=nsAutoCompleteController&date=&range_value=1&range_unit=weeks, it looks like this is happening in a few other places:

nsAutoCompleteController::RevertTextValue()

1136                   nsresult
1137                   nsAutoCompleteController::RevertTextValue()
1138                   {
1139                     nsAutoString oldValue(mSearchString);
1140                     
1141                     PRBool cancel = PR_FALSE;
1142                     mInput->OnTextReverted(&cancel);  

nsAutoCompleteController::EnterMatch()

and 

nsAutoCompleteController::HandleKeyNavigation()

I'll audit nsAutoCompleteController and add the check for !mInput after calls to StopSearch() where necessary.

Status: NEW → ASSIGNED
Priority: -- → P1

    
    

    
  
Comment on attachment 293276 [details] [diff] [review]
patch

r=mano

        Attachment #293276 -
        Flags: review?(gavin.sharp) → review+
Flags: blocking-firefox3? → blocking-firefox3+

    
    

    
  
Checking in nsAutoCompleteController.cpp;
/cvsroot/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp,v  <--  nsAutoCompleteController.cpp
new revision: 1.73; previous revision: 1.72
done

fixed checked in, but I still need to audit and the rest of the code for other instances and fix them.

I'll do that in a follow up patch.




    
    

    
  
this patch contains the fix for crash in 
nsAutoCompleteController::RevertTextValue(), which makes sense as we are calling StopSearch() before calling RevertTextValue().

this patch contains another fix for a crash in nsAutoCompleteController::HandleKeyNavigation(), but I'm not seeing where StopSearch() is happening, so I've bulletproofed and added a warning.

the crash in nsAutoCompleteController::EnterMatch() from crash-stat was from a long time ago, and was just once, so I'm not as worried about it, but I'll keep an eye on it:

http://crash-stats.mozilla.com/?do_query=1&product=Firefox&query_search=signature&query_type=contains&query=nsAutoCompleteController&date=&range_value=1&range_unit=months

    
    

    
  
I've logged a spin off bug #409902, per mano, to figure out why mInput is null in HandleKeyNavigation().
No longer blocks: 409902
Summary: top crash @ nsAutoCompleteController::HandleStartComposition() → top crash @ nsAutoCompleteController::HandleStartComposition(), RevertTextValue() and HandleKeyNavigation()

    
    

    
  


  

        Attachment #293786 -
        Attachment is obsolete: true

        Attachment #294614 -
        Flags: review?(mano)

        Attachment #293786 -
        Flags: review?(mano)

    
    

    
  
Comment on attachment 294614 [details] [diff] [review]
updated bulletproofing

r=mano

        Attachment #294614 -
        Flags: review?(mano) → review+

    
    

    
  
fixed.

Checking in toolkit/components/autocomplete/src/nsAutoCompleteController.cpp;
/cvsroot/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp,v  <--  nsAutoCompleteController.cpp
new revision: 1.74; previous revision: 1.73
done


Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
    

    
  
I ran separate queries for the three methods listed in comment 6, and http://crash-stats.mozilla.com couldn't find any current crashers.

Verified FIXED
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: