Ctrl + arrow in form text input crashes Firefox [@ nsNativeKeyBindings::KeyPress]

RESOLVED FIXED in mozilla1.9beta3

Status

Core
Keyboard: Navigation
--
critical
RESOLVED FIXED
11 years ago
7 years ago

People

(Reporter: Brad Jackson, Assigned: Evgeniy Ivanov)

Tracking

({crash, regression})

Trunk
mozilla1.9beta3
x86
Linux
crash, regression

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3pre) Gecko/2007122208 Firefox/3.0b3pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b3pre) Gecko/2007122208 Firefox/3.0b3pre

In my nightly trunk builds from CVS in recent days, pressing Ctrl + left or right arrow in a text input in a form or in the location bar crashes Firefox. Stack trace is below. Note that omit frame pointer and other GCC optimizations were enabled in my build, so the trace may be incomplete or inaccurate. The crash did not happen with omit frame pointer removed.

Reproducible: Always

Steps to Reproduce:
1. Press Ctrl + left or right arrow in a form's text input or the location bar
2. Firefox seg faults



Program received signal SIGSEGV, Segmentation fault.
0x08252a31 in nsNativeKeyBindings::KeyPress (this=0x92c8670, 
    aEvent=@0xbfd34094, aCallback=0x834ab64 <DoCommandCallback>, 
    aCallbackData=0x98156cc) at nsNativeKeyBindings.cpp:299
299       if (guiEvent &&
(gdb) bt
#0  0x08252a31 in nsNativeKeyBindings::KeyPress (this=0x92c8670, 
    aEvent=@0xbfd34094, aCallback=0x834ab64 <DoCommandCallback>, 
    aCallbackData=0x98156cc) at nsNativeKeyBindings.cpp:299
#1  0x0834771c in nsTextInputListener::KeyPress (this=0x9846d38, 
    aKeyEvent=0xb43507e8) at nsTextControlFrame.cpp:477
#2  0x0846f417 in nsEventListenerManager::HandleEvent (this=0x981b0e8, 
    aPresContext=0x913b138, aEvent=0xbfd344dc, aDOMEvent=0xbfd34230, 
    aCurrentTarget=0x97e6a00, aFlags=518, aEventStatus=0xbfd34234)
    at nsEventListenerManager.cpp:184
#3  0x08485646 in nsEventTargetChainItem::HandleEvent (this=0xb2a22848, 
    aVisitor=@0xbfd34228, aFlags=518) at nsEventDispatcher.cpp:206
#4  0x08485765 in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xb2a229a8, aVisitor=@0xbfd34228, aFlags=518, aCallback=0xbfd34294)
    at nsEventDispatcher.cpp:264
#5  0x0848587f in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xb2a229a8, aVisitor=@0xbfd34228, aFlags=518, aCallback=0xbfd34294)
    at nsEventDispatcher.cpp:316
#6  0x08486166 in nsEventDispatcher::Dispatch (aTarget=0x97e6a00, 
    aPresContext=0x913b138, aEvent=0xbfd344dc, aDOMEvent=0x0, 
    aEventStatus=0xbfd34350, aCallback=0xbfd34294) at nsEventDispatcher.cpp:479
#7  0x082d0ec7 in PresShell::HandleEventInternal (this=0x94027c0, 
    aEvent=0xbfd344dc, aView=0x92adbc0, aStatus=0xbfd34350)
    at nsPresShell.cpp:5822
---Type <return> to continue, or q <return> to quit--- 
#8  0x082d22d9 in PresShell::HandleEvent (this=0x94027c0, aView=0x92adbc0, 
    aEvent=0xbfd344dc, aEventStatus=0xbfd34350) at nsPresShell.cpp:5622
#9  0x084e544a in nsViewManager::HandleEvent (this=0x92adb60, aView=0x92adbc0, 
    aPoint=@0xbfd343d0, aEvent=0xbfd344dc, aCaptured=0)
    at nsViewManager.cpp:1295
#10 0x084e86c4 in nsViewManager::DispatchEvent (this=0x92adb60, 
    aEvent=0xbfd344dc, aStatus=0xbfd34430) at nsViewManager.cpp:1251
#11 0x084e3ee3 in HandleEvent (aEvent=0xbfd344dc) at nsView.cpp:168
#12 0x0827959f in nsCommonWidget::DispatchEvent (this=0x92a05a8, 
    aEvent=0xbfd344dc, aStatus=@0xbfd345b8) at nsCommonWidget.cpp:156
#13 0x08277df5 in nsWindow::OnKeyPressEvent (this=0x92a05a8, 
    aWidget=0x9217cc0, aEvent=0x8ea7ea0) at nsWindow.cpp:2396
#14 0x082784b6 in key_press_event_cb (widget=0x9217cc0, event=0x8ea7ea0)
    at nsWindow.cpp:4706
#15 0x4ce1f56c in JS_DHashAllocTable () at jsdhash.c:88
#16 0x4c85de9d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#17 0x4c87160c in JS_DHashAllocTable () at jsdhash.c:88
#18 0x4c872f46 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#19 0x4c87357b in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#20 0x4cf45fa3 in JS_DHashAllocTable () at jsdhash.c:88
#21 0x4cf57346 in gtk_window_propagate_key_event ()
   from /usr/lib/libgtk-x11-2.0.so.0
#22 0x4cf5a66e in JS_DHashAllocTable () at jsdhash.c:88
---Type <return> to continue, or q <return> to quit---
#23 0x4ce1f56c in JS_DHashAllocTable () at jsdhash.c:88
#24 0x4c85c6ce in JS_DHashAllocTable () at jsdhash.c:88
#25 0x4c85de9d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#26 0x4c8717ac in JS_DHashAllocTable () at jsdhash.c:88
#27 0x4c872f46 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#28 0x4c87357b in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#29 0x4cf45fa3 in JS_DHashAllocTable () at jsdhash.c:88
#30 0x4ce183d7 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#31 0x4ce1959c in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#32 0x4cbcedc8 in JS_DHashAllocTable () at jsdhash.c:88
#33 0x4c693932 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#34 0x4c696d44 in JS_DHashAllocTable () at jsdhash.c:88
#35 0x4c69724c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#36 0x08259f71 in nsBaseAppShell::DoProcessNextNativeEvent (this=0x8ed6a00, 
    mayWait=1) at nsBaseAppShell.cpp:137
#37 0x0825a207 in nsBaseAppShell::OnProcessNextEvent (this=0x8ed6a00, 
    thr=0x8ece738, mayWait=1, recursionDepth=0) at nsBaseAppShell.cpp:247
#38 0xb7dbdace in JS_DHashAllocTable () at jsdhash.c:88
#39 0x08ed6a00 in ?? ()
#40 0x08ece738 in ?? ()
#41 0x00000001 in ?? ()
#42 0x00000001 in ?? ()
#43 0x00000001 in ?? ()
(Reporter)

Updated

11 years ago
Version: unspecified → Trunk
Summary: Ctrl + arrow in form text input crashes Firefox → Ctrl + arrow in form text input crashes Firefox [@ nsNativeKeyBindings::KeyPress]

Updated

11 years ago
Flags: blocking-firefox3?
Keywords: crash

Comment 1

11 years ago
I see it, too.
Minefield crashes when [Tab], [Ctrl]+[V], etc. are typed in a text field.
----------------------------------------------------------------------
Using Minefield (contributed build by Sun):
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/contrib/latest-trunk/firefox-3.0b3pre.en-US.solaris11-i386.tar.bz2

Build identifier: Mozilla/5.0 (X11; U; SunOS i86pc; ja; rv:1.9b3pre) Gecko/2007122402 Minefield/3.0b3pre

Build platform
target
i386-pc-solaris2.11

Build tools
Compiler 	Version 	Compiler flags
/ws/onnv-tools-prc/SUNWspro/SS11/bin/cc 	Sun C 5.8 Patch 121016-05 2007/01/10 	-xlibmopt -xstrconst -xbuiltin=%all -mt
/ws/onnv-tools-prc/SUNWspro/SS11/bin/CC 	Sun C++ 5.8 Patch 121018-07 2006/11/01 	-xlibmil -xlibmopt -lCrun -lCstd -xbuiltin=%all -features=tmplife -norunpath -mt

Configure arguments
--enable-application=browser --enable-dtrace --enable-xinerama --disable-tests --srcdir=/export/home/mozilla/uild/firefox-nightly/src/mozilla
----------------------------------------------------------------------
Stack trace:

t@1 (l@1) terminated by signal SEGV (セグメント例外)
0xd115f1b5: __lwp_kill+0x0015:  jae      __lwp_kill+0x23        [ 0xd115f1c3, .+0xe ]
(dbx) where
current thread: t@1
=>[1] __lwp_kill(0x1, 0xb), at 0xd115f1b5 
  [2] _thr_kill(0x1, 0xb), at 0xd115bccb 
  [3] raise(0xb), at 0xd1116a62 
  [4] nsProfileLock::FatalSignalHandler(0xb, 0x0, 0x8045794), at 0xcf8ab2d2 
  [5] __sighndlr(0xb, 0x0, 0x8045794, 0xcf8ab1ec), at 0xd115dcaf 
  ---- called from signal handler with signal 11 (SIGSEGV) ------
  [6] gtk_bindings_activate_event(0x8d5b9f8, 0x630065), at 0xce6b2bc0 
  [7] nsNativeKeyBindings::KeyPress(0x8da7118, 0x8045a14, 0xcfba58dc, 0x9256064), at 0xd0486f0f 
  [8] nsTextInputListener::KeyPress(0x8dbb318, 0x8d95a30), at 0xcfba5fed 
  [9] DispatchToInterface(0x8d95a30, 0x8dbb320, 0xcfd4f4cc, 0x0, 0xd0cf1c50), at 0xcfd4a0d5 
  [10] nsEventListenerManager::HandleEvent(0x8dbb740, 0x8bed948, 0x8045f84, 0x8045c40, 0x925e2a0, 0x206, 0x8045c44), at 0xcfd4d4f7 
  [11] nsEventTargetChainItem::HandleEvent(0x9043fc0, 0x8045c38, 0x206), at 0xcfd78a2d 
  [12] nsEventTargetChainItem::HandleEventTargetChain(0x9044260, 0x8045c38, 0x206, 0x8045cc8), at 0xcfd78b99 
  [13] nsEventTargetChainItem::HandleEventTargetChain(0x9044260, 0x8045c38, 0x6, 0x8045cc8), at 0xcfd78d04 
  [14] nsEventDispatcher::Dispatch(0x925e2a0, 0x8bed948, 0x8045f84, 0x0, 0x8045ebc, 0x8045cc8), at 0xcfd792a6 
  [15] PresShell::HandleEventInternal(0x8d25d28, 0x8045f84, 0x8bee280, 0x8045ebc), at 0xcfb0466e 
  [16] PresShell::HandleEvent(0x8d25d28, 0x8bee280, 0x8045f84, 0x8045ebc), at 0xcfb03f78 
  [17] nsViewManager::DispatchEvent(0x91a44a0, 0x8045f84, 0x8045eec), at 0xcfef0afc 
  [18] HandleEvent(0x8045f84), at 0xcfeea366 
  [19] nsCommonWidget::DispatchEvent(0x91c6338, 0x8045f84, 0x804606c), at 0xd047afaa 
  [20] nsWindow::OnKeyPressEvent(0x91c6338, 0x817fb68, 0x809dae8), at 0xd046de6b 
  [21] key_press_event_cb(0x817fb68, 0x809dae8, 0x0), at 0xd04745d0 
  [22] _gtk_marshal_BOOLEAN__BOXED(0x84eef58, 0x8046180, 0x2, 0x804623c, 0x804619c, 0x0), at 0xce76799c 
  [23] g_closure_invoke(0x84eef58, 0x8046180, 0x2, 0x804623c, 0x804619c), at 0xcec6edd3 
  [24] signal_emit_unlocked_R(0x80b6838, 0x0, 0x817fb68, 0x80463bc, 0x804623c), at 0xcec82ac6 
  [25] g_signal_emit_valist(0x817fb68, 0x33, 0x0, 0x80464b0), at 0xcec81b76 
  [26] g_signal_emit(0x817fb68, 0x33, 0x0, 0x809dae8, 0x80464d4), at 0xcec81f6d 
  [27] gtk_widget_event_internal(0x817fb68, 0x809dae8), at 0xce86a07b 
  [28] gtk_widget_event(0x817fb68, 0x809dae8), at 0xce869d0d 
  [29] gtk_window_propagate_key_event(0x8189348, 0x809dae8), at 0xce87583d 
  [30] gtk_window_key_press_event(0x8189348, 0x809dae8, 0x80b3e78), at 0xce875908 
  [31] _gtk_marshal_BOOLEAN__BOXED(0x80b5d50, 0x8046640, 0x2, 0x80466fc, 0x804665c, 0xce8758d8), at 0xce76799c 
  [32] g_type_class_meta_marshal(0x80b5d50, 0x8046640, 0x2, 0x80466fc, 0x804665c, 0xcc), at 0xcec6f0b4 
  [33] g_closure_invoke(0x80b5d50, 0x8046640, 0x2, 0x80466fc, 0x804665c), at 0xcec6edd3 
  [34] signal_emit_unlocked_R(0x80b6838, 0x0, 0x8189348, 0x804687c, 0x80466fc), at 0xcec82c8a 
  [35] g_signal_emit_valist(0x8189348, 0x33, 0x0, 0x8046970), at 0xcec81b76 
  [36] g_signal_emit(0x8189348, 0x33, 0x0, 0x809dae8, 0x8046994), at 0xcec81f6d 
  [37] gtk_widget_event_internal(0x8189348, 0x809dae8), at 0xce86a07b 
  [38] gtk_widget_event(0x8189348, 0x809dae8), at 0xce869d0d 
  [39] gtk_propagate_event(0x8189348, 0x809dae8), at 0xce76668d 
  [40] gtk_main_do_event(0x809dae8, 0x0), at 0xce765681 
  [41] gdk_event_dispatch(0x80a2770, 0x0, 0x0), at 0xce9c6d22 
  [42] g_main_dispatch(0x80a27b8), at 0xcebe517d 
  [43] g_main_context_dispatch(0x80a27b8), at 0xcebe626d 
  [44] g_main_context_iterate(0x80a27b8, 0x1, 0x1, 0x8083e38), at 0xcebe668a 
  [45] g_main_context_iteration(0x80a27b8, 0x1), at 0xcebe68e3 
  [46] nsAppShell::ProcessNextNativeEvent(0x8157118, 0x1), at 0xd0478efd 
  [47] nsBaseAppShell::OnProcessNextEvent(0x8157118, 0x80c8d28, 0x1, 0x0), at 0xd04922d8 
  [48] nsThread::ProcessNextEvent(0x80c8d28, 0x1, 0x8046c30), at 0xd05f2f23 
  [49] NS_ProcessNextEvent_P(0x80c8d28, 0x1), at 0xd05a02eb 
  [50] nsBaseAppShell::Run(0x8157118), at 0xd049211b 
  [51] nsAppStartup::Run(0x818dd80), at 0xd0282c71 
  [52] XRE_main(0x1, 0x8047090, 0x80837c8), at 0xcf8a1d32 
  [53] main(0x1, 0x8047090, 0x8047098), at 0x8051714 

Comment 2

I presume this is a regression?

Comment 3

11 years ago
Until Gecko/2007121902, crashes didn't occur.
From  Gecko/2007122002, crashes occur.

Comment 4

Tsuyoshi SASAMOTO, thank you for your clarification. To be even clearer, could you please test with your two builds, and give us the build IDs as reported by putting:

about:

in the URL bar, pressing enter, and reporting the "Build identifier:". Thank you!

Comment 5

11 years ago
Is this right?

Crashes didn't occur:
Build identifier: Mozilla/5.0 (X11; U; SunOS i86pc; ja; rv:1.9b3pre) Gecko/2007121902 Minefield/3.0b3pre

Crashes occur:
Build identifier: Mozilla/5.0 (X11; U; SunOS i86pc; ja; rv:1.9b3pre) Gecko/2007122002 Minefield/3.0b3pre

Comment 6

Tsuyoshi SASAMOTO, I am not sure it is right. In comment 3 you say

> Until Gecko/2007121902, crashes didn't occur.
> From  Gecko/2007122002, crashes occur.

which means in 2007-12-19 hour 02 you had no crash
but in 2007-12-20 hour 02 you had a crash

But then in comment 5 you say:
> No-crash: 2007121902 Minefield/3.0b3pre
> Crash: 2007122002 Minefield/3.0b3pre

which means in 2007-12-19 hour 02 you had no crash (MATCHES!)
but in 2007-12-22 hour 02 you had a crash (DIFFERENT FROM THE ORIGINAL CRASH RANGE!)

So I don't know what to believe!

Comment 7

11 years ago
(In reply to comment #6)

Hmm... It's an illusion. Please see comment 5 carefully.
I wrote Gecko/2007122002, NOT Gecko/2007122202.

Updated

11 years ago
Blocks: 406407

Comment 9

11 years ago
Regression coming from bug 406407.

For some reason, I can't reproduce the crash using an official build.
Status: UNCONFIRMED → NEW
Component: General → Keyboard: Navigation
Ever confirmed: true
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: general → keyboard.navigation
Keywords: regression
Assignee: nobody → lolkaantimat

Comment 10

11 years ago
bug 406407 is fixed now, so this shouldn't crash any more.

Brad, Tsuyoshi, please reopen if you still see this crash.



Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M11
(Reporter)

Comment 11

11 years ago
The crash is fixed with the latest from trunk.

Comment 12

11 years ago
Now it works without crashes, thanks.

Build identifier: Mozilla/5.0 (X11; U; SunOS i86pc; ja; rv:1.9b3pre) Gecko/2007123102 Minefield/3.0b3pre
Crash Signature: [@ nsNativeKeyBindings::KeyPress]