Closed Bug 490196 Opened 15 years ago Closed 15 years ago

Firefox crashes when click the spinarrow button to increment and then decrement [@ nsButtonBoxFrame::DoMouseClick]

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Version:
1.9.0 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1
Tracking Flags:
Tracking Status
blocking1.9.1 --- .2+
status1.9.1 --- .2-fixed

People

(Reporter: htoshi73, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files)

Stack
11.27 KB, text/plain
Details
patch
794 bytes, patch
roc
: review+
roc
: superreview+
samuel.sidler+old
: approval1.9.1.2+
dveditz
: approval1.9.0.14+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.0.9) Gecko/2009040821 Firefox/3.0.9

Firefox crashes when remember visited pages is set to 0

Reproducible: Always

Steps to Reproduce:
1. Go to Tool->Option->Privacy setting page.
2. In the history area "Remember visited pages for the last xxx days",
click the up-arrow button to increment the value, and decrement it.
When the value decreased to "0", Firefox crashes.



I have sent 2 crash reports.

http://crash-stats.mozilla.com/report/index/be096666-7fee-49d6-aa67-0038f2090425
http://crash-stats.mozilla.com/report/index/57c34c31-3365-4c85-87bb-35dfe2090425
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp&rev=1.45&mark=142#138

UUID	57c34c31-3365-4c85-87bb-35dfe2090425
Crash Address	0x0
nsButtonBoxFrame::DoMouseClick	 mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp:143
nsAutoRepeatBoxFrame::Notify	mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp:191
nsAutoRepeatBoxFrame::Notify	mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp:89
nsRepeatService::Notify	mozilla/layout/xul/base/src/nsRepeatService.cpp:116
nsTimerImpl::Fire	mozilla/xpcom/threads/nsTimerImpl.cpp:443
...
nsXULWindow::ShowModal	mozilla/xpfe/appshell/src/nsXULWindow.cpp:401
nsContentTreeOwner::ShowAsModal	mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp:524
xul.dll@0x2fe363	
nsWindowWatcher::OpenWindowJS	mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:484 

some frame things null check mContent, this file doesn't,
Component: Preferences → XP Toolkit/Widgets: XUL
Keywords: crash
Product: Firefox → Core
QA Contact: preferences → xptoolkit.xul
Summary: Firefox crashes when remember visited pages is set to 0 → Firefox crashes when click the spinarrow button to increment and then decrement [@ nsButtonBoxFrame::DoMouseClick]
Version: unspecified → 1.9.0 Branch
Severity: normal → critical
Same in Firefox 3.0.11 (the new official version):

http://crash-stats.mozilla.com/report/index/cd7ec7f4-713c-41ac-8ac6-b53fe2090611
New Version, same problem (v3.5) and still unconfirmed :/
Report for v3.5
http://crash-stats.mozilla.com/report/index/55e0f49f-f7b8-4b18-8985-3698c2090701
Confirming. qawanted: can someone confirm this?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: wanted1.9.1.x?
Flags: wanted1.9.0.x?
Keywords: qawanted
Achim, normally the down arrow should be disabled after you clicked it and the box has a value of 1. Don't you see that?

Can you please further run Firefox in Safe Mode? So we can check if an extension is causing this crash: http://support.mozilla.com/kb/Safe+Mode
I can click the arrows (from the cache) down from 1 to 0 and than it crash.

Safe-Mode:
I started Firefox in Safe-Mode and didn't disable anything at the start.
Result: No crash when i lower the cache with the arrows to 0 MB

Normal-Mode:
Lowering the cache with the arrows to 0MB -> Crash
Lowering the cash with Mouse and Keybord (not the arrows) to 0 MB -> No Crash
I found the failure...
With Noia2.0 (extreme) Theme = Crash
With normal standard Theme = no crash

Omg ^^
Thanks Achim! That looks good and I'm able to reproduce the crash. Let's see what is causing this crash. I'll come up with an analysis shortly.
OS: Windows XP → All
Hardware: x86 → All
Attached file Stack 
The member mContent is somehow warped and points to an invalid address:

gdb) frame 0
#0  0x1338b360 in nsButtonBoxFrame::DoMouseClick (this=0x1d3645a8, aEvent=0x0, aTrustEvent=221) at /data/build/shiretoko/layout/xul/base/src/nsButtonBoxFrame.cpp:142
142	  if (mContent->AttrValueIs(kNameSpaceID_None, nsGkAtoms::disabled,
(gdb) l
137	
138	void 
139	nsButtonBoxFrame::DoMouseClick(nsGUIEvent* aEvent, PRBool aTrustEvent) 
140	{
141	  // Don't execute if we're disabled.
142	  if (mContent->AttrValueIs(kNameSpaceID_None, nsGkAtoms::disabled,
143	                            nsGkAtoms::_true, eCaseMatters))
144	    return;
145	
146	  // Execute the oncommand event handler.
(gdb) p mContent
$1 = (class nsIContent *) 0xdddddddd
(gdb) p *mContent
Cannot access memory at address 0xdddddddd
Olli, would you have time to have a look at this?
Keywords: qawanted
Flags: blocking1.9.1.1?
Flags: blocking1.9.0.13?
Assignee: nobody → Olli.Pettay
Group: core-security
Can't reproduce on linux. Testing now on OSX.
Attached patch patchSplinter Review 
a bit tricky to debug, but simple fix.
Attachment #386487 - Flags: superreview?(roc)
Attachment #386487 - Flags: review?(roc)
Attachment #386487 - Flags: superreview?(roc)
Attachment #386487 - Flags: superreview+
Attachment #386487 - Flags: review?(roc)
Attachment #386487 - Flags: review+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Even though the initial description would not amount to a "critical" bug (manual UI fiddling with non-default theme) I'm guessing this could be reproduced with the right web content. We'll want a crashtest for the regression-testing suite and verifying on branches anyway.
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
Verified fixed on trunk with builds on OS X and Windows:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090703 Minefield/3.6a1pre
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Keywords: testcase-wantedtestcase
Target Milestone: --- → mozilla1.9.2a1
Flags: wanted1.9.1.x?
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.13? → blocking1.9.0.13+
Not for 1.9.1.1, but we'll block on this for 1.9.1.2.
Flags: blocking1.9.1.1?
Whiteboard: [sg:critical?] → [sg:critical?][1.9.1.2+]
blocking1.9.1: --- → .2+
status1.9.1: --- → wanted
Is this ready to land? If so, can we get it on mozilla-1.9.1?
Comment on attachment 386487 [details] [diff] [review]
patch

Applies to branches with some fuzz.
Attachment #386487 - Flags: approval1.9.1.2?
Attachment #386487 - Flags: approval1.9.0.12?
Comment on attachment 386487 [details] [diff] [review]
patch

Approved for 1.9.1.2. a=ss for release-drivers

(We'll be back to approve for 1.9.0.13.)
Attachment #386487 - Flags: approval1.9.1.2?
Attachment #386487 - Flags: approval1.9.1.2+
Attachment #386487 - Flags: approval1.9.0.13?
Attachment #386487 - Flags: approval1.9.0.12?
Comment on attachment 386487 [details] [diff] [review]
patch

Approved for 1.9.0.13, a=dveditz for release-drivers
Attachment #386487 - Flags: approval1.9.0.13? → approval1.9.0.13+
Verified fixed on 1.9.1 with builds on all platforms like Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2pre) Gecko/20090729 Shiretoko/3.5.2pre (.NET CLR 3.5.30729) ID:20090729045022
Keywords: verified1.9.1
Whiteboard: [sg:critical?][1.9.1.2+] → [sg:critical?]
Checking in layout/xul/base/src/nsScrollBoxFrame.cpp;
/cvsroot/mozilla/layout/xul/base/src/nsScrollBoxFrame.cpp,v  <--  nsScrollBoxFrame.cpp
new revision: 1.78; previous revision: 1.77
done
Keywords: fixed1.9.0.14
Verified on 1.9.0 with builds on Windows and OS X like: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.14pre) Gecko/2009081004 GranParadiso/3.0.14pre ID:2009081004
Keywords: fixed1.9.0.14verified1.9.0.14
Group: core-security
Crash Signature: [@ nsButtonBoxFrame::DoMouseClick]
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: