Closed Bug 506838 Opened 15 years ago Closed 15 years ago

Crash bug when moving mouse between fields [@AllowedToAct(JSContext*, int) ]

Categories

(Core :: XPConnect, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

Tracking

VERIFIED FIXED
Tracking Status
blocking1.9.1 --- .3+
status1.9.1 --- .3-fixed

People

(Reporter: sroussey, Assigned: mrbkap)

Details

(Keywords: crash, regression, verified1.9.1, Whiteboard: [sg:investigate])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Fx crashes when moving mouse between fields. The file is an example that is an attachment to another bug report I am interested in, though I think this crashing is unrelated. 

Reproducible: Always

Steps to Reproduce:
1. Go to https://bug418280.bugzilla.mozilla.org/attachment.cgi?id=304082
2. Move the mouse between fields quickly


Actual Results:  
Crash

Expected Results:  
No crash

If you install and activate firebug to receive the console.log calls, it does not crash.
OS: Windows NT → Windows 7
bp-119f6969-6019-4697-812b-e53e12090727

Signature	AllowedToAct(JSContext*, int)
UUID	119f6969-6019-4697-812b-e53e12090727
Time 	2009-07-27 20:32:58.513851
Uptime	27
Last Crash	34 seconds before submission
Product	Firefox
Version	3.5.1
Build ID	20090715094852
Branch	1.9.1
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x20
User Comments	
Processor Notes 	

0  	xul.dll  	AllowedToAct  	 js/src/xpconnect/src/XPCSystemOnlyWrapper.cpp:205
1 	xul.dll 	XPC_SOW_toString 	js/src/xpconnect/src/XPCSystemOnlyWrapper.cpp:669
2 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1386
3 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1447
4 	js3250.dll 	js_TryMethod 	js/src/jsobj.cpp:5517
5 	js3250.dll 	js_DefaultValue 	js/src/jsobj.cpp:4742
6 	js3250.dll 	js_ValueToString 	js/src/jsstr.cpp:2966
7 	js3250.dll 	js_ReportUncaughtException 	js/src/jsexn.cpp:1263
8 	js3250.dll 	js3250.dll@0x83a03 	
9 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:247
10 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1098
11 	xul.dll 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1206
12 	xul.dll 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:236
13 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:300
14 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:514
15 	xul.dll 	nsEventStateManager::DispatchMouseEvent 	content/events/src/nsEventStateManager.cpp:3697
16 	xul.dll 	xul.dll@0x2e3c47 	
17 	xul.dll 	nsEventStateManager::NotifyMouseOver 	content/events/src/nsEventStateManager.cpp:3810
18 	xul.dll 	nsEventStateManager::GenerateMouseEnterExit 	content/events/src/nsEventStateManager.cpp:3851
19 	xul.dll 	nsEventStateManager::PreHandleEvent 	content/events/src/nsEventStateManager.cpp:999
20 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6307
21 	xul.dll 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6205
22 	xul.dll 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6065
23 	xul.dll 	nsViewManager::HandleEvent 	view/src/nsViewManager.cpp:1400
24 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1359
25 	xul.dll 	HandleEvent 	view/src/nsView.cpp:168
26 	xul.dll 	nsWindow::DispatchEvent 	widget/src/windows/nsWindow.cpp:1051
27 	nssutil3.dll 	nssutil3.dll@0x1bb 	
28 	xul.dll 	nsWindow::DispatchMouseEvent 	widget/src/windows/nsWindow.cpp:6605
29 	xul.dll 	ChildWindow::DispatchMouseEvent 	widget/src/windows/nsWindow.cpp:6752
30 	xul.dll 	nsWindow::ProcessMessage 	widget/src/windows/nsWindow.cpp:4618
31 	xul.dll 	nsWindow::WindowProc 	widget/src/windows/nsWindow.cpp:1267
32 	user32.dll 	InternalCallWinProc 	
33 	user32.dll 	UserCallWinProcCheckWow 	
34 	user32.dll 	DispatchMessageWorker 	
35 	user32.dll 	DispatchMessageW 	
36 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/src/windows/nsAppShell.cpp:165
37 	winmm.dll 	timeGetTime
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 7 → Windows XP
Summary: Crash bug when moving mouse between fields → Crash bug when moving mouse between fields [@AllowedToAct(JSContext*, int) ]
Just on 3.5 branch, it seems.
Version: unspecified → 3.5 Branch
CCing mrbkap/smaug/John by Bug 418280 comment 10.
Component: General → XPConnect
Product: Firefox → Core
QA Contact: general → xpconnect
Version: 3.5 Branch → 1.9.1 Branch
blocking1.9.1: --- → ?
Group: core-security
fwiw, on 1.8.1/1.9.0 branch and MC there are just uncaught exceptions listed in error console output:

Error: uncaught exception: null
Error: uncaught exception: [object HTMLBodyElement]
Error: uncaught exception: [object HTMLInputElement]
Error: uncaught exception: [object HTMLHtmlElement]

and I failed to find an MC build that crashes, which is weird.
Assignee: nobody → mrbkap
As they are related, it would be awesome to close these as part of the fix:

https://bugzilla.mozilla.org/show_bug.cgi?id=418280
https://bugzilla.mozilla.org/show_bug.cgi?id=101197
https://bugzilla.mozilla.org/show_bug.cgi?id=208427

#208427 is the bug that jquery, extjs, dojo, mootools, etc reference, though that bug is technically about originalTarget not relatedTarget. It would have been better to reference #101197 from 2001. #418280 is more specific about the input element rather than the textarea, and gave the example I used as the test case for the crashing bug in Fx 3.5.x. At any rate, user JS code should not get the internal anonymous div in relatedTarget as that causes a permissions exception on accessing chrome objects when this crashing bug gets fixed.

Thanks,
Steven Roussey
Attached patch: Proposed fix
GetCxSubjectPrincipalAndFrame returns a non-scripted frame if there is only a native frame running but we got the principal off of the context's global object. So we have to deal with that.
Attachment #393060 - Flags: superreview?(jst)
Attachment #393060 - Flags: review?(jst)
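The condition described in the comment above, as an added C++ sketch; it is not the attached patch and not Mozilla's code. The types, the names `SubjectPrincipalAndFrame` and `AllowedToActModel`, and the allow policy are assumptions made for illustration.

```cpp
#include <cstring>

// Hypothetical, simplified stand-ins; these are not Mozilla's real types.
struct Script { const char* filename; };
struct Frame {
    const Script* script;  // nullptr for a native (non-scripted) frame
};
struct Context {
    const Frame* top;        // innermost running frame, nullptr if none
    const char*  principal;  // principal taken from the context's global object
};

// Models the behaviour in the comment: with only a native frame running, the
// principal comes from the global object, but the frame handed back is still
// that native frame, which carries no script.
const char* SubjectPrincipalAndFrame(const Context& cx, const Frame** fp) {
    *fp = cx.top;
    return cx.principal;
}

enum class Decision { Allow, Deny };

// Assumed policy for this sketch: the "system" principal and scripts loaded
// from chrome:// may act; everything else is denied (fail closed).
Decision AllowedToActModel(const Context& cx) {
    const Frame* fp = nullptr;
    const char* principal = SubjectPrincipalAndFrame(cx, &fp);
    if (!principal) return Decision::Deny;
    if (std::strcmp(principal, "system") == 0) return Decision::Allow;

    // The guard: a missing frame or a native frame has no script to inspect.
    // Reading fp->script->filename without it dereferences a null pointer.
    if (!fp || !fp->script || !fp->script->filename) return Decision::Deny;

    static const char kPrefix[] = "chrome://";
    return std::strncmp(fp->script->filename, kPrefix, sizeof(kPrefix) - 1) == 0
               ? Decision::Allow : Decision::Deny;
}

int main() {
    Frame native{nullptr};                        // constructed sample input
    Context cx{&native, "https://example.test"};  // native frame, web principal
    return AllowedToActModel(cx) == Decision::Deny ? 0 : 1;
}
```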
Which bug regressed this? Is this needed on the 1.9.0 branch also?
blocking1.9.1: ? → .3+
Flags: wanted1.9.0.x?
Attachment #393060 - Flags: superreview?(jst)
Attachment #393060 - Flags: superreview+
Attachment #393060 - Flags: review?(jst)
Attachment #393060 - Flags: review+
Blake: Where are we on getting this landed on m-c? Code freeze for 1.9.1.3 is tomorrow at midnight. Also, please answer Dan's comment 8.
Blocks: 475864
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified fixed for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729). No longer crashes as it does with 1.9.1.2 with testcase.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1
regression from bug 475864 which isn't going to land on the 1.9.0 branch.
Flags: wanted1.9.0.x? → wanted1.9.0.x-
Whiteboard: [sg:investigate]
Group: core-security
Crash Signature: [@AllowedToAct(JSContext*, int) ]