Closed Bug 506838 Opened 15 years ago Closed 15 years ago

Crash bug when moving mouse between fields [@AllowedToAct(JSContext*, int) ]

Categories

(Core :: XPConnect, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

VERIFIED FIXED
Tracking Status
blocking1.9.1 --- .3+
status1.9.1 --- .3-fixed

People

(Reporter: sroussey, Assigned: mrbkap)

References

()

Details

(Keywords: crash, regression, verified1.9.1, Whiteboard: [sg:investigate])

Crash Data

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729) Fx crashes when moving mouse between fields. The file is an example that is an attachment to another bug report I am interested in, though I think this crashing is unrelated. Reproducible: Always Steps to Reproduce: 1. go to https://bug418280.bugzilla.mozilla.org/attachment.cgi?id=304082 2. Move the mouse between fields quickly Actual Results: Crash Expected Results: No crash If you install and activate firebug to receive the console.log calls, it does not crash.
OS: Windows NT → Windows 7
bp-119f6969-6019-4697-812b-e53e12090727 Signature AllowedToAct(JSContext*, int) UUID 119f6969-6019-4697-812b-e53e12090727 Time 2009-07-27 20:32:58.513851 Uptime 27 Last Crash 34 seconds before submission Product Firefox Version 3.5.1 Build ID 20090715094852 Branch 1.9.1 OS Windows NT OS Version 5.1.2600 Service Pack 2 CPU x86 CPU Info GenuineIntel family 15 model 2 stepping 9 Crash Reason EXCEPTION_ACCESS_VIOLATION Crash Address 0x20 User Comments Processor Notes 0 xul.dll AllowedToAct js/src/xpconnect/src/XPCSystemOnlyWrapper.cpp:205 1 xul.dll XPC_SOW_toString js/src/xpconnect/src/XPCSystemOnlyWrapper.cpp:669 2 js3250.dll js_Invoke js/src/jsinterp.cpp:1386 3 js3250.dll js_InternalInvoke js/src/jsinterp.cpp:1447 4 js3250.dll js_TryMethod js/src/jsobj.cpp:5517 5 js3250.dll js_DefaultValue js/src/jsobj.cpp:4742 6 js3250.dll js_ValueToString js/src/jsstr.cpp:2966 7 js3250.dll js_ReportUncaughtException js/src/jsexn.cpp:1263 8 js3250.dll js3250.dll@0x83a03 9 xul.dll nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:247 10 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1098 11 xul.dll nsEventListenerManager::HandleEvent content/events/src/nsEventListenerManager.cpp:1206 12 xul.dll nsEventTargetChainItem::HandleEvent content/events/src/nsEventDispatcher.cpp:236 13 xul.dll nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:300 14 xul.dll nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:514 15 xul.dll nsEventStateManager::DispatchMouseEvent content/events/src/nsEventStateManager.cpp:3697 16 xul.dll xul.dll@0x2e3c47 17 xul.dll nsEventStateManager::NotifyMouseOver content/events/src/nsEventStateManager.cpp:3810 18 xul.dll nsEventStateManager::GenerateMouseEnterExit content/events/src/nsEventStateManager.cpp:3851 19 xul.dll nsEventStateManager::PreHandleEvent content/events/src/nsEventStateManager.cpp:999 20 xul.dll PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6307 21 xul.dll PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6205 22 xul.dll PresShell::HandleEvent layout/base/nsPresShell.cpp:6065 23 xul.dll nsViewManager::HandleEvent view/src/nsViewManager.cpp:1400 24 xul.dll nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1359 25 xul.dll HandleEvent view/src/nsView.cpp:168 26 xul.dll nsWindow::DispatchEvent widget/src/windows/nsWindow.cpp:1051 27 nssutil3.dll nssutil3.dll@0x1bb 28 xul.dll nsWindow::DispatchMouseEvent widget/src/windows/nsWindow.cpp:6605 29 xul.dll ChildWindow::DispatchMouseEvent widget/src/windows/nsWindow.cpp:6752 30 xul.dll nsWindow::ProcessMessage widget/src/windows/nsWindow.cpp:4618 31 xul.dll nsWindow::WindowProc widget/src/windows/nsWindow.cpp:1267 32 user32.dll InternalCallWinProc 33 user32.dll UserCallWinProcCheckWow 34 user32.dll DispatchMessageWorker 35 user32.dll DispatchMessageW 36 xul.dll nsAppShell::ProcessNextNativeEvent widget/src/windows/nsAppShell.cpp:165 37 winmm.dll timeGetTime
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 7 → Windows XP
Summary: Crash bug when moving mouse between fields → Crash bug when moving mouse between fields [@AllowedToAct(JSContext*, int) ]
Just on 3.5 branch, it seems.
Version: unspecified → 3.5 Branch
CCing mrbkap/smaug/John by Bug 418280 comment 10.
Component: General → XPConnect
Product: Firefox → Core
QA Contact: general → xpconnect
Version: 3.5 Branch → 1.9.1 Branch
blocking1.9.1: --- → ?
Group: core-security
fwiw, on 1.8.1/1.9.0 branch and MC there are just uncaught exceptions listed in error console output: Error: uncaught exception: null Error: uncaught exception: [object HTMLBodyElement] Error: uncaught exception: [object HTMLInputElement] Error: uncaught exception: [object HTMLHtmlElement] and i failed finding a MC build that crashes which is weird.
Assignee: nobody → mrbkap
As they are related, it would be awesome to close these as part of the fix: https://bugzilla.mozilla.org/show_bug.cgi?id=418280 https://bugzilla.mozilla.org/show_bug.cgi?id=101197 https://bugzilla.mozilla.org/show_bug.cgi?id=208427 #208427 is the bug that jquery, extjs, dojo, mootools, etc reference, though that bug is technically about originalTarget not relatedTarget. It would have been better to reference #101197 from 2001. #418280 is more specific about the input element rather than the textarea, and gave the example I used as the test case for the crashing bug in Fx 3.5.x. At any rate, user JS code should not get the internal anonymous div in relatedTarget as that causes a permissions exception on accessing chrome objects when this crashing bug gets fixed. Thanks, Steven Roussey
Attached patch Proposed fixSplinter Review
GetCxSubjectPrincipalAndFrame returns a non-scripted frame if there is only a native frame running but we got the principal off of the context's global object. So we have to deal with that.
Attachment #393060 - Flags: superreview?(jst)
Attachment #393060 - Flags: review?(jst)
Which bug regressed this? Is this needed on the 1.9.0 branch also?
blocking1.9.1: ? → .3+
Flags: wanted1.9.0.x?
Attachment #393060 - Flags: superreview?(jst)
Attachment #393060 - Flags: superreview+
Attachment #393060 - Flags: review?(jst)
Attachment #393060 - Flags: review+
Blake: Where are we on getting this landed on m-c? Code freeze for 1.9.1.3 is tomorrow at midnight. Also, please answer Dan's comment 8.
Blocks: 475864
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified fixed for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729). No longer crashes as it does with 1.9.1.2 with testcase.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1
regression from bug 475864 which isn't going to land on the 1.9.0 branch.
Flags: wanted1.9.0.x? → wanted1.9.0.x-
Whiteboard: [sg:investigate]
Group: core-security
Crash Signature: [@AllowedToAct(JSContext*, int) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: