Bug 506838 - Crash bug when moving mouse between fields [@AllowedToAct(JSContext*, int) ]
Status: VERIFIED FIXED
Whiteboard: [sg:investigate]
Keywords: crash, regression, verified1.9.1
Product: Core
Classification: Components
Component: XPConnect
Version: 1.9.1 Branch
Platform: x86 Windows XP
Importance: -- critical with 1 vote
Assigned To: Blake Kaplan (:mrbkap)
URL: https://bug418280.bugzilla.mozilla.or...
Depends on:
Blocks: 475864
Reported: 2009-07-27 20:09 PDT by Steve Roussey (:sroussey)
Modified: 2011-06-13 10:01 PDT
dveditz: wanted1.9.0.x-
.3+
.3-fixed


Attachments
Proposed fix (1.92 KB, patch)
2009-08-06 16:37 PDT, Blake Kaplan (:mrbkap)
jst: review+
jst: superreview+

Description Steve Roussey (:sroussey) 2009-07-27 20:09:59 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Fx crashes when moving mouse between fields. The file is an example that is an attachment to another bug report I am interested in, though I think this crashing is unrelated. 

Reproducible: Always

Steps to Reproduce:
1. go to https://bug418280.bugzilla.mozilla.org/attachment.cgi?id=304082
2. Move the mouse between fields quickly


Actual Results:  
Crash

Expected Results:  
No crash

If you install and activate firebug to receive the console.log calls, it does not crash.
Comment 1 Michael Ryan 2009-07-27 20:42:39 PDT
bp-119f6969-6019-4697-812b-e53e12090727

Signature	AllowedToAct(JSContext*, int)
UUID	119f6969-6019-4697-812b-e53e12090727
Time 	2009-07-27 20:32:58.513851
Uptime	27
Last Crash	34 seconds before submission
Product	Firefox
Version	3.5.1
Build ID	20090715094852
Branch	1.9.1
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x20
User Comments	
Processor Notes 	

0  	xul.dll  	AllowedToAct  	 js/src/xpconnect/src/XPCSystemOnlyWrapper.cpp:205
1 	xul.dll 	XPC_SOW_toString 	js/src/xpconnect/src/XPCSystemOnlyWrapper.cpp:669
2 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1386
3 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1447
4 	js3250.dll 	js_TryMethod 	js/src/jsobj.cpp:5517
5 	js3250.dll 	js_DefaultValue 	js/src/jsobj.cpp:4742
6 	js3250.dll 	js_ValueToString 	js/src/jsstr.cpp:2966
7 	js3250.dll 	js_ReportUncaughtException 	js/src/jsexn.cpp:1263
8 	js3250.dll 	js3250.dll@0x83a03 	
9 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:247
10 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1098
11 	xul.dll 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1206
12 	xul.dll 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:236
13 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:300
14 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:514
15 	xul.dll 	nsEventStateManager::DispatchMouseEvent 	content/events/src/nsEventStateManager.cpp:3697
16 	xul.dll 	xul.dll@0x2e3c47 	
17 	xul.dll 	nsEventStateManager::NotifyMouseOver 	content/events/src/nsEventStateManager.cpp:3810
18 	xul.dll 	nsEventStateManager::GenerateMouseEnterExit 	content/events/src/nsEventStateManager.cpp:3851
19 	xul.dll 	nsEventStateManager::PreHandleEvent 	content/events/src/nsEventStateManager.cpp:999
20 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6307
21 	xul.dll 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6205
22 	xul.dll 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6065
23 	xul.dll 	nsViewManager::HandleEvent 	view/src/nsViewManager.cpp:1400
24 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1359
25 	xul.dll 	HandleEvent 	view/src/nsView.cpp:168
26 	xul.dll 	nsWindow::DispatchEvent 	widget/src/windows/nsWindow.cpp:1051
27 	nssutil3.dll 	nssutil3.dll@0x1bb 	
28 	xul.dll 	nsWindow::DispatchMouseEvent 	widget/src/windows/nsWindow.cpp:6605
29 	xul.dll 	ChildWindow::DispatchMouseEvent 	widget/src/windows/nsWindow.cpp:6752
30 	xul.dll 	nsWindow::ProcessMessage 	widget/src/windows/nsWindow.cpp:4618
31 	xul.dll 	nsWindow::WindowProc 	widget/src/windows/nsWindow.cpp:1267
32 	user32.dll 	InternalCallWinProc 	
33 	user32.dll 	UserCallWinProcCheckWow 	
34 	user32.dll 	DispatchMessageWorker 	
35 	user32.dll 	DispatchMessageW 	
36 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/src/windows/nsAppShell.cpp:165
37 	winmm.dll 	timeGetTime
Comment 2 Michael Ryan 2009-07-27 20:53:45 PDT
Just on 3.5 branch, it seems.
Comment 4 XtC4UaLL [:xtc4uall] 2009-08-03 03:29:10 PDT
CCing mrbkap/smaug/John by Bug 418280 comment 10.
Comment 5 XtC4UaLL [:xtc4uall] 2009-08-03 06:49:34 PDT
fwiw, on 1.8.1/1.9.0 branch and MC there are just uncaught exceptions listed in error console output:

Error: uncaught exception: null
Error: uncaught exception: [object HTMLBodyElement]
Error: uncaught exception: [object HTMLInputElement]
Error: uncaught exception: [object HTMLHtmlElement]

and I failed to find an MC build that crashes, which is weird.
Comment 6 Steve Roussey (:sroussey) 2009-08-06 14:08:24 PDT
As they are related, it would be awesome to close these as part of the fix:

https://bugzilla.mozilla.org/show_bug.cgi?id=418280
https://bugzilla.mozilla.org/show_bug.cgi?id=101197
https://bugzilla.mozilla.org/show_bug.cgi?id=208427

#208427 is the bug that jquery, extjs, dojo, mootools, etc reference, though that bug is technically about originalTarget not relatedTarget. It would have been better to reference #101197 from 2001. #418280 is more specific about the input element rather than the textarea, and gave the example I used as the test case for the crashing bug in Fx 3.5.x. At any rate, user JS code should not get the internal anonymous div in relatedTarget as that causes a permissions exception on accessing chrome objects when this crashing bug gets fixed.

Thanks,
Steven Roussey
Comment 7 Blake Kaplan (:mrbkap) 2009-08-06 16:37:38 PDT
Created attachment 393060
Proposed fix

GetCxSubjectPrincipalAndFrame returns a non-scripted frame if there is only a native frame running but we got the principal off of the context's global object. So we have to deal with that.
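
A simplified model of the failure mode described in comment 7, added here for illustration; it is not the attached patch or Mozilla's code. The structs, function names and the `trusted://` prefix policy are hypothetical, and the model assumes the check reads a field through the frame's script pointer, which would give a near-null access violation like the one at 0x20 in comment 1.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-ins; not the Gecko/SpiderMonkey types. */
struct script  { const char *filename; const char *principal; };
struct frame   { const struct script *script; const struct frame *down; };
struct context { const struct frame *top; const char *global_principal; };
static const char TRUSTED_PREFIX[] = "trusted://";  /* constructed policy */

/* Model of the lookup: principal from the innermost scripted frame, else from
 * the global object; in that fallback *fpp is a native frame (script == NULL). */
const char *subject_principal_and_frame(const struct context *cx, const struct frame **fpp)
{
    const struct frame *fp;
    for (fp = *fpp = cx->top; fp != NULL; fp = fp->down)
        if (fp->script != NULL) {
            *fpp = fp;
            return fp->script->principal;
        }
    return cx->global_principal;
}

static int script_is_trusted(const struct script *s)
{
    return s->filename != NULL &&
           strncmp(s->filename, TRUSTED_PREFIX, sizeof(TRUSTED_PREFIX) - 1) == 0;
}

/* "Before": treats every non-NULL frame as scripted, so a native-only stack
 * makes script_is_trusted() read through a NULL script pointer. */
int allowed_unchecked(const struct context *cx)
{
    const struct frame *fp;
    if (subject_principal_and_frame(cx, &fp) == NULL)
        return 0;
    return fp != NULL && script_is_trusted(fp->script);
}

/* "After": a frame with no script is handled like no frame at all. */
int allowed_checked(const struct context *cx)
{
    const struct frame *fp;
    if (subject_principal_and_frame(cx, &fp) == NULL)
        return 0;
    if (fp != NULL && fp->script == NULL)
        fp = NULL;
    return fp != NULL && script_is_trusted(fp->script);
}
```

In this model the checked variant fails closed on a native-only stack; calling `allowed_unchecked` on the same context dereferences NULL.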
Comment 8 Daniel Veditz [:dveditz] 2009-08-07 12:29:39 PDT
Which bug regressed this? Is this needed on the 1.9.0 branch also?
Comment 10 Samuel Sidler (old account; do not CC) 2009-08-10 17:35:43 PDT
Blake: Where are we on getting this landed on m-c? Code freeze for 1.9.1.3 is tomorrow at midnight. Also, please answer Dan's comment 8.
Comment 11 Blake Kaplan (:mrbkap) 2009-08-10 18:14:23 PDT
http://hg.mozilla.org/mozilla-central/rev/5d308b3a25a3
Comment 12 Blake Kaplan (:mrbkap) 2009-08-11 16:14:40 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/606e25f1066e (the second hunk wasn't needed.)
Comment 13 Al Billings [:abillings] 2009-08-19 13:19:53 PDT
Verified fixed for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729). No longer crashes as it does with 1.9.1.2 with testcase.
Comment 14 Daniel Veditz [:dveditz] 2009-08-27 11:47:09 PDT
regression from bug 475864 which isn't going to land on the 1.9.0 branch.