Closed Bug 53838 Opened 24 years ago Closed 24 years ago

all keybindings which close windows crash the browser

Categories: Core :: DOM: UI Events & Focus Handling, defect, P1
Status: VERIFIED FIXED
People: Reporter: bugzilla, Assigned: hyatt
Keywords: crash, regression; Whiteboard: [nsbeta3++]FIX IN HAND
Attachments: 1 file

occurs on the 3 platforms, using 2000.09.22.08 opt comm bits (also occurs in
mozilla).

1. open Prefs dialog.
2. dismiss it by hitting Esc key.

not a problem with other dialogs (at least with the Open Web Location one and
Find). guessing this is xbl, so over to hyatt --but do reassign as needed. thx!

trace from winNT:

Incident ID 17882689 
 Trigger Time                2000-09-22 15:50:11 
 Email Address                sairuh@netscape.com 
 User Comments                exiting prefs 
 Build ID                    2000092208 
 Product ID                Netscape6 
 Platform ID                Win32 

0x00000010 
DefineProperty [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 1912] 
JS_DefineProperty [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 2004] 
nsJSContext::BindCompiledEventHandler
[d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 942] 
nsXBLPrototypeHandler::ExecuteHandler
[d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLPrototypeHandler.cpp, line 309] 
nsXBLWindowKeyHandler::WalkHandlersInternal
[d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLWindowKeyHandler.cpp, line 215] 
nsXBLWindowKeyHandler::WalkHandlers
[d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLWindowKeyHandler.cpp, line 252] 
nsXBLWindowKeyHandler::KeyPress
[d:\builds\seamonkey\mozilla\layout\xbl\src\nsXBLWindowKeyHandler.cpp, line 268] 
nsEventListenerManager::HandleEvent
[d:\builds\seamonkey\mozilla\layout\events\src\nsEventListenerManager.cpp, line
1123] 
nsXULDocument::HandleDOMEvent
[d:\builds\seamonkey\mozilla\rdf\content\src\nsXULDocument.cpp, line 2112] 
nsXULElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3348] 
nsXULElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3340] 
nsXULElement::HandleDOMEvent
[d:\builds\seamonkey\mozilla\rdf\content\src\nsXULElement.cpp, line 3340] 
PresShell::HandleEventInternal
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4257] 
PresShell::HandleEvent
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 4192] 
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 379] 
nsViewManager2::DispatchEvent
[d:\builds\seamonkey\mozilla\view\src\nsViewManager2.cpp, line 1429] 
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp, line 68] 
nsWindow::DispatchEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 685] 
nsWindow::DispatchWindowEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 702] 
nsWindow::DispatchKeyEvent
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2285] 
nsWindow::OnChar [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp,
line 2408] 
nsWindow::ProcessMessage
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 2836] 
nsWindow::WindowProc
[d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp, line 951] 
USER32.dll + 0x1820 (0x77e71820) 
0x00010001
nominate for beta3 --very annoying regression for a commonly used shortcut...
also, traces for the other platforms for your viewing pleasure.

Mac OS:

0xffc10000 
JS_DefineProperty() [jsapi.c, line 2001] 
DOM_DLL + 0xf17c (0x0581ad7c) 
nsXBLPrototypeHandler::ExecuteHandler() [nsXBLPrototypeHandler.cpp, line 307] 
nsXBLWindowKeyHandler::WalkHandlersInternal() [nsXBLWindowKeyHandler.cpp, line
223] 
nsXBLWindowKeyHandler::WalkHandlers() [nsXBLWindowKeyHandler.cpp, line 250] 
nsXBLWindowKeyHandler::KeyPress() [nsXBLWindowKeyHandler.cpp, line 266] 
nsEventListenerManager::HandleEvent() [nsEventListenerManager.cpp, line 1118] 
nsXULDocument::HandleDOMEvent() [nsXULDocument.cpp, line 2111] 
nsXULElement::HandleDOMEvent() [nsXULElement.cpp, line 3343]

Linux:

0x006f0063 
libmozjs.so + 0x10310 (0x40107310) 
nsJSContext::BindCompiledEventHandler() 
nsXBLPrototypeHandler::ExecuteHandler() 
nsXBLWindowKeyHandler::WalkHandlersInternal() 
nsXBLWindowKeyHandler::WalkHandlers() 
nsXBLWindowKeyHandler::KeyPress() 
nsEventListenerManager::HandleEvent() 
nsXULDocument::HandleDOMEvent() 
nsXULElement::HandleDOMEvent() 
PresShell::HandleEventInternal() 
PresShell::HandleEvent() 
nsView::HandleEvent() 
nsViewManager2::DispatchEvent() 
HandleEvent() 
nsWidget::DispatchEvent() 
nsWidget::DispatchWindowEvent() 
nsWidget::OnInput() 
handle_key_press_event() 
dispatch_superwin_event() 
handle_gdk_event() 
libgdk-1.2.so.0 + 0x174db (0x408b14db) 
libglib-1.2.so.0 + 0x10186 (0x408de186) 
libglib-1.2.so.0 + 0x10751 (0x408de751) 
libglib-1.2.so.0 + 0x108f1 (0x408de8f1) 
libgtk-1.2.so.0 + 0x8c5b9 (0x408065b9) 
nsAppShell::Run() 
nsAppShellService::Run() 
main1() 
main() 
libc.so.6 + 0x189cb (0x4025e9cb) 
oh, yeah: Enter key also kills the app.
Summary: hitting Esc in Prefs dialog crashes browser → hitting Esc or Enter keys in Prefs dialog crashes browser
cc brendan
another case: open a new browser window, then close it using Command+W on mac or
Control+W on win32 (strangely, i cannot repro on linux). also crashes with the
same trace.
Summary: hitting Esc or Enter keys in Prefs dialog crashes browser → hitting Esc or Enter keys in Prefs dialog crashes browser; or ctrl+W
Just snooping around... We're passing nsnull to
nsJSContext::BindCompiledEventHandler at nsXBLPrototypeHandler.cpp:307. Not sure
if that's okay or not as a way of unbinding.

In BindCompiledEventHandler (nsJSContext.cpp) we do this:

930   if (funobj && ::JS_GetParent(mContext, funobj) != target) {
931     funobj = ::JS_CloneFunctionObject(mContext, funobj, target);
932     if (!funobj)
933       return NS_ERROR_OUT_OF_MEMORY;
934   }

I think this code might assume that the compiler necessarily optimizes by not
evaluating ::JS_GetParent(mContext, funobj) after finding funobj to be null...
If not, that could cause a segfault if JS_GetParent has problems with null...

That feels to me like barking up the wrong tree, though. Maybe OBJECT_TO_JSVAL
is dying... I'm not sure. My gut feeling is that we're not supposed to be
calling a function called "bind" to unbind, or we're calling it wrong. I don't
think I'll be able to contribute any real knowledge to this :)
nsbeta3+, p1 for M18.  assigning to dr to baby sit till hyatt gets back. cc 
hyatt.
Assignee: hyatt → dr
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Target Milestone: --- → M18
>930   if (funobj && ::JS_GetParent(mContext, funobj) != target) {
>931     funobj = ::JS_CloneFunctionObject(mContext, funobj, target);
>932     if (!funobj)
>933       return NS_ERROR_OUT_OF_MEMORY;
>934   }
>
>I think this code might assume that the compiler necessarily optimizes by not
>evaluating ::JS_GetParent(mContext, funobj) after finding funobj to be null...

Uh, that's not an optimization, it is a requirement of C and C++'s so-called 
"short-circuiting" && and || logical connectives.  Count on it.  It's not a bug.
(Optimization describes what the compiler can do at compile-time, btw, and it 
can't know that a particular funobj value is null at runtime.)

The crash stacktraces here lack argument values, but if someone makes this 
happen in a debugger, look at obj in DefineProperty -- I bet it's bad.  If so, 
update the bug with its value, and try to trace where that value came from in 
memory.

/be
*** Bug 53767 has been marked as a duplicate of this bug. ***
 Here is a 'where full' stack backtrace from gdb from a recent Linux CVS
pull and build (with debugging, obviously):

(gdb) where full
#0  0x10 in ?? ()
No symbol table info available.
#1  0x401786f8 in JS_DefineProperty (cx=0x83ae088, obj=0x84a0eb0, 
    name=0xbfffbc60 "onxblkeypress", value=0, getter=0, setter=0, attrs=5)
    at /g/misc/cks/code/mozilla/js/src/jsapi.c:2003
        name = 0xbfffbc6e "\023@¬Ìf\bÈ\234xA¤¼ÿ¿¤¼ÿ¿¨¼ÿ¿`\030nA¨Ìf\b4»cA$¿ÿ¿
¿ÿ¿ü\004\026@¨Ìf\bä¿ÿ¿Pÿ=Aø~L\b°\016J\b¨Ìf\b"
        value = 5
        getter = 0x84de378
        attrs = 138076296
#2  0x41682a18 in nsJSContext::BindCompiledEventHandler (this=0x84c7ef8, 
    aTarget=0x84a0eb0, aName=0x866cca8, aHandler=0x0)
    at /g/misc/cks/code/mozilla/dom/src/base/nsJSEnvironment.cpp:938
        aTarget = (void *) 0x84a0eb0
        aName = (nsIAtom *) 0x10
        aHandler = (void *) 0x0
        charName =
"onxblkeypress\000\023@¬Ìf\bÈ\234xA¤¼ÿ¿¤¼ÿ¿¨¼ÿ¿`\030nA¨Ìf\b4»cA$¿ÿ¿
¿ÿ¿ü\004\026@¨Ìf\b"
        funobj = (struct JSObject *) 0x0
        target = (struct JSObject *) 0x84a0eb0
#3  0x413dff50 in nsXBLPrototypeHandler::ExecuteHandler (this=0x844e5a8, 
    aReceiver=0x84e5d28, aEvent=0x8603c40)
    at /g/misc/cks/code/mozilla/layout/xbl/src/nsXBLPrototypeHandler.cpp:307
        command = {<nsString> = {<basic_nsAWritableString<short unsigned int>> =
{<basic_nsAReadableString<short unsigned int>> = {<nsPrivateSharableString<short
unsigned int>> = {
          _vptr. = 0x4015c160 <nsAutoString virtual table>}, <No data fields>},
<No data fields>}, <nsStr> = {mLength = 0, mCapacity = 63, 
      mCharSize = eTwoByte, mOwnsBuffer = 0, {mStr = 0xbfffbf64 "", 
        mUStr = 0xbfffbf64}}, <No data fields>}, 
  mBuffer =
"\000\000\215A\020ú:\b\t\000\000\000=Û\227Aø\001\000\000¦9$@È-#@\020ú:\b\230¿ÿ¿´H\"@\000\000\000\000VS\020@¸T\231A\020ú:\bxÁÿ¿04\026@È¿ÿ¿_U\215A\020ú:\b\a\000\000\000=Û\227A\030H\006\b\037Û\227A4»cA0ú:\bä¿ÿ¿¡ªJA\020ú:\b4»cAxÁÿ¿|Áÿ¿(]N\b"}
        onEvent = {<nsString> = {<basic_nsAWritableString<short unsigned int>> =
{<basic_nsAReadableString<short unsigned int>> = {<nsPrivateSharableString<short
unsigned int>> = {
          _vptr. = 0x4015c160 <nsAutoString virtual table>}, <No data fields>},
<No data fields>}, <nsStr> = {mLength = 13, mCapacity = 63, 
      mCharSize = eTwoByte, mOwnsBuffer = 0, {mStr = 0xbfffbe8c "o", 
        mUStr = 0xbfffbe8c}}, <No data fields>}, 
  mBuffer =
"o\000n\000x\000b\000l\000k\000e\000y\000p\000r\000e\000s\000s\000\000\000|¿ÿ¿ì¾ÿ¿ð¾ÿ¿Ü¾ÿ¿\013\000\000\000.d\n@TÀÿ¿\220$ÆB¦9$@È-#@¦9$@¦9$@È-#@
]N\bô¾ÿ¿´H\"@\212Q\020@¸T\231A ]N\b ]N\b\034<\020@$¿ÿ¿\231­\212A
]N\b\004\000\000"}
        str = {<nsString> = {<basic_nsAWritableString<short unsigned int>> =
{<basic_nsAReadableString<short unsigned int>> = {<nsPrivateSharableString<short
unsigned int>> = {
          _vptr. = 0x4015c160 <nsAutoString virtual table>}, <No data fields>},
<No data fields>}, <nsStr> = {mLength = 8, mCapacity = 63, 
      mCharSize = eTwoByte, mOwnsBuffer = 0, {mStr = 0xbfffbdf4 "k", 
        mUStr = 0xbfffbdf4}}, <No data fields>}, 
  mBuffer =
"k\000e\000y\000p\000r\000e\000s\000s\000\000\000\020@¦9$@È-#@(ÑD\b(¾ÿ¿´H\"@\212Q\020@4»cA(ÑD\b(ÑD\b\034<\020@X¾ÿ¿\000\020BA(ÑD\b¦9$@È-#@\230ÉC\b\\¾ÿ¿´H\"@\212Q\020@4»cA\230ÉC\b_\212Ý2\034<\020@\214¾ÿ¿(ÕEA\210¾ÿ¿\016\032\013@"}
        onEventAtom = {mRawPtr = 0x866cca8}
        handler = (void *) 0x84a0eb8
        handlerText = {<nsString> = {<basic_nsAWritableString<short unsigned
int>> = {<basic_nsAReadableString<short unsigned int>> =
{<nsPrivateSharableString<short unsigned int>> = {
          _vptr. = 0x4015c160 <nsAutoString virtual table>}, <No data fields>},
<No data fields>}, <nsStr> = {mLength = 14, mCapacity = 63, 
      mCharSize = eTwoByte, mOwnsBuffer = 0, {mStr = 0xbfffbd5c "B", 
        mUStr = 0xbfffbd5c}}, <No data fields>}, 
  mBuffer =
"B\000r\000o\000w\000s\000e\000r\000C\000l\000o\000s\000e\000(\000)\000\000\000ÿ¿^×\232A\b+D\b\005\000\000\00091\236A\030\001\000\000D+D\b°ÿ\236A\b+D\b\020M]A°½ÿ¿
»\234A\b+D\b°ÿ\236Aнÿ¿.Ý\232A\b+D\b°ÿ\236A\020M]A\b+D\b\001\000\000\000¦9$@È-#@h\202:\bì½ÿ¿"}
        boundGlobal = {mRawPtr = 0x83a8268}
        boundContext = {mRawPtr = 0x84c7ef8}
        owner = {mRawPtr = 0x84e5d30}
        scriptObject = (void *) 0x84a0eb0
        eventListener = {mRawPtr = 0x866bfa8}
        jsListener = {mRawPtr = 0x866bfac}
#4  0x413dceb4 in nsXBLWindowKeyHandler::WalkHandlersInternal (this=0x84cd398, 
    aKeyEvent=0x8603c40, aEventType=0x8377f10, aHandler=0x844eb08)
    at /g/misc/cks/code/mozilla/layout/xbl/src/nsXBLWindowKeyHandler.cpp:214
        rec = {mRawPtr = 0x84e5d28}
        disabled = {<nsString> = {<basic_nsAWritableString<short unsigned int>>
= {<basic_nsAReadableString<short unsigned int>> =
{<nsPrivateSharableString<short unsigned int>> = {
          _vptr. = 0x4015c160 <nsAutoString virtual table>}, <No data fields>},
<No data fields>}, <nsStr> = {mLength = 0, mCapacity = 63, 
      mCharSize = eTwoByte, mOwnsBuffer = 0, {mStr = 0xbfffc0f0 "", 
        mUStr = 0xbfffc0f0}}, <No data fields>}, 
  mBuffer =
"\000\000\"@\212Q\020@4»cA@<`\b\203\2121#\034<\020@0Áÿ¿íÂ\fA@<`\b\003\000\000\000:POA@\000\000\000\030H\006\b\037POA4»cA@<`\bHÁÿ¿\035Æ\fA@<`\b04\026@°Áÿ¿¼Áÿ¿dÁÿ¿àY\020@@<`\b²W\020@4»cA\000\000\000\000¼Áÿ¿\210Áÿ¿\210Áÿ¿Â§MA"}
        elt = {mRawPtr = 0x84e5d20}
        stopped = 0
        privateEvent = {mRawPtr = 0x8603c4c}
        matched = 1
        nextHandler = {mRawPtr = 0x84e5d20}
        aHandler = (nsIXBLPrototypeHandler *) 0xbfffc178
        rv = 138076296
        currHandler = {mRawPtr = 0x844e5a8}
#5  0x413dd41a in nsXBLWindowKeyHandler::WalkHandlers (this=0x84cd398, 
    aKeyEvent=0x8603c44, aEventType=0x8377f10)
    at /g/misc/cks/code/mozilla/layout/xbl/src/nsXBLWindowKeyHandler.cpp:250
        evt = {mRawPtr = 0x8603c48}
        prevent = 0
        keyEvent = {mRawPtr = 0x8603c40}
#6  0x413dd53c in nsXBLWindowKeyHandler::KeyPress (this=0x84cd398, 
    aKeyEvent=0x8603c44)
    at /g/misc/cks/code/mozilla/layout/xbl/src/nsXBLWindowKeyHandler.cpp:267
        this = (nsXBLWindowKeyHandler *) 0x10
        aKeyEvent = (nsIDOMEvent *) 0x84de378
#7  0x410b70ba in nsEventListenerManager::HandleEvent (this=0x83b00c8, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, 
    aCurrentTarget=0x83afa30, aFlags=2, aEventStatus=0xbfffe5ec)
    at
/g/misc/cks/code/mozilla/layout/events/src/nsEventListenerManager.cpp:1118
        ls = (nsListenerStruct *) 0x84cd3c0
        mKeyListener = (nsIDOMKeyListener *) 0x84cd398
        i = 0
        ret = 0
        kungFuDeathGrip = {mRawPtr = 0x83b00c8}
        empty = {<nsString> = {<basic_nsAWritableString<short unsigned int>> =
{<basic_nsAReadableString<short unsigned int>> = {<nsPrivateSharableString<short
unsigned int>> = {
          _vptr. = 0x4015c160 <nsAutoString virtual table>}, <No data fields>},
<No data fields>}, <nsStr> = {mLength = 0, mCapacity = 63, 
      mCharSize = eTwoByte, mOwnsBuffer = 0, {mStr = 0xbfffc270 "", 
        mUStr = 0xbfffc270}}, <No data fields>}, 
  mBuffer =
"\000\000\020@È\234xAø~L\b\004\000\000\00004\026@¨Âÿ¿÷ôgAø~L\b\f\000\000\000ÆVsA\030H\006\bªVsAÈ\234xAôÂÿ¿\bÃÿ¿ïriAø~L\b¸T\231A\004\000\000\000¸âÿ¿ôÂÿ¿ðÂÿ¿ç²i@\000\000\000\000\230H«B\000\000\000\000Ø\rq@\bE
\b\230H«B\000\000\000\000\b\000\000\000\004Ãÿ¿"}
#8  0x418dac30 in nsXULDocument::HandleDOMEvent (this=0x83afa10, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULDocument.cpp:2111
        aDOMEvent = (nsIDOMEvent **) 0xbfffe2b8
        aFlags = 2
        ret = 0
        domEvent = (nsIDOMEvent *) 0x0
#9  0x418bcf19 in nsXULElement::HandleDOMEvent (this=0x848b7f0, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULElement.cpp:3344
        ret = 0
        retarget = 0
        oldTarget = {mRawPtr = 0x0}
        domEvent = (nsIDOMEvent *) 0x0
        bindingParent = {mRawPtr = 0x0}
#10 0x418bcf19 in nsXULElement::HandleDOMEvent (this=0x84e4ea0, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULElement.cpp:3344
        ret = 0
        retarget = 0
        oldTarget = {mRawPtr = 0x0}
        domEvent = (nsIDOMEvent *) 0x0
        bindingParent = {mRawPtr = 0x0}
#11 0x418bcf19 in nsXULElement::HandleDOMEvent (this=0x84e5010, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULElement.cpp:3344
        ret = 0
        retarget = 0
        oldTarget = {mRawPtr = 0x0}
        domEvent = (nsIDOMEvent *) 0x0
        bindingParent = {mRawPtr = 0x0}
#12 0x418bcf19 in nsXULElement::HandleDOMEvent (this=0x84e51a8, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULElement.cpp:3344
        ret = 0
        retarget = 0
        oldTarget = {mRawPtr = 0x0}
        domEvent = (nsIDOMEvent *) 0x0
        bindingParent = {mRawPtr = 0x0}
#13 0x418bcf19 in nsXULElement::HandleDOMEvent (this=0x84e5250, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULElement.cpp:3344
        ret = 0
        retarget = 0
        oldTarget = {mRawPtr = 0x0}
        domEvent = (nsIDOMEvent *) 0x0
        bindingParent = {mRawPtr = 0x0}
#14 0x418c2cb7 in nsXULElement::HandleChromeEvent (this=0x84e5250, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/rdf/content/src/nsXULElement.cpp:4296
        aPresContext = (nsIPresContext *) 0x83ae088
        aEvent = (nsEvent *) 0x83ae088
        aDOMEvent = (nsIDOMEvent **) 0x83ae088
        aFlags = 138076296
        aEventStatus = (nsEventStatus *) 0x83ae088
        kungFuDeathGrip = {mRawPtr = 0x83afa10}

#15 0x416971ea in GlobalWindowImpl::HandleDOMEvent (this=0x85cdbe8, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/dom/src/base/nsGlobalWindow.cpp:516
        ret = 0
        domEvent = (nsIDOMEvent *) 0x0
        kungFuDeathGrip1 = {mRawPtr = 0x84e5264}
        kungFuDeathGrip2 = {mRawPtr = 0x85cdcc8}
#16 0x41418809 in nsDocument::HandleDOMEvent (this=0x84d1800, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=2, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/layout/base/src/nsDocument.cpp:3051
        aDOMEvent = (nsIDOMEvent **) 0xbfffe2b8
        aFlags = 2
        mRet = 0
        domEvent = (nsIDOMEvent *) 0x0
#17 0x4144d768 in nsGenericElement::HandleDOMEvent (this=0x85c1734, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0xbfffe2b8, aFlags=1, 
    aEventStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/layout/base/src/nsGenericElement.cpp:1433
        ret = 0
        retarget = 0
        oldTarget = {mRawPtr = 0x0}
        domEvent = (nsIDOMEvent *) 0x8603c44
        bindingParent = {mRawPtr = 0x0}
#18 0x411a1e29 in nsHTMLHtmlElement::HandleDOMEvent (this=0x85c1720, 
    aPresContext=0x843c998, aEvent=0xbfffe6c0, aDOMEvent=0x0, aFlags=1, 
    aEventStatus=0xbfffe5ec)
    at
/g/misc/cks/code/mozilla/layout/html/content/src/nsHTMLHtmlElement.cpp:185
        aPresContext = (nsIPresContext *) 0x843c998
        aEvent = (nsEvent *) 0xbfffe6c0
        aDOMEvent = (nsIDOMEvent **) 0x84de378
        aFlags = 16
        aEventStatus = (nsEventStatus *) 0x83ae088
#19 0x4112f106 in PresShell::HandleEventInternal (this=0x82e18e8, 
    aEvent=0xbfffe6c0, aView=0x867fd38, aFlags=1, aStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/layout/html/base/src/nsPresShell.cpp:4255
        this = (PresShell *) 0x82e18e8
        rv = 0
        manager = (nsIEventStateManager *) 0x861c760
#20 0x4112ee00 in PresShell::HandleEvent (this=0x82e18e8, aView=0x867fd38, 
    aEvent=0xbfffe6c0, aEventStatus=0xbfffe5ec, aForceHandle=0, 
    aHandled=@0xbfffe580)
    at /g/misc/cks/code/mozilla/layout/html/base/src/nsPresShell.cpp:4190
        manager = (nsIEventStateManager *) 0x861c760
        this = (PresShell *) 0x82e18e8
        aEventStatus = (nsEventStatus *) 0x83ae088
        clientData = (void *) 0x86195f4
        frame = (nsIFrame *) 0x82e1914
        rv = 0
#21 0x40d70e1b in nsView::HandleEvent (this=0x867fd38, event=0xbfffe6c0, 
    aEventFlags=8, aStatus=0xbfffe5ec, aForceHandle=0, aHandled=@0xbfffe580)
    at /g/misc/cks/code/mozilla/view/src/nsView.cpp:366
        event = (nsGUIEvent *) 0xbfffe6c0
        aForceHandle = 138076296
        obs = (nsIViewObserver *) 0x82e18ec
#22 0x40d70dbe in nsView::HandleEvent (this=0x867f578, event=0xbfffe6c0, 
    aEventFlags=8, aStatus=0xbfffe5ec, aForceHandle=0, aHandled=@0xbfffe580)
    at /g/misc/cks/code/mozilla/view/src/nsView.cpp:350
        pKid = (nsIView *) 0x867fd38
        cnt = 0
        numkids = 1
        trect = {x = 0, y = -3444, width = 11060, height = 12600}
        x = 0
        y = 0
        event = (nsGUIEvent *) 0xbfffe6c0
        aForceHandle = 138076296
        obs = (nsIViewObserver *) 0x82e18ec
#23 0x40d70dbe in nsView::HandleEvent (this=0x8231f98, event=0xbfffe6c0, 
    aEventFlags=28, aStatus=0xbfffe5ec, aForceHandle=1, aHandled=@0xbfffe580)
    at /g/misc/cks/code/mozilla/view/src/nsView.cpp:350
        pKid = (nsIView *) 0x867f578
        cnt = 0
        numkids = 3
        trect = {x = 0, y = 0, width = 9506, height = 9156}
        x = 0
        y = 0
        event = (nsGUIEvent *) 0xbfffe6c0
        aForceHandle = 138076296
        obs = (nsIViewObserver *) 0x82e18ec
#24 0x40d7b9da in nsViewManager2::DispatchEvent (this=0x846d958, 
    aEvent=0xbfffe6c0, aStatus=0xbfffe5ec)
    at /g/misc/cks/code/mozilla/view/src/nsViewManager2.cpp:1427
        p2t = 14
        t2p = 0.0714285746
        handled = 1
        baseView = (nsIView *) 0x867f578
        view = (nsIView *) 0x8231f98
        offset = {x = 0, y = 0}
        sb = (nsIScrollbar *) 0x0
        aEvent = (nsGUIEvent *) 0xbfffe6c0
#25 0x40d704f2 in HandleEvent (aEvent=0xbfffe6c0)
    at /g/misc/cks/code/mozilla/view/src/nsView.cpp:67
        vm = (nsIViewManager *) 0x846d958
        aEvent = (nsGUIEvent *) 0xbfffe6c0
        result = nsEventStatus_eIgnore
        view = (nsIView *) 0x84de378
#26 0x40dc20fd in nsWidget::DispatchEvent (this=0x867f608, aEvent=0xbfffe6c0, 
    aStatus=@0xbfffe680)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsWidget.cpp:1475
        gw = (GtkObject *) 0x867f7c0
        nativeWidget = (void *) 0x10
#27 0x40dc1e3d in nsWidget::DispatchWindowEvent (this=0x867f608, 
    event=0xbfffe6c0)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsWidget.cpp:1366
        this = (nsWidget *) 0x867f608
        event = (nsGUIEvent *) 0x10
        status = nsEventStatus_eIgnore
#28 0x40dbf2b4 in nsWidget::OnInput (this=0x867f608, aEvent=@0xbfffe6c0)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsWidget.cpp:100
        ret = 0
        releaseWidget = 1
        widget = (nsWidget *) 0x867f608
#29 0x40dbb1a9 in handle_key_press_event (w=0x0, event=0x82487b8, p=0x867f608)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsWidget.h:201
        this = (nsWidget *) 0x867f608
        kevent = {<nsInputEvent> = {<nsGUIEvent> = {<nsEvent> = {
        eventStructType = 9 '\t', message = 131, point = {x = 0, y = 3444}, 
        refPoint = {x = 0, y = 0}, time = 3301055276, flags = 2, 
        internalAppFlags = 1080310599}, widget = 0x867f608, 
      nativeMsg = 0x40df272e}, isShift = 0, isControl = 1, isAlt = 0, 
    isMeta = 0}, keyCode = 0, charCode = 119, isChar = 1080294665}
        win = (nsWidget *) 0x867f608
#30 0x40dbb5e9 in dispatch_superwin_event (event=0x82487b8, window=0x867f608)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:990
        event = (GdkEvent *) 0x82487b8
        window = (nsWindow *) 0x10
#31 0x40dbb49a in handle_gdk_event (event=0x82487b8, data=0x0)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsGtkEventHandler.cpp:904
        grabbingWindow = (nsWindow *) 0x82487b8
        grabbingGdkWindow = (GdkWindow *) 0x83e000c
        grabbingMozArea = (GtkWidget *) 0x4061746d
        window = (nsWindow *) 0x867f608
        current_grab = (GtkWidget *) 0x0
        superwin_grab = 138076296
        object = (GtkObject *) 0x867f7c0
        event_time = 138076296
#32 0x406174db in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
No symbol table info available.
#33 0x40647186 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
No symbol table info available.
#34 0x40647751 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
No symbol table info available.
#35 0x406478f1 in g_main_run () from /usr/lib/libglib-1.2.so.0
No symbol table info available.
#36 0x4056c5b9 in gtk_main () from /usr/lib/libgtk-1.2.so.0
No symbol table info available.
#37 0x40daf453 in nsAppShell::Run (this=0x82053e8)
    at /g/misc/cks/code/mozilla/widget/src/gtk/nsAppShell.cpp:335
        this = (nsAppShell *) 0x82053e8
#38 0x41c4efe0 in nsAppShellService::Run (this=0x821a048)
    at /g/misc/cks/code/mozilla/xpfe/appshell/src/nsAppShellService.cpp:407
        this = (nsAppShellService *) 0x83ae088
#39 0x805260b in main1 (argc=1, argv=0xbfffe9d4, nativeApp=0x0)
    at /g/misc/cks/code/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1004
        argv = (char **) 0x83ae088
        rv = 0
        eventQService = {mRawPtr = 0x807ab50}
        obsService = {mRawPtr = 0x807b138}
        needAutoreg = 1
        cmdLineArgs = {mRawPtr = 0x8190580}
        appShell = {mRawPtr = 0x821a048}
        walletService = {mRawPtr = 0x81f3200}
#40 0x8052b9b in main (argc=1, argv=0xbfffe9d4)
    at /g/misc/cks/code/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1185
        argv = (char **) 0xbfffe9d4
        nativeApp = (nsINativeAppSupport *) 0x0
        rv = 138076296
        splash = (nsISplashScreen *) 0x0
        dosplash = 0
        mainResult = 0
#41 0x402f29cb in __libc_start_main (main=0x8052a40 <main>, argc=1, 
    argv=0xbfffe9d4, init=0x804c1ac <_init>, fini=0x805ede0 <_fini>, 
    rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbfffe9cc)
    at ../sysdeps/generic/libc-start.c:92
        argv = (char **) 0xbfffe9d4
        rtld_fini = (void (*)()) 0x4000ae60 <_dl_fini>
        stack_end = (void *) 0x10
(gdb)
 More detail:
 In JS_DefineProperty() obj itself seems fine. However, while obj->maps->ops
appears to be a valid pointer (gdb does not puke on my shoes), the contents
are complete garbage: everything is set to 0x10101010.
 In the hope it helps:
(gdb) print *obj
$15 = {map = 0x84a0eb8, slots = 0x84a18c6}
(gdb) print *(obj->map)
$16 = {nrefs = 139071168, ops = 0x84a18c7, nslots = 139071176, 
  freeslot = 139073736}
(gdb) print obj->slots
$18 = (jsval *) 0x84a18c6
(gdb) print *(obj->slots)
$17 = 269488144

cks+netscape.com, anyone: please try the patch at bug 53123 and let us know if 
this bug reproduces, or not.

/be
 I repulled, getting the bits that Brendan had checked in.
 The bug is still reproducing for me (on CTRL+W to close windows).

 More more info: target->map->ops is smashed (to 0x10) already when we reach
nsJSContext::BindCompiledEventHandler() from
nsXBLPrototypeHandler::ExecuteHandler. (This is before the SEGV itself.)

 As another data point, the window that is closing from the CTRL+W
has already vanished (at the X level) by the time we hit this point.

 And as a final, third piece of information: I am running on a SMP
system, not a UP system. (I don't know if this makes any important
difference, but just in case...)
How does aReceiver look around

http://lxr.mozilla.org/mozilla/source/layout/xbl/src/nsXBLPrototypeHandler.cpp#290

That's where the JSObject came from, via nsIScriptObjectOwner::GetScriptObject.

/be
Since late july and till this crash appeared i've all along been seeing this
when closing a window with ctrl+w on linux:

Gdk-CRITICAL **: file gdkwindow.c: line 716 (gdk_window_ref): assertion `window
!= NULL' failed.

trudelle and laurel weren't able to repro it, but it kept displaying here.
Last tested it two days ago and it was still there. I "gave up" on that bug
since it was obviously hard to repro (bug 45947) but mentioning it here for what
it's worth.
 Info to help people to reproduce this:
 The site I'm using is http://www.theregister.co.uk/. I go to it in the main
browser window, button-2 a story to open it in a new window, and then Ctrl-W
the new window closed; it then consistently SEGVs. Other places are only
intermittent.

 More information: with Brendan telling me what to do, I traced the flow of
things through nsXBLPrototypeHandler::ExecuteHandler. scriptObject->map->ops
is fine before the call 'eventListener->HandleEvent(aEvent);' (line 304) and
is DOA afterwards.
I reproduced this on the first try on NT. This is in a branch build that has the 
patch brendan mentioned.

The cx looks good. The obj points into garbage. value (aka funobj) is null.

To answer brendan... aReceiver is an nsXULElement that looks reasonable. It has 
a ref count of 5. It's mScriptObject = mDocument = null.

Note that we ignore the return value at line 290 of...
   void* scriptObject;
   owner->GetScriptObject(boundContext, &scriptObject);

owner here *seems* to be a nsXULElement with a mScriptObject = null. Yet 
scriptObject is not null. The code does not seem to be able to do that, so this 
might only be the way it appears at the point of the error. This is funky.
Ah, nsXBLPrototypeHandler::ExecuteHandler nests deeper in its call to 
eventListener->HandleEvent. When it comes out owner->mScriptObject is null and 
the value cached in scriptObject points to a JSObject that is no more. We need a 
deathgrip or another call to GetScriptObject - though we may not want it to be 
creating a new script object just for us at this point, right? Anyway, I hope 
this is sufficient clue.
*** Bug 54019 has been marked as a duplicate of this bug. ***
A death grip in JS is called a GC root.  If you really need one, use 
JS_AddNamedRoot and JS_RemoveRoot.

But maybe there's a better way: can we take note of the fact that the script 
object has been finalized?  We could call GetScriptObject again, storing its out 
parameter in a scriptObjectAfter local, and then compare scriptObject == 
scriptObjectAfter and call the // Now unbind it code 
(BindCompiledEventHandler(..., nsnull)) only if the pointers match.

But that will create a new script object needlessly.  Too bad 
nsIScriptObjectOwner doesn't have a HasScriptObject method that tests without 
doing lazy construction.  Hyatt, anyone: is there another way to tell that we 
have lost the script object (and the receiver content node, and who knows what 
else), and avoid either a GC-root-death-grip or a gratuitous second ("after") 
script object?

/be
Question for hyatt: why is nsXBLPrototypeHandler::ExecuteHandler compiling as 
well as invoking?  That oxymoron indicates a performance bug: we should hoist 
the compilation out to load-time, if possible.  Is this do-able?  If so, what's 
the bug number?

/be
*** Bug 54177 has been marked as a duplicate of this bug. ***
I haven't tried that patch out (my Win98 machine at home is way out of date, and 
crashes too much when I try to build -- I'm a Linux guy now all the way), but it 
will avoid the crash.  It costs an extra GC root, temporarily, and it keeps the 
script object alive past some window-destruction point where otherwise it would 
become garbage.  That may break things due to a screwy finalize dependency, or 
some such.

Anyone, try it out and update this bug, please.

/be
Yes! The script object in question can now be for a window, a document or an 
element.  In the past XBL was only dealing with elements (which I believe are 
good about always being rooted).  In this case we're dealing with a document's 
script object.  I believe this is the right fix.
Perhaps we only need to add a named root if the script object in question 
belongs to a document or window?
*** Bug 10511 has been marked as a duplicate of this bug. ***
Oh baby, this is SO hyatt's bug.
Assignee: dr → hyatt
mass-adding rtm keyword to all open nsbeta3+ xptoolkit bugs
Keywords: rtm
PDT: this is a serious regression, and a very common crasher. we have a fix in
hand. this *really* ought to make it into the branch. (cc'ing jar)
Summary: hitting Esc or Enter keys in Prefs dialog crashes browser; or ctrl+W → all keybindings which close windows crash the browser
Whiteboard: [nsbeta3+] → [nsbeta3+]FIX IN HAND
Marking nsbeta3++.  Let's get this one in immediately so we don't have to slip
the beta.
Whiteboard: [nsbeta3+]FIX IN HAND → [nsbeta3++]FIX IN HAND
And was this checked in? ... It's supposedly blocking 44437.
actually, the fix in hand mentioned (brendan's two cents) isn't right according
to hyatt (roots aren't refcounted, so we could do some horrible breakage here).
he's going to submit a fix where the offending call just isn't made (things get
garbage-collected later rather than sooner, but not a big deal) as soon as the
trees open up.

this superfluous news update courtesy of dr@zarro.boogs
fixed.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Huh?  Roots aren't refcounted.  So what?  The root will keep the JSObject alive. 
Please specify the horrible breakage foreseen with my modest patch.

BTW, and as I discussed with hyatt, it would be even better to know that the 
script object had been finalized, and not bother clearing a bound event handler 
from some old, otherwise useless script object.

/be
Fixed without a patch attached here for review?  Hmph!

/be
The problem that waterson pointed out was that the object could already be 
rooted.  Calling AddRoot would then re-add the root to the table, and calling 
RemoveRoot would then incorrectly remove the root all together.  In the case 
where nothing was being torn down/going away (which is most of the time), you'd 
end up unrooting objects when you didn't intend to.

Leaving the bound event handler on the object seems minor to me, since in the 
"onclick" case for attributes you do that anyway.  This makes XBL no worse than 
an attribute event handler situation.
You guys are forgetting that roots are identified by their addresses, and there 
can be no other root for &scriptObject where scriptObject is your void* local. 
So the scenario waterson fears cannot happen.

What fix did you go with (and where was the patch attached and reviewed)?

/be
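jband's diagnosis above (a scriptObject cached in a local across the nested eventListener->HandleEvent() call and then used after the object is gone) and brendan's point that roots are keyed by the address of the rooted slot, modelled together in a small C program. This is an added example and not Mozilla or SpiderMonkey code: the object pool, the collector, the root table and every name in it (ScriptObj, Owner, get_script_object, nested_handle_event, unbind_handler, demo_unrooted, demo_rooted, live_objects) are hypothetical stand-ins for nsIScriptObjectOwner::GetScriptObject, the nested HandleEvent call, BindCompiledEventHandler(..., nsnull) and JS_AddNamedRoot/JS_RemoveRoot.

```c
/* Added example, not Mozilla code: a toy model of the stale cached script
 * object discussed in this bug. Pool, root table and all names are hypothetical. */
#include <stdio.h>
#include <string.h>
enum { POOL_SIZE = 4, MAX_ROOTS = 8 };

typedef struct ScriptObj {
    int alive;             /* cleared when the collector "finalizes" it */
    int marked;
    unsigned char ops[4];  /* stand-in for obj->map->ops, poisoned on free */
} ScriptObj;

typedef struct Owner { ScriptObj *script_obj; } Owner;  /* cf. nsIScriptObjectOwner */

static ScriptObj pool[POOL_SIZE];
static ScriptObj **roots[MAX_ROOTS];   /* a root is the ADDRESS of a slot */
static int nroots;

static ScriptObj *alloc_obj(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].alive) { memset(&pool[i], 0, sizeof pool[i]); pool[i].alive = 1; return &pool[i]; }
    return NULL;
}

/* JS_AddNamedRoot-like: register the address of a pointer slot. */
static void add_root(ScriptObj **slot) { if (nroots < MAX_ROOTS) roots[nroots++] = slot; }

/* JS_RemoveRoot-like: drop only the entry for this address; another slot
 * holding the same object keeps its own root entry. */
static void remove_root(ScriptObj **slot) {
    for (int i = 0; i < nroots; i++)
        if (roots[i] == slot) { roots[i] = roots[--nroots]; return; }
}

/* Mark from every root, sweep the rest; freed objects get 0x10 written over
 * ops to mimic the smashed map->ops seen in the gdb session above. */
static void collect(void) {
    for (int i = 0; i < POOL_SIZE; i++) pool[i].marked = 0;
    for (int i = 0; i < nroots; i++)
        if (*roots[i]) (*roots[i])->marked = 1;
    for (int i = 0; i < POOL_SIZE; i++)
        if (pool[i].alive && !pool[i].marked) {
            pool[i].alive = 0;
            memset(pool[i].ops, 0x10, sizeof pool[i].ops);
        }
}

int live_objects(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].alive;
    return n;
}

/* GetScriptObject: lazily create, rooted only through the owner's own slot. */
static ScriptObj *get_script_object(Owner *o) {
    if (!o->script_obj) { o->script_obj = alloc_obj(); add_root(&o->script_obj); }
    return o->script_obj;
}

/* The nested eventListener->HandleEvent(): the handler closes the window,
 * the owner lets go of its script object, and a GC happens to run. */
static void nested_handle_event(Owner *o) {
    remove_root(&o->script_obj);
    o->script_obj = NULL;
    collect();
}

enum { UNBIND_OK = 0, UNBIND_STALE = -1 };
/* BindCompiledEventHandler(target, name, nsnull) on a possibly dead target. */
static int unbind_handler(ScriptObj *t) {
    return (t->alive && t->ops[0] != 0x10) ? UNBIND_OK : UNBIND_STALE;
}

/* Shape of the crashing ExecuteHandler: cache, nest, unbind via the cache. */
int demo_unrooted(void) {
    Owner o = { NULL };
    ScriptObj *script_object = get_script_object(&o);
    nested_handle_event(&o);
    return unbind_handler(script_object);      /* UNBIND_STALE */
}

/* Same flow with the local rooted by its own address across the call. */
int demo_rooted(void) {
    Owner o = { NULL };
    ScriptObj *script_object = get_script_object(&o);
    add_root(&script_object);
    nested_handle_event(&o);
    int rv = unbind_handler(script_object);    /* UNBIND_OK */
    remove_root(&script_object);
    collect();                                 /* now it may be finalized */
    return rv;
}

int main(void) {
    printf("unrooted: %d (live %d)\n", demo_unrooted(), live_objects());
    printf("rooted:   %d (live %d)\n", demo_rooted(), live_objects());
    return 0;
}
```

demo_unrooted follows the original ExecuteHandler shape and comes back with UNBIND_STALE because the only root for the object lived in the owner's slot, which the nested call cleared before the unbind ran. demo_rooted registers &script_object, a different address from &o.script_obj, so removing that one entry afterwards leaves every other root untouched; in this toy the double-root scenario discussed above cannot arise because entries are keyed by slot address, not by object. The fix that actually landed for this bug, per dr's comment, was to drop the unbind call rather than to root the local.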
vrfy fixed using 2000.09.29.xx-n6 [opt comm branch bits] on mac, linux and
winnt.
Keywords: rtmvtrunk
Verified Fixed with win32 mozilla trunk build 100204, linux mozilla trunk build
100208 and mac mozilla trunk build 100208.  Keybindings which close windows do
not cause crashes.  Setting bug status to Verified and removing the vtrunk keyword.
Status: RESOLVED → VERIFIED
Keywords: vtrunk
Component: Keyboard: Navigation → User events and focus handling