Closed Bug 616288 Opened 14 years ago Closed 13 years ago

crash [@ nsAutoCompleteController::StartSearch ] when typing things too rapidly inside the location bar

Categories

(Toolkit :: Autocomplete, defect)

Product:
Toolkit
Component:
Autocomplete
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b11
Tracking Flags:
Tracking Status
blocking2.0 --- -
status1.9.2 --- .17-fixed
status1.9.1 --- .19-fixed

People

(Reporter: scoobidiver, Assigned: ehsan.akhgari)

References

Details

(Keywords: crash, Whiteboard: [sg:dos][STR in comment 23])

Crash Data

Attachments

(1 file, 1 obsolete file)

For check-in
2.26 KB, patch
Gavin
: approval2.0+
dveditz
: approval1.9.2.17+
dveditz
: approval1.9.1.19+
Details | Diff | Splinter Review 
It is a residual crash signature that exists in 3.6 and the trunk builds.
It is #35 top crasher on Linux in 4.0b8pre for the last week.

Comments say:
"Logging into my email at mail.live.com"
"Encountered the problem when I was going to comcast.net to check my email. Had many tabs open. Not sure of the interaction, however!"
"tried to access gmail.com and the browser blew up on me."
"entered a https url, pressed enter and firefox crashed."
"again. the https url lets firefox crash."

Signature	nsAutoCompleteController::StartSearch
UUID	045823ff-776a-40bb-a222-78ee12101202
Time 	2010-12-02 07:28:02.985205
Uptime	2214
Last Crash	2240 seconds (37.3 minutes) before submission
Install Age	3052 seconds (50.9 minutes) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101202030316
Branch	2.0
OS	Linux
OS Version	0.0.0 Linux 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 UTC 2010 i686
CPU	x86
CPU Info	GenuineIntel family 15 model 3 stepping 4
Crash Reason	SIGSEGV
Crash Address	0x4

Frame 	Module 	Signature [Expand] 	Source
0 	libxul.so 	nsAutoCompleteController::StartSearch 	nsCOMPtr.h:577
1 	libxul.so 	nsAutoCompleteController::Notify 	nsAutoCompleteController.cpp:722
2 	libxul.so 	nsTimerImpl::Fire 	nsTimerImpl.cpp:428
3 	libxul.so 	nsTimerEvent::Run 	nsTimerImpl.cpp:517
4 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:626
5 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
6 	libxul.so 	mozilla::ipc::MessagePump::Run 	MessagePump.cpp:110
7 	libxul.so 	MessageLoop::RunInternal 	message_loop.cc:219
8 	libxul.so 	MessageLoop::Run 	message_loop.cc:202
9 	libxul.so 	nsBaseAppShell::Run 	nsBaseAppShell.cpp:192
10 	libxul.so 	nsAppStartup::Run 	nsAppStartup.cpp:191
11 		@0x1ebb32f 	
12 	libxul.so 	XRE_main 	nsAppRunner.cpp:3691
13 	firefox-bin 	main 	nsBrowserApp.cpp:158
14 	libc-2.12.1.so 	libc-2.12.1.so@0x16ce6 	
15 	firefox-bin 	firefox-bin@0x1390 	
16 	firefox-bin 	Output 	nsBrowserApp.cpp:77
17 		@0x0 	

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsAutoCompleteController%3A%3AStartSearch
It sounds like bug 620226 is the same bug for Windows.
OS: Linux → All
Hardware: x86 → All
(In reply to comment #0)
> It is a residual crash signature that exists in 3.6 and the trunk builds.
> It is #35 top crasher on Linux in 4.0b8pre for the last week.

I have some troubles to use the crash stats tool and I wasn't able to find the 3.6 signature. Can you point to it?
Windows crashes:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsRefPtr%3CnsDOMStringList%3E%3A%3AnsRefPtr%3CnsDOMStringList%3E%28nsDOMStringList*%29%20|%20nsAutoCompleteController%3A%3AStartSearch%28%29

I double-checked it, this is new: there is no similar stack in 3.6.* (contrary to what is said in comment 1).

Actually, I think it might be a regression caused by Places given that the first occurrences of this crash are in December (mid-December (16) and two crashes earlier which could come from the Places branch).
Does that sound possible, Shawn?
Marco, could that be a Places regression? (sound to be a good candidate to me)
I find it rather unlikely that the Places branch merge causes this.  We didn't touch this code at all, nor did we change how we call it in any way.
(In reply to comment #6)
> I find it rather unlikely that the Places branch merge causes this.  We didn't
> touch this code at all, nor did we change how we call it in any way.

But Places changed how we access to the history, right? It looks like this crash happens when the user type in the awesome bar.
(In reply to comment #7)
> But Places changed how we access to the history, right? It looks like this
> crash happens when the user type in the awesome bar.
We only changed how we query the database, not how we interact with the AutoComplete API
> there is no similar stack in 3.6.* (contrary to what is said in comment 1).
It happens rarely in 3.6.13 (not the ratio between trunk and 3.6.13 users). See: bp-58e972bc-692f-4a79-8f5e-4e5df2101231

> the first occurrences of this crash are in December (mid-December (16) and two
> crashes earlier which could come from the Places branch).
If we consider mid-december as the first occurrence, the regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f11f7ed625ba&tochange=a5413c3c1013
Keywords: regression
(In reply to comment #9)
If it's happening in 3.6, it doesn't seem like it's a regression in trunk (apart from it happening more often)
I got this when I opened a new tab and immediately typed into the location bar and pressed enter.  I think the crash happened before anything appeared in the location bar.

bp-5ddd2b61-1041-4e4e-9ccb-795882110109
I caught this under gdb:

(gdb) info args
this = (nsAutoCompleteController *) 0x128379640
(gdb) info locals
search = {
  mRawPtr = 0x15742b510
}
result = (Cannot access memory at address 0x0

(gdb) p *this
$16 = (nsAutoCompleteController) {
  <nsIAutoCompleteController> = {
    <nsISupports> = {
      _vptr$nsISupports = 0x116ca02d0
    }, <No data fields>},
  <nsIAutoCompleteObserver> = {
    <nsISupports> = {   
      _vptr$nsISupports = 0x116ca04c8
    }, <No data fields>},
  <nsITimerCallback> = {
    <nsISupports> = {
      _vptr$nsISupports = 0x116ca0500
    }, <No data fields>},
  <nsITreeView> = {
    <nsISupports> = {
      _vptr$nsISupports = 0x116ca0530
    }, <No data fields>},
  members of nsAutoCompleteController:
  mRefCnt = {
    mTagged = 0x145e305a8 
  },
  _mOwningThread = {
    mThread = 0x100c13750
  },
  static _cycleCollectorGlobal = {
    <nsXPCOMCycleCollectionParticipant> = {
      <nsScriptObjectTracer> = {
        <nsCycleCollectionParticipant> = {
          _vptr$nsCycleCollectionParticipant = 0x116ca0670
        }, <No data fields>}, <No data fields>}, <No data fields>},
  mInput = {
    mRawPtr = 0x0
  },
  mSearches = {
    <nsCOMArray_base> = {    <nsCOMArray_base> = {
      mArray = { 
        mImpl = 0x141c247a0
      }
    }, <No data fields>},
  mResults = {
    <nsCOMArray_base> = {
      mArray = {
        mImpl = 0x141d59e00
      }
    }, <No data fields>},
  mMatchCounts = {
    <nsTArray_base<nsTArrayDefaultAllocator>> = {
      mHdr = 0x1009b78a8
    }, <No data fields>},
  mTimer = {
    mRawPtr = 0x0
  },
  mSelection = {
    mRawPtr = 0x15a4d2b60
  },
  mTree = {
    mRawPtr = 0x0
  },
  mSearchString = {
    <nsAString_internal> = {
      mData = 0x15773bd48,
      mLength = 12,
      mFlags = 5
    }, <No data fields>},
  mDefaultIndexCompleted = 0 '\0',
  mBackspaced = 0 '\0',
  mPopupClosedByCompositionStart = 0 '\0', 
  mIsIMEComposing = 0 '\0',
  mIgnoreHandleText = 0 '\0',
  mIsOpen = 0,
  mSearchStatus = 3,
  mRowCount = 0,
  mSearchesOngoing = 0,
  mFirstSearchResult = 1
}
Seems like the underlying nsVoidArray for mSearches is empty:

(gdb) p *mSearches.mArray.mImpl
$20 = {
  mBits = 2147483650,
  mCount = 0,
  mArray = {0x141c1d190}
}

Which justifies this assertion right before the crash:

###!!! ASSERTION: nsVoidArray::FastElementAt: index out of range: '0 <= aIndex && aIndex < Count()', file ../../dist/include/nsVoidArray.h, line 74
One curious fact is this:

(gdb) p input
$21 = {
  mRawPtr = 0x1585b1b10
}
(gdb) p mInput
$22 = {
  mRawPtr = 0x0
}

As far as I can see, the only place where mInput is modified is in nsAutoCompleteController::SetInput, which explains why the mSearches array would be empty too.  Verifying all of the |this| members seems to confirm this theory.
Assignee: nobody → ehsan
The theory being SetInput(null) getting called, that is.
To verify my theory, I ran Firefox under gdb with special debugging hooks which log SetInput(nsnull) calls inside StartSearch, and here's the stack showing this happen in practice:

Breakpoint 1, nsAutoCompleteController::SetInput (this=0x127a4c000, aInput=0x0) at /Users/ehsanakhgari/moz/mozilla-central/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:123
#0  nsAutoCompleteController::SetInput (this=0x127a4c000, aInput=0x0) at /Users/ehsanakhgari/moz/mozilla-central/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:123
#1  0x0000000100928695 in NS_InvokeByIndex_P (that=0x127a4c000, methodIndex=4, paramCount=1, params=0x7fff5fbd73c0) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#1  0x0000000100928695 in NS_InvokeByIndex_P (that=0x127a4c000, methodIndex=4, paramCount=1, params=0x7fff5fbd73c0) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#2  0x0000000114806ff5 in CallMethodHelper::Invoke (this=0x7fff5fbd7380) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:3072
#3  0x00000001148098cb in CallMethodHelper::Call (this=0x7fff5fbd7380) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2334
#4  0x0000000114802f1e in XPCWrappedNative::CallMethod (ccx=@0x7fff5fbd7620, mode=XPCWrappedNative::CALL_SETTER) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2298
#5  0x000000011481401f in XPCWrappedNative::SetAttribute (ccx=@0x7fff5fbd7620) at xpcprivate.h:2646
#6  0x000000011480efed in XPC_WN_GetterSetter (cx=0x1216e90e0, argc=1, vp=0x117949c70) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1635
#7  0x00000001001bb445 in js::CallJSNative (cx=0x1216e90e0, native=0x11480ecfd <XPC_WN_GetterSetter(JSContext*, unsigned int, jsval_layout*)>, argc=1, vp=0x117949c70) at jscntxtinlines.h:692
#8  0x00000001001bfc92 in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbd78b0, flags=0) at jsinterp.cpp:700
#9  0x00000001001c06dd in js::ExternalInvoke (cx=0x1216e90e0, thisv=@0x7fff5fbd7940, fval=@0x7fff5fbd79f0, argc=1, argv=0x7fff5fbd86c0, rval=0x7fff5fbd86c0) at jsinterp.cpp:858
#10 0x00000001001c077d in js::ExternalInvoke (cx=0x1216e90e0, obj=0x11e6069a0, fval=@0x7fff5fbd79f0, argc=1, argv=0x7fff5fbd86c0, rval=0x7fff5fbd86c0) at jsinterp.h:961
#11 0x00000001001c07f0 in js::ExternalGetOrSet (cx=0x1216e90e0, obj=0x11e6069a0, id={asBits = 4695527616}, fval=@0x7fff5fbd79f0, mode=JSACC_WRITE, argc=1, argv=0x7fff5fbd86c0, rval=0x7fff5fbd86c0) at jsinterp.cpp:898
#12 0x00000001001ea338 in js::Shape::set (this=0x13b668c20, cx=0x1216e90e0, obj=0x11e6069a0, vp=0x7fff5fbd86c0) at jsscopeinlines.h:266
#13 0x00000001001d8063 in js_NativeSet (cx=0x1216e90e0, obj=0x11e6069a0, shape=0x13b668c20, added=false, vp=0x7fff5fbd86c0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsobj.cpp:5199
#14 0x00000001001de36a in js_SetPropertyHelper (cx=0x1216e90e0, obj=0x11e6069a0, id={asBits = 4695527616}, defineHow=1, vp=0x7fff5fbd86c0, strict=0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsobj.cpp:5674
#15 0x00000001001a8d32 in js::Interpret () at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsinterp.cpp:4477
#16 0x00000001001bf084 in js::RunScript (cx=0x1216e90e0, script=0x13ed13f00, fp=0x117949ba0) at jsinterp.cpp:657
#17 0x00000001001bfe9e in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbd8f80, flags=0) at jsinterp.cpp:737
#18 0x00000001001c06dd in js::ExternalInvoke (cx=0x1216e90e0, thisv=@0x7fff5fbd9010, fval=@0x7fff5fbd9048, argc=1, argv=0x137c4ba20, rval=0x7fff5fbd91d0) at jsinterp.cpp:858
#19 0x00000001000eb71b in js::ExternalInvoke (cx=0x1216e90e0, obj=0x121edb9a0, fval=@0x7fff5fbd9048, argc=1, argv=0x137c4ba20, rval=0x7fff5fbd91d0) at jsinterp.h:961
#20 0x00000001000eb856 in JS_CallFunctionValue (cx=0x1216e90e0, obj=0x121edb9a0, fval={asBits = 18445477441429963280, debugView = {payload47 = 5115609616, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 820642320, u32 = 820642320, why =
 820642320, word = 18445477441429963280}}, asDouble = -nan(0xb800130ea0210), asPtr = 0xfffb800130ea0210}, argc=1, argv=0x137c4ba20, rval=0x7fff5fbd91d0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsapi.cpp:5019
#21 0x000000011424b3f3 in nsJSContext::CallEventHandler (this=0x1216e9080, aTarget=0x12d0c8560, aScope=0x12bab1750, aHandler=0x130ea0210, aargv=0x141dee040, arv=0x7fff5fbd9440) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsJSEn
vironment.cpp:2005
#22 0x00000001142db531 in nsJSEventListener::HandleEvent (this=0x11a86a8d0, aEvent=0x141d85120) at /Users/ehsanakhgari/moz/mozilla-central/dom/src/events/nsJSEventListener.cpp:228
#23 0x00000001141f827d in nsXBLPrototypeHandler::ExecuteHandler (this=0x11962cc60, aTarget=0x12d0c8560, aEvent=0x141d85120) at /Users/ehsanakhgari/moz/mozilla-central/content/xbl/src/nsXBLPrototypeHandler.cpp:332
#24 0x00000001141f20fa in nsXBLEventHandler::HandleEvent (this=0x121608300, aEvent=0x141d85120) at /Users/ehsanakhgari/moz/mozilla-central/content/xbl/src/nsXBLEventHandler.cpp:88
#25 0x0000000114028998 in nsEventListenerManager::HandleEventSubType (this=0x12d0c85e0, aListenerStruct=0x10120b660, aListener=0x121608300, aDOMEvent=0x141d85120, aCurrentTarget=0x12d0c8560, aPhaseFlags=4, aPusher=0x7fff5fbd9cd0) at /U
sers/ehsanakhgari/moz/mozilla-central/content/events/src/nsEventListenerManager.cpp:1114
#26 0x0000000114028e13 in nsEventListenerManager::HandleEventInternal (this=0x12d0c85e0, aPresContext=0x1222b1000, aEvent=0x7fff5fbd9db0, aDOMEvent=0x7fff5fbd9cb0, aCurrentTarget=0x12d0c8560, aFlags=4, aEventStatus=0x7fff5fbd9cb8, aPus
her=0x7fff5fbd9cd0) at /Users/ehsanakhgari/moz/mozilla-central/content/events/src/nsEventListenerManager.cpp:1209
#27 0x00000001140592cf in nsEventListenerManager::HandleEvent (this=0x12d0c85e0, aPresContext=0x1222b1000, aEvent=0x7fff5fbd9db0, aDOMEvent=0x7fff5fbd9cb0, aCurrentTarget=0x12d0c8560, aFlags=4, aEventStatus=0x7fff5fbd9cb8, aPusher=0x7fff5fbd9cd0) at nsEventListenerManager.h:146
#28 0x000000011405947a in nsEventTargetChainItem::HandleEvent (this=0x11a75e770, aVisitor=@0x7fff5fbd9ca0, aFlags=4, aMayHaveNewListenerManagers=0, aPusher=0x7fff5fbd9cd0) at /Users/ehsanakhgari/moz/mozilla-central/content/events/src/n
sEventDispatcher.cpp:212
#29 0x0000000114057778 in nsEventTargetChainItem::HandleEventTargetChain (this=0x11a75e3f0, aVisitor=@0x7fff5fbd9ca0, aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=0, aPusher=0x7fff5fbd9cd0) at /Users/ehsanakhgari/moz/mozilla-ce
ntral/content/events/src/nsEventDispatcher.cpp:311
#30 0x0000000114058522 in nsEventDispatcher::Dispatch (aTarget=0x12d017d20, aPresContext=0x1222b1000, aEvent=0x7fff5fbd9db0, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0, aTargets=0x0) at /Users/ehsanakhgari/moz/mozilla-central/conte
nt/events/src/nsEventDispatcher.cpp:628
#31 0x0000000114261c4c in FocusBlurEvent::Run (this=0x1215b85c0) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsFocusManager.cpp:1795
#32 0x0000000113ec9b3d in nsContentUtils::AddScriptRunner (aRunnable=0x1215b85c0) at /Users/ehsanakhgari/moz/mozilla-central/content/base/src/nsContentUtils.cpp:4747   
#33 0x0000000114258d75 in nsFocusManager::SendFocusOrBlurEvent (this=0x100c55e20, aType=1301, aPresShell=0x12eace180, aDocument=0x12e721000, aTarget=0x12d017d20, aFocusMethod=1, aWindowRaised=0, aIsRefocus=0) at /Users/ehsanakhgari/moz
/mozilla-central/dom/base/nsFocusManager.cpp:1844
#34 0x0000000114259cbb in nsFocusManager::Blur (this=0x100c55e20, aWindowToClear=0x1216e8d40, aAncestorWindowToFocus=0x1216e8d40, aIsLeavingDocument=1, aAdjustWidgets=1) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsFocusManage
r.cpp:1524
#35 0x000000011425f406 in nsFocusManager::SetFocusInner (this=0x100c55e20, aNewContent=0x143d3d450, aFlags=0, aFocusChanged=0, aAdjustWidget=1) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsFocusManager.cpp:1188
#36 0x000000011425fcce in nsFocusManager::SetFocus (this=0x100c55e20, aElement=0x143d3d4b8, aFlags=0) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsFocusManager.cpp:445
#37 0x000000011454611f in nsXULElement::Focus (this=0x143d3d450) at /Users/ehsanakhgari/moz/mozilla-central/content/xul/content/src/nsXULElement.cpp:2074
#38 0x000000011482bbbe in nsIDOMXULElement_Focus (cx=0x1216e90e0, argc=0, vp=0x117949b78) at dom_quickstubs.cpp:25330
#39 0x00000001001bb445 in js::CallJSNative (cx=0x1216e90e0, native=0x11482bb15 <nsIDOMXULElement_Focus(JSContext*, unsigned int, jsval_layout*)>, argc=0, vp=0x117949b78) at jscntxtinlines.h:692
#40 0x00000001001aaa57 in js::Interpret () at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsinterp.cpp:4780
#41 0x00000001001bf084 in js::RunScript (cx=0x1216e90e0, script=0x13cfb3a80, fp=0x117949a98) at jsinterp.cpp:657
#42 0x00000001001bfe9e in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbdb700, flags=0) at jsinterp.cpp:737
#43 0x000000010016eb1c in js_fun_apply (cx=0x1216e90e0, argc=2, vp=0x117949a58) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsfun.cpp:2182
#44 0x00000001001bb445 in js::CallJSNative (cx=0x1216e90e0, native=0x10016e7fa <js_fun_apply(JSContext*, unsigned int, js::Value*)>, argc=2, vp=0x117949a58) at jscntxtinlines.h:692
#45 0x00000001001aaa57 in js::Interpret () at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsinterp.cpp:4780
#46 0x00000001001bf084 in js::RunScript (cx=0x1216e90e0, script=0x1216512c0, fp=0x117949950) at jsinterp.cpp:657
#47 0x00000001001bfe9e in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbdcb80, flags=0) at jsinterp.cpp:737
#48 0x00000001001c06dd in js::ExternalInvoke (cx=0x1216e90e0, thisv=@0x7fff5fbdcc10, fval=@0x7fff5fbdcc48, argc=0, argv=0x7fff5fbdd2c8, rval=0x7fff5fbdcec0) at jsinterp.cpp:858
#49 0x00000001000eb71b in js::ExternalInvoke (cx=0x1216e90e0, obj=0x121edb9a0, fval=@0x7fff5fbdcc48, argc=0, argv=0x7fff5fbdd2c8, rval=0x7fff5fbdcec0) at jsinterp.h:961
#50 0x00000001000eb856 in JS_CallFunctionValue (cx=0x1216e90e0, obj=0x121edb9a0, fval={asBits = 18445477441178260600, debugView = {payload47 = 4863906936, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 568939640, u32 = 568939640, why =
 568939640, word = 18445477441178260600}}, asDouble = -nan(0xb800121e95478), asPtr = 0xfffb800121e95478}, argc=0, argv=0x7fff5fbdd2c8, rval=0x7fff5fbdcec0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsapi.cpp:5019
#51 0x00000001147f61ad in nsXPCWrappedJSClass::CallMethod (this=0x141d77650, wrapper=0x141d77750, methodIndex=36, info=0x1021b3e30, nativeParams=0x7fff5fbdd420) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrapped
jsclass.cpp:1700
#52 0x00000001147ed128 in nsXPCWrappedJS::CallMethod (this=0x141d77750, methodIndex=36, info=0x1021b3e30, params=0x7fff5fbdd420) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappedjs.cpp:588
#53 0x0000000100929cce in PrepareAndDispatch (self=0x141d777d0, methodIndex=36, args=0x7fff5fbdd5a0, gpregs=0x7fff5fbdd520, fpregs=0x7fff5fbdd550) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x
86_64_darwin.cpp:153
#54 0x0000000100928743 in SharedStub () at xpt_struct.h:332
#55 0x0000000116d17539 in nsAutoCompleteController::EnterMatch (this=0x127a4c000, aIsPopupSelection=1) at /Users/ehsanakhgari/moz/mozilla-central/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:1187
#56 0x0000000116d176a6 in nsAutoCompleteController::HandleEnter (this=0x127a4c000, aIsPopupSelection=1, _retval=0x7fff5fbddae8) at /Users/ehsanakhgari/moz/mozilla-central/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp
:288
#57 0x0000000100928695 in NS_InvokeByIndex_P (that=0x127a4c000, methodIndex=10, paramCount=2, params=0x7fff5fbddad0) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#58 0x0000000114806ff5 in CallMethodHelper::Invoke (this=0x7fff5fbdda90) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:3072
#59 0x00000001148098cb in CallMethodHelper::Call (this=0x7fff5fbdda90) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2334
#60 0x0000000114802f1e in XPCWrappedNative::CallMethod (ccx=@0x7fff5fbddd10, mode=XPCWrappedNative::CALL_METHOD) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2298
#61 0x000000011480f32a in XPC_WN_CallMethod (cx=0x1216e90e0, argc=1, vp=0x117949928) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1593
#62 0x00000001001bb445 in js::CallJSNative (cx=0x1216e90e0, native=0x11480f084 <XPC_WN_CallMethod(JSContext*, unsigned int, jsval_layout*)>, argc=1, vp=0x117949928) at jscntxtinlines.h:692
#63 0x00000001001bfc92 in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbddfa0, flags=0) at jsinterp.cpp:700
#64 0x00000001001c06dd in js::ExternalInvoke (cx=0x1216e90e0, thisv=@0x117949888, fval=@0x12962bc10, argc=1, argv=0x117949890, rval=0x7fff5fbde048) at jsinterp.cpp:858
#65 0x0000000100229d35 in js::JSProxyHandler::call (this=0x100551910, cx=0x1216e90e0, proxy=0x12962bbb0, argc=1, vp=0x117949880) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsproxy.cpp:248
#66 0x000000010028c4ec in JSWrapper::call (this=0x100551910, cx=0x1216e90e0, wrapper=0x12962bbb0, argc=1, vp=0x117949880) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jswrapper.cpp:235
#67 0x000000010028c685 in JSCrossCompartmentWrapper::call (this=0x100551910, cx=0x1216e90e0, wrapper=0x12962bbb0, argc=1, vp=0x117949880) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jswrapper.cpp:601
#68 0x000000010022b063 in js::JSProxy::call (cx=0x1216e90e0, proxy=0x12962bbb0, argc=1, vp=0x117949880) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsproxy.cpp:810
#69 0x000000010022b0d3 in js::proxy_Call (cx=0x1216e90e0, argc=1, vp=0x117949880) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsproxy.cpp:1062
#70 0x00000001001bb445 in js::CallJSNative (cx=0x1216e90e0, native=0x10022b077 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x117949880) at jscntxtinlines.h:692
#71 0x00000001001bfc08 in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbde6b0, flags=0) at jsinterp.cpp:693   
#72 0x00000001001aabab in js::Interpret () at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsinterp.cpp:4791  
#73 0x00000001001bf084 in js::RunScript (cx=0x1216e90e0, script=0x119689a90, fp=0x117949820) at jsinterp.cpp:657
#74 0x00000001001bfe9e in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbdf740, flags=0) at jsinterp.cpp:737
#75 0x00000001001c06dd in js::ExternalInvoke (cx=0x1216e90e0, thisv=@0x117949768, fval=@0x13b8c9748, argc=1, argv=0x117949770, rval=0x7fff5fbdf7e8) at jsinterp.cpp:858 
#76 0x0000000100229d35 in js::JSProxyHandler::call (this=0x100551910, cx=0x1216e90e0, proxy=0x13b8c96e8, argc=1, vp=0x117949760) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsproxy.cpp:248
#77 0x000000010028c4ec in JSWrapper::call (this=0x100551910, cx=0x1216e90e0, wrapper=0x13b8c96e8, argc=1, vp=0x117949760) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jswrapper.cpp:235
#78 0x000000010028c685 in JSCrossCompartmentWrapper::call (this=0x100551910, cx=0x1216e90e0, wrapper=0x13b8c96e8, argc=1, vp=0x117949760) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jswrapper.cpp:601
#79 0x000000010022b063 in js::JSProxy::call (cx=0x1216e90e0, proxy=0x13b8c96e8, argc=1, vp=0x117949760) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsproxy.cpp:810
#80 0x000000010022b0d3 in js::proxy_Call (cx=0x1216e90e0, argc=1, vp=0x117949760) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsproxy.cpp:1062
#81 0x00000001001bb445 in js::CallJSNative (cx=0x1216e90e0, native=0x10022b077 <js::proxy_Call(JSContext*, unsigned int, js::Value*)>, argc=1, vp=0x117949760) at jscntxtinlines.h:692
#82 0x00000001001bfc08 in js::Invoke (cx=0x1216e90e0, argsRef=@0x7fff5fbdfb90, flags=0) at jsinterp.cpp:693
#83 0x00000001001c06dd in js::ExternalInvoke (cx=0x1216e90e0, thisv=@0x7fff5fbdfc20, fval=@0x7fff5fbdfc58, argc=1, argv=0x7fff5fbe02d8, rval=0x7fff5fbdfed0) at jsinterp.cpp:858
#84 0x00000001000eb71b in js::ExternalInvoke (cx=0x1216e90e0, obj=0x121edb9a0, fval=@0x7fff5fbdfc58, argc=1, argv=0x7fff5fbe02d8, rval=0x7fff5fbdfed0) at jsinterp.h:961
#85 0x00000001000eb856 in JS_CallFunctionValue (cx=0x1216e90e0, obj=0x121edb9a0, fval={asBits = 18445477441608390376, debugView = {payload47 = 5294036712, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 999069416, u32 = 999069416, why =
 999069416, word = 18445477441608390376}}, asDouble = -nan(0xb80013b8c96e8), asPtr = 0xfffb80013b8c96e8}, argc=1, argv=0x7fff5fbe02d8, rval=0x7fff5fbdfed0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsapi.cpp:5019
#86 0x00000001147f61ad in nsXPCWrappedJSClass::CallMethod (this=0x12466b130, wrapper=0x13b904d20, methodIndex=3, info=0x102112518, nativeParams=0x7fff5fbe0430) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappedj
sclass.cpp:1700
#87 0x00000001147ed128 in nsXPCWrappedJS::CallMethod (this=0x13b904d20, methodIndex=3, info=0x102112518, params=0x7fff5fbe0430) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappedjs.cpp:588
#88 0x0000000100929cce in PrepareAndDispatch (self=0x13b904da0, methodIndex=3, args=0x7fff5fbe05b0, gpregs=0x7fff5fbe0530, fpregs=0x7fff5fbe0560) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x8
6_64_darwin.cpp:153
#89 0x0000000100928743 in SharedStub () at xpt_struct.h:332
#90 0x0000000114028998 in nsEventListenerManager::HandleEventSubType (this=0x12d0c85e0, aListenerStruct=0x10120b750, aListener=0x13b904da0, aDOMEvent=0x13ea6c220, aCurrentTarget=0x12d0c8560, aPhaseFlags=4, aPusher=0x7fff5fbe0b30) at /U
sers/ehsanakhgari/moz/mozilla-central/content/events/src/nsEventListenerManager.cpp:1114
#91 0x0000000114028e13 in nsEventListenerManager::HandleEventInternal (this=0x12d0c85e0, aPresContext=0x1222b1000, aEvent=0x7fff5fbe1400, aDOMEvent=0x7fff5fbe0b10, aCurrentTarget=0x12d0c8560, aFlags=4, aEventStatus=0x7fff5fbe0b18, aPus
her=0x7fff5fbe0b30) at /Users/ehsanakhgari/moz/mozilla-central/content/events/src/nsEventListenerManager.cpp:1209
#92 0x00000001140592cf in nsEventListenerManager::HandleEvent (this=0x12d0c85e0, aPresContext=0x1222b1000, aEvent=0x7fff5fbe1400, aDOMEvent=0x7fff5fbe0b10, aCurrentTarget=0x12d0c8560, aFlags=4, aEventStatus=0x7fff5fbe0b18, aPusher=0x7f
ff5fbe0b30) at nsEventListenerManager.h:146
#93 0x000000011405947a in nsEventTargetChainItem::HandleEvent (this=0x11a75eaf0, aVisitor=@0x7fff5fbe0b00, aFlags=4, aMayHaveNewListenerManagers=0, aPusher=0x7fff5fbe0b30) at /Users/ehsanakhgari/moz/mozilla-central/content/events/src/n
sEventDispatcher.cpp:212
#94 0x0000000114057778 in nsEventTargetChainItem::HandleEventTargetChain (this=0x11a75ee38, aVisitor=@0x7fff5fbe0b00, aFlags=6, aCallback=0x7fff5fbe0c40, aMayHaveNewListenerManagers=0, aPusher=0x7fff5fbe0b30) at /Users/ehsanakhgari/moz
/mozilla-central/content/events/src/nsEventDispatcher.cpp:311
#95 0x0000000114058522 in nsEventDispatcher::Dispatch (aTarget=0x12d017d20, aPresContext=0x1222b1000, aEvent=0x7fff5fbe1400, aDOMEvent=0x0, aEventStatus=0x7fff5fbe0f1c, aCallback=0x7fff5fbe0c40, aTargets=0x0) at /Users/ehsanakhgari/moz
/mozilla-central/content/events/src/nsEventDispatcher.cpp:628
#96 0x0000000113c18ef7 in PresShell::HandleEventInternal (this=0x12eace180, aEvent=0x7fff5fbe1400, aView=0x12eac7010, aStatus=0x7fff5fbe0f1c) at /Users/ehsanakhgari/moz/mozilla-central/layout/base/nsPresShell.cpp:6988
#97 0x0000000113c29054 in PresShell::HandleEvent (this=0x12eace180, aView=0x12eac7010, aEvent=0x7fff5fbe1400, aDontRetargetEvents=0, aEventStatus=0x7fff5fbe0f1c) at /Users/ehsanakhgari/moz/mozilla-central/layout/base/nsPresShell.cpp:67
35
#98 0x0000000114233e55 in nsViewManager::HandleEvent (this=0x12eac6fa0, aView=0x12eac7010, aEvent=0x7fff5fbe1400) at /Users/ehsanakhgari/moz/mozilla-central/view/src/nsViewManager.cpp:1095
#99 0x0000000114237e69 in nsViewManager::DispatchEvent (this=0x12eac6fa0, aEvent=0x7fff5fbe1400, aView=0x12eac7010, aStatus=0x7fff5fbe112c) at /Users/ehsanakhgari/moz/mozilla-central/view/src/nsViewManager.cpp:1073
#100 0x00000001142314bc in HandleEvent (aEvent=0x7fff5fbe1400) at /Users/ehsanakhgari/moz/mozilla-central/view/src/nsView.cpp:161
#101 0x00000001139149cd in nsChildView::DispatchEvent (this=0x12eac7090, event=0x7fff5fbe1400, aStatus=@0x7fff5fbe124c) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsChildView.mm:1797
#102 0x0000000113910950 in nsChildView::DispatchWindowEvent (this=0x12eac7090, event=@0x7fff5fbe1400) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsChildView.mm:1807
#103 0x0000000113919a7c in -[ChildView processKeyDownEvent:] (self=0x12eac7200, _cmd=0x1018206b0, theEvent=0x13ea6acf0) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsChildView.mm:5232
#104 0x000000011391972a in -[ChildView keyDown:] (self=0x12eac7200, _cmd=0x7fff88ec7400, theEvent=0x13ea6acf0) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsChildView.mm:5501
#105 0x00007fff888c706f in -[NSWindow sendEvent:] ()
#106 0x000000011390450f in -[ToolbarWindow sendEvent:] (self=0x1216e6210, _cmd=0x7fff88ec1a10, anEvent=0x13ea6acf0) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsCocoaWindow.mm:2439
#107 0x00007fff887fba86 in -[NSApplication sendEvent:] ()
#108 0x00000001138ff272 in nsAppShell::ProcessNextNativeEvent (this=0x100c76210, aMayWait=0) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsAppShell.mm:653
#109 0x000000011395251e in nsBaseAppShell::DoProcessNextNativeEvent (this=0x100c76210, mayWait=0) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:176
#110 0x0000000113953161 in nsBaseAppShell::OnProcessNextEvent (this=0x100c76210, thr=0x1018111b0, mayWait=1, recursionDepth=3) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:318
#111 0x00000001138fece2 in nsAppShell::OnProcessNextEvent (this=0x100c76210, aThread=0x1018111b0, aMayWait=1, aRecursionDepth=3) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsAppShell.mm:839
#112 0x0000000100905a8c in nsThread::ProcessNextEvent (this=0x1018111b0, mayWait=1, result=0x7fff5fbe2128) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/threads/nsThread.cpp:597
#113 0x0000000100928695 in NS_InvokeByIndex_P (that=0x1018111b0, methodIndex=8, paramCount=2, params=0x7fff5fbe2110) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
#114 0x0000000114806ff5 in CallMethodHelper::Invoke (this=0x7fff5fbe20d0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:3072
#115 0x00000001148098cb in CallMethodHelper::Call (this=0x7fff5fbe20d0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2334
#116 0x0000000114802f1e in XPCWrappedNative::CallMethod (ccx=@0x7fff5fbe2350, mode=XPCWrappedNative::CALL_METHOD) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:2298
#117 0x000000011480f32a in XPC_WN_CallMethod (cx=0x10183f2a0, argc=1, vp=0x117949710) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1593
#118 0x00000001001bb445 in js::CallJSNative (cx=0x10183f2a0, native=0x11480f084 <XPC_WN_CallMethod(JSContext*, unsigned int, jsval_layout*)>, argc=1, vp=0x117949710) at jscntxtinlines.h:692
#119 0x00000001001aaa57 in js::Interpret () at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsinterp.cpp:4780
#120 0x00000001001bf084 in js::RunScript (cx=0x10183f2a0, script=0x1258dfa00, fp=0x1179493f8) at jsinterp.cpp:657
#121 0x00000001001bfe9e in js::Invoke (cx=0x10183f2a0, argsRef=@0x7fff5fbe3850, flags=0) at jsinterp.cpp:737
#122 0x00000001001c06dd in js::ExternalInvoke (cx=0x10183f2a0, thisv=@0x7fff5fbe38e0, fval=@0x7fff5fbe3918, argc=4, argv=0x7fff5fbe3f98, rval=0x7fff5fbe3b90) at jsinterp.cpp:858
#123 0x00000001000eb71b in js::ExternalInvoke (cx=0x10183f2a0, obj=0x126534410, fval=@0x7fff5fbe3918, argc=4, argv=0x7fff5fbe3f98, rval=0x7fff5fbe3b90) at jsinterp.h:961
#124 0x00000001000eb856 in JS_CallFunctionValue (cx=0x10183f2a0, obj=0x126534410, fval={asBits = 18445477441252316456, debugView = {payload47 = 4937962792, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 642995496, u32 = 642995496, why
= 642995496, word = 18445477441252316456}}, asDouble = -nan(0xb800126535528), asPtr = 0xfffb800126535528}, argc=4, argv=0x7fff5fbe3f98, rval=0x7fff5fbe3b90) at /Users/ehsanakhgari/moz/mozilla-central/js/src/jsapi.cpp:5019
#125 0x00000001147f61ad in nsXPCWrappedJSClass::CallMethod (this=0x1216cf720, wrapper=0x126942280, methodIndex=3, info=0x1021b3890, nativeParams=0x7fff5fbe40f0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrapped
jsclass.cpp:1700
#126 0x00000001147ed128 in nsXPCWrappedJS::CallMethod (this=0x126942280, methodIndex=3, info=0x1021b3890, params=0x7fff5fbe40f0) at /Users/ehsanakhgari/moz/mozilla-central/js/src/xpconnect/src/xpcwrappedjs.cpp:588
#127 0x0000000100929cce in PrepareAndDispatch (self=0x126942300, methodIndex=3, args=0x7fff5fbe4270, gpregs=0x7fff5fbe41f0, fpregs=0x7fff5fbe4220) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x
86_64_darwin.cpp:153
#128 0x0000000100928743 in SharedStub () at xpt_struct.h:332
#129 0x0000000116d17927 in nsAutoCompleteController::StartSearch () at /Users/ehsanakhgari/moz/mozilla-central/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:1043 
#130 0x0000000116d17a27 in nsAutoCompleteController::Notify (this=0x127a4c000, timer=0x143ca5860) at /Users/ehsanakhgari/moz/mozilla-central/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:722
#131 0x000000010090df8a in nsTimerImpl::Fire (this=0x143ca5860) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/threads/nsTimerImpl.cpp:428
#132 0x000000010090e1e0 in nsTimerEvent::Run (this=0x12ea78d60) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/threads/nsTimerImpl.cpp:517
#133 0x0000000100905c58 in nsThread::ProcessNextEvent (this=0x1018111b0, mayWait=0, result=0x7fff5fbe4614) at /Users/ehsanakhgari/moz/mozilla-central/xpcom/threads/nsThread.cpp:633
#134 0x000000010087cff5 in NS_ProcessPendingEvents_P (thread=0x1018111b0, timeout=20) at nsThreadUtils.cpp:200
#135 0x0000000113952a77 in nsBaseAppShell::NativeEventCallback (this=0x100c76210, aAlwaysBlockNative=0) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:135
#136 0x00000001138ff6d9 in nsAppShell::ProcessGeckoEvents (aInfo=0x100c76210) at /Users/ehsanakhgari/moz/mozilla-central/widget/src/cocoa/nsAppShell.mm:405
...
So, basically here is a complete analysis of what happens.  nsAutoCompleteController::StartSearch calls TagAutoCompleteSearch.startSearch, which calls a generator, which leads us to process thread events.  If you quickly type something to trigger a search and then press enter soon enough (or possibly press tab to blur the urlbar, or something to that effect), we end up in a cycle which can lead to calls to SetInput(nsnull) for multiple reasons.

The proper fix is to not assume that we're dealing with an attached autocomplete controller after calls into nsIAutoCompleteSearch::StartSearch.  Patch to follow up soon.
Summary: crash [@ nsAutoCompleteController::StartSearch ] → crash [@ nsAutoCompleteController::StartSearch ] when typing things too rapidly inside the location bar
Attached patch Patch (v1) (obsolete) — Splinter Review 

        Attachment #506671 -
        Flags: review?(sdwilsh)

        Attachment #506671 -
        Flags: approval2.0?

    
    

    
  
Now that a simple and relatively low risk fix is at hand, I think we should consider this for branches.  I also think that we should (soft-)block on this for 2.0.
Status: NEW → ASSIGNED
blocking2.0: --- → ?

          status1.9.1:
          --- → ?

          status1.9.2:
          --- → ?

    
    

    
  
Doesn't seem to be a regression so I don't think it will block, will happily see that patch approved and landed after review though.
blocking2.0: ? → -

    
    

    
  
This is very easy to reproduce in a debug build.  Here is what I do to trigger it.

1. Open Firefox.  A profile with a big places file (such as your main profile) might be helpful here, haven't tried new profiles.
2. Copy an address into the clipboard (I used about:config, but anything should work.
3. Quickly go through these steps:
 * Cmd+T to open a new tab/Cmd+L to focus the location bar/Cmd+W and Cmd+N to open a new tab in place of the existing one.
 * Cmd+V to paste.
 * Enter
(you can switch between the three variations of the first step arbitrarily).

The key part here seems to be doing this stuff quickly in a sequence.  I hit this crash with gdb attached in less than 10 seconds of doing step 3.
Whiteboard: [STR in comment 23]

    
    

    
  
Comment on attachment 506671 [details] [diff] [review]
Patch (v1)

>+    // nsIAutoCompleteSearch::StartSearch might cause us to be detached from
>+    // our input field, so it's not safe to assume that it's safe to iterate
>+    // over the next iteration.
How about this instead:
Because of the joy of nested event loops (which can easily happen when some code uses a generator for an asynchronous AutoComplete search), nsIAutoCompleteSearch::StartSearch might cause us to be detached from our input field.  The next time we iterate, we'd be touching something that we shouldn't be, and result in a crash.

r=sdwilsh

        Attachment #506671 -
        Flags: review?(sdwilsh) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        For check-inSplinter Review
      

    


  
Done!

        Attachment #506671 -
        Attachment is obsolete: true

        Attachment #507930 -
        Flags: approval2.0?

        Attachment #506671 -
        Flags: approval2.0?

        Attachment #507930 -
        Flags: approval2.0? → approval2.0+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/7cf9d28a0a40
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b11

    
  

        Attachment #507930 -
        Flags: approval1.9.2.15?

        Attachment #507930 -
        Flags: approval1.9.1.18?

    
    

    
  
Oops, I just realized that I had changed the wrong comment.  This patch fixes that:

http://hg.mozilla.org/mozilla-central/rev/a2f4bc829c88
Keywords: regression
Whiteboard: [STR in comment 23] → [sg:dos][STR in comment 23]

    
    

    
  
Comment on attachment 507930 [details] [diff] [review]
For check-in

approved for 1.9.2.15 and 1.9.1.18, a=dveditz for release-drivers

        Attachment #507930 -
        Flags: approval1.9.2.15?

        Attachment #507930 -
        Flags: approval1.9.2.15+

        Attachment #507930 -
        Flags: approval1.9.1.18?

        Attachment #507930 -
        Flags: approval1.9.1.18+

    
    

    
  
The "3.6.15" we're releasing today does not fix this bug, the release containing this bug fix has been renamed to "3.6.16" and the bugzilla flags will be updated to reflect that soon. Today's release is a re-release of 3.6.14 plus a fix for a bug that prevented many Java applets from starting up.
Crash Signature: [@ nsAutoCompleteController::StartSearch ]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: