Closed Bug 699725 Opened 8 years ago Closed 8 years ago

crash nsEventStateManager::FillInEventFromGestureDown

Categories

(Firefox for Android :: General, defect, P2, critical)

Product:
Firefox for Android
Component:
General
Platform:
Other
Android
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox11 --- fixed
fennec 11+ ---

People

(Reporter: Usul, Assigned: gcp)

Details

(Keywords: crash, reproducible, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

Patch 1. Disable Gekco handling of click_hold.
962 bytes, patch
mfinkle
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-c670b2ce-6aec-465f-a51e-41a1b2111103 .
============================================================= 
can't reproduce for now. what i remembered happend :
i was visiting glenat.fr and clicked a link on the front page
while it was loading i realized i had not clicked the one i wanted
tried to click the android back button and then the awsome bar that's when it crashed
I
Keywords: reproducible
Product: Fennec → Fennec Native
Version: Trunk → unspecified
I can reproduce this by rapidly taping on links at www.androidcentral.com

20111104074346
http://hg.mozilla.org/projects/birch/rev/6eeeae97b14d

bp-538d287c-cba9-4721-a3b5-1cda62111104
From Socorro: 

Frame 	Module 	Signature [Expand] 	Source
0 	libxul.so 	nsEventStateManager::FillInEventFromGestureDown 	content/events/src/nsEventStateManager.cpp:2011
1 	libxul.so 	nsEventStateManager::FireContextClick 	content/events/src/nsEventStateManager.cpp:1912
2 	libxul.so 	nsEventStateManager::sClickHoldCallback 	content/events/src/nsEventStateManager.cpp:1806
3 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
4 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
5 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
6 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
7 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
8 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
9 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
10 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
11 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:228
12 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3547
13 	libxul.so 	Java_org_mozilla_gecko_GeckoAppShell_nativeRun 	toolkit/xre/nsAndroidStartup.cpp:139
14 	libmozutils.so 	Java_org_mozilla_gecko_GeckoAppShell_nativeRun 	other-licenses/android/APKOpen.cpp:232
15 	libdvm.so 	dvmPlatformInvoke 	
16 	libdvm.so 	dvmCallJNIMethod_general 	
17 	libdvm.so 	dvmResolveNativeMethod 	
18 	libdvm.so 	dvmAsmSisterStart 	
19 	libdvm.so 	dvmMterpStd 	
20 	libdvm.so 	dvmInterpret 	
21 	libdvm.so 	dvmCallMethodV 	
22 	libdvm.so 	dvmCallMethod 	
23 	libdvm.so 	dvmAttachCurrentThread 	
24 	libc.so 	__thread_entry 	
25 	libc.so 	pthread_create 	

Show/hide other threads
Whiteboard: [native-crash]
Hardware: Other → ARM
Assignee: nobody → gpascutto
Priority: -- → P2
Hardware: ARM → Other
Last log outputs in the relevant crashes:

I/PRLog   (16891): 2839792[46f0d080]: UpdateFilter: smoothSlack = -67.2812, filterLength = 32
I/PRLog   (16891): 2839792[46f0d080]: ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 849
I/Gecko   (16891): ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 849

I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) ProcessNextEvent [0 0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) running [4b42e030]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) ProcessNextEvent [0 0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) running [4b42e0c0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) ProcessNextEvent [0 0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) running [4b42e130]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) ProcessNextEvent [0 0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) running [4ad08a90]
I/PRLog   (17171): 3041120[47e0d080]: nsComponentManager: CreateInstanceByContractID(@mozilla.org/supports-PRUint64;1) succeeded
I/PRLog   (17171): 3041120[47e0d080]: nsObserverService::NotifyObservers(inner-window-destroyed)
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) ProcessNextEvent [0 0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) running [4a35b840]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) ProcessNextEvent [0 0]
I/PRLog   (17171): 3041120[47e0d080]: THRD(47e42080) running [4a3e1860]
I/PRLog   (17171): 3041120[47e0d080]: [this=4a3e1860] time between PostTimerEvent() and Fire(): 1904.000000ms
I/PRLog   (17171): 3041120[47e0d080]: [this=49a679c0] expected delay time  500ms
I/PRLog   (17171): 3041120[47e0d080]: [this=49a679c0] actual delay time   2352.000000ms
I/PRLog   (17171): 3041120[47e0d080]: [this=49a679c0] (mType is 0)       -------
I/PRLog   (17171): 3041120[47e0d080]: [this=49a679c0]     delta           1852ms
I/PRLog   (17171): 3041120[47e0d080]: UpdateFilter: smoothSlack = -51.0625, filterLength = 32
I/PRLog   (17171): 3041120[47e0d080]: ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 849
I/Gecko   (17171): ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/nsCOMPtr.h, line 849
What seems to happen is that on MOUSE_BUTTON_DOWN, a Timer is started to determine whether the click is potentially a drag or "popup context menu" event. It also tracks the widget where the mouse went down. After the mousedown has lasted more than 500ms, a context menu click is inferred, and the code tries to figure out what to pop up a context menu for. It does this by investigating mPresContext->GetPrimaryFrameFor(mGestureDownContent) for the closest Widget. However, both that and it's parent are empty and don't contain any widgets. The code doesn't handle this null case and breaks.

I'd think this happens if you start a MOUSE_BUTTON_DOWN while the page is loading or being closed.

I can detect the "no widgets" case and bail out easily enough, but someone familiar with nsEventStateManager.cpp should comment if that's acceptable or if there's something else wrong that should be fixed instead.
(In reply to Gian-Carlo Pascutto (:gcp) from comment #6)
> It does this
> by investigating mPresContext->GetPrimaryFrameFor(mGestureDownContent) for
> the closest Widget. However, both that and it's parent are empty and don't
> contain any widgets.
What "that"?

> I can detect the "no widgets" case and bail out easily enough, but someone
> familiar with nsEventStateManager.cpp should comment if that's acceptable or
> if there's something else wrong that should be fixed instead.
Sounds ok
>However, both that and it's parent are empty
>What "that"

nsView* mCurrentTarget. This gets walked up through all parents and checked for any existing Widgets (view/src/nsView.cpp, around line 1100).
http://hg.mozilla.org/projects/birch/rev/65f78c4b804b

This added context menu handling inside Java/Android to Native Fennec, so the code here probably shouldn't even run. Will disable the relevant prefs and test.
Comment on attachment 574830 [details] [diff] [review]
Patch 1. Disable Gekco handling of click_hold.


>+/* Android has its own click_hold detection */
>+#ifndef ANDROID
> /* use long press to display a context menu */
> pref("ui.click_hold_context_menus", true);
>+#endif

You can just remove the preference. No need for the #ifndef
Attachment #574830 - Flags: review?(mark.finkle) → review+
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Samsung Nexus S (Android 2.3.6)
20111116054452
http://hg.mozilla.org/projects/birch/rev/426690602cd5
Status: RESOLVED → VERIFIED
tracking-fennec: --- → 11+
You need to log in before you can comment on or make changes to this bug.