Last Comment Bug 706026 - Crash in nsXULTextFieldAccessible::FrameSelection
: Crash in nsXULTextFieldAccessible::FrameSelection
: crash, regression
Product: Core
Classification: Components
Component: Disability Access APIs (show other bugs)
: 10 Branch
: x86 Windows 7
-- critical (vote)
: mozilla11
Assigned To: alexander :surkov
: alexander :surkov
Depends on: 539683
  Show dependency treegraph
Reported: 2011-11-29 01:50 PST by Scoobidiver (away)
Modified: 2012-02-02 07:53 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (618 bytes, patch)
2011-11-29 03:12 PST, alexander :surkov
mzehe: review+
asa: approval‑mozilla‑aurora+
Details | Diff | Splinter Review
patch to land on aurora (834 bytes, patch)
2011-12-15 07:30 PST, David Bolter [:davidb]
no flags Details | Diff | Splinter Review

Description User image Scoobidiver (away) 2011-11-29 01:50:54 PST
It's a low volume crash signature that first appeared in 10.0a1/20111022.

Signature	nsXULTextFieldAccessible::FrameSelection()
UUID	884d6edc-979a-410e-9f79-b90022111128
Date Processed	2011-11-28 20:19:51.444158
Uptime	646
Install Age	6.3 hours since version was first installed.
Install Time	2011-11-28 21:59:14
Product	Firefox
Version	11.0a1
Build ID	20111128031052
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Address	0x2c
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0427, AdapterSubsysID: 02091028, AdapterDriverVersion: 6.1.7600.16385
D3D10 Layers? D3D10 Layers-
D3D9 Layers? D3D9 Layers-
EMCheckCompatibility	False

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsXULTextFieldAccessible::FrameSelection 	accessible/src/xul/nsXULFormControlAccessible.cpp:892
1 	xul.dll 	nsHyperTextAccessible::GetSelectionDOMRanges 	accessible/src/html/nsHyperTextAccessible.cpp:1748
2 	xul.dll 	nsHyperTextAccessible::GetSelectionCount 	accessible/src/html/nsHyperTextAccessible.cpp:1800
3 	xul.dll 	CAccessibleText::get_nSelections 	accessible/src/msaa/CAccessibleText.cpp:181
4 	rpcrt4.dll 	Invoke 	
5 	rpcrt4.dll 	NdrStubCall2 	
6 	ole32.dll 	CStdStubBuffer_Invoke 	
7 	ole32.dll 	SyncStubInvoke 	
8 	ole32.dll 	StubInvoke 	
9 	ole32.dll 	CCtxComChnl::ContextInvoke 	
10 	ole32.dll 	MTAInvoke 	
11 	ole32.dll 	STAInvoke 	
12 	ole32.dll 	AppInvoke 	
13 	ole32.dll 	ComInvokeWithLockAndIPID 	
14 	ole32.dll 	ComInvoke 	
15 	ole32.dll 	ThreadDispatch 	
16 	ole32.dll 	ThreadWndProc 	
17 	user32.dll 	InternalCallWinProc 	
18 	user32.dll 	UserCallWinProcCheckWow 	
19 	user32.dll 	DispatchMessageWorker 	
20 	user32.dll 	DispatchMessageW 	
21 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/src/windows/nsAppShell.cpp:344
22 	xul.dll 	nsBaseAppShell::OnProcessNextEvent 	widget/src/xpwidgets/nsBaseAppShell.cpp:324
23 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:587

More reports at:
Comment 1 User image Marco Zehe (:MarcoZ) 2011-11-29 02:15:41 PST
One bug that landed on the 20th of October is bug 680085 that dealt with frame offsets IIRC. David, could this be the cause?
Comment 2 User image alexander :surkov 2011-11-29 02:29:10 PST
bug 539683 will fix this one
Comment 3 User image Scoobidiver (away) 2011-11-29 02:47:21 PST
Maybe bug 680085 should be backed out in Aurora.
Comment 4 User image alexander :surkov 2011-11-29 03:09:25 PST
(In reply to Scoobidiver from comment #3)
> Maybe bug 680085 should be backed out in Aurora.

It doesn't look guilty. I think bug 688126 caused that. Backing out is always option but this one might be tricky because iirc bunch of other bug fixed depended on that.
Comment 5 User image alexander :surkov 2011-11-29 03:12:19 PST
Created attachment 577543 [details] [diff] [review]

small fix to get it ported to aurora branch
Comment 6 User image Marco Zehe (:MarcoZ) 2011-11-29 03:27:25 PST
Comment on attachment 577543 [details] [diff] [review]

r=me. I think this makes sense to take on Central, too, since we don't know when Tbsaunde will get to fixing the other bug.
Comment 7 User image alexander :surkov 2011-11-29 03:29:47 PST
(In reply to Marco Zehe (:MarcoZ) from comment #6)
> Comment on attachment 577543 [details] [diff] [review] [diff] [details] [review]
> patch
> r=me. I think this makes sense to take on Central, too, since we don't know
> when Tbsaunde will get to fixing the other bug.

sure it is. It looks bug tracking and my review requests keep him busy :)
Comment 8 User image Marco Zehe (:MarcoZ) 2011-11-29 06:22:51 PST
Turns out I just ran into this crash, too. I accidentally had invoked the Firefox search instead of the NVDA search, and when I had already typed something, but instead of searching, hit Escape to close the toolbar/search field, I got this crash:
Comment 9 User image alexander :surkov 2011-11-29 06:39:10 PST
inbound land
Comment 10 User image Marco Bonardo [::mak] 2011-11-30 03:50:14 PST
Comment 11 User image alexander :surkov 2011-11-30 04:30:56 PST
Comment on attachment 577543 [details] [diff] [review]

trivial regression fix introduced in Firefox 10
Comment 12 User image David Bolter [:davidb] 2011-12-15 07:30:32 PST
Created attachment 581960 [details] [diff] [review]
patch to land on aurora

To land when aurora tree looks good.
Comment 13 User image David Bolter [:davidb] 2011-12-15 08:28:27 PST
Comment 14 User image Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-12-28 13:38:07 PST
Is this something QA can verify?
Comment 15 User image Ioana (away) 2012-01-13 02:01:07 PST
I have verified the crash stats on Socorro and this crash doesn't appear to have reproduced anymore after the fix for this bug was pushed.

Please let me know if there is another way you want me to verify this bug.

Note You need to log in before you can comment on or make changes to this bug.