Closed Bug 819286 Opened 13 years ago Closed 13 years ago

Crash when browser tab closes while zooming

Categories

(Core :: DOM: Core & HTML, defect, P2)

ARM
Gonk (Firefox OS)
defect

Tracking

RESOLVED FIXED
mozilla20
blocking-basecamp +
Tracking Status
firefox19 --- fixed
firefox20 --- fixed
b2g18 --- fixed

People

(Reporter: martijn.martijn, Assigned: fabrice)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Steps to reproduce:
- Visit url testcase
- Tap on the button, a new window opens
- Double tap on the button, or make a pinch zoom gesture

Expected result: no crash
Actual result: crash
blocking-basecamp: --- → ?
BB+, P2 - severe usability issue
Assignee: nobody → ben
blocking-basecamp: ? → +
Priority: -- → P2
Thanks for the test case. I can reproduce a full crash of B2G. This is what I see in logcat: http://pastebin.mozilla.org/1985278
Justin, any idea where to start with this?
Severity: critical → normal
- Figure out which process is crashing (browser process or main process). You probably already have this figured out, but it's not clear from the bug.
- Attach gdb
- Reproduce the crash
- (gdb) bt
Component: Gaia::Browser → DOM: Core & HTML
Product: Boot2Gecko → Core
QA Contact: nhirata.bugzilla
I tested with current inbound and gaia tip, and got no crash.
Hm, forget the previous comment. I can actually crash when double clicking on the button, but not when using pinch to zoom. I'll get a backtrace.
Program received signal SIGSEGV, Segmentation fault.
nsEventStateManager::MapEventCoordinatesForChildProcess (aFrameLoader=0x0, aEvent=0xbe8200c0) at /home/fabrice/dev/inbound/content/events/src/nsEventStateManager.cpp:1590
1590 nsIFrame* targetFrame = aFrameLoader->GetPrimaryFrameOfOwningContent();
(gdb) bt
#0 nsEventStateManager::MapEventCoordinatesForChildProcess (aFrameLoader=0x0, aEvent=0xbe8200c0) at /home/fabrice/dev/inbound/content/events/src/nsEventStateManager.cpp:1590
#1 0x41055e32 in mozilla::dom::TabParent::TryCapture (this=0x492a87a0, aEvent=<value optimized out>) at /home/fabrice/dev/inbound/dom/ipc/TabParent.cpp:484
#2 0x40fd9006 in nsWindow::DispatchInputEvent (aEvent=..., aWasCaptured=0xbe820647) at /home/fabrice/dev/inbound/widget/gonk/nsWindow.cpp:278
#3 0x40fd816a in sendTouchEvent (this=<value optimized out>) at /home/fabrice/dev/inbound/widget/gonk/nsAppShell.cpp:197
#4 GeckoInputDispatcher::dispatchOnce (this=<value optimized out>) at /home/fabrice/dev/inbound/widget/gonk/nsAppShell.cpp:443
#5 0x40fd73b0 in nsAppShell::ProcessNextNativeEvent (this=0x4293b6a0, mayWait=<value optimized out>) at /home/fabrice/dev/inbound/widget/gonk/nsAppShell.cpp:725
#6 0x40ff40fa in nsBaseAppShell::DoProcessNextNativeEvent (this=0xbe8205e0, mayWait=71, recursionDepth=1227524000) at /home/fabrice/dev/inbound/widget/xpwidgets/nsBaseAppShell.cpp:139
#7 0x40ff41c0 in nsBaseAppShell::OnProcessNextEvent (this=0x4293b6a0, thr=0x40409880, mayWait=false, recursionDepth=0) at /home/fabrice/dev/inbound/widget/xpwidgets/nsBaseAppShell.cpp:286
#8 0x41171aca in nsThread::ProcessNextEvent (this=0x40409880, mayWait=false, result=0xbe820817) at /home/fabrice/dev/inbound/xpcom/threads/nsThread.cpp:600
#9 0x41151db2 in NS_ProcessNextEvent_P (thread=0x4293b6a0, mayWait=false) at /home/fabrice/dev/b2g/B2G/objdir-gecko/xpcom/build/nsThreadUtils.cpp:221
#10 0x410693fc in mozilla::ipc::MessagePump::Run (this=0x40402400, aDelegate=0x4042d0c0) at /home/fabrice/dev/inbound/ipc/glue/MessagePump.cpp:82
#11 0x4119383c in MessageLoop::RunInternal (this=0x0) at /home/fabrice/dev/inbound/ipc/chromium/src/base/message_loop.cc:215
#12 0x411938f2 in MessageLoop::RunHandler (this=0x4042d0c0) at /home/fabrice/dev/inbound/ipc/chromium/src/base/message_loop.cc:208
#13 MessageLoop::Run (this=0x4042d0c0) at /home/fabrice/dev/inbound/ipc/chromium/src/base/message_loop.cc:182
#14 0x40ff3cc0 in nsBaseAppShell::Run (this=0x4293b6a0) at /home/fabrice/dev/inbound/widget/xpwidgets/nsBaseAppShell.cpp:163
#15 0x40f50acc in nsAppStartup::Run (this=0x42c8b910) at /home/fabrice/dev/inbound/toolkit/components/startup/nsAppStartup.cpp:291
#16 0x40993420 in XREMain::XRE_mainRun (this=0xbe8209d4) at /home/fabrice/dev/inbound/toolkit/xre/nsAppRunner.cpp:3824
#17 0x40995bec in XREMain::XRE_main (this=0xbe8209d4, argc=<value optimized out>, argv=0xbe822bb4, aAppData=<value optimized out>) at /home/fabrice/dev/inbound/toolkit/xre/nsAppRunner.cpp:3891
#18 0x40995d50 in XRE_main (argc=1, argv=0xbe822bb4, aAppData=0x1f184, aFlags=<value optimized out>) at /home/fabrice/dev/inbound/toolkit/xre/nsAppRunner.cpp:4089
#19 0x0000a15e in do_main (argc=1, argv=0xbe822bb4) at /home/fabrice/dev/inbound/b2g/app/nsBrowserApp.cpp:164
#20 main (argc=1, argv=0xbe822bb4) at /home/fabrice/dev/inbound/b2g/app/nsBrowserApp.cpp:253
Attached patch wip
That patch prevents the crash, but is probably not doing what we should (how do we end up with a null mFrameElement in the first place?).
Attachment #690639 - Flags: feedback?(jones.chris.g)
Comment on attachment 690639 wip
Hm yeah, this is really bad. We should also set sEventCapturer to null here, because this TabParent can't do anything without a frameloader and we may be trying to send events to the wrong place.
Attachment #690639 - Flags: feedback?(jones.chris.g)
Attached patch patch
Assignee: ben → fabrice
Attachment #690711 - Flags: review?(jones.chris.g)
Attachment #690711 - Flags: review?(jones.chris.g) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Whiteboard: [status-b2g18:fixed]
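
The failure mode discussed in this bug, as an added example that is neither the attached patch nor Gecko code: a static event capturer outlives the tab's frame loader, so the capture path checks for null before mapping coordinates and, as the feedback comment suggests, clears the capturer. The types, Destroy() and the dispatch function are simplified stand-ins that only borrow names from the backtrace and comments.

```cpp
// Simplified stand-ins for illustration; these are not Gecko's real classes.
struct Frame { int originX, originY; };
struct FrameLoader {
    Frame* primaryFrame;
    Frame* GetPrimaryFrameOfOwningContent() const { return primaryFrame; }
};
struct TouchEvent { int x, y; };

// Like frame #0 of the backtrace, this helper dereferences aFrameLoader
// unconditionally, so every caller must guarantee it is non-null.
static void MapEventCoordinatesForChildProcess(FrameLoader* aFrameLoader,
                                               TouchEvent* aEvent) {
    Frame* target = aFrameLoader->GetPrimaryFrameOfOwningContent();
    aEvent->x -= target->originX;
    aEvent->y -= target->originY;
}

class TabParent {
public:
    static TabParent* sEventCapturer;  // tab that owns the current touch sequence
    FrameLoader* mFrameLoader = nullptr;
    void Destroy() { mFrameLoader = nullptr; }  // tab closed mid-gesture

    // Returns true only if the event was mapped and handed to this tab.
    bool TryCapture(TouchEvent& aEvent) {
        if (sEventCapturer != this) return false;
        if (!mFrameLoader || !mFrameLoader->GetPrimaryFrameOfOwningContent()) {
            sEventCapturer = nullptr;  // stale capturer: stop routing events here
            return false;
        }
        MapEventCoordinatesForChildProcess(mFrameLoader, &aEvent);
        return true;
    }
};
TabParent* TabParent::sEventCapturer = nullptr;

// Widget-side dispatch: offer each input event to the capturing tab first.
bool DispatchInputEvent(TouchEvent& aEvent) {
    TabParent* capturer = TabParent::sEventCapturer;
    return capturer && capturer->TryCapture(aEvent);
}

int main() {  // constructed sequence: touch, tab closes, second touch
    Frame frame{10, 20}; FrameLoader loader{&frame}; TabParent tab;
    tab.mFrameLoader = &loader; TabParent::sEventCapturer = &tab;
    TouchEvent first{100, 100}, second{100, 100};
    bool before = DispatchInputEvent(first); tab.Destroy();
    return (before && !DispatchInputEvent(second)) ? 0 : 1;
}
```

Without the null check in TryCapture, the second dispatch would reach MapEventCoordinatesForChildProcess with a null loader, which is the SIGSEGV shown in frame #0.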