Closed Bug 355273 Opened 13 years ago Closed 12 years ago

Crash [@nsMacWindow::WindowEventHandler] when selecting Quit from Dock menu while modal javascript dialog displayed

Categories

(Core Graveyard :: Widget: Mac, defect, critical)

1.8 Branch
x86
Mac OS X
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: bent.mozilla, Assigned: mats)

Details

(Keywords: crash, regression, verified1.8.1.8)

Attachments

(3 files)

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1) Gecko/20061003 BonEcho/2.0

STR:

1. Type 'javascript: alert(1)' in the URL bar (without the single quotes).
2. Click and hold the mouse on the BonEcho icon in the dock so that the context menu appears.
3. Select 'Quit'.
4. BonEcho will crash.

This does not happen by selecting the 'Quit' menu item from the menu bar, nor when hitting cmd-Q on the keyboard.
Attached file Stack (deleted)
The JS here is most likely nsCloseAllWindows.js:76, as that's what I've run into on my XULRunner debug build.
Requesting blocking to get drivers' assessment.
Flags: blocking1.8.1?
This doesn't happen on Firefox 1.5. Regression.
Keywords: crash, regression
In XULRunner I'm crashing here:

http://lxr.mozilla.org/mozilla1.8/source/widget/src/mac/nsMacWindow.cpp#926

dereferencing a null pointer. It's weird, though, because 'self' and 'mMacEventHandler' are both valid.
I'll bet self->mMacEventHandler isn't, though. ;)
(In reply to comment #5)
> I'll bet self->mMacEventHandler isn't, though. ;)

It is. That's why it's weird. ;)

I think this stack may either be wrong or we're looking at some sort of race condition. If I break here I can't reproduce the crash. And I've seen some instances where the app shuts down normally even when I'm not in the debugger.
Attached file Apple report (deleted)
Here is the apple crash data from my PPC crash using RC2 candidate, in case it helps.
I think this is the same as bug 355097.
I did some debugging and when you quit with a sheet open like this we are hiding and destroying the sheet after we hide and destroy its parent window.

One way to stop this crash is to hide any sheet children of the parent before hiding the parent. However, while we may want to do that I don't think that code would ever get used if this was handled correctly - we shouldn't be quitting when we have sheets up.
Not a topcrash, very corner case STR, not going to block on this, 1.8.1.1 possibly
Flags: blocking1.8.1? → blocking1.8.1-
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Flags: blocking1.8.1.1+ → wanted1.8.1.x+
If we get a fix please ask for branch approval, but not looking hopeful.
Flags: wanted1.8.1.x+
WFM on trunk.  Selecting "Quit" from the dock icon while there's a modal alert() dialog open just makes Firefox beep.
(In reply to comment #12)

Yeah, I don't think I ever saw this on trunk.
Duplicate of this bug: 377350
Same happens for Thunderbird when closing the account wizard after opening a compose window while no account was created before. See bug 377350.
Mark, the line where Thunderbird maybe crashes comes from your patch on bug 345564. There you reimported the code which was removed on bug 340592. Does it have something to do with the crash?
Attached patch Patch rev. 1 (deleted)
We get calls to nsMacWindow::WindowEventHandler() on a destroyed window. Don't ask me why, because that shouldn't happen since we call ::DisposeWindow() in the destructor - there shouldn't be any callbacks after that, but there are. Explicitly deregistering the event handlers fixes it (it also seems to fix bug 355097).
The "mMacEventHandler.reset(nsnull)" isn't needed to fix this bug, it's just a safeguard in case we have more use-after-free issues...
Assignee: joshmoz → mats.palmgren
Status: NEW → ASSIGNED
Attachment #272505 - Flags: review?(joshmoz)
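The pattern the comment above describes, modelled as an added example (not the attached patch and not Mozilla or Carbon code): an object that hands a toolkit a callback plus a raw pointer to itself removes those handlers in its destructor, so no event can arrive with a dangling pointer. `Dispatcher`, `Window`, `HandlerRef` and `CallbacksAfterDestroy` are hypothetical names used only for this illustration.

```cpp
// Added illustration: Dispatcher and Window are hypothetical stand-ins, not Mozilla or Carbon code.
#include <cstdint>
#include <map>
using HandlerRef = std::uint32_t;            // 0 means "no handler installed"
using Callback = int (*)(void* userData);

// Toolkit stand-in: stores a callback together with the raw userData pointer it was given.
class Dispatcher {
    struct Entry { Callback fn; void* userData; };
    std::map<HandlerRef, Entry> handlers_;
    HandlerRef next_ = 1;
public:
    HandlerRef Install(Callback fn, void* userData) {
        handlers_[next_] = Entry{fn, userData};
        return next_++;
    }
    void Remove(HandlerRef ref) { handlers_.erase(ref); }
    int Dispatch() {                         // delivers one event per handler, returns how many ran
        int delivered = 0;
        for (auto& kv : handlers_) delivered += kv.second.fn(kv.second.userData);
        return delivered;
    }
};

class Window {
    Dispatcher& disp_;
    HandlerRef windowHandler_ = 0, scrollHandler_ = 0;
    int events_ = 0;
    // The callback dereferences userData, so the Window must outlive its handlers.
    static int OnEvent(void* self) { static_cast<Window*>(self)->events_++; return 1; }
public:
    explicit Window(Dispatcher& d) : disp_(d) {
        windowHandler_ = disp_.Install(&Window::OnEvent, this);
        scrollHandler_ = disp_.Install(&Window::OnEvent, this);
    }
    ~Window() {
        // Deregister explicitly before the storage goes away; reset the refs so a repeat is a no-op.
        if (windowHandler_) { disp_.Remove(windowHandler_); windowHandler_ = 0; }
        if (scrollHandler_) { disp_.Remove(scrollHandler_); scrollHandler_ = 0; }
    }
    int Events() const { return events_; }
};

// Events delivered after the window is destroyed (0 with the destructor above).
int CallbacksAfterDestroy() {
    Dispatcher d;
    { Window w(d); d.Dispatch(); }
    return d.Dispatch();
}
```

Without the two `Remove` calls in the destructor, the second `Dispatch()` would invoke `OnEvent` with a pointer to a destroyed `Window`, which is the use-after-free class the comment refers to.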
Where is DisposeWindow defined and implemented?  lxr can't find it.
Comment on attachment 272505
Patch rev. 1

+  , mScrollEventHandler(0)
+  , mWindowEventHandler(0)

For consistency, please set these to NULL (not 0 or nsnull, which we use for gecko object pointers, this distinction being used for readability).
Attachment #272505 - Flags: review?(joshmoz) → review+
Comment on attachment 272505
Patch rev. 1

sr for branches please.
Attachment #272505 - Flags: superreview?(roc)
Attachment #272505 - Flags: superreview?(roc) → superreview+
Attachment #272505 - Flags: approval1.8.1.7?
Attachment #272505 - Flags: approval1.8.1.6?
Attachment #272505 - Flags: approval1.8.0.13?
Comment on attachment 272505
Patch rev. 1

Only approving blocking bugs for 1.8.1.6
Attachment #272505 - Flags: approval1.8.1.6?
Attachment #272505 - Flags: approval1.8.0.13? → approval1.8.0.14?
Comment on attachment 272505
Patch rev. 1

approved for 1.8.1.7, a=dveditz for release-drivers
Attachment #272505 - Flags: approval1.8.1.7?
Attachment #272505 - Flags: approval1.8.1.7+
Attachment #272505 - Flags: approval1.8.0.14?
MOZILLA_1_8_BRANCH
mozilla/widget/src/mac/nsMacWindow.cpp 	1.158.2.29
mozilla/widget/src/mac/nsMacWindow.h 	1.58.2.9 

-> FIXED
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Keywords: fixed1.8.1.7
Resolution: --- → FIXED
Depends on: 394405
verified fixed 1.8.1.7 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.7pre) Gecko/2007090303 BonEcho/2.0.0.7pre

no crash on steps to reproduce from this bug - adding verified keyword
Flags: in-litmus?
Works fine with latest 1.8 branch builds. For Firefox 3 it's not possible anymore to close the application over the dock. I filed bug 410170 to cover this issue.
Status: RESOLVED → VERIFIED
https://litmus.mozilla.org/show_test.cgi?id=5202 has been added to the 2.0 test suite, 3.0 pending depending on behavior change.
Flags: in-litmus? → in-litmus+
Product: Core → Core Graveyard
Crash Signature: [@nsMacWindow::WindowEventHandler]