Closed Bug 215250 Opened 22 years ago Closed 22 years ago

crash in nsTimerImpl::InitWithCallback

Categories: Core :: Layout: Form Controls, defect
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: spam, Assigned: dougt
Keywords: crash, regression
Attachments: 1 file

Going to http://www.bilnorge.no now causes a crash. May be related to checkin for bug 215163, see stack attached in attachment 129277.
Another way to achieve a crash in nsTimerImpl::InitWithCallback is to load the bugzilla query page, simply select component "browser" and then wheelscroll the box. Immediate crash. This may be a blocker.

#0 0x409169fd in nsTimerImpl::InitWithCallback(nsITimerCallback*, unsigned, unsigned) ()
#1 0x40bc634d in nsSelectUpdateTimer::Start(nsIPresContext*) ()
#2 0x40bc552b in nsListControlFrame::StartUpdateTimer(nsIPresContext*) ()
#3 0x40bc2d84 in nsListControlFrame::RemoveOption(nsIPresContext*, int) ()
#4 0x40d6ffef in nsHTMLSelectElement::RemoveOptionsFromList(nsIContent*, int, int) ()
#5 0x40d7052f in nsHTMLSelectElement::WillRemoveOptions(nsIContent*, int) ()
#6 0x40d6fd0e in nsHTMLSelectElement::RemoveChildAt(int, int) ()
#7 0x40ca80b2 in nsGenericElement::doRemoveChild(nsIDOMNode*, nsIDOMNode**) ()
#8 0x40d74c6d in nsHTMLSelectElement::RemoveChild(nsIDOMNode*, nsIDOMNode**) ()
#9 0x40d70a1d in nsHTMLSelectElement::Remove(int) ()
#10 0x40d70bb5 in nsHTMLSelectElement::SetLength(unsigned) ()
#11 0x40d73941 in nsHTMLOptionCollection::SetLength(unsigned) ()
*** Bug 215251 has been marked as a duplicate of this bug. ***
raising blocking 1.5b flag as it prevents using Mozilla 2003080605 to triage bug reports on bugzilla.
Flags: blocking1.5b?
That's because the code in question explicitly works around the timer bug fixed in bug 215163 by doing an NS_RELEASE_THIS() before reinitializing the timer.
Component: XPCOM → Layout: Form Controls
Attached patch: patch
This should fix it, although I haven't tested yet.
Any more such workarounds that need to be removed? /be
Flags: blocking1.5b? → blocking1.5b+
Comment on attachment 129296 (patch)
I've tested that this does fix the crash (using steps to reproduce that don't involve wheel scrolling, since I don't have a wheel mouse).
Attachment #129296 - Flags: superreview?(brendan)
Attachment #129296 - Flags: review?(brendan)
Comment on attachment 129296 (patch)
r+sr=brendan. /be
Attachment #129296 - Flags: superreview?(brendan) → superreview+
Attachment #129296 - Flags: review?(brendan) → review+
Comment on attachment 129296 (patch)
a=asa (on behalf of drivers) for checkin to 1.5beta.
Attachment #129296 - Flags: approval1.5b? → approval1.5b+
Fix checked in to trunk, 2003-08-06 17:00 -0700.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
I checked all the callers of InitWithCallback:
 * I think the original change fixed leaks in
   * nsComposerCommandsUpdater::PrimeUpdateTimer (the original bug)
   * nsNSSComponent::DefineNextTimer
   * nsAutoScrollTimer::Start
Those were the only places (other than the case in this bug) where timers were reinitialized using InitWithCallback. I still need to figure out a good way to find the nsITimer::Init callers, though.
It looks like there's only one caller of nsITimer::Init (nsHttpHandler), and it's fine.
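
A simplified reference-count model of the interaction discussed in this bug, added here as an illustration; it is not Mozilla code and not the attached patch. The Callback, Timer and Restart names are hypothetical, and the model assumes the bug 215163 fix made InitWithCallback release the previously held callback before taking a new reference.

```cpp
#include <cstdio>

// Hypothetical stand-in for a refcounted timer callback. `destroyed` replaces
// `delete this` so the model can record a use-after-free without performing one.
struct Callback {
    int refcnt = 0;
    bool destroyed = false;
    bool usedAfterDestroy = false;
    void AddRef()  { if (destroyed) usedAfterDestroy = true; ++refcnt; }
    void Release() { if (--refcnt == 0) destroyed = true; }
};

// Hypothetical timer. releasesOld=false models the leak on re-init;
// releasesOld=true models the assumed behaviour after the bug 215163 fix.
struct Timer {
    Callback* held = nullptr;
    bool releasesOld;
    explicit Timer(bool fixed) : releasesOld(fixed) {}
    void InitWithCallback(Callback* cb) {
        if (held && releasesOld) held->Release();  // drop the reference from the last init
        held = cb;
        cb->AddRef();                              // touches freed memory if refcnt hit 0 above
    }
};

struct Result { int refcnt; bool useAfterFree; };

// Start a timer, then restart it, with or without the caller-side extra release.
Result Restart(bool timerFixed, bool callerWorkaround) {
    Callback cb;
    cb.AddRef();                          // the owner's own reference
    Timer timer(timerFixed);
    timer.InitWithCallback(&cb);          // first start: refcnt 2
    if (callerWorkaround) cb.Release();   // compensates for the reference a leaky timer never drops
    timer.InitWithCallback(&cb);          // restart
    return { cb.refcnt, cb.usedAfterDestroy };
}

int main() {
    for (int fixed = 0; fixed <= 1; ++fixed)
        for (int workaround = 0; workaround <= 1; ++workaround) {
            Result r = Restart(fixed, workaround);
            std::printf("timer fixed=%d workaround=%d -> refcnt=%d use-after-free=%d\n",
                        fixed, workaround, r.refcnt, r.useAfterFree);
        }
    return 0;
}
```

The balanced count after a restart is 2 (owner plus timer): the leaky timer alone ends at 3, and only the fixed timer combined with the leftover workaround reaches zero inside InitWithCallback.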