Closed Bug 21571 Opened 25 years ago Closed 25 years ago

[CRASH] on exiting apprunner after scrolling bookmarks

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P3)

x86
Windows NT
defect

VERIFIED FIXED

People

(Reporter: karnaze, Assigned: eric)

Details

(Keywords: crash)

Attachments

(1 file)

In apprunner open bookmarks so they have to be scrolled. If you scroll them and
then exit apprunner, you get the following stack. I'm not sure if this is a
webshell, xul, or event problem.


nsEventListenerManager::ReleaseListeners(nsVoidArray * * 0x02616adc, int 0) line
166 + 18 bytes
nsEventListenerManager::~nsEventListenerManager() line 82
nsEventListenerManager::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsEventListenerManager::Release(nsEventListenerManager * const 0x02616ad0) line
95 + 131 bytes
nsGenericElement::~nsGenericElement() line 185 + 27 bytes
nsGenericContainerElement::~nsGenericContainerElement() line 1409 + 20 bytes
nsGenericXMLElement::~nsGenericXMLElement() line 68 + 8 bytes
nsXMLElement::~nsXMLElement() line 78 + 11 bytes
AnonymousElement::~AnonymousElement() + 15 bytes
AnonymousElement::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsXMLElement::Release(nsXMLElement * const 0x02614640) line 96 + 131 bytes
AnonymousElement::Release(AnonymousElement * const 0x02614640) line 215 + 12
bytes
nsCOMPtr<nsIDOMNode>::~nsCOMPtr<nsIDOMNode>() line 434
nsXULDocument::~nsXULDocument() line 439 + 112 bytes
nsXULDocument::`scalar deleting destructor'() + 15 bytes
nsXULDocument::Release(nsXULDocument * const 0x025e9e10) line 530 + 138 bytes
nsJSUtils::nsGenericFinalize(JSContext * 0x025ef6b0, JSObject * 0x01ef1a00) line
484 + 12 bytes
FinalizeXULDocument(JSContext * 0x025ef6b0, JSObject * 0x01ef1a00) line 232 + 13
bytes
js_FinalizeObject(JSContext * 0x025ef6b0, JSObject * 0x01ef1a00) line 1372 + 114
bytes
js_GC(JSContext * 0x025ef6b0) line 891 + 11 bytes
js_ForceGC(JSContext * 0x025ef6b0) line 678 + 9 bytes
js_DestroyContext(JSContext * 0x025ef6b0, int 2) line 178 + 9 bytes
JS_DestroyContext(JSContext * 0x025ef6b0) line 788 + 11 bytes
nsJSContext::~nsJSContext() line 183 + 13 bytes
nsJSContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsJSContext::Release(nsJSContext * const 0x025ef840) line 186 + 134 bytes
nsWebShell::~nsWebShell() line 691 + 18 bytes
nsWebShell::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsWebShell::Release(nsWebShell * const 0x025ea500) line 768 + 137 bytes
nsCOMPtr<nsIBaseWindow>::~nsCOMPtr<nsIBaseWindow>() line 434
nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame() line 447 + 8 bytes
nsHTMLFrameInnerFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::Destroy(nsFrame * const 0x00dc9448, nsIPresContext * 0x01c84840) line
407 + 34 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x00dc940c, nsIPresContext *
0x01c84840) line 97
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x00dbb4e0, nsIPresContext *
0x01c84840) line 97
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x00dbb264, nsIPresContext *
0x01c84840) line 97
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x00dbb224, nsIPresContext *
0x01c84840) line 97
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x01eef0b0, nsIPresContext *
0x01c84840) line 97
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x01eef074, nsIPresContext *
0x01c84840) line 97
nsFrameList::DestroyFrames(nsIPresContext * 0x01c84840) line 35
nsContainerFrame::Destroy(nsContainerFrame * const 0x01eef038, nsIPresContext *
0x01c84840) line 97
ViewportFrame::Destroy(ViewportFrame * const 0x01eef038, nsIPresContext *
0x01c84840) line 138
FrameManager::~FrameManager() line 341
FrameManager::`scalar deleting destructor'(unsigned int 1) + 15 bytes
FrameManager::Release(FrameManager * const 0x01cac280) line 326 + 134 bytes
PresShell::~PresShell() line 685 + 27 bytes
PresShell::`scalar deleting destructor'() + 15 bytes
PresShell::Release(PresShell * const 0x01cac850) line 616 + 138 bytes
nsView::HandleEvent(nsView * const 0x01cacda0, nsGUIEvent * 0x0012fb68, unsigned
int 28, nsEventStatus * 0x0012fa74, int & 1) line 854 + 18 bytes
nsViewManager::DispatchEvent(nsViewManager * const 0x01cacf70, nsGUIEvent *
0x0012fb68, nsEventStatus * 0x0012fa74) line 1678
HandleEvent(nsGUIEvent * 0x0012fb68) line 69
nsWindow::DispatchEvent(nsWindow * const 0x01cacc74, nsGUIEvent * 0x0012fb68,
nsEventStatus & nsEventStatus_eIgnore) line 421 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fb68) line 442
nsWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line 3332 +
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, nsPoint * 0x00000000) line
3550
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 19595305, long *
0x0012fdc8) line 2632 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x001a019e, unsigned int 514, unsigned int 0, long
19595305) line 608 + 27 bytes
USER32! DispatchMessageWorker@8 + 135 bytes
USER32! DispatchMessageA@4 + 11 bytes
nsAppShell::Run(nsAppShell * const 0x00c8e580) line 89
nsAppShellService::Run(nsAppShellService * const 0x00c64c30) line 482
main1(int 1, char * * 0x00bf49f0) line 609 + 32 bytes
main(int 1, char * * 0x00bf49f0) line 677 + 13 bytes
mainCRTStartup() line 338 + 17 bytes
Severity: normal → critical
Target Milestone: M12
buster, can you take a look and see what's up with this?
Assignee: buster → karnaze
Whiteboard: [test case needed]
I cannot reproduce the crash.  I do exactly these steps:
1) open apprunner
2) open bookmarks
3) resize the bookmarks window so it scrolls vertically (this only needs to be
done the first time, bookmarks remember the last window size.)
4) scroll down to bottom
5) exit apprunner
6) exit bookmarks
No crash on WinNT with a build from late last night (12/12/99).  Switching
the order of (5) and (6) makes no difference.  Scrolling up vs. down makes no
difference.  Scrolling using the arrow keys, the thumb, or the scroll bar itself
(the space between the arrows and the thumb) makes no difference.

I do notice that the bookmarks window leaks a webshell.  I'll submit that as a
separate bug.  I also notice that the bookmark entries paint over the bottom
border of the window.  I'll submit that bug too.

Chris, assigning back to you in the hopes of getting a reproducible test case.

Jan, anyone else seeing this on any platform?
Assignee: karnaze → buster
Let me explain exactly what I did to get the crash. My build was around 11pm
last night.

1) bring up apprunner in the debugger
2) click on the bookmarks icon in the sidebar so that bookmarks show up there. Do
not open a separate bookmarks window if that is even possible.
3) expand at least 2 bookmark folders so that there is stuff to scroll
4) grab the scroll thingy in the center of the scroll bar and drag it up and
down, scrolling the bookmarks.
5) exit apprunner
ah, that makes a BIG difference.  I was opening the bookmarks window ("Manage
bookmarks" on the bookmarks window.)  I will try again...
scrolling doesn't matter, all that matters is the scrollbar in the sidebar
bookmarks panel is the last thing clicked on before exiting.  that's what causes
the crash.  the scrollbar for the content does not have this problem.
cc'ing evaughan in case anything about this problem rings a bell with him.
still investigating...
the root cause is that nsSliderFrame implements nsIDOMEventListener and passes
itself to nsEventListenerManager::AddEventListener().
nsEventListenerManager::AddEventListener() assumes it is passed an
object that is governed by ref-counting.  But nsSliderFrame is **not** a
ref-counted object, and its lifetime is implicitly controlled by the lifetime
of the frame model.  By passing itself to
nsEventListenerManager::AddEventListener(), the slider is passing in a pointer
that can be yanked out from underneath the event listener manager.  When the
event listener manager is destroyed, it correctly tries to clean up any objects
still under its control, including the already-deleted slider.

I think the real solution is to create a ref-counted listener object for the
slider to hand off to nsEventListenerManager::AddEventListener().
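
The fix proposed in the comment above, sketched as an added example (not part of the original bug thread and not Mozilla's code): a ref-counted mediator is registered with the manager in place of the frame, and the frame clears the mediator's back-pointer when it is destroyed. `Listener`, `ListenerManager`, `SliderFrame`, `SliderMediator` and `teardown_frame_first` are hypothetical stand-ins for the classes named in the report.

```cpp
#include <vector>
// Hypothetical stand-ins, not Mozilla's classes. Ref-counted listener interface:
struct Listener {
    virtual void HandleEvent() = 0;
    void AddRef() { ++refs_; }
    void Release() { if (--refs_ == 0) delete this; }
protected:
    virtual ~Listener() = default;
    int refs_ = 0;
};
// Stand-in for the event listener manager: owns one reference per listener.
struct ListenerManager {
    std::vector<Listener*> listeners;
    void Add(Listener* l) { l->AddRef(); listeners.push_back(l); }
    void Dispatch() { for (Listener* l : listeners) l->HandleEvent(); }
    ~ListenerManager() { for (Listener* l : listeners) l->Release(); }
};
struct SliderFrame;  // NOT ref-counted: the frame tree deletes it directly
// Ref-counted mediator registered with the manager instead of the frame.
struct SliderMediator : Listener {
    SliderFrame* frame;   // non-owning back-pointer, cleared by the frame
    static int live;      // instance counter, instrumentation only
    explicit SliderMediator(SliderFrame* f) : frame(f) { ++live; }
    void HandleEvent() override;
protected:
    ~SliderMediator() override { --live; }
};
int SliderMediator::live = 0;
struct SliderFrame {
    int events = 0;
    SliderMediator* mediator;
    explicit SliderFrame(ListenerManager& mgr) : mediator(new SliderMediator(this)) {
        mediator->AddRef(); mgr.Add(mediator);  // one reference each: frame, manager
    }
    ~SliderFrame() { mediator->frame = nullptr; mediator->Release(); }
};
void SliderMediator::HandleEvent() { if (frame) ++frame->events; }

// Frame dies first, manager later; returns events handled, or -1 on a leak.
int teardown_frame_first() {
    ListenerManager* mgr = new ListenerManager;
    SliderFrame* frame = new SliderFrame(*mgr);
    mgr->Dispatch();      // delivered to the live frame
    int handled = frame->events;
    delete frame;         // frame model destroys the slider
    mgr->Dispatch();      // ignored: back-pointer is null
    delete mgr;           // manager releases the last reference to the mediator
    return SliderMediator::live == 0 ? handled : -1;
}
```

Registering the frame itself would leave the manager holding a pointer to freed memory at the second `Dispatch()` and again in its destructor, which is the teardown path shown in the stack trace.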
Assignee: buster → evaughan
Whiteboard: [test case needed] → chofmann, approval to check in workaround?
asking for permission to check in, and assigning to evaughan for the real
solution.  Eric, if you're the wrong guy, please assign it to the right person
(joki? hyatt?)
ok to check in. - chris h.
Blocks: 21629
Whiteboard: chofmann, approval to check in workaround?
workaround checked in.  r=rods, a=chofmann
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
marking this work around "fixed" so it shows up on the
testing/regression testing radar.  open a new one for
any remaining issues/the right fix.

thanks
Keywords: verifyme
Adding crash keyword
Keywords: crash
Verified with mozilla bits 071108 on NT
Status: RESOLVED → VERIFIED
Keywords: verifyme
Component: Event Handling → User events and focus handling