Closed Bug 240720 Opened 21 years ago Closed 21 years ago

crash in nsSupportsHashtable::ReleaseElement()

Categories

(MailNews Core :: Composition, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mscott, Assigned: mscott)

Details

(Keywords: crash)

Attachments

(2 files)

nsSupportsHashtable::ReleaseElement(nsHashKey * 0x0495e210, void * 0x046be5f8, void * 0x00000000) line 796 + 15 bytes hashEnumerate(PLDHashTable * 0x0495e050, PLDHashEntryHdr * 0x0495e134, unsigned int 0, void * 0x0012880c) line 115 + 26 bytes PL_DHashTableEnumerate(PLDHashTable * 0x0495e050, int (PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *)* 0x10014760 hashEnumerate(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *), void * 0x0012880c) line 619 + 34 bytes nsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0 nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void * 0x00000000) line 303 + 21 bytes nsSupportsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0 nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void * 0x00000000) line 206 nsSupportsHashtable::~nsSupportsHashtable() line 803 nsSupportsHashtable::`scalar deleting destructor'(unsigned int 1) + 16 bytes nsPresState::~nsPresState() line 93 + 33 bytes nsPresState::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsPresState::Release(nsPresState * const 0x0495dff0) line 83 + 209 bytes nsCOMPtr<nsIPresState>::assign_assuming_AddRef(nsIPresState * 0x00000000) line 495 nsCOMPtr<nsIPresState>::assign_with_AddRef(nsISupports * 0x00000000) line 1023 nsCOMPtr<nsIPresState>::operator=(nsIPresState * 0x00000000) line 608 nsBoxObject::SetDocument(nsBoxObject * const 0x04807cac, nsIDocument * 0x00000000) line 146 nsDocument::SetBoxObjectFor(nsDocument * const 0x043f3dec, nsIDOMElement * 0x041e96cc, nsIBoxObject * 0x00000000) line 2799 nsXULElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1601 nsXULElement::RemoveChildAt(unsigned int 1, int 1) line 1939 nsGenericElement::doReplaceChild(nsIContent * 0x04519470, nsIDOMNode * 0x04d38e1c, nsIDOMNode * 0x041e96cc, nsIDOMNode * * 0x00128d58) line 2988 + 17 bytes nsXULElement::ReplaceChild(nsXULElement * const 0x0451947c, nsIDOMNode * 0x04d38e1c, nsIDOMNode * 0x041e96cc, 
nsIDOMNode * * 0x00128d58) line 850 + 24 bytes XPTC_InvokeByIndex(nsISupports * 0x0451947c, unsigned int 16, unsigned int 3, nsXPTCVariant * 0x00128d38) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes XPC_WN_CallMethod(JSContext * 0x0496c620, JSObject * 0x0460c3a0, unsigned int 2, long * 0x04c7d1cc, long * 0x00129000) line 1287 + 14 bytes js_Invoke(JSContext * 0x0496c620, unsigned int 2, unsigned int 0) line 1281 + 23 bytes js_Interpret(JSContext * 0x0496c620, long * 0x00129a34) line 3366 + 15 bytes js_Invoke(JSContext * 0x0496c620, unsigned int 1, unsigned int 0) line 1301 + 13 bytes js_Interpret(JSContext * 0x0496c620, long * 0x0012a418) line 3366 + 15 bytes js_Invoke(JSContext * 0x0496c620, unsigned int 1, unsigned int 2) line 1301 + 13 bytes js_InternalInvoke(JSContext * 0x0496c620, JSObject * 0x0475eaf0, long 80093824, unsigned int 0, unsigned int 1, long * 0x0012a67c, long * 0x0012a678) line 1378 + 20 bytes JS_CallFunctionValue(JSContext * 0x0496c620, JSObject * 0x0475eaf0, long 80093824, unsigned int 1, long * 0x0012a67c, long * 0x0012a678) line 3601 + 31 bytes nsJSContext::CallEventHandler(JSObject * 0x0475eaf0, JSObject * 0x04c62280, unsigned int 1, long * 0x0012a67c, long * 0x0012a678) line 1293 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04a400f0, nsIDOMEvent * 0x04c09540) line 175 + 51 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04a401d0, nsIDOMEvent * 0x04c09540, nsIDOMEventTarget * 0x04c08de0, unsigned int 8, unsigned int 7) line 1435 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04a40088, nsIPresContext * 0x049f6410, nsEvent * 0x0012ad28, nsIDOMEvent * * 0x0012acbc, nsIDOMEventTarget * 0x04c08de0, unsigned int 7, nsEventStatus * 0x0012ad74) line 1530 nsXULElement::HandleDOMEvent(nsIPresContext * 0x049f6410, nsEvent * 0x0012ad28, nsIDOMEvent * * 0x0012acbc, unsigned int 7, nsEventStatus * 
0x0012ad74) line 2801 PresShell::HandleDOMEventWithTarget(PresShell * const 0x049f7f68, nsIContent * 0x04a40010, nsEvent * 0x0012ad28, nsEventStatus * 0x0012ad74) line 6095 nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x049f6410, nsGUIEvent * 0x0012af4c) line 178 nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x04ad25cc, nsIPresContext * 0x049f6410, nsGUIEvent * 0x0012af4c, nsEventStatus * 0x0012b260) line 150 PresShell::HandleEventInternal(nsEvent * 0x0012af4c, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012b260) line 6059 + 39 bytes PresShell::HandleEventWithTarget(PresShell * const 0x049f7f68, nsEvent * 0x0012af4c, nsIFrame * 0x04ad25cc, nsIContent * 0x04a40010, unsigned int 1, nsEventStatus * 0x0012b260) line 5970 + 22 bytes nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x049f6410, nsMouseEvent * 0x0012b480, nsEventStatus * 0x0012b260) line 2933 + 66 bytes nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x049f6ba8, nsIPresContext * 0x049f6410, nsEvent * 0x0012b480, nsIFrame * 0x04ad25cc, nsEventStatus * 0x0012b260, nsIView * 0x049f77b8) line 1944 + 23 bytes PresShell::HandleEventInternal(nsEvent * 0x0012b480, nsIView * 0x049f77b8, unsigned int 1, nsEventStatus * 0x0012b260) line 6067 + 52 bytes PresShell::HandleEvent(PresShell * const 0x049f7fdc, nsIView * 0x049f77b8, nsGUIEvent * 0x0012b480, nsEventStatus * 0x0012b260, int 1, int & 1) line 5908 + 25 bytes nsViewManager::HandleEvent(nsView * 0x049f77b8, nsGUIEvent * 0x0012b480, int 1) line 2238 nsViewManager::DispatchEvent(nsViewManager * const 0x049f75e8, nsGUIEvent * 0x0012b480, nsEventStatus * 0x0012b358) line 1978 + 20 bytes HandleEvent(nsGUIEvent * 0x0012b480) line 79 nsWindow::DispatchEvent(nsWindow * const 0x049f7854, nsGUIEvent * 0x0012b480, nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012b480) line 1088 nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 
0x00000000) line 5259 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5514 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 22741406, long * 0x0012b930) line 4045 + 28 bytes nsWindow::WindowProc(HWND__ * 0x000a08cc, unsigned int 514, unsigned int 0, long 22741406) line 1349 + 27 bytes USER32! 77e3a2d0() USER32! 77e145e5() USER32! 77e1a816() nsXULWindow::ShowModal(nsXULWindow * const 0x04872d00) line 368 nsWebShellWindow::ShowModal(nsWebShellWindow * const 0x04872d00) line 1104 nsContentTreeOwner::ShowAsModal(nsContentTreeOwner * const 0x04876af4) line 449 nsWindowWatcher::OpenWindowJS(nsWindowWatcher * const 0x00f73664, nsIDOMWindow * 0x03680f84, const char * 0x0486dc40, const char * 0x00000000, const char * 0x0012bf64, int 1, unsigned int 1, long * 0x049839dc, nsIDOMWindow * * 0x0012bfbc) line 784 GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x03680f80, const nsAString & {...}, const nsAString & {...}, const nsAString & {...}, int 1, long * 0x049839d0, unsigned int 4, nsISupports * 0x00000000, nsIDOMWindow * * 0x0012c37c) line 4779 + 140 bytes GlobalWindowImpl::OpenDialog(GlobalWindowImpl * const 0x03680f88, nsIDOMWindow * * 0x0012c37c) line 3474 + 59 bytes XPTC_InvokeByIndex(nsISupports * 0x03680f88, unsigned int 16, unsigned int 1, nsXPTCVariant * 0x0012c37c) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes XPC_WN_CallMethod(JSContext * 0x04327210, JSObject * 0x025380a0, unsigned int 4, long * 0x049839d0, long * 0x0012c644) line 1287 + 14 bytes js_Invoke(JSContext * 0x04327210, unsigned int 4, unsigned int 0) line 1281 + 23 bytes js_Interpret(JSContext * 0x04327210, long * 0x0012d078) line 3366 + 15 bytes js_Invoke(JSContext * 0x04327210, unsigned int 1, unsigned int 2) line 1301 + 13 bytes nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x02d125a8, nsXPCWrappedJS * 0x04743a18, unsigned short 5, 
const nsXPTMethodInfo * 0x0244c218, nsXPTCMiniVariant * 0x0012d3b8) line 1336 + 22 bytes nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x04743a18, unsigned short 5, const nsXPTMethodInfo * 0x0244c218, nsXPTCMiniVariant * 0x0012d3b8) line 450 PrepareAndDispatch(nsXPTCStubBase * 0x04743a18, unsigned int 5, unsigned int * 0x0012d468, unsigned int * 0x0012d458) line 117 + 31 bytes SharedStub() line 147 XPTC_InvokeByIndex(nsISupports * 0x04743a18, unsigned int 5, unsigned int 1, nsXPTCVariant * 0x0012d5d8) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes XPC_WN_CallMethod(JSContext * 0x04327210, JSObject * 0x024f6cd0, unsigned int 1, long * 0x049838f8, long * 0x0012d8a0) line 1287 + 14 bytes js_Invoke(JSContext * 0x04327210, unsigned int 1, unsigned int 0) line 1281 + 23 bytes js_Interpret(JSContext * 0x04327210, long * 0x0012e2d4) line 3366 + 15 bytes js_Invoke(JSContext * 0x04327210, unsigned int 1, unsigned int 2) line 1301 + 13 bytes js_InternalInvoke(JSContext * 0x04327210, JSObject * 0x041a4398, long 68830216, unsigned int 0, unsigned int 1, long * 0x0012e538, long * 0x0012e534) line 1378 + 20 bytes JS_CallFunctionValue(JSContext * 0x04327210, JSObject * 0x041a4398, long 68830216, unsigned int 1, long * 0x0012e538, long * 0x0012e534) line 3601 + 31 bytes nsJSContext::CallEventHandler(JSObject * 0x041a4398, JSObject * 0x041a4408, unsigned int 1, long * 0x0012e538, long * 0x0012e534) line 1293 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0450ba98, nsIDOMEvent * 0x049e57e8) line 175 + 51 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0450bb78, nsIDOMEvent * 0x049e57e8, nsIDOMEventTarget * 0x048a2348, unsigned int 8, unsigned int 7) line 1435 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0450ba30, nsIPresContext * 0x0442a218, nsEvent * 0x0012f020, nsIDOMEvent * * 0x0012eb78, nsIDOMEventTarget * 0x048a2348, 
unsigned int 7, nsEventStatus * 0x0012f06c) line 1530 nsXULElement::HandleDOMEvent(nsIPresContext * 0x0442a218, nsEvent * 0x0012f020, nsIDOMEvent * * 0x0012eb78, unsigned int 7, nsEventStatus * 0x0012f06c) line 2801 nsXULElement::HandleDOMEvent(nsIPresContext * 0x0442a218, nsEvent * 0x0012f020, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f06c) line 2633 + 50 bytes PresShell::HandleDOMEventWithTarget(PresShell * const 0x043fc728, nsIContent * 0x04517780, nsEvent * 0x0012f020, nsEventStatus * 0x0012f06c) line 6095 nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x0442a218, nsGUIEvent * 0x0012f244) line 178 nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x04695db0, nsIPresContext * 0x0442a218, nsGUIEvent * 0x0012f244, nsEventStatus * 0x0012f558) line 150 PresShell::HandleEventInternal(nsEvent * 0x0012f244, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f558) line 6059 + 39 bytes PresShell::HandleEventWithTarget(PresShell * const 0x043fc728, nsEvent * 0x0012f244, nsIFrame * 0x04695db0, nsIContent * 0x04517780, unsigned int 1, nsEventStatus * 0x0012f558) line 5970 + 22 bytes nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x0442a218, nsMouseEvent * 0x0012f778, nsEventStatus * 0x0012f558) line 2933 + 66 bytes nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x0442a830, nsIPresContext * 0x0442a218, nsEvent * 0x0012f778, nsIFrame * 0x04695db0, nsEventStatus * 0x0012f558, nsIView * 0x043fbe10) line 1944 + 23 bytes PresShell::HandleEventInternal(nsEvent * 0x0012f778, nsIView * 0x043fbe10, unsigned int 1, nsEventStatus * 0x0012f558) line 6067 + 52 bytes PresShell::HandleEvent(PresShell * const 0x043fc79c, nsIView * 0x043fbe10, nsGUIEvent * 0x0012f778, nsEventStatus * 0x0012f558, int 1, int & 1) line 5908 + 25 bytes nsViewManager::HandleEvent(nsView * 0x043fbe10, nsGUIEvent * 0x0012f778, int 1) line 2238 nsViewManager::DispatchEvent(nsViewManager * const 0x043fbc40, nsGUIEvent * 0x0012f778, nsEventStatus 
* 0x0012f650) line 1978 + 20 bytes HandleEvent(nsGUIEvent * 0x0012f778) line 79 nsWindow::DispatchEvent(nsWindow * const 0x043fbeac, nsGUIEvent * 0x0012f778, nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f778) line 1088 nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5259 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5514 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 2687071, long * 0x0012fc28) line 4045 + 28 bytes nsWindow::WindowProc(HWND__ * 0x001e058e, unsigned int 514, unsigned int 0, long 2687071) line 1349 + 27 bytes USER32! 77e3a2d0() USER32! 77e145e5() USER32! 77e1a816() nsAppShellService::Run(nsAppShellService * const 0x00f74e50) line 524 main1(int 1, char * * 0x00262508, nsISupports * 0x00eb2330) line 1303 + 32 bytes main(int 1, char * * 0x00262508) line 1780 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 7c5987e7()
sorry, submitted too early. to reproduce this crash:
1) go to mail compose window
2) use the "select addresses" dialog
3) select lots of addresses (say 50?)
4) add them using the To button
5) hit ok

I crash every time. element is already deleted (0xdddddddd)
Why me? Need a bit more debugging love, ideally some purify. This is not a PLDHashTable bug, I can unboldly predict. /be
Assignee: brendan → mscott
I'll run Purify on this.
Purify seems to have lost track of when that object was deleted, or PL_DHashTable has defeated it easily :-) but fwiw, I'm pretty sure Brendan is right, and this problem is specific to layout, or the addressing widget. I've only seen this crash replying to existing messages, or as described in this bug report.
Severity: normal → critical
Keywords: crash
I've also seen this when bringing up the compose window for a new message. I'll try to get a stack trace for that. I agree with david that it might be the addressing widget tickling a bug in layout. fear the addressing widget.
here's a similar stack for a crash when I do new compose window. nsSupportsHashtable::ReleaseElement(nsHashKey * 0x04b00b40, void * 0x04847a30, void * 0x00000000) line 812 + 15 bytes hashEnumerate(PLDHashTable * 0x04b00980, PLDHashEntryHdr * 0x04b00a64, unsigned int 0, void * 0x0012a1f0) line 131 + 26 bytes PL_DHashTableEnumerate(PLDHashTable * 0x04b00980, int (PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *)* 0x10014760 hashEnumerate(PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *), void * 0x0012a1f0) line 619 + 34 bytes nsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0 nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void * 0x00000000) line 319 + 21 bytes nsSupportsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0 nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void * 0x00000000) line 222 nsSupportsHashtable::~nsSupportsHashtable() line 819 nsSupportsHashtable::`scalar deleting destructor'(unsigned int 1) + 16 bytes nsPresState::~nsPresState() line 93 + 33 bytes nsPresState::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsPresState::Release(nsPresState * const 0x04b00920) line 83 + 209 bytes nsCOMPtr<nsIPresState>::assign_assuming_AddRef(nsIPresState * 0x00000000) line 495 nsCOMPtr<nsIPresState>::assign_with_AddRef(nsISupports * 0x00000000) line 1023 nsCOMPtr<nsIPresState>::operator=(nsIPresState * 0x00000000) line 608 nsBoxObject::SetDocument(nsBoxObject * const 0x04ae0314, nsIDocument * 0x00000000) line 146 nsDocument::SetBoxObjectFor(nsDocument * const 0x03c0dbac, nsIDOMElement * 0x04669a4c, nsIBoxObject * 0x00000000) line 2790 nsXULElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1590 nsXULElement::RemoveChildAt(unsigned int 1, int 1) line 1928 nsGenericElement::doReplaceChild(nsIContent * 0x045981b0, nsIDOMNode * 0x04b3a254, nsIDOMNode * 0x04669a4c, nsIDOMNode * * 0x0012a73c) line 2987 + 17 bytes nsXULElement::ReplaceChild(nsXULElement * const 
0x045981bc, nsIDOMNode * 0x04b3a254, nsIDOMNode * 0x04669a4c, nsIDOMNode * * 0x0012a73c) line 846 + 24 bytes XPTC_InvokeByIndex(nsISupports * 0x045981bc, unsigned int 16, unsigned int 3, nsXPTCVariant * 0x0012a71c) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes XPC_WN_CallMethod(JSContext * 0x024e9c98, JSObject * 0x0492d6b0, unsigned int 2, long * 0x04b453a8, long * 0x0012a9e4) line 1287 + 14 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 2, unsigned int 0) line 1281 + 23 bytes js_Interpret(JSContext * 0x024e9c98, long * 0x0012b418) line 3366 + 15 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 0, unsigned int 0) line 1301 + 13 bytes js_Interpret(JSContext * 0x024e9c98, long * 0x0012bdfc) line 3366 + 15 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 0, unsigned int 2) line 1301 + 13 bytes nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x049c29e0, nsXPCWrappedJS * 0x04a688e8, unsigned short 3, const nsXPTMethodInfo * 0x03b91b18, nsXPTCMiniVariant * 0x0012c13c) line 1336 + 22 bytes nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x04a688e8, unsigned short 3, const nsXPTMethodInfo * 0x03b91b18, nsXPTCMiniVariant * 0x0012c13c) line 450 PrepareAndDispatch(nsXPTCStubBase * 0x04a688e8, unsigned int 3, unsigned int * 0x0012c1ec, unsigned int * 0x0012c1dc) line 117 + 31 bytes SharedStub() line 147 nsMsgCompose::NotifyStateListeners(nsMsgCompose * const 0x049deeb0, TStateListenerNotification eComposeFieldsReady, unsigned int 0) line 3581 nsMsgCompose::InitEditor(nsMsgCompose * const 0x049deeb0, nsIEditor * 0x04a264b8, nsIDOMWindow * 0x0497f37c) line 1355 XPTC_InvokeByIndex(nsISupports * 0x049deeb0, unsigned int 27, unsigned int 2, nsXPTCVariant * 0x0012c414) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes XPC_WN_CallMethod(JSContext * 0x024e9c98, JSObject * 0x045b7550, unsigned int 2, long * 
0x04b45294, long * 0x0012c6dc) line 1287 + 14 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 2, unsigned int 0) line 1281 + 23 bytes js_Interpret(JSContext * 0x024e9c98, long * 0x0012d110) line 3366 + 15 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 1, unsigned int 2) line 1301 + 13 bytes nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x049deeb0, nsXPCWrappedJS * 0x049def60, unsigned short 4, const nsXPTMethodInfo * 0x03c5a580, nsXPTCMiniVariant * 0x0012d450) line 1336 + 22 bytes nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x049def60, unsigned short 4, const nsXPTMethodInfo * 0x03c5a580, nsXPTCMiniVariant * 0x0012d450) line 450 PrepareAndDispatch(nsXPTCStubBase * 0x049def60, unsigned int 4, unsigned int * 0x0012d500, unsigned int * 0x0012d4f0) line 117 + 31 bytes SharedStub() line 147 nsMsgComposeService::OpenWindow(const char * 0x00000000, nsIMsgComposeParams * 0x04a9f150) line 272 nsMsgComposeService::OpenComposeWindow(nsMsgComposeService * const 0x02558e90, const char * 0x00000000, const char * 0x04ab26c8, int 5, int 0, nsIMsgIdentity * 0x03c5f880, nsIMsgWindow * 0x03b87dd0) line 478 + 21 bytes XPTC_InvokeByIndex(nsISupports * 0x02558e90, unsigned int 3, unsigned int 6, nsXPTCVariant * 0x0012da1c) line 102 XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes XPC_WN_CallMethod(JSContext * 0x024e9c98, JSObject * 0x03bcb1f0, unsigned int 6, long * 0x04b4516c, long * 0x0012dce4) line 1287 + 14 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 6, unsigned int 0) line 1281 + 23 bytes js_Interpret(JSContext * 0x024e9c98, long * 0x0012e718) line 3366 + 15 bytes js_Invoke(JSContext * 0x024e9c98, unsigned int 1, unsigned int 2) line 1301 + 13 bytes js_InternalInvoke(JSContext * 0x024e9c98, JSObject * 0x0388a2b8, long 69368328, unsigned int 0, unsigned int 1, long * 0x0012e97c, long * 0x0012e978) line 1378 + 20 bytes JS_CallFunctionValue(JSContext * 0x024e9c98, JSObject * 
0x0388a2b8, long 69368328, unsigned int 1, long * 0x0012e97c, long * 0x0012e978) line 3618 + 31 bytes nsJSContext::CallEventHandler(JSObject * 0x0388a2b8, JSObject * 0x04227a08, unsigned int 1, long * 0x0012e97c, long * 0x0012e978) line 1292 + 33 bytes nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03671638, nsIDOMEvent * 0x04aa1000) line 174 + 51 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x036716a0, nsIDOMEvent * 0x04aa1000, nsIDOMEventTarget * 0x04a8e1d8, unsigned int 8, unsigned int 7) line 1434 + 20 bytes nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x036715d0, nsIPresContext * 0x02c3bba8, nsEvent * 0x0012f028, nsIDOMEvent * * 0x0012efbc, nsIDOMEventTarget * 0x04a8e1d8, unsigned int 7, nsEventStatus * 0x0012f074) line 1529 nsXULElement::HandleDOMEvent(nsIPresContext * 0x02c3bba8, nsEvent * 0x0012f028, nsIDOMEvent * * 0x0012efbc, unsigned int 7, nsEventStatus * 0x0012f074) line 2790 PresShell::HandleDOMEventWithTarget(PresShell * const 0x02c646e0, nsIContent * 0x03673858, nsEvent * 0x0012f028, nsEventStatus * 0x0012f074) line 6108 nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x02c3bba8, nsGUIEvent * 0x0012f24c) line 178 nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x0395c500, nsIPresContext * 0x02c3bba8, nsGUIEvent * 0x0012f24c, nsEventStatus * 0x0012f560) line 150 PresShell::HandleEventInternal(nsEvent * 0x0012f24c, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f560) line 6072 + 39 bytes PresShell::HandleEventWithTarget(PresShell * const 0x02c646e0, nsEvent * 0x0012f24c, nsIFrame * 0x0395c500, nsIContent * 0x03673858, unsigned int 1, nsEventStatus * 0x0012f560) line 5983 + 22 bytes nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x02c3bba8, nsMouseEvent * 0x0012f780, nsEventStatus * 0x0012f560) line 2933 + 66 bytes nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x02c946f8, nsIPresContext * 0x02c3bba8, nsEvent * 0x0012f780, nsIFrame * 
0x0395c500, nsEventStatus * 0x0012f560, nsIView * 0x02c64118) line 1944 + 23 bytes PresShell::HandleEventInternal(nsEvent * 0x0012f780, nsIView * 0x02c64118, unsigned int 1, nsEventStatus * 0x0012f560) line 6080 + 52 bytes PresShell::HandleEvent(PresShell * const 0x02c64754, nsIView * 0x02c64118, nsGUIEvent * 0x0012f780, nsEventStatus * 0x0012f560, int 1, int & 1) line 5921 + 25 bytes nsViewManager::HandleEvent(nsView * 0x02c64118, nsGUIEvent * 0x0012f780, int 1) line 2236 nsViewManager::DispatchEvent(nsViewManager * const 0x02c94f88, nsGUIEvent * 0x0012f780, nsEventStatus * 0x0012f658) line 1976 + 20 bytes HandleEvent(nsGUIEvent * 0x0012f780) line 79 nsWindow::DispatchEvent(nsWindow * const 0x02c641b4, nsGUIEvent * 0x0012f780, nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f780) line 1088 nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5189 + 21 bytes ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 0x00000000) line 5444 nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 3735673, long * 0x0012fc28) line 3975 + 28 bytes nsWindow::WindowProc(HWND__ * 0x0037074a, unsigned int 514, unsigned int 0, long 3735673) line 1349 + 27 bytes USER32! 77e3a2d0() USER32! 77e145e5() USER32! 77e1a816() nsAppShellService::Run(nsAppShellService * const 0x00f75308) line 524 main1(int 1, char * * 0x00264f70, nsISupports * 0x00eb32b0) line 1302 + 32 bytes main(int 1, char * * 0x00264f70) line 1779 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 7c5987e7()
This looks a lot like we're over-releasing the presstate. Anyone want to run a refcnt-balance log on nsPresState?
Looks more like over-releasing one of the objects in the hashtable to me, especially if this is Windows DEBUG where (I think) deleted objects are marked with 0xdddddddd.
yes, the object has been deleted. It's odd that Purify doesn't point out where the error is...
Probably it's an arena-allocated object, most likely an nsIFrame implementation (which really shouldn't be put in an nsSupportsHashtable).
(If you change the |memset| in FrameArena::FreeFrame in nsPresShell.cpp, does it end up with something other than 0xdddddddd?)
Don't nsIFrame impls assert in AddRef and Release? /be
nsFrame::AddRef and nsFrame::Release have NS_WARNING("not supported for frames"), which is almost an assertion, but some other frame classes override:
http://lxr.mozilla.org/seamonkey/search?string=Frame%3A%3AAddRef
http://lxr.mozilla.org/seamonkey/search?string=Frame%3A%3ARelease
(The ones that return NS_OK are especially clever.)
(In reply to comment #11)
> (If you change the |memset| in FrameArena::FreeFrame in nsPresShell.cpp, does it
> end up with something other than 0xdddddddd?)

yes, it does. I'll try disabling the frame arena and running purify again.
Yes, here are the error, allocation, and free stacks.

[E] FMR: Free memory read in nsSupportsHashtable::ReleaseElement(nsHashKey *,void *,void *) {1 occurrence}
    Reading 4 bytes from 0x170074e0 (4 bytes at 0x170074e0 illegal)
    Address 0x170074e0 is 136 bytes into a 232 byte block at 0x17007458
    Address 0x170074e0 points to a malloc'd block in heap 0x02420000
    Thread ID: 0x944
    Error location
        nsSupportsHashtable::ReleaseElement(nsHashKey *,void *,void *) [nsHashtable.cpp:796]
        hashEnumerate [nsHashtable.cpp:115]
        PL_DHashTableEnumerate [pldhash.c:619]
        nsHashtable::Enumerate((*)(nsHashKey *,void *,void *),void *) [nsHashtable.cpp:303]
        nsSupportsHashtable::Enumerate((*)(nsHashKey *,void *,void *),void *) [nsHashtable.h:205]
        nsSupportsHashtable::~nsSupportsHashtable(void) [nsHashtable.cpp:802]
        nsSupportsHashtable::`vector deleting destructor'(UINT) [gklayout.dll]
        nsPresState::~nsPresState(void) [nsPresState.cpp:93]
        nsPresState::`scalar deleting destructor'(UINT) [gklayout.dll]
        nsPresState::Release(void) [nsPresState.cpp:83]
    Allocation location
        malloc [dbgheap.c:129]
        PR_Malloc [prmem.c:474]
        FrameArena::AllocateFrame(UINT) [nsPresShell.cpp:618]
        PresShell::AllocateFrame(UINT) [nsPresShell.cpp:1969]
        nsFrame::new(UINT,nsIPresShell *) [nsFrame.cpp:436]
        NS_NewListBoxBodyFrame(nsIPresShell *,nsIFrame * *,int,nsIBoxLayout *) [nsListBoxBodyFrame.cpp:1510]
        nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems&,int,int&) [nsCSSFrameConstructor.cpp:5454]
        nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems&,int) [nsCSSFrameConstructor.cpp:7133]
        nsCSSFrameConstructor::ConstructFrame(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&) [nsCSSFrameConstructor.cpp:7026]
        nsCSSFrameConstructor::ProcessChildren(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&,int,nsTableCreator *) [nsCSSFrameConstructor.cpp:11464]
        nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems&,int,int&) [nsCSSFrameConstructor.cpp:5667]
        nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems&,int) [nsCSSFrameConstructor.cpp:7133]
        nsCSSFrameConstructor::ConstructFrame(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&) [nsCSSFrameConstructor.cpp:7026]
        nsCSSFrameConstructor::ProcessChildren(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,int,nsFrameItems&,int,nsTableCreator *) [nsCSSFrameConstructor.cpp:11464]
        nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems&,int,int&) [nsCSSFrameConstructor.cpp:5667]
        nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems&,int) [nsCSSFrameConstructor.cpp:7133]
        nsCSSFrameConstructor::ConstructFrame(nsIPresShell *,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&) [nsCSSFrameConstructor.cpp:7026]
        nsCSSFrameConstructor::ContentInserted(nsIPresContext *,nsIContent *,nsIFrame *,nsIContent *,int,nsILayoutHistoryState *,int) [nsCSSFrameConstructor.cpp:8917]
    Free location
        free [dbgheap.c:955]
        PR_Free [prmem.c:502]
        FrameArena::FreeFrame(UINT,void *) [nsPresShell.cpp:655]
        PresShell::FreeFrame(UINT,void *) [nsPresShell.cpp:1963]
        nsFrame::Destroy(nsIPresContext *) [nsFrame.cpp:654]
        nsSplittableFrame::Destroy(nsIPresContext *) [nsSplittableFrame.cpp:71]
        nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:141]
        nsBoxFrame::Destroy(nsIPresContext *) [nsBoxFrame.cpp:1065]
        nsListBoxBodyFrame::Destroy(nsIPresContext *) [nsListBoxBodyFrame.cpp:278]
        nsFrameList::DestroyFrames(nsIPresContext *) [nsFrameList.cpp:129]
        nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:134]
        nsBoxFrame::Destroy(nsIPresContext *) [nsBoxFrame.cpp:1065]
        nsFrameList::DestroyFrames(nsIPresContext *) [nsFrameList.cpp:129]
        nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:134]
        nsBoxFrame::Destroy(nsIPresContext *) [nsBoxFrame.cpp:1065]
        nsGfxScrollFrame::Destroy(nsIPresContext *) [nsGfxScrollFrame.cpp:427]
        nsFrameList::DestroyFrames(nsIPresContext *) [nsFrameList.cpp:129]
        nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:134]
NS_IMETHODIMP_(nsrefcnt) nsListBoxBodyFrame::AddRef(void) { return 2; }
NS_IMETHODIMP_(nsrefcnt) nsListBoxBodyFrame::Release(void) { return 1; }
Argh, what a mess. Are there bugs on file to fix all these broken AddRef and Release overrides? Why are they overriding the base class? /be
Here's the stack trace where the pres state gets deleted:

nsPresState::~nsPresState() line 93
nsPresState::`scalar deleting destructor'(unsigned int 0x00000001) + 15 bytes
nsPresState::Release(nsPresState * const 0x07c776e8) line 83 + 209 bytes
nsCOMPtr<nsIPresState>::assign_assuming_AddRef(nsIPresState * 0x00000000) line 495
nsCOMPtr<nsIPresState>::assign_with_AddRef(nsISupports * 0x00000000) line 1023
nsCOMPtr<nsIPresState>::operator=(nsIPresState * 0x00000000) line 608
nsBoxObject::SetDocument(nsBoxObject * const 0x079fd834, nsIDocument * 0x00000000) line 146
nsDocument::SetBoxObjectFor(nsDocument * const 0x054f6844, nsIDOMElement * 0x0788bec4, nsIBoxObject * 0x00000000) line 2799
nsXULElement::SetDocument(nsIDocument * 0x00000000, int 0x00000001, int 0x00000001) line 1574
nsXULElement::RemoveChildAt(unsigned int 0x00000001, int 0x00000001) line 1912
nsGenericElement::doReplaceChild(nsIContent * 0x0538ed48, nsIDOMNode * 0x07edf684, nsIDOMNode * 0x0788bec4, nsIDOMNode * * 0x00128c4c) line 2988 + 17 bytes
nsXULElement::ReplaceChild(nsXULElement * const 0x0538ed54, nsIDOMNode * 0x07edf684, nsIDOMNode * 0x0788bec4, nsIDOMNode * * 0x00128c4c) line 830 + 24 bytes
XPTC_InvokeByIndex(nsISupports * 0x0538ed54, unsigned int 0x00000010, unsigned int 0x00000003, nsXPTCVariant * 0x00128c2c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x07c5d190, JSObject * 0x07708d68, unsigned int 0x00000002, long * 0x07edbf04, long * 0x00128efc) line 1287 + 14 bytes

- this is called from the addressing widget js, probably here:

function awAppendNewRow(setFocus) {
  var listbox = document.getElementById('addressingWidget');
  var listitem1 = awGetListItem(1);
  if ( listbox && listitem1 ) {
    var lastRecipientType = awGetPopupElement(top.MAX_RECIPIENTS).selectedItem.getAttribute("value");
    var nextDummy = awGetNextDummyRow();
    var newNode = listitem1.cloneNode(true);
    if (nextDummy)
      listbox.replaceChild(newNode, nextDummy);
    else
      listbox.appendChild(newNode);
bienvenu: you're asking or answering the wrong question. don't ask where it got killed. ask why in the world it was put in the array in the first place. frames have a very specific ownership model and someone blew it.
I understand that's the fundamental problem that has to be fixed...if that's going to be the quickest fix, that's fine, but if there's some other quick fix that will stop the trunk from crashing, I think that's worth investigating too - I'm not sure how hard it is to fix the fundamental problem.
http://lxr.mozilla.org/seamonkey/source/layout/xul/base/src/nsListBoxObject.cpp#237

nsIListBoxObject* nsListBoxObject::GetListBoxBody()
  // It's a frame. Refcounts are irrelevant.
  nsCOMPtr<nsIListBoxObject> body;
  yeahBaby->QueryInterface(NS_GET_IID(nsIListBoxObject), getter_AddRefs(body));
  SetPropertyAsSupports(listboxbody.get(), body);
  return body;

This code has been doing this for a long time...the object is both an nsIListBoxObject and an nsIFrame. I wonder if a call to nsListBoxObject::InvalidatePresentationStuff before the frame is destroyed would paper over the crash.
i'm willing to write a debug only check on nsSupportsHashtable and similar xpcom creatures which QIs to nsIFrame and asserts at insertion time. That'd be the fast way to find your critter today and probably the best way to avoid this problem tomorrow.
thx, I've already found where it's happening...see http://bugzilla.mozilla.org/show_bug.cgi?id=240720#c21
Attached patch: possible fix
cache a non-refcounted pointer
Comment on attachment 146814 (possible fix)
I haven't had any problems with this patch...but I have no idea if this is right. It doesn't crash, and it doesn't seem to leak the frames...
Attachment #146814 - Flags: superreview?(dbaron)
Comment on attachment 146814 (possible fix)
>+ if (mListBoxBody) {
>+ nsCOMPtr<nsIListBoxObject> body(do_QueryInterface(mListBoxBody));
> return body;
This could just be
if (mListBoxBody) return mListBoxBody;
but other than that, you need to find someone who knows something about box objects to review...
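Review bot: the `if (mListBoxBody)` fast path hands back a cached pointer that the patch description calls non-refcounted, and nothing in the quoted lines shows that pointer being reset when the listbox body frame is destroyed. Because the cached object is a frame, callers would receive a stale pointer after frame teardown; the patch should clear mListBoxBody on that path and state the lifetime assumption in a comment next to the member.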
Attachment #146814 - Flags: superreview?(dbaron) → superreview+
Comment on attachment 146814 (possible fix)
Ok, looking at the checkin log, I'm going to try jst. I'll remove the QI and comptr
Attachment #146814 - Flags: review?(jst)
I think I'd prefer this over the proposed fix since the proposed fix still leaves dangling pointers that could easily cause crashes in other situations. I don't know enough about this code to say if it will happen or not, but it seems likely that it could. David, can you test this?
yes, that works, and it seems like that's the way the code was supposed to work...
Attachment #147068 - Flags: superreview?(dbaron)
Attachment #147068 - Flags: review?(bienvenu)
Attachment #147068 - Flags: review?(bienvenu) → review+
Comment on attachment 147068
How about this instead? This makes sure we invalidate the listbox's box object when the listbox's body frame is destroyed.
sr=dbaron, although I'm not a big fan of calling a variable that iterates over ancestors |parent|. I prefer |f| or |a|. :-) And the loop could also be a for loop instead of a while loop...
Attachment #147068 - Flags: superreview?(dbaron) → superreview+
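The two remedies discussed in this bug, the insertion-time check proposed for nsSupportsHashtable and the invalidate-on-frame-destruction fix from attachment 147068, sketched as an added example (not Mozilla's code and not taken from either attachment). Supports, Counted, Frame, BoxObject and SupportsTable are hypothetical stand-ins, and IsFrame() stands in for a QueryInterface to nsIFrame.

```cpp
#include <map>
#include <string>

// Hypothetical stand-in for nsISupports; IsFrame() plays the role of a QI to nsIFrame.
struct Supports {
    virtual void AddRef() = 0;
    virtual void Release() = 0;
    virtual bool IsFrame() const { return false; }
    virtual ~Supports() = default;
};

static int gLiveCounted = 0;  // live Counted objects, so destruction is observable
// Normally refcounted object: the last Release() deletes it.
struct Counted : Supports {
    int refs = 0;
    Counted() { ++gLiveCounted; }
    ~Counted() override { --gLiveCounted; }
    void AddRef() override { ++refs; }
    void Release() override { if (--refs == 0) delete this; }
};

struct Frame;
struct BoxObject {
    Frame* body = nullptr;  // non-owning cache of the body frame
    void Invalidate() { body = nullptr; }
};
// Frame-like object: owned by the frame tree, so AddRef/Release do nothing.
struct Frame : Supports {
    BoxObject* box = nullptr;
    void AddRef() override {}
    void Release() override {}
    bool IsFrame() const override { return true; }
    // Teardown clears the box object's cached pointer before the frame dies.
    void Destroy() { if (box) box->Invalidate(); delete this; }
};

// Owning table: AddRef on insert, Release on every element at destruction.
class SupportsTable {
    std::map<std::string, Supports*> entries_;
public:
    // Refuses frames at insertion; a debug build would assert here instead.
    bool Put(const std::string& key, Supports* v) {
        if (v->IsFrame() || entries_.count(key)) return false;
        v->AddRef();
        entries_[key] = v;
        return true;
    }
    ~SupportsTable() { for (auto& e : entries_) e.second->Release(); }
};
```

Without the check in Put(), the table's destructor would call Release() on a Frame that Destroy() had already deleted, which is the shape of the crash in the stack at the top of this bug.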
David do you think this crash is in 1.7/0.6?
Fix checked in, let me know if someone wants me to land this on the 1.7 branch too.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I doubt it - it popped up right when the tree opened for 1.8, so some change there probably triggered it (I suspect some de-COM-tamification work exposed this problem). But we could scour talkback and see if any stack trace like that shows up in 1.7 builds...
Attachment #146814 - Flags: review?(jst)
*** Bug 263771 has been marked as a duplicate of this bug. ***
Product: MailNews → Core
Product: Core → MailNews Core