305041 - shutdown crash [@ nsAttrValue::ToString] nsAttrValue::sEnumTableArray is null

Assignee

Description

•

19 years ago

steps to reproduce:
1. rename seamonkey.exe HsEngine.exe
2. provide HsEngine.exe and a frontend to a QA at work
3. foolishly let the QA use the pair

expected results:
no gecko implicated crashes (and many crashes or errors in .net frontend code)

actual results:
this crash

reproducable:
yes, my qa reproduced it at least 3 times without effort in well under an hour
(the only reason for the long interval is i kept missing the crash and getting
distracted, and the fact that i wasn't paying any attention to a clock, so the
time is a rough estimate rounded up).

(620.334): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00006800 ebx=0012f828 ecx=00000020 edx=00000000 esi=06b709f0 edi=064ea670
eip=01551220 esp=0012f704 ebp=0012f788 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
*** WARNING: Unable to verify checksum for C:\Program Files\Cenzic\Cenzic
Hailstorm\Engine\BackEnd\components\gklayout.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Program Files\Cenzic\Cenzic Hailstorm\Engine\BackEnd\components\gklayout.dll - 
gklayout!NSGetModule+0xeee4d:
01551220 8b5204           mov     edx,[edx+0x4]     ds:0023:00000004=????????
*** WARNING: Unable to verify checksum for C:\Program Files\Cenzic\Cenzic
Hailstorm\Engine\BackEnd\components\jsd3250.dll
*** WARNING: Unable to verify checksum for C:\Program Files\Cenzic\Cenzic
Hailstorm\Engine\BackEnd\js3250.dll
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

CThread::setThreadIndex FAILED hr = 0x80004002
CThread::setThreadIndex FAILED hr = 0x80004002

FAULTING_IP: 
gklayout!nsAttrValue::ToString+2c6
[c:\build\chs3\build\mozilla\content\base\src\nsattrvalue.cpp @ 348]
01551220 8b5204           mov     edx,[edx+0x4]

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 01551220 (gklayout!nsAttrValue::ToString+0x000002c6)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004

FAULTING_THREAD:  00000334

DEFAULT_BUCKET_ID:  APPLICATION_FAULT

PROCESS_NAME:  HsEngine.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  00000004 

BUGCHECK_STR:  ACCESS_VIOLATION

MANAGED_STACK: !dumpstack -EE
 succeeded
Loaded Son of Strike data table version 5 from
"C:\WINNT\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
Current frame: 
ChildEBP RetAddr  Caller,Callee

LAST_CONTROL_TRANSFER:  from 01552c21 to 01551220

STACK_TEXT:  
0012f7fc 01552c21 0012f828 0012f8c0 0155d7ae
gklayout!nsAttrValue::ToString+0x2c6
[c:\build\chs3\build\mozilla\content\base\src\nsattrvalue.cpp @ 348]
0012f808 0155d7ae 00000000 002ae6c8 0012f828
gklayout!nsGenericElement::GetAttr+0x30
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 3611]
0012f8c0 0155d542 064ea670 0012f8d8 06cbcf10
gklayout!nsDOMAttribute::GetValue+0x4d
[c:\build\chs3\build\mozilla\content\base\src\nsdomattribute.cpp @ 126]
0012f970 0155e679 00000000 0012f9c0 0155e4ca
gklayout!nsDOMAttribute::SetMap+0x3c
[c:\build\chs3\build\mozilla\content\base\src\nsdomattribute.cpp @ 99]
0012f97c 0155e4ca 06cbce74 064ea678 00000000 gklayout!RemoveMapRef+0x1a
[c:\build\chs3\build\mozilla\content\base\src\nsdomattributemap.cpp @ 73]
0012f98c 1000ea47 0618c91c 06cbce70 00000001
gklayout!nsBaseHashtable<nsAttrHashKey,nsCOMPtr<nsIDOMNode>,nsIDOMNode
*>::s_EnumStub+0x15
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\dist\include\xpcom\nsbasehashtable.h
@ 349]
0012f9c0 0155e5ba 00000001 0155e4b5 0012f9d4
xpcom_core!PL_DHashTableEnumerate+0x4f
[c:\build\chs3\build\mozilla\xpcom\ds\pldhash.c @ 619]
0012f9dc 0155e6b9 0155e65f 00000000 06bc9998
gklayout!nsBaseHashtable<nsAttrHashKey,nsCOMPtr<nsIDOMNode>,nsIDOMNode
*>::Enumerate+0x20
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\dist\include\xpcom\nsbasehashtable.h
@ 224]
0012f9ec 01553e7e 06b6c010 01556116 06b6c010
gklayout!nsDOMAttributeMap::DropReference+0x12
[c:\build\chs3\build\mozilla\content\base\src\nsdomattributemap.cpp @ 85]
0012f9f4 01556116 06b6c010 06b6c010 01601eed
gklayout!nsDOMSlots::~nsDOMSlots+0x26
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 741]
0012fa00 01601eed 00ec493c 0160e757 00000001
gklayout!nsGenericElement::~nsGenericElement+0x5b
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 866]
0012fa08 0160e757 00000001 00fbc48d 06b6c010
gklayout!nsHTMLTableCellElement::`scalar deleting destructor'+0x8
0012fa10 00fbc48d 06b6c010 00000000 00000001
gklayout!nsHTMLIFrameElement::Release+0x1b
[c:\build\chs3\build\mozilla\content\html\content\src\nshtmliframeelement.cpp @ 92]
0012fa40 013768c3 05cf1d88 00000001 00ebe128
xpc3250!XPCJSRuntime::GCCallback+0x416
[c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp @ 563]
0012fa50 015c1e9f 05cf1d88 00000001 00ebe128 jsd3250!jsds_GCCallbackProc+0x2e
[c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 522]
0012fa60 00ffd11c 05cf1d88 00000001 05cf1e20 gklayout!DOMGCCallback+0x14
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 2102]
0012faac 00ffd317 05cf1d88 00000000 00ebe128 js3250!js_GC+0x893
[c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1940]
0012fabc 00fe9a36 05cf1d88 00000000 064d5cfc js3250!js_ForceGC+0x29
[c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1502]
0012fad8 00fe1447 05cf1d88 00000002 015c19be js3250!js_DestroyContext+0x136
[c:\build\chs3\build\mozilla\js\src\jscntxt.c @ 284]
0012fae4 015c19be 05cf1d88 06e50420 06d152f0 js3250!JS_DestroyContext+0xb
[c:\build\chs3\build\mozilla\js\src\jsapi.c @ 943]
0012faf4 015c208c 00000000 015c1a46 00000001
gklayout!nsJSContext::~nsJSContext+0x9a
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 743]
0012fafc 015c1a46 00000001 1000103c 06e50420 gklayout!nsJSContext::`scalar
deleting destructor'+0x8
0012fb04 1000103c 06e50420 100010ad 00000000 gklayout!nsJSContext::Release+0x18
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 770]
0012fb0c 100010ad 00000000 06d15308 064d5cfc
xpcom_core!nsCOMPtr_base::assign_assuming_AddRef+0x12
[c:\build\chs3\build\mozilla\xpcom\glue\nscomptr.h @ 532]
0012fb1c 01594aa3 00000000 06d152e8 01594d24
xpcom_core!nsCOMPtr_base::assign_with_AddRef+0x1a
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\xpcom\build\nscomptr.cpp @ 89]
0012fb28 01594d24 00000000 10001086 06d152e8
gklayout!nsXBLDocGlobalObject::SetContext+0x10
[c:\build\chs3\build\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 181]
0012fb3c 01594dda 06c047fc 015899f5 00000001
gklayout!nsXBLDocumentInfo::~nsXBLDocumentInfo+0x2b
[c:\build\chs3\build\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 365]
0012fb44 015899f5 00000001 10001092 06d152e8 gklayout!nsXBLDocumentInfo::`scalar
deleting destructor'+0x8
0012fb4c 10001092 06d152e8 0158d4fc 06c2d988 gklayout!nsXBLService::Release+0x18
[c:\build\chs3\build\mozilla\content\xbl\src\nsxblservice.cpp @ 466]
0012fb54 0158d4fc 06c2d988 06c04868 1000e802
xpcom_core!nsCOMPtr_base::~nsCOMPtr_base+0xc
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\xpcom\build\nscomptr.cpp @ 82]
0012fb60 1000e802 06c2d988 06c047fc 06c2d9c8
gklayout!ObjectEntry::~ObjectEntry+0xf
[c:\build\chs3\build\mozilla\content\xbl\src\nsbindingmanager.cpp @ 186]
0012fb7c 0159dc8a 06c2d988 0158d988 10001086 xpcom_core!PL_DHashTableFinish+0x38
[c:\build\chs3\build\mozilla\xpcom\ds\pldhash.c @ 343]
0012fb84 0158d988 10001086 06c2d8d8 10039814
gklayout!nsTHashtable<nsBaseHashtableET<nsURIHashKey,nsCOMPtr<nsIObserver> >
>::~nsTHashtable<nsBaseHashtableET<nsURIHashKey,nsCOMPtr<nsIObserver> > >+0xc
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\dist\include\xpcom\nsthashtable.h
@ 315]
0012fb94 0158e639 06c4d3b8 10001092 06c2d8d8
gklayout!nsBindingManager::~nsBindingManager+0x88
[c:\build\chs3\build\mozilla\content\xbl\src\nsbindingmanager.cpp @ 328]
0012fb9c 10001092 06c2d8d8 01536098 06c4d3b8
gklayout!nsBindingManager::Release+0x1b
[c:\build\chs3\build\mozilla\content\xbl\src\nsbindingmanager.cpp @ 297]
0012fba4 01536098 06c4d3b8 06c4d3b8 0000011a
xpcom_core!nsCOMPtr_base::~nsCOMPtr_base+0xc
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\xpcom\build\nscomptr.cpp @ 82]
0012fbb4 01578319 00ec493c 0153550e 00000001
gklayout!nsIDocument::~nsIDocument+0x33
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\dist\include\content\nsidocument.h
@ 761]
0012fbbc 0153550e 00000001 00fbc48d 06c4d3b8 gklayout!nsHTMLDocument::`scalar
deleting destructor'+0x8
0012fbc4 00fbc48d 06c4d3b8 00000000 00000001 gklayout!nsDocument::Release+0x1e
[c:\build\chs3\build\mozilla\content\base\src\nsdocument.cpp @ 738]
0012fbf4 013768c3 06c8c728 00000001 00ebe128
xpc3250!XPCJSRuntime::GCCallback+0x416
[c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp @ 563]
0012fc04 015c1e9f 06c8c728 00000001 00ebe128 jsd3250!jsds_GCCallbackProc+0x2e
[c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 522]
0012fc14 00ffd11c 06c8c728 00000001 06c8c7c0 gklayout!DOMGCCallback+0x14
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 2102]
0012fc60 00ffd317 06c8c728 00000000 00ebe128 js3250!js_GC+0x893
[c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1940]
0012fc70 00fe9a36 06c8c728 00000000 0703858c js3250!js_ForceGC+0x29
[c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1502]
0012fc8c 00fe1447 06c8c728 00000002 015c19be js3250!js_DestroyContext+0x136
[c:\build\chs3\build\mozilla\js\src\jscntxt.c @ 284]
0012fc98 015c19be 06c8c728 06bef0d8 06e45608 js3250!JS_DestroyContext+0xb
[c:\build\chs3\build\mozilla\js\src\jsapi.c @ 943]
0012fca8 015c208c 00000000 015c1a46 00000001
gklayout!nsJSContext::~nsJSContext+0x9a
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 743]
0012fcb0 015c1a46 00000001 1000103c 06bef0d8 gklayout!nsJSContext::`scalar
deleting destructor'+0x8
0012fcb8 1000103c 06bef0d8 100010ad 00000000 gklayout!nsJSContext::Release+0x18
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 770]
0012fcc0 100010ad 00000000 06e45620 0703858c
xpcom_core!nsCOMPtr_base::assign_assuming_AddRef+0x12
[c:\build\chs3\build\mozilla\xpcom\glue\nscomptr.h @ 532]


FOLLOWUP_IP: 
gklayout!nsAttrValue::ToString+2c6
[c:\build\chs3\build\mozilla\content\base\src\nsattrvalue.cpp @ 348]
01551220 8b5204           mov     edx,[edx+0x4]

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  gklayout!nsAttrValue::ToString+2c6

MODULE_NAME:  gklayout

IMAGE_NAME:  gklayout.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4302ae2a

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  ACCESS_VIOLATION_gklayout!nsAttrValue::ToString+2c6

BUCKET_ID:  ACCESS_VIOLATION_gklayout!nsAttrValue::ToString+2c6

Followup: MachineOwner
---------

0:000> dv
           this = 0x00000000
        aResult = 0x0012f828
         intStr = class nsAutoString
              v = 0x12f808
         intStr = class nsAutoString
         intStr = class nsAutoString
          count = 1243144
            tmp = class nsAutoString
0:000> dt nsAttrValue::sEnumTableArray
(null) 

0:000> kP
ChildEBP RetAddr  
0012f7fc 01552c21 gklayout!nsAttrValue::ToString(
			class nsAString_internal * aResult = 0x0012f828)+0x2c6
[c:\build\chs3\build\mozilla\content\base\src\nsattrvalue.cpp @ 348]
0012f808 0155d7ae gklayout!nsGenericElement::GetAttr(
			int aNameSpaceID = 0, 
			class nsIAtom * aName = 0x002ae6c8, 
			class nsAString_internal * aResult = 0x0012f828)+0x30
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 3611]
0012f8c0 0155d542 gklayout!nsDOMAttribute::GetValue(
			class nsAString_internal * aValue = 0x0012f8d8)+0x4d
[c:\build\chs3\build\mozilla\content\base\src\nsdomattribute.cpp @ 126]
0012f970 0155e679 gklayout!nsDOMAttribute::SetMap(
			class nsDOMAttributeMap * aMap = 0x00000000)+0x3c
[c:\build\chs3\build\mozilla\content\base\src\nsdomattribute.cpp @ 99]
0012f97c 0155e4ca gklayout!RemoveMapRef(
			class nsAttrKey * aKey = 0x06cbce74, 
			class nsCOMPtr<nsIDOMNode> * aData = 0x064ea678, 
			void * aUserArg = 0x00000000)+0x1a
[c:\build\chs3\build\mozilla\content\base\src\nsdomattributemap.cpp @ 73]
0012f98c 1000ea47
gklayout!nsBaseHashtable<nsAttrHashKey,nsCOMPtr<nsIDOMNode>,nsIDOMNode
*>::s_EnumStub(
			struct PLDHashTable * table = 0x0155e5ba, 
			struct PLDHashEntryHdr * hdr = 0x00000001, 
			unsigned int number = 0x155e4b5, 
			void * arg = 0x0012f9d4)+0x15
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\dist\include\xpcom\nsbasehashtable.h
@ 349]
0012f9c0 0155e5ba xpcom_core!PL_DHashTableEnumerate(
			struct PLDHashTable * table = 0x00000001, 
			<function> * etor = 0x0155e4b5, 
			void * arg = 0x0012f9d4)+0x4f [c:\build\chs3\build\mozilla\xpcom\ds\pldhash.c
@ 619]
0012f9dc 0155e6b9
gklayout!nsBaseHashtable<nsAttrHashKey,nsCOMPtr<nsIDOMNode>,nsIDOMNode
*>::Enumerate(
			<function> * enumFunc = 0x0155e65f, 
			void * userArg = 0x00000000)+0x20
[c:\build\chs3\build\mozilla\rel-i586-pc-msvc\dist\include\xpcom\nsbasehashtable.h
@ 224]
0012f9ec 01553e7e gklayout!nsDOMAttributeMap::DropReference(void)+0x12
[c:\build\chs3\build\mozilla\content\base\src\nsdomattributemap.cpp @ 85]
0012f9f4 01556116 gklayout!nsDOMSlots::~nsDOMSlots(void)+0x26
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 741]
0012fa00 01601eed gklayout!nsGenericElement::~nsGenericElement(void)+0x5b
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 866]
0012fa08 0160e757 gklayout!nsHTMLTableCellElement::`scalar deleting
destructor'(void)+0x8
0012fa10 00fbc48d gklayout!nsHTMLIFrameElement::Release(void)+0x1b
[c:\build\chs3\build\mozilla\content\html\content\src\nshtmliframeelement.cpp @ 92]
0012fa40 013768c3 xpc3250!XPCJSRuntime::GCCallback(
			struct JSContext * cx = 0x05cf1d88, 
			JSGCStatus status = JSGC_END (1))+0x416
[c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp @ 563]
0012fa50 015c1e9f jsd3250!jsds_GCCallbackProc(
			struct JSContext * cx = 0x00ffd317, 
			JSGCStatus status = 97459592 (No matching enumerant))+0x2e
[c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 522]
0012fa60 00ffd11c gklayout!DOMGCCallback(
			struct JSContext * cx = 0x00ffd317, 
			JSGCStatus status = 97459592 (No matching enumerant))+0x14
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 2102]
0012faac 00ffd317 js3250!js_GC(
			struct JSContext * cx = 0x05cf1d88, 
			unsigned int gcflags = 0)+0x893 [c:\build\chs3\build\mozilla\js\src\jsgc.c @
1940]
0012fabc 00fe9a36 js3250!js_ForceGC(
			struct JSContext * cx = 0x00000000, 
			unsigned int gcflags = 0)+0x29 [c:\build\chs3\build\mozilla\js\src\jsgc.c @ 1502]
0012fad8 00fe1447 js3250!js_DestroyContext(
			struct JSContext * cx = 0x00000000, 
			JSGCMode gcmode = JS_NO_GC (0))+0x136
[c:\build\chs3\build\mozilla\js\src\jscntxt.c @ 284]
0012fae4 015c19be js3250!JS_DestroyContext(
			struct JSContext * cx = <Memory access error>)+0xb
[c:\build\chs3\build\mozilla\js\src\jsapi.c @ 943]

the crashing code is:
    case eEnum:
    {
      PRInt16 val = GetEnumValue();
      EnumTable* table = NS_STATIC_CAST(EnumTable*, sEnumTableArray->
          FastElementAt(GetIntInternal() & NS_ATTRVALUE_ENUMTABLEINDEX_MASK));

timeless

Assignee

Comment 1

•

19 years ago

ok, a bit more information, this is a gc shutdown crash, nsAttrValue::Shutdown 
called by nsLayoutModule-Shutdown() is winning a race w/ 
mozJSComponentLoader::UnloadAll which has components that have references to 
dom nodes entrailed in the gc world.

gklayout!nsAttrValue::ToString(class nsAString_internal * aResult = 0x0012f9dc)
+0x2c6 (FPO: [Uses EBP] [1,60,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\base\src\nsattrvalue.cpp @ 348]
gklayout!nsGenericElement::GetAttr(int aNameSpaceID = 0, class nsIAtom * aName 
= 0x002add78, class nsAString_internal * aResult = 0x0012f9dc)+0x30 (FPO: [Non-
Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\base\src\nsgenericelement.cpp @ 3611]
gklayout!nsDOMAttribute::GetValue(class nsAString_internal * aValue = 
0x0012fa8c)+0x4d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\content\base\src\nsdomattribute.cpp @ 126]
gklayout!nsDOMAttribute::SetMap(class nsDOMAttributeMap * aMap = 0x00000000)
+0x3c (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\base\src\nsdomattribute.cpp @ 99]
gklayout!RemoveMapRef(class nsAttrKey * aKey = 0x08d5ad0c, class 
nsCOMPtr<nsIDOMNode> * aData = 0x02d2ac20, void * aUserArg = 0x00000000)+0x1a 
(FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\content\base\src\nsdomattributemap.cpp @ 73]
gklayout!nsBaseHashtable<nsAttrHashKey,nsCOMPtr<nsIDOMNode>,nsIDOMNode 
*>::s_EnumStub(struct PLDHashTable * table = 0x00ffe5ba, struct 
PLDHashEntryHdr * hdr = 0x00000000, unsigned int number = 0xffe4b5, void * arg 
= 0x0012fb88)+0x15 (FPO: [4,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\rel-i586-pc-msvc\dist\include\xpcom\nsbasehashtable.h @ 349]
xpcom_core!PL_DHashTableEnumerate(struct PLDHashTable * table = 0x00000000, 
<function> * etor = 0x00ffe4b5, void * arg = 0x0012fb88)+0x4f (FPO: [Non-Fpo]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\xpcom\ds\pldhash.c @ 619]
gklayout!nsBaseHashtable<nsAttrHashKey,nsCOMPtr<nsIDOMNode>,nsIDOMNode 
*>::Enumerate(<function> * enumFunc = 0x00ffe65f, void * userArg = 0x00000000)
+0x20 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3\build\mozilla\rel-i586-
pc-msvc\dist\include\xpcom\nsbasehashtable.h @ 224]
gklayout!nsDOMAttributeMap::DropReference(void)+0x12 (FPO: [0,0,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\content\base\src\nsdomattributemap.cpp 
@ 85]
gklayout!nsDOMSlots::~nsDOMSlots(void)+0x26 (FPO: [0,0,0]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 741]
gklayout!nsGenericElement::~nsGenericElement(void)+0x5b (FPO: [0,0,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\content\base\src\nsgenericelement.cpp @ 
866]
gklayout!nsHTMLTableCellElement::`scalar deleting destructor'(void)+0x8 (FPO: 
[1,0,0]) (CONV: thiscall)
gklayout!nsHTMLIFrameElement::Release(void)+0x1b (FPO: [1,0,0]) (CONV: 
stdcall) [c:\build\chs3
\build\mozilla\content\html\content\src\nshtmliframeelement.cpp @ 92]
xpc3250!XPCJSRuntime::GCCallback(struct JSContext * cx = 0x06760430, 
JSGCStatus status = JSGC_END (1))+0x416 (FPO: [Non-Fpo]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp @ 563]
jsd3250!jsds_GCCallbackProc(struct JSContext * cx = 0x00acd317, JSGCStatus 
status = 108397616 (No matching enumerant))+0x2e (FPO: [2,0,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 522]
gklayout!DOMGCCallback(struct JSContext * cx = 0x00acd317, JSGCStatus status = 
108397616 (No matching enumerant))+0x14 (FPO: [2,0,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 2102]
js3250!js_GC(struct JSContext * cx = 0x06760430, unsigned int gcflags = 0)
+0x893 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\jsgc.c @ 1940]
js3250!js_ForceGC(struct JSContext * cx = 0x00000000, unsigned int gcflags = 0)
+0x29 (FPO: [2,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsgc.c 
@ 1502]
js3250!js_DestroyContext(struct JSContext * cx = 0x00000000, JSGCMode gcmode = 
JS_NO_GC (0))+0x136 (FPO: [Uses EBP] [2,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\jscntxt.c @ 284]
js3250!JS_DestroyContext(struct JSContext * cx = <Memory access error>)+0xb 
(FPO: [1,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsapi.c @ 943]
gklayout!nsJSContext::~nsJSContext(void)+0x9a (FPO: [0,0,0]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 743]
gklayout!nsJSContext::`scalar deleting destructor'(void)+0x8 (FPO: [1,0,0]) 
(CONV: thiscall)
gklayout!nsJSContext::Release(void)+0x18 (FPO: [1,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 770]
xpcom_core!nsCOMPtr_base::assign_assuming_AddRef(class nsISupports * newPtr = 
<Memory access error>)+0x12 (FPO: [1,0,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\xpcom\glue\nscomptr.h @ 532]
xpcom_core!nsCOMPtr_base::assign_with_AddRef(class nsISupports * rawPtr = 
<Memory access error>)+0x1a (FPO: [1,0,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\rel-i586-pc-msvc\xpcom\build\nscomptr.cpp @ 89]
gklayout!nsXBLDocGlobalObject::SetContext(class nsIScriptContext * aContext = 
<Memory access error>)+0x10 (FPO: [1,0,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 181]
gklayout!nsXBLDocumentInfo::~nsXBLDocumentInfo(void)+0x2b (FPO: [0,0,0]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xbl\src\nsxbldocumentinfo.cpp @ 365]
gklayout!nsXBLDocumentInfo::`scalar deleting destructor'(void)+0x8 (FPO: 
[1,0,0]) (CONV: thiscall)
gklayout!nsXBLService::Release(void)+0x18 (FPO: [1,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\content\xbl\src\nsxblservice.cpp @ 466]
xpcom_core!nsCOMPtr_base::~nsCOMPtr_base(void)+0xc (FPO: [0,0,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\rel-i586-pc-
msvc\xpcom\build\nscomptr.cpp @ 82]
gklayout!nsBaseHashtableET<nsURIHashKey,nsCOMPtr<nsIXBLDocumentInfo> 
>::~nsBaseHashtableET<nsURIHashKey,nsCOMPtr<nsIXBLDocumentInfo> >(void)+0xf 
(FPO: [0,0,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xbl\src\nsbindingmanager.cpp @ 186]
xpcom_core!PL_DHashTableFinish(struct PLDHashTable * table = <Memory access 
error>)+0x38 (FPO: [Uses EBP] [1,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\ds\pldhash.c @ 343]
gklayout!nsTHashtable<nsBaseHashtableET<nsURIHashKey,nsCOMPtr<nsIObserver> > 
>::~nsTHashtable<nsBaseHashtableET<nsURIHashKey,nsCOMPtr<nsIObserver> > >(void)
+0xc (FPO: [0,0,0]) (CONV: thiscall) [c:\build\chs3\build\mozilla\rel-i586-pc-
msvc\dist\include\xpcom\nsthashtable.h @ 315]
gklayout!nsBindingManager::~nsBindingManager(void)+0x88 (FPO: [0,0,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\content\xbl\src\nsbindingmanager.cpp @ 
328]
gklayout!nsBindingManager::Release(void)+0x1b (FPO: [1,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\content\xbl\src\nsbindingmanager.cpp @ 297]
xpcom_core!nsCOMPtr_base::~nsCOMPtr_base(void)+0xc (FPO: [0,0,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\rel-i586-pc-
msvc\xpcom\build\nscomptr.cpp @ 82]
gklayout!nsIDocument::~nsIDocument(void)+0x33 (FPO: [0,0,0]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\rel-i586-pc-
msvc\dist\include\content\nsidocument.h @ 761]
gklayout!nsHTMLDocument::`scalar deleting destructor'(void)+0x8 (FPO: [1,0,0]) 
(CONV: thiscall)
gklayout!nsDocument::Release(void)+0x1e (FPO: [1,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\content\base\src\nsdocument.cpp @ 738]
xpc3250!XPCJSRuntime::GCCallback(struct JSContext * cx = 0x009a2478, 
JSGCStatus status = JSGC_END (1))+0x416 (FPO: [Non-Fpo]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\xpconnect\src\xpcjsruntime.cpp @ 563]
jsd3250!jsds_GCCallbackProc(struct JSContext * cx = 0x00acd317, JSGCStatus 
status = 10101880 (No matching enumerant))+0x2e (FPO: [2,0,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 522]
gklayout!DOMGCCallback(struct JSContext * cx = 0x00acd317, JSGCStatus status = 
10101880 (No matching enumerant))+0x14 (FPO: [2,0,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 2102]
js3250!js_GC(struct JSContext * cx = 0x009a2478, unsigned int gcflags = 0)
+0x893 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\jsgc.c @ 1940]
js3250!js_ForceGC(struct JSContext * cx = 0x00000000, unsigned int gcflags = 0)
+0x29 (FPO: [2,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsgc.c 
@ 1502]
js3250!js_DestroyContext(struct JSContext * cx = 0x00000000, JSGCMode gcmode = 
JS_NO_GC (0))+0x136 (FPO: [Uses EBP] [2,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\jscntxt.c @ 284]
js3250!JS_DestroyContext(struct JSContext * cx = 0x10022ce4)+0xb (FPO: 
[1,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsapi.c @ 943]
xpc3250!mozJSComponentLoader::UnloadAll(int aWhen = 3)+0x5d (FPO: [Non-Fpo]) 
(CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\loader\mozjscomponentloader.cpp @ 1007]
xpcom_core!nsComponentManagerImpl::UnloadLibraries(class nsIServiceManager * 
serviceMgr = 0x00000000, int aWhen = 3)+0x37 (FPO: [Non-Fpo]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\xpcom\components\nscomponentmanager.cpp @ 3115]
xpcom_core!nsComponentManagerImpl::Shutdown(void)+0x6d (FPO: [0,0,0]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\xpcom\components\nscomponentmanager.cpp 
@ 900]
xpcom_core!NS_ShutdownXPCOM_P(class nsIServiceManager * servMgr = 0x00000000)
+0x172 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\build\nsxpcominit.cpp @ 831]
HsEngine!GRE_Shutdown(void)+0x7 (FPO: [0,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\glue\standalone\nsxpcomglue.cpp @ 494]
HsEngine!main(int argc = 3, char ** argv = 0x002a44f8)+0xd7 (FPO: [Non-Fpo]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 
1780]
HsEngine!WinMain(struct HINSTANCE__ * __formal = 0x7c816d4f, struct 
HINSTANCE__ * __formal = 0x00340038, char * args = 0x00390038 "", int __formal 
= 2147348480)+0x18 (FPO: [4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1789]
HsEngine!WinMainCRTStartup(void)+0x185 (FPO: [Non-Fpo]) (CONV: cdecl) 
[f:\vs70builds\3077\vc\crtbld\crt\src\crtexe.c @ 390]
kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

Summary: [@ nsAttrValue::ToString] nsAttrValue::sEnumTableArray is null → shutdown crash [@ nsAttrValue::ToString] nsAttrValue::sEnumTableArray is null

timeless

Assignee

Comment 2

•

19 years ago

Attached patch this works (obsolete) — Details — Splinter Review

Assignee: bugmail → timeless

Status: NEW → ASSIGNED

Attachment #193215 - Flags: superreview?(bzbarsky)

Attachment #193215 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Comment 3

•

19 years ago

Comment on attachment 193215 [details] [diff] [review]
this works

Please make that a protected member and have a method to toggle it.

Also, I think you should be setting initialized to true and false only when the
layout module thinks it's initialized or not.

timeless

Assignee

Updated

•

19 years ago

Attachment #193215 - Attachment is obsolete: true

Attachment #193215 - Flags: superreview?(bzbarsky)

Attachment #193215 - Flags: review?(bzbarsky)

timeless

Assignee

Comment 4

•

19 years ago

Attached patch formalized (obsolete) — Details — Splinter Review

Attachment #193225 - Flags: superreview?(bzbarsky)

Attachment #193225 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Updated

•

19 years ago

Attachment #193225 - Flags: superreview?(bzbarsky)

Attachment #193225 - Flags: superreview+

Attachment #193225 - Flags: review?(bzbarsky)

Attachment #193225 - Flags: review+

timeless

Assignee

Comment 5

•

19 years ago

Comment on attachment 193225 [details] [diff] [review]
formalized

this is a small localized change to protect dom attributes from shutdown
crashes.
we hit it consistently in our product which will be living on the 1.8 branch
for probably 24 months

Attachment #193225 - Flags: approval1.8b4?

Chris Beard

Updated

•

19 years ago

Attachment #193225 - Flags: approval1.8b4? → approval1.8b4+

amano

Comment 6

•

19 years ago

Hmm. Someone is needed to check that in on the branch.

timeless

Assignee

Comment 7

•

19 years ago

Comment on attachment 193225 [details] [diff] [review]
formalized

mozilla/layout/build/nsLayoutModule.cpp 	1.140
mozilla/content/base/src/nsDOMAttribute.h	1.21
mozilla/content/base/src/nsDOMAttribute.cpp	1.55

Attachment #193225 - Attachment is obsolete: true

timeless

Assignee

Comment 8

•

19 years ago

Comment on attachment 193225 [details] [diff] [review]
formalized

MOZILLA_1_8_BRANCH:
mozilla/layout/build/nsLayoutModule.cpp 	1.139.8.1
mozilla/content/base/src/nsDOMAttribute.h 	1.20.4.1
mozilla/content/base/src/nsDOMAttribute.cpp 	1.54.4.1

Status: ASSIGNED → RESOLVED

Closed: 19 years ago

Keywords: fixed1.8

Resolution: --- → FIXED

Tracy Walker [:tracy]

Updated

•

19 years ago

Status: RESOLVED → VERIFIED

Keywords: fixed1.8 → verified1.8

Nobody; OK to take it and work on it

Updated

•

13 years ago

Crash Signature: [@ nsAttrValue::ToString]

Nobody; OK to take it and work on it

Updated

•

5 years ago

Component: DOM → DOM: Core & HTML

this works 19 years ago timeless 5.03 KB, patch		Details \| Diff \| Splinter Review
formalized 19 years ago timeless 5.83 KB, patch	bzbarsky : review+ bzbarsky : superreview+ cbeard : approval1.8b4+	Details \| Diff \| Splinter Review

Bugzilla

Quick Search

shutdown crash [@ nsAttrValue::ToString] nsAttrValue::sEnumTableArray is null

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

()

People

(Reporter: timeless, Assigned: timeless)

References

(
URL
)

Details

(Keywords: crash, verified1.8)

Crash Data

Security

(public)

User Story

Attachments

(2 obsolete files)

Description

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Updated

Comment 5

Updated

Comment 6

Comment 7

Comment 8

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type