Closed Bug 237736 Opened 20 years ago Closed 18 years ago

hacked pre mozilla1.7a crashes on exit [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement)

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.8 Branch
Type:
defect

Tracking

()

Status:
VERIFIED WORKSFORME
Milestone:
mozilla1.8final

People

(Reporter: timeless, Assigned: benjamin)

References

Details

(Keywords: crash, topcrash-)

Crash Data

@see bug 162526

setup:
[source tree is still pre1.7a]
build is opt(release) w/ symbols
an xpconnect (js) component is registered as a service
the component grabs a reference to a xul window (and probably never releases it)
things happen (it's used)
the user asks mozilla to quit (ctrl-q)

this is reproducable but at least requires an xpconnect component which we're
unlikely to publish. I could probably make a reduced component.
sometimes mozilla quits gracefully.

frequently it doesn't:
 	xpcom.dll!PL_DHashTableRawRemove(PLDHashTable * table=0x01395c54,
PLDHashEntryHdr * entry=0x02c81f7c)  Line 596 + 0x3	C
 	xpcom.dll!PL_DHashTableOperate(PLDHashTable * table=0x01395c54, const void *
key=0x02861a58, PLDHashOperator op=PL_DHASH_REMOVE)  Line 561 + 0xd	C
>	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 847 + 0x10	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLFormElement::~nsGenericHTMLFormElement()  Line
3319 + 0x8	C++
 	gklayout.dll!nsHTMLInputElement::~nsHTMLInputElement()  Line 383 + 0x33	C++
 	gklayout.dll!nsHTMLInputElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLTableCellElement::~nsHTMLTableCellElement()  Line 132 + 0x8	C++
 	gklayout.dll!nsHTMLTableCellElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLTableRowElement::~nsHTMLTableRowElement()  Line 251 + 0x8	C++
 	gklayout.dll!nsHTMLTableRowElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLTableSectionElement::~nsHTMLTableSectionElement()  Line
127 + 0x8	C++
 	gklayout.dll!nsHTMLTableSectionElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLTableElement::~nsHTMLTableElement()  Line 358 + 0x8	C++
 	gklayout.dll!nsHTMLTableElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLFormElement::~nsHTMLFormElement()  Line 473 + 0x55	C++
 	gklayout.dll!nsHTMLFormElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLBodyElement::~nsHTMLBodyElement()  Line 333 + 0x8	C++
 	gklayout.dll!nsHTMLBodyElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::Clear()  Line 527 + 0xc	C++
 	gklayout.dll!nsAttrAndChildArray::~nsAttrAndChildArray()  Line 77	C++
 	gklayout.dll!nsGenericElement::~nsGenericElement()  Line 857 + 0xb	C++
 	gklayout.dll!nsGenericContainerElement::~nsGenericContainerElement()  + 0xf	C++
 	gklayout.dll!nsGenericHTMLElement::~nsGenericHTMLElement()  + 0xf	C++
 	gklayout.dll!nsHTMLHtmlElement::~nsHTMLHtmlElement()  Line 105 + 0x8	C++
 	gklayout.dll!nsHTMLHtmlElement::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsHTMLIFrameElement::Release()  Line 176 + 0x4f	C++
 	gklayout.dll!nsHTMLSelectElement::Release()  Line 476 + 0xc	C++
 	xpcom.dll!ReleaseObjects(void * aElement=0x02ac1f30, void *
__formal=0x00000000)  Line 152 + 0x12	C++
 	xpcom.dll!nsStringArray::EnumerateForwards(int (nsString &, void *)*
aFunc=0x10011460, void * aData=0x00000000)  Line 648 + 0x15	C++
 	xpcom.dll!nsCOMArray_base::Clear()  Line 160	C++
 	gklayout.dll!nsCOMArray<nsScriptLoadRequest>::Clear()  Line 211	C++
 	gklayout.dll!nsDocument::~nsDocument()  Line 553	C++
 	gklayout.dll!nsHTMLDocument::~nsHTMLDocument()  Line 317 + 0xb0	C++
 	gklayout.dll!nsHTMLDocument::`scalar deleting destructor'()  + 0xf	C++
 	gklayout.dll!nsDocument::Release()  Line 643 + 0x55	C++
 	gklayout.dll!nsXMLDocument::Release()  Line 211 + 0xc	C++
 	xpc3250.dll!XPCJSRuntime::GCCallback(JSContext * cx=0x02670078, JSGCStatus
status=JSGC_END)  Line 556 + 0x12	C++
 	jsd3250.dll!jsds_GCCallbackProc(JSContext * cx=0x02670078, JSGCStatus
status=JSGC_END)  Line 518 + 0xe	C++
 	jsdom.dll!DOMGCCallback(JSContext * cx=0x02670078, JSGCStatus status=JSGC_END)
 Line 1811 + 0x17	C++
 	js3250.dll!js_GC(JSContext * cx=0x02670078, unsigned int gcflags=0)  Line
1419 + 0xc	C
 	js3250.dll!js_ForceGC(JSContext * cx=0x02670078, unsigned int gcflags=0)  Line
1000 + 0xd	C
 	js3250.dll!JS_GC(JSContext * cx=0x02670078)  Line 1684 + 0xb	C
 	xpc3250.dll!mozJSComponentLoader::UnloadAll(int aWhen=3)  Line 1179 + 0xa	C++
 	xpcom.dll!nsComponentManagerImpl::UnloadLibraries(nsIServiceManager *
serviceMgr=0x00000000, int aWhen=3)  Line 3128 + 0x28	C++
 	xpcom.dll!nsComponentManagerImpl::Shutdown()  Line 878	C++
 	xpcom.dll!NS_ShutdownXPCOM(nsIServiceManager * servMgr=0x00000000)  Line 776
+ 0xb	C++
 	mozilla.exe!NS_ShutdownXPCOM(nsIServiceManager * servMgr=0x00000000)  Line
178 + 0xd	C++
 	mozilla.exe!GRE_Shutdown()  Line 354 + 0x7	C++
 	mozilla.exe!main(int argc=2, char * * argv=0x002a4d60)  Line 1686 + 0x5	C++
 	mozilla.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ *
__formal=0x00400000, char * args=0x0015231c, HINSTANCE__ * __formal=0x00400000)
 Line 1702 + 0x17	C++
 	mozilla.exe!WinMainCRTStartup()  Line 390 + 0x1b	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23	

Partly, this is a shutdown ordering problem. The services need to shutdown and
we don't guarantee order. i'm discussing a possible solution to that problem on
#developers. but in the interim, I think we can fix this crash.

-	sEventListenerManagersHash	{ops=0x01390c38 hash_table_ops data=0x00000000
hashShift=28 ...}	PLDHashTable
+	ops	0x01390c38 hash_table_ops	const PLDHashTableOps *
	data	0x00000000	void *
	hashShift	28	short
	maxAlphaFrac	192 'À'	unsigned char
	minAlphaFrac	64 '@'	unsigned char
	entrySize	12	unsigned int
	entryCount	2	unsigned int
	removedCount	2	unsigned int
	generation	14	unsigned int
+	entryStore	0x02bce6e0 ""	char *

The local problem seems to me to be that ops are non harmful and data is null.
but i don't quite understand how data becomes null...
Summary: Trunk crashes on exit [@ PL_DHashTableRawRemove] → hacked pre mozilla1.7a crashes on exit [@ PL_DHashTableRawRemove]
I met crash with similar stack while reloading document:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB580941K
ok, sounds like this bug could be confirmed and given to a real owner. i'd love
to not own it.
Updating summary with M17x and FF10 since this is a topcrasher for Mozilla 1.7.5
and Firefox 1.0.  I haven't been able to reproduce, but since Timeless was able
to reproduce this and seems to have an idea of what's going on, marking this
topcrash+.  Here is the latest Talkback data:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=PL_DHashTableRawRemove&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

And a couple of incidents:
Firefox 1.0 (all the incidents seem to have this short stack):

Incident ID: 3262285
Stack Signature	PL_DHashTableRawRemove 02be9e08
Product ID	Firefox10
Build ID	2004110711
Trigger Time	2005-01-24 10:29:15.0
Platform	Win32
Operating System	Windows NT 5.0 build 2195
Module	xpcom.dll + (0000f2b3)
URL visited	mail.yahoo.com, totalfark.com, gmail.com
User Comments	
Since Last Crash	117250 sec
Total Uptime	774106 sec
Trigger Reason	Access violation
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 596
Stack Trace 	
PL_DHashTableRawRemove 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 596]
nsGenericElement::~nsGenericElement 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 851]
---------------------------------------------
And Mozilla 1.7.5:
Incident ID: 3174760
Stack Signature	PL_DHashTableRawRemove 3d9d62f8
Product ID	Mozilla17
Build ID	2004121708
Trigger Time	2005-01-20 01:24:04.0
Platform	Win32
Operating System	Windows 98 4.10 build 67766446
Module	XPCOM.DLL + (0000eff8)
URL visited	
User Comments	
Since Last Crash	150822 sec
Total Uptime	1213227 sec
Trigger Reason	Access violation
Source File, Line No.
d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 592
Stack Trace 	
PL_DHashTableRawRemove 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 592]
PL_DHashTableOperate 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/pldhash.c,
line 564]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 854]
nsHTMLAnchorElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLBodyElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
nsAttrAndChildArray::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLHtmlElement::`scalar deleting destructor'
nsGenericElement::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 3152]
ReleaseObjects 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/nsCOMArray.cpp,
line 153]
nsVoidArray::EnumerateForwards 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/nsVoidArray.cpp,
line 652]
nsCOMArray_base::Clear 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/nsCOMArray.cpp,
line 160]
nsDocument::~nsDocument 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 574]
PresShell::~PresShell 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 1618]
PresShell::`scalar deleting destructor'
PresShell::Release 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 1589]
nsCOMPtr_base::~nsCOMPtr_base 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsCOMPtr.cpp,
line 82]
nsTypeAheadFind::GetTargetIfTypeAheadOkay 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp,
line 2523]
TYPEAHEADFIND.DLL + 0x72d4 (0x619872d4)
nsTypeAheadFind::AddRef 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp,
line 134]
nsTypeAheadFind::CancelFind 
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/extensions/typeaheadfind/src/nsTypeAheadFind.cpp,
line 2012]
0x8b560c4d
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: topcrash+
Summary: hacked pre mozilla1.7a crashes on exit [@ PL_DHashTableRawRemove] → M17x FF10 crash [@ PL_DHashTableRawRemove]
*** Bug 283671 has been marked as a duplicate of this bug. ***
Flags: blocking1.8b4?
Assignee: timeless → bugmail
Whiteboard: [no l10n impact]
not seeing this high on the list in alpha2
Flags: blocking1.8b4? → blocking1.8b4-
I am unable to reproduce this based on the comments from bug #283671 with Deer
Park Alpha 2.
I mostly see this crash randomly happening (so not really reproducable), but it
happens.
BTW: Atm this is #7 on the topcrasher list on the FF 1.5/Gecko 1.8 branch.
*** Bug 304529 has been marked as a duplicate of this bug. ***
Are these all shutdown crashes?  Moving the call to nsGenericElement::Shutdown
from the module destructor to a shutdown observer (bug 209804, along with many
other things) was probably a bad idea, at least for the hashtable destruction. 
That probably belongs in the module destructor (when it's against the rules to
call across libraries).  nsGenericElement::Shutdown may need to be split. 
However, that change was made after this bug was filed, so it may be something else.
No, these crashes happen randomly while surfing or doing other actions (for
example i crashed once when focusing a already visible tab in the tabbar).
Renominating. This is the #3 topcrash for Firefox on the Gecko 1.8 branch for
the last 10 days.
Flags: blocking1.8b5- → blocking1.8b5?
Confirmed in Deer Park Alpha 2
Flags: blocking1.8b5? → blocking1.8b5+
Severity: minor → critical
Jonas doesn't seem to be around. Who can help out here? Dbaron, any suggestions
on a new owner for this problem?
reassigning to default owner to avoid confusion then
Assignee: bugmail → general
Summary: M17x FF10 crash [@ PL_DHashTableRawRemove] → M17x FF10 crash [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement)
Do we have a stack for a non-shutdown version of this crash?
(In reply to comment #15)
> Do we have a stack for a non-shutdown version of this crash?

I get this crash a lot, always when closing a tab, hardly ever the last tab.

However the stack is probably useless: they all look like talback id 9763100.
Johnny, we need your help :-) This is a major topcrash and it seems to be
stalled for want of a good owner.
Assignee: general → jst
I doubt all crashes with PL_DHashTableRawRemove are the same bug.  Which one
does this bug cover?  Which bugs cover the ones that are critical to fix for 1.5?
I understood this bug to be about the crash from the removal of an
nsGenericElement (in its destructor) from the eventlistenermanager hash.
I've done a bunch of code inspection to see if I could figure out what could be
causing this, but I have yet to come up with anything obvious, and I have yet to
see this happen. So I don't really have an ETA on this one yet :(
We'll revisit this after we get beta2 topcrash data in. I suspect it's not
really the topcrash that it appears and is actually several crashes, at least
one of which is old.
Flags: blocking1.8b5+ → blocking1.8b5-
I got an identical or similar crash, see talkback id TB10204610Z. Erratic bug
AFAICT (i.e., does not happen every time).

I'm using "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4)
Gecko/20050908 Firefox/1.4" on WinXP SP2.
I see something similar (TB10612742W) on beta2 - and I suspect greasemonkey of
making it show -- I know it has some problems between its contentUnload and
chromeUnload events.
(In reply to comment #23)
> I see something similar (TB10612742W) on beta2 - and I suspect greasemonkey of
> making it show -- I know it has some problems between its contentUnload and
> chromeUnload events.

Oh, you found a version of Greasemonkey which supports Firefox versions higher
than 1.0+? Where? (And somehow I can reach any web site _but_ mozdev.org tonight.)
google:greasemonkey+0.6.2.1
Talkbacks are more indicative on MacOSX ex: (TB10857568, TB10575301, TB10668206,
TB10383002)
I just hit this on Mac OS X, closing a tab (which seems to be a recurring theme).

TB14008282X

I had the pizza wheel of death for about 2 minutes after clicking the close button on that tab before it actually crashed.
Renominating. This is still a topcrasher in 1.5 and 1.5.0.1. 

There are 2318 /exact/ matches of this stack in talkback right now:
PL_DHashTableRawRemove  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/build/pldhash.c, line 594]
nsGenericElement::~nsGenericElement  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 900]
DOMGCCallback  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2192]
js_ForceGC  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1510]

People mention Greasemonkey... is it possible Greasemonkey is messing with something that we're trying to destroy? Many of the comments say that the crash happened when closing FF or closing a tab.
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
OS: Windows XP → All
Hardware: PC → All
Summary: M17x FF10 crash [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement) → FF15 crash [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement)
Whiteboard: [no l10n impact]
Version: Trunk → 1.8 Branch
I had this crash recently:

TB15044865H

And it seems to happen quite often as well (on OsX, never seen it on linux or windows). I have only undoclosetab installed, not greasemonkey...
No fix, misses 1.5.0.2
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.2-
This looks like something we should try to fix for 1.8.0.x (maybe 1.8.0.3 if a patch materializes).  Johnny, is this on your radar?  Need help finding someone to work on this?
Would love a fix for this topcrasher, but may later get bumped to the next release again.
Flags: blocking1.8.0.3? → blocking1.8.0.3+
I'm pretty sure my patch in bug 331117 (will probably need a little brachifying).
Assignee: jst → benjamin
Depends on: 331117
Priority: -- → P1
Target Milestone: --- → mozilla1.8final
I have greasemonkey installed, but there are no scripts running. I have seen this
crash a few times now, sadly.

I got this crash after closing one of two windows with multiple tabs, which 
makes me wonder if the shutdown cleanup from bsmedberg would be triggered.
Plus, it didn't instantly crash, but I closed the window, switched apps and
after a short pause, talkback popped up. Which seems like the js GC may be
kicking this off after the document went away. Or something like that.
Confirmed in epiphany on linux with greasemonkey extension (although i have yet to figure out how to load a script into it)

Looks like it's definitely a greasemonkey thing, and not just confined to firefox, but gecko in general.
Happens very often on osX here. Never ever used Greasemonkey.
Just for reference, this crash is occuring for some users when closing ChatZilla.
This bug has always been about a shutdown crash.  The crashes in talkback are *not* shutdown crashes.  I filed the non-shutdown crash as bug 334177, with explanation of why they are happening.
If they're not shutdown crashes, you need to say so.

Also, surely it's not a topcrash bug if the talkback ones aren't (so you claim) this bug?
Summary: FF15 crash [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement) → FF15 crash at shutdown [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement)
Note that it's possible that there actually are no shutdown issues here -- I actually don't see any.  So it may be that bug 334177 will fix all the problems here.  But bsmedberg seemed to think otherwise in comment 33, so I'm leaving the two separate.

Restoring timeless's almost-original summary.
Summary: FF15 crash at shutdown [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement) → hacked pre mozilla1.7a crashes on exit [@ PL_DHashTableRawRemove] (nsGenericElement::~nsGenericElement)
Maybe bug 334177 fixes this or part of this, and bug 331117 looks pretty scary for the current 1.8.0.x release --> moving out for reevaluation after we talkback numbers from a release containing bug 334177
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.4-
Flags: blocking1.8.0.4+
This stack has dropped completely off talkback so we presume bug 334177 did in fact fix this.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1-
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5-
Keywords: topcrash+topcrash-
Resolution: --- → WORKSFORME
Component: DOM: Core → DOM: Core & HTML
QA Contact: ian → general
Crash Signature: [@ PL_DHashTableRawRemove]
Flags: needinfo?(timeless)

I'm 3 employers and >15 years away from when I filed this and don't have any of the systems (I don't even have a mozilla build environment, and might not have the resources for one). I technically remember enough about the various things, but I'm unlikely to develop the pieces to verify this.

I'm sorry, but I can't really spend the time auditing the code to determine if there is still a code path like this.

Additionally, in trying to verify this bug as inactive (which is more accurate), I got this:

You tried to change the Resolution field from WORKSFORME to INACTIVE , but only a user with the required permissions may change that field.
Additonal information:
You require "editbugs" permission to reopen a verified bug.

Which is amusing (I know I eventually lost editbugs, for a while I could grant editbugs).

Status: RESOLVED → VERIFIED
Flags: needinfo?(timeless)
You need to log in before you can comment on or make changes to this bug.