Closed Bug 334177 Opened 18 years ago Closed 18 years ago

topcrash (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement

Categories

(Core :: DOM: Core & HTML, defect, P1)

x86
Linux
defect

VERIFIED FIXED
mozilla1.8.1alpha2

People

(Reporter: dbaron, Assigned: dbaron)

Details

(4 keywords, Whiteboard: [patch])

Attachments

(3 files)

Bug 237736 has tracked crashes in PL_DHashTableRawRemove called from ~nsGenericElement.  It was originally filed on a shutdown crash, but has come to track both that problem and the topcrash we've been seeing.  I'm filing this bug as a separate bug to analyze the topcrash.

I did a detailed analysis of one of the stacks in talkback with this signature, and figured out on which instruction the crash was happening (the crash is on the line:
        MARK_ENTRY_REMOVED(entry);
assigning 0x1 into entry->keyHash).

And I've finally figured out *why* this is happening -- the clearEntry callback used for sEventListenerManagersHash can mutate (shrink, most likely) the table!
Assignee: general → dbaron
Status: NEW → ASSIGNED
In particular, what I suspect is happening is that we end up with a stack something like (this entire stack is written by hand):

ChangeTable
PL_DHashTableOperate
nsGenericElement::~nsGenericElement
...
<removal of a C++-implemented event listener>
nsEventListenerManager::ReleaseListeners
nsEventListenerManager::RemoveAllListeners
nsEventListenerManager::~nsEventListenerManager
nsEventListenerManager::Release
nsCOMPtr_base::~nsCOMPtr_base
nsCOMPtr<nsIEventListenerManager>::~nsCOMPtr<nsIEventListenerManager>
EventListenerManagerMapEntry::~EventListenerManagerMapEntry
EventListenerManagerClearEntry
PL_DHashTableRawRemove   <== crash here on un-wind
PL_DHashTableOperate
nsGenericElement::~nsGenericElement
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
Summary: talkback crashes (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement → topcrash (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement
FWIW, I filed bug 334180 on making pldhash assert about this type of problem.
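The re-entrancy described in the comments above, reduced to a toy table. This is an added example, not Mozilla's code and not the patch attached to this bug; every name in it is hypothetical. It assumes a generation counter as the way to detect that the clear callback reallocated the table, and shows that taking the value out of the entry before the removal keeps the re-entry from happening while the entry pointer is still in use.

```c
#include <stdlib.h>
/* Toy model; every name is hypothetical, this is not pldhash's API. */
typedef struct { unsigned keyHash; void *value; } Entry;  /* keyHash 1 = removed */
typedef struct { Entry *store; size_t cap; unsigned generation; } Table;

/* Stand-in for ChangeTable: old storage is freed (entry copying omitted). */
static void table_shrink(Table *t) {
    free(t->store);
    t->cap /= 2;
    t->store = calloc(t->cap, sizeof(Entry));
    t->generation++;                    /* bumped whenever storage moves */
}

/* Stand-in for releasing the listener manager: its teardown re-enters the table. */
static void release_value(Table *t, void *v) { if (v) { free(v); table_shrink(t); } }

/* clearEntry analogue: drops whatever the entry still owns. */
static void clear_entry(Table *t, Entry *e) {
    void *v = e->value; e->value = NULL;
    release_value(t, v);
}

/* RawRemove analogue: returns -1 if the callback reallocated the table. */
static int raw_remove(Table *t, Entry *e) {
    unsigned before = t->generation;
    clear_entry(t, e);
    if (t->generation != before) return -1;  /* e dangles; do not write through it */
    e->keyHash = 1;                          /* MARK_ENTRY_REMOVED(entry) */
    return 0;
}

/* detach_first=0: the callback releases the value mid-removal (crash ordering).
   detach_first=1: the caller takes the value out, removes, then releases it. */
static int remove_entry(int detach_first) {
    Table t = { calloc(8, sizeof(Entry)), 8, 0 };
    Entry *e = &t.store[3];
    e->keyHash = 42; e->value = malloc(1);  /* constructed sample entry */
    void *held = NULL;
    if (detach_first) { held = e->value; e->value = NULL; }
    int rc = raw_remove(&t, e);
    release_value(&t, held);                /* any re-entry happens after removal */
    free(t.store);
    return rc;
}

int main(void) {  /* exits 0 when both orderings behave as described */
    return (remove_entry(0) == -1 && remove_entry(1) == 0) ? 0 : 1;
}
```

Without the generation check, the first ordering performs the `e->keyHash = 1` store into freed storage, which is the write the crash analysis above points at.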
Attached patch: trunk patch
The branch patch will look a bit different thanks to bug 315901.
Attachment #218870 - Flags: superreview?(jst)
Attachment #218870 - Flags: review?(jst)
Attachment #218872 - Flags: superreview?(jst)
Attachment #218872 - Flags: review?(jst)
Attachment #218872 - Flags: approval1.8.0.3?
Attachment #218872 - Flags: approval-branch-1.8.1?(jst)
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.8.1alpha2
Comment on attachment 218870
trunk patch

r+sr=jst
Attachment #218870 - Flags: superreview?(jst) → superreview+
Attachment #218870 - Flags: review?(jst) → review+
Attachment #218872 - Flags: superreview?(jst) → superreview+
Attachment #218872 - Flags: review?(jst) → review+
Attachment #218872 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Checked in to trunk and MOZILLA_1_8_BRANCH.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Flags: blocking1.8.1? → blocking1.8.1+
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Comment on attachment 218872
patch for 1.8 branch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218872 - Flags: approval1.8.0.3? → approval1.8.0.3+
Fix checked in to MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.3
No longer appearing on topcrash reports for branch. However, PL_DHashTableRawRemove still appears on trunk topcrash reports. But that may be related to bug 234169. Can't tell right now as incident query is broken.
Status: RESOLVED → VERIFIED
Crash Signature: [@ PL_DHashTableRawRemove]
Component: DOM → DOM: Core & HTML