Closed Bug 460237 Opened 16 years ago Closed 15 years ago

Thunderbird crash on start up [@nsIFrame::GetParent]

Categories

(Core :: Disability Access APIs, defect)

x86
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: evan.yan, Unassigned)

Details

(Keywords: access, crash)

Start Thunderbird, hover the mouse over the newly added tab under the toolbar, then Thunderbird crashes.

Stack:

#0  0xb7f5d410 in __kernel_vsyscall ()
#1  0xb72d3cb6 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2  0xb72d3ac7 in sleep () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7d4f4cb in ah_crap_handler (signum=11)
    at /home/evan/work/thunderbird/comm-central/mozilla/toolkit/xre/nsSigHandlers.cpp:149
#4  0xb7d50792 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:216
#5  <signal handler called>
#6  0xb5f069ae in nsIFrame::GetParent (this=0xdddddddd)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/html/../../../layout/generic/nsIFrame.h:690
#7  0xb5f4701e in nsAccessibleTreeWalker::PopState (this=0xbfbd9180)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessibleTreeWalker.cpp:122
#8  0xb5f46b0a in nsAccessibleTreeWalker::GetNextSibling (this=0xbfbd9180)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessibleTreeWalker.cpp:191
#9  0xb5f40f74 in nsAccessible::CacheChildren (this=0xafe37290)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessible.cpp:784
#10 0xb5f33c78 in nsAccessible::GetChildCount (this=0xafe37290, aAccChildCount=0xbfbd921c)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessible.cpp:800
#11 0xb5f066fc in nsAccessNode::Init (this=0xafe371a0)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessNode.cpp:211
#12 0xb5f28873 in nsAccessibilityService::InitAccessible (this=0xb08218c0, aAccessibleIn=0xafe371b8, 
    aAccessibleOut=0xbfbd9594, aRoleMapEntry=0x0)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessibilityService.cpp:1260
#13 0xb5f2d3a7 in nsAccessibilityService::GetAccessible (this=0xb08218c0, aNode=0xb16bd95c, aPresShell=0xb255f000, 
    aWeakShell=0xb257c790, aFrameHint=0xbfbd94d8, aIsHidden=0xbfbd94d4, aAccessible=0xbfbd9594)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessibilityService.cpp:1614
#14 0xb5f284d9 in nsAccessibilityService::GetAccessibleInWeakShell (this=0xb08218c0, aNode=0xb16bd95c, 
    aWeakShell=0xb257c790, aAccessible=0xbfbd9594)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessibilityService.cpp:1246
#15 0xb5f11be3 in nsDocAccessible::GetAccessibleInParentChain (this=0xb09de9d0, aNode=0xb16bd9bc, aCanCreate=1, 
    aAccessible=0xbfbd9594)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsDocAccessible.cpp:2083
#16 0xb5f066bd in nsAccessNode::Init (this=0xafe37100)
    at /home/evan/work/thunderbird/comm-central/mozilla/accessible/src/base/nsAccessNode.cpp:208
#17 0xb5f28873 in nsAccessibilityService::InitAccessible (this=0xb08218c0, aAccessibleIn=0xafe37118, 
    aAccessibleOut=0xbfbd9b2c, aRoleMapEntry=0x0)


If I use Accerciser to explore the accessible tree from top to bottom, Thunderbird doesn't crash.
The accessible tree looks like this:

- nsXULTabBoxAccessible
  - nsXULTooltipAccessible
  - nsXULMenuPopupAccessible
  - nsXULTabsAccessible
  - <crash>

It seems the frame of nsXULTabsAccessible is not correct.

(gdb) p *walker.mState.frame
$5 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, y = -572662307, width = -572662307, 
    height = -572662307}, mContent = 0xdddddddd, mStyleContext = 0xdddddddd, mParent = 0xdddddddd, 
  mNextSibling = 0xdddddddd, mState = 3722304989}


I see that in nsAccessibleTreeWalker::GetKids() it says "Don't walk frames in non-HTML content, just walk the DOM". But after mState.frame is updated by nsAccService, we still walk frames. Is that expected?
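Added triage example (not part of the original report and not Mozilla code): the gdb dump above can be checked mechanically for allocator fill patterns. Every field except the vtable pointer decodes to the repeated byte 0xdd, a value debug allocators commonly write over memory, which is consistent with the walker holding a frame pointer that is no longer valid. The `FILL_BYTES` list and the function names are assumptions of this example.

```python
import re

# Fill bytes that debug allocators commonly write over memory. This list is an
# assumption of the example, not taken from the report; 0xdd is the one seen here.
FILL_BYTES = (0xDD, 0xCD, 0xA5, 0x5A)

# Sample input: the gdb output quoted in the report above.
GDB_DUMP = """\
$5 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, y = -572662307, width = -572662307,
    height = -572662307}, mContent = 0xdddddddd, mStyleContext = 0xdddddddd, mParent = 0xdddddddd,
  mNextSibling = 0xdddddddd, mState = 3722304989}
"""

# "name = value" pairs where the value is hex or (signed) decimal.
FIELD_RE = re.compile(r"([\w.]+) = (-?(?:0x[0-9a-fA-F]+|\d+))")


def fill_byte(value, width=4):
    """Return the fill byte if value is one known fill byte repeated, else None."""
    # Mask first so that signed decimals (as gdb prints ints) compare correctly.
    raw = (value & (2 ** (8 * width) - 1)).to_bytes(width, "little")
    if len(set(raw)) == 1 and raw[0] in FILL_BYTES:
        return raw[0]
    return None


def triage(dump):
    """Split dumped fields into poisoned {name: fill byte} and other field names."""
    poisoned, clean = {}, []
    for name, text in FIELD_RE.findall(dump):
        byte = fill_byte(int(text, 0))
        if byte is None:
            clean.append(name)
        else:
            poisoned[name] = byte
    return poisoned, clean


if __name__ == "__main__":
    poisoned, clean = triage(GDB_DUMP)
    for name, byte in poisoned.items():
        print(f"{name}: repeated fill byte 0x{byte:02x}")
    print("not a fill pattern:", ", ".join(clean))
```

The same check applies to the `this=0xdddddddd` argument in frame #6 of the stack, which is the `mParent` value read from this object.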
The most notable thing about the XBL for the Thunderbird tab bar is that given a XUL tree like so from messenger.xul:

- tabmail
 - box (which gets the calendar/tasks buttons)
 - tabpanels

the 'tabmail' XBL binding (in tabmail.xml) roots the 'tabpanels' binding under its 'xul:tabbox' and passes the box to the 'tabmail-tabs' binding. (The tabpanels is an includes-filtered 'children' element, the box is unfiltered.)

When Lightning is present/enabled, both the box and tabpanels will have elements contributed via overlays.

I'm not sure if any of that information is useful... but I was adding myself to the cc list because I have the crash too... :)
I'm not sure I understand the tabmail XBL binding thing... but this bug is reproducible with Lightning disabled.

It might be a layout bug which was triggered by a11y code, since that part of the a11y code has been unchanged for a long time and works well in other places.
Evan, does this still occur with the latest Thunderbird 3 beta / trunk nightlies?
Whiteboard: closeme 2009-07-23
WFM with latest Thunderbird 3.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Whiteboard: closeme 2009-07-23
Crash Signature: [@nsIFrame::GetParent]