Closed Bug 673472 Opened 13 years ago Closed 13 years ago

Segfault when using acceleration event handler that calls console.log

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: jdm, Assigned: jdm)

References

Details

(Whiteboard: [inbound])

Crash Data

Attachments

(2 files, 2 obsolete files)

Testcase
161 bytes, text/html
Details
Avoid adding multiple copies of device motion listeners.
5.45 KB, patch
Details | Diff | Splinter Review
Attached file Testcase (obsolete) — 
With the attached testcase, I am able to frequently trigger a segfault. It has something to do with an nsIDOMWindow element in mWindowListeners going missing, and it always happens when I switch to a different application. GDB confirms that the nsGlobalWindow elements of mWindowListeners are fine, but the DOM window pointer is corrupt.

https://crash-stats.mozilla.com/report/index/bp-db853315-1ba0-4408-ac0a-672cc2110722
http://hg.mozilla.org/mozilla-central/annotate/6df31af4cca6/dom/system/nsDeviceMotion.cpp#l229
Attached file Testcase 
To make this crash, I open the testcase, open a blank tab, close the testcase, then reopen the closed tab, repeating this until it crashes (usually a couple iterations).
Attachment #547746 - Attachment is obsolete: true
(gdb) fr 1
#1  0x0000000101adc540 in nsDeviceMotion::DeviceMotionChanged (this=0x10694c010, type=0, x=-0.019999999552965164, y=0.012000000104308128, z=1.0479999780654907) at /Users/jdm/src/mozilla-central/dom/system/nsDeviceMotion.cpp:229
229	    mWindowListeners[i]->GetDocument(getter_AddRefs(domdoc));
(gdb) ptarray mWindowListeners
elem[0]: $1 = (class nsIDOMWindow *) 0x100181a10
elem[1]: $2 = (class nsIDOMWindow *) 0x125718040
elem[2]: $3 = (nsGlobalWindow *) 0x11cc204f0
elem[3]: $4 = (nsGlobalWindow *) 0x11cc204f0
nsTArray length = 4
nsTArray capacity = 8
Element Cannot access memory at address 0x0
(gdb) p i
$5 = 1
(gdb) p $1
$6 = (class nsIDOMWindow *) 0x100181a10
(gdb) p $2
$7 = (class nsIDOMWindow *) 0x125718040
(gdb) p *$2
$8 = {
  <nsISupports> = {
    _vptr$nsISupports = 0x125710262
  }, <No data fields>}
(gdb) p *$1
$9 = {
  <nsISupports> = {
    _vptr$nsISupports = 0x10019bc03
  }, <No data fields>}
(gdb)

        Attachment #547765 -
        Flags: review?(doug.turner)

    
    

    
  
Comment on attachment 547765 [details] [diff] [review]
Avoid adding multiple copies of device motion listeners.

should NoIndex also be static?

Want to add a test?

otherwise looks fine.

        Attachment #547765 -
        Flags: review?(doug.turner) → review+

    
  
Assignee: nobody → josh

    
  

        Attachment #547765 -
        Attachment is obsolete: true

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/5381d0941c10
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
  
Target Milestone: --- → mozilla8

    
    

    
  
Also see bug 675126 for fixups

    
    

    
  
FYI, there are still crashes coming in for this signature, on the same
line as in comment 1.  The latest one has Build ID: 20110802030845
bp-db8e07ca-7f1c-4bc2-9217-518ce2110802
Depends on: 676316

    
    

    
  
I hit this on Mac OSX Desktop Nightly: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a1) Gecko/20110731 Firefox/8.0a1

STR (not 100% reproducible):
1) Visit github
2) click on account settings > Account overview
3) went into Email Addresses, and removed an existing address
4) Hit add
5) Crash


Is it the same bug?  If so, i'll reopen.  if not, i'll file new.


https://crash-stats.mozilla.com/report/index/bp-78ea9f31-03d3-4240-8ffd-2a6032110809

Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	nsDeviceMotion::DeviceMotionChanged 	dom/system/nsDeviceMotion.cpp:236
1 	XUL 	nsDeviceMotionSystem::UpdateHandler 	dom/system/cocoa/nsDeviceMotionSystem.mm:146
2 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
3 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
4 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
5 	XUL 	NS_ProcessNextEvent_P 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:245
6 	XUL 	nsXULWindow::CreateNewContentWindow 	xpfe/appshell/src/nsXULWindow.cpp:1808
7 	XUL 	nsAppStartup::CreateChromeWindow2 	toolkit/components/startup/nsAppStartup.cpp:497
8 	XUL 	nsWindowWatcher::OpenWindowJSInternal 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:721
9 	XUL 	nsWindowWatcher::OpenWindowJS 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:480
10 	XUL 	nsGlobalWindow::OpenInternal 	dom/base/nsGlobalWindow.cpp:8668
11 	XUL 	nsGlobalWindow::OpenInternal 	dom/base/nsGlobalWindow.cpp:8563
12 	XUL 	nsGlobalWindow::OpenJS 	dom/base/nsGlobalWindow.cpp:5781
13 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
14 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3119
15 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1595
16 	XUL 	js::Invoke 	js/src/jscntxtinlines.h:281
17 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4008
18 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:345
19 	XUL 	CallCompiler::update 	js/src/methodjit/MonoIC.cpp:964
20 	XUL 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1018
21 		@0x1592a4f52 	
22 		@0x1ffffffff 	
23 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:686
24 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:716
25 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4045
26 	XUL 	js::mjit::stubs::CompileFunction 	js/src/methodjit/InvokeHelpers.cpp:300
27 		@0x1522baed4 	
28 	GeForceGLDriver 	GeForceGLDriver@0x0 	
29 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:686
30 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:716
31 	XUL 	js::RunScript 	js/src/jsinterp.cpp:610
32 	XUL 	js::Invoke 	js/src/jsinterp.cpp:686
33 	XUL 	js_fun_apply 	js/src/jsinterp.h:169
34 	XUL 	js::Invoke 	js/src/jscntxtinlines.h:281
35 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4008
36 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:345
37 	XUL 	CallCompiler::update 	js/src/methodjit/MonoIC.cpp:964
38 	XUL 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1018
39 		@0x15284806f 	
40 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:686
41 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:716
42 	XUL 	js::RunScript 	js/src/jsinterp.cpp:610
43 	XUL 	js::Invoke 	js/src/jsinterp.cpp:686
44 	XUL 	js::ExternalInvoke 	js/src/jsinterp.h:169
45 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5085
46 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1657
47 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:585
48 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
49 	XUL 	XUL@0xe81b0a 	
50 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1080
51 	XUL 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1177
52 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:155
53 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:672
54 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:7069
55 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6917
56 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	content/events/src/nsEventStateManager.cpp:4229
57 	XUL 	nsEventStateManager::PostHandleEvent 	content/events/src/nsEventStateManager.cpp:3171
58 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:7092
59 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6902
60 	XUL 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6734
61 	XUL 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1029
62 	XUL 	HandleEvent 	view/src/nsView.cpp:159
63 	XUL 	nsChildView::DispatchEvent 	widget/src/cocoa/nsChildView.mm:1493
64 	XUL 	nsChildView::DispatchWindowEvent 	widget/src/cocoa/nsChildView.mm:1503
65 	XUL 	-[ChildView mouseUp:] 	widget/src/cocoa/nsChildView.mm:3149
66 	AppKit 	AppKit@0x13d7ec 	
67 	CoreFoundation 	CoreFoundation@0x21eca 	
68 	CoreFoundation 	CoreFoundation@0x100cb 	
69 	libSystem.B.dylib 	libSystem.B.dylib@0x65d3 	
70 	CoreFoundation 	CoreFoundation@0x6191 	
71 	CoreFoundation 	CoreFoundation@0xf876 	
72 	CoreFoundation 	CoreFoundation@0x100cb 	
73 	CoreFoundation 	CoreFoundation@0xf876 	
74 	CoreFoundation 	CoreFoundation@0xf6ce 	
75 	libSystem.B.dylib 	libSystem.B.dylib@0x6b19 	
76 	Foundation 	Foundation@0x5ff3 	
77 	libobjc.A.dylib 	libobjc.A.dylib@0x619f 	
78 	XUL 	-[ToolbarWindow sendEvent:] 	widget/src/cocoa/nsCocoaWindow.mm:2363
79 	AppKit 	AppKit@0x72ee1 	
80 	CoreFoundation 	CoreFoundation@0x24228 	
81 	AppKit 	AppKit@0x71904 	
82 	AppKit 	AppKit@0x749ff7 	
83 	AppKit 	AppKit@0x749ff7 	
84 	AppKit 	AppKit@0x43f09

    
    

    
  
I hit this on Mac OSX Desktop Nightly: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a1) Gecko/20110731 Firefox/8.0a1

STR (not 100% reproducible):
1) Visit github
2) click on account settings > Account overview
3) went into Email Addresses, and removed an existing address
4) Hit add
5) Crash!


Is it the same bug?  If so, i'll reopen.  if not, i'll file new.

https://crash-stats.mozilla.com/report/index/bp-78ea9f31-03d3-4240-8ffd-2a6032110809

Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	nsDeviceMotion::DeviceMotionChanged 	dom/system/nsDeviceMotion.cpp:236
1 	XUL 	nsDeviceMotionSystem::UpdateHandler 	dom/system/cocoa/nsDeviceMotionSystem.mm:146
2 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
3 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
4 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
5 	XUL 	NS_ProcessNextEvent_P 	obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:245
6 	XUL 	nsXULWindow::CreateNewContentWindow 	xpfe/appshell/src/nsXULWindow.cpp:1808
7 	XUL 	nsAppStartup::CreateChromeWindow2 	toolkit/components/startup/nsAppStartup.cpp:497
8 	XUL 	nsWindowWatcher::OpenWindowJSInternal 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:721
9 	XUL 	nsWindowWatcher::OpenWindowJS 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:480
10 	XUL 	nsGlobalWindow::OpenInternal 	dom/base/nsGlobalWindow.cpp:8668
11 	XUL 	nsGlobalWindow::OpenInternal 	dom/base/nsGlobalWindow.cpp:8563
12 	XUL 	nsGlobalWindow::OpenJS 	dom/base/nsGlobalWindow.cpp:5781
13 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
14 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3119
15 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1595
16 	XUL 	js::Invoke 	js/src/jscntxtinlines.h:281
17 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4008
18 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:345
19 	XUL 	CallCompiler::update 	js/src/methodjit/MonoIC.cpp:964
20 	XUL 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1018
21 		@0x1592a4f52 	
22 		@0x1ffffffff 	
23 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:686
24 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:716
25 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4045
26 	XUL 	js::mjit::stubs::CompileFunction 	js/src/methodjit/InvokeHelpers.cpp:300
27 		@0x1522baed4 	
28 	GeForceGLDriver 	GeForceGLDriver@0x0 	
29 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:686
30 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:716
31 	XUL 	js::RunScript 	js/src/jsinterp.cpp:610
32 	XUL 	js::Invoke 	js/src/jsinterp.cpp:686
33 	XUL 	js_fun_apply 	js/src/jsinterp.h:169
34 	XUL 	js::Invoke 	js/src/jscntxtinlines.h:281
35 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4008
36 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:345
37 	XUL 	CallCompiler::update 	js/src/methodjit/MonoIC.cpp:964
38 	XUL 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1018
39 		@0x15284806f 	
40 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:686
41 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:716
42 	XUL 	js::RunScript 	js/src/jsinterp.cpp:610
43 	XUL 	js::Invoke 	js/src/jsinterp.cpp:686
44 	XUL 	js::ExternalInvoke 	js/src/jsinterp.h:169
45 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5085
46 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1657
47 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:585
48 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
49 	XUL 	XUL@0xe81b0a 	
50 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1080
51 	XUL 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1177
52 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:155
53 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:672
54 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:7069
55 	XUL 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6917
56 	XUL 	nsEventStateManager::CheckForAndDispatchClick 	content/events/src/nsEventStateManager.cpp:4229
57 	XUL 	nsEventStateManager::PostHandleEvent 	content/events/src/nsEventStateManager.cpp:3171
58 	XUL 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:7092
59 	XUL 	PresShell::HandlePositionedEvent 	layout/base/nsPresShell.cpp:6902
60 	XUL 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6734
61 	XUL 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:1029
62 	XUL 	HandleEvent 	view/src/nsView.cpp:159
63 	XUL 	nsChildView::DispatchEvent 	widget/src/cocoa/nsChildView.mm:1493
64 	XUL 	nsChildView::DispatchWindowEvent 	widget/src/cocoa/nsChildView.mm:1503
65 	XUL 	-[ChildView mouseUp:] 	widget/src/cocoa/nsChildView.mm:3149
66 	AppKit 	AppKit@0x13d7ec 	
67 	CoreFoundation 	CoreFoundation@0x21eca 	
68 	CoreFoundation 	CoreFoundation@0x100cb 	
69 	libSystem.B.dylib 	libSystem.B.dylib@0x65d3 	
70 	CoreFoundation 	CoreFoundation@0x6191 	
71 	CoreFoundation 	CoreFoundation@0xf876 	
72 	CoreFoundation 	CoreFoundation@0x100cb 	
73 	CoreFoundation 	CoreFoundation@0xf876 	
74 	CoreFoundation 	CoreFoundation@0xf6ce 	
75 	libSystem.B.dylib 	libSystem.B.dylib@0x6b19 	
76 	Foundation 	Foundation@0x5ff3 	
77 	libobjc.A.dylib 	libobjc.A.dylib@0x619f 	
78 	XUL 	-[ToolbarWindow sendEvent:] 	widget/src/cocoa/nsCocoaWindow.mm:2363
79 	AppKit 	AppKit@0x72ee1 	
80 	CoreFoundation 	CoreFoundation@0x24228 	
81 	AppKit 	AppKit@0x71904 	
82 	AppKit 	AppKit@0x749ff7 	
83 	AppKit 	AppKit@0x749ff7 	
84 	AppKit 	AppKit@0x43f09

    
    

    
  
And here's another crash immediately following, after clicking Save Changes in this bug comment.

https://crash-stats.mozilla.com/report/index/bp-9c309c0f-e8ca-46ba-84e0-465712110809

Signature	@0x0 | nsDeviceMotion::DeviceMotionChanged

    
  
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
jdm - if we have multiple callers to AddWindowListener with the same window, the call to RemoveWindowListener will just return the first one.  This is probably the cause to this crash.  do you agree?

    
    

    
  
nevermind ^^.  

mxr is like a week out of sync with the tip.

    
    

    
  
I'm pretty sure any further crashes should be filed as new ones.
Status: REOPENED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → FIXED

    
  
Resolution: FIXED → DUPLICATE

    
    

    
  
This is its own bug, not a duplicate.
Resolution: DUPLICATE → FIXED
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: