Closed Bug 1053839 Opened 11 years ago Closed 11 years ago

Taskbar preview is still crashing

Categories

(Core :: Widget: Win32, defect)

Product:
Core
Component:
Widget: Win32
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35

People

(Reporter: BenB, Assigned: mkaply)

Details

Attachments

(1 file)

Don't do anything if the window is being destroyed
877 bytes, patch
jimm
: review+
Details | Diff | Splinter Review
Crash stats: https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=3&signature=mozilla%3A%3Awidget%3A%3ATaskbarPreview%3A%3AMainWindowHook%28void*%2C+HWND__*%2C+unsigned+int%2C+unsigned+int%2C+long%2C+long*%29#tab-reports Code crashing: http://mxr.mozilla.org/comm-central/source/mozilla/widget/windows/TaskbarPreview.cpp#395 Previous bugs about crashes in the same function: Bug 557557 Bug 744992 The effects were very bad, it was crashing on startup, not even safemode would work, so these profiles and users were dead in the water. The function is still crashing. Less than before, but this may just be because extensions stopped using this API (we certainly did, due to the bugs), or all users who had them are dead and now happy GChrome users. The fix for bug 557557 was bad. It's still accessing preview in the problem situation.
Severity: normal → major
OS: Linux → Windows 7
Hardware: x86_64 → x86
Assignee: nobody → mozilla
> Crash stats: https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=3&signature=mozilla%3A%3Awidget%3A%3ATaskbarPreview%3A%3AMainWindowHook%28void*%2C+HWND__*%2C+unsigned+int%2C+unsigned+int%2C+long%2C+long*%29#tab-reports In the last month, there have been TB 24.6: 83 crashes TB 31 and newer: 40 crashes FF 30 and newer: 4 crashes Again, the low numbers may just be because extensions stopped using this API (we certainly did, due to the bugs), or all users who had them are dead and now happy GChrome users. The FF crashes seem to be at window shutdown, which suggests bug 557557. The TB might be 2 extensions trying to set the badge.
> The fix for bug 557557 was bad. It's still accessing preview in the problem situation. 395 TaskbarPreview::MainWindowHook(void *aContext, ... 404 if (!aContext) 405 return false; 406 TaskbarPreview *preview = reinterpret_cast<TaskbarPreview*>(aContext); 407 if (nMsg == WM_DESTROY) { 408 // nsWindow is being destroyed 409 // We can't really do anything at this point including removing hooks 410 preview->mWnd = nullptr; Here's my theory: At window destroy time, the TaskbarPreview object has been destroyed. But Windows still holds a pointer to it. For some odd case/reason, it calls MainWindowHook() at this point, with the aContext parameter being that now wild pointer. The pointer won't be null, but an actually memory address, so the null check passes. But the line preview->mWnd = nullptr; then crashes, because it tries to access the object that now no longer exists. This preview->mWnd = nullptr; line was fairly misguided, for that reason.
We shouldn't be messing with the preview at all on destroy. It might be a bad pointer.
Attachment #8489460 - Flags: review?(jmathies)
Attachment #8489460 - Flags: review?(jmathies) → review+
This did land on mozilla-central, though the bug didn't get marked. Sorry for any confusion. https://hg.mozilla.org/mozilla-central/rev/b1d627e9bf5e
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: