Closed Bug 13650 Opened 26 years ago Closed 26 years ago

crash in nsPresContext with bogus mShell member

Categories

(Core :: Layout, defect, P3)

x86
All
defect

VERIFIED DUPLICATE of bug 13780

People

(Reporter: jband_mozilla, Assigned: peterl-retired)

morse wrote...
crash on startup -- win32
This is with a fresh tree that I pulled at about 4:30 today. Starting from scratch with no mozregistry.dat. After the crash, the registry is created and rerunning doesn't crash.
-- Steve
nsPresContext::PreferenceChanged(const char * 0x029b1280) line 257 + 19 bytes
PrefChangedCallback(const char * 0x029b1280, void * 0x0207a050) line 55
pref_DoCallback(const char * 0x029b1280) line 2313 + 17 bytes
pref_HashPref(const char * 0x029b1280, PrefValue {...}, int 32, int 0) line 1878 + 9 bytes
PREF_SetDefaultCharPref(const char * 0x029b1280, const char * 0x029b1200) line 813 + 17 bytes
nsPref::SetDefaultCharPref(nsPref * const 0x00a79140, const char * 0x029b1280, const char * 0x029b1200) line 654 + 13 bytes
XPTC_InvokeByIndex(nsISupports * 0x00a79140, unsigned int 38, unsigned int 2, nsXPTCVariant * 0x0012e614) line 135
nsXPCWrappedNativeClass::CallWrappedMethod(JSContext * 0x02726cf0, nsXPCWrappedNative * 0x029b1530, const XPCNativeMemberDescriptor * 0x01cbb280, nsXPCWrappedNativeClass::CallMode CALL_METHOD, unsigned int 2, long * 0x01c54e78, long * 0x0012e834) line 661 + 44 bytes
WrappedNative_CallMethod(JSContext * 0x02726cf0, JSObject * 0x02552ba8, unsigned int 2, long * 0x01c54e78, long * 0x0012e834) line 170 + 34 bytes
js_Invoke(JSContext * 0x02726cf0, unsigned int 2, unsigned int 0) line 654 + 26 bytes
js_Interpret(JSContext * 0x02726cf0, long * 0x0012f064) line 2228 + 15 bytes
js_Invoke(JSContext * 0x02726cf0, unsigned int 0, unsigned int 0) line 670 + 13 bytes
js_Interpret(JSContext * 0x02726cf0, long * 0x0012f850) line 2228 + 15 bytes
js_Invoke(JSContext * 0x02726cf0, unsigned int 1, unsigned int 2) line 670 + 13 bytes
js_InternalCall(JSContext * 0x02726cf0, JSObject * 0x01c22600, long 30186640, unsigned int 1, long * 0x0012f96c, long * 0x0012f9d4) line 747 + 15 bytes
JS_CallFunctionValue(JSContext * 0x02726cf0, JSObject * 0x01c22600, long 30186640, unsigned int 1, long * 0x0012f96c, long * 0x0012f9d4) line 2662 + 29 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x029a81f0) line 110 + 43 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012fc58, nsIDOMEvent * * 0x0012fb34, unsigned int 7, nsEventStatus & nsEventStatus_eIgnore) line 991 + 21 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x02726eb4, nsIPresContext & {...}, nsEvent * 0x0012fc58, nsIDOMEvent * * 0x0012fb34, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2848
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x0272cc24, nsIDocumentLoader * 0x0272cba0, nsIChannel * 0x02766ba0, unsigned int 0, nsIDocumentLoaderObserver * 0x0272cc24) line 3480 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x0272cba0, unsigned int 0) line 1103
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x0272cba4, nsIChannel * 0x00000000, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 974
nsLoadGroup::SubGroupIsEmpty(unsigned int 0) line 119 + 43 bytes
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x028be7c0, nsIChannel * 0x029421d0, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 577
nsFileChannel::OnStopRequest(nsFileChannel * const 0x029421dc, nsIChannel * 0x029421d0, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 838
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x029434e0) line 269
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x029434e4) line 144 + 12 bytes
PL_HandleEvent(PLEvent * 0x029434e4) line 509 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a79580) line 470 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x01b80692, unsigned int 49329, unsigned int 0, long 10982784) line 938 + 9 bytes
USER32! 77e71268()
0 .............................................................
I see this exact thing in a build a couple of days old. It looks like the 'this' of class nsPresContext is basically valid. But the mShell member is bogus. I see that this class does not init mShell in its ctor - the member is only set in the SetShell method. mShell is garbage 'till SetShell is called. mShell is used in various places without checking it for non-null anyway. I don't know enough about the usage of this class to say more.
John.
I see the comment:
// Note: We don't hold a reference on the shell; it has a reference to
// us
In this dialog situation is the shell going away before you can call it? If you have a weak ref then what is keeping it in place? Should you be notified if it goes away?
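Added example (not Mozilla code, and not the fix from bug 13780): the hazard raised in the comments above, a non-owning mShell that is indeterminate until SetShell runs and is dereferenced from a pref callback, next to one defensive pattern for it. PrefService, Shell and PresContext here are simplified hypothetical stand-ins.

```cpp
// Added illustration; PrefService, Shell and PresContext are hypothetical stand-ins.
#include <functional>
#include <map>
#include <string>

using PrefCb = std::function<void(const std::string&)>;
struct PrefService {  // minimal pref-callback registry
    std::map<int, PrefCb> callbacks;
    int nextId = 0;
    int Register(PrefCb cb) { callbacks[nextId] = cb; return nextId++; }
    void Unregister(int id) { callbacks.erase(id); }
    void Set(const std::string& n) { for (auto& kv : callbacks) kv.second(n); }
};
struct Shell { int reflows = 0; void Reflow() { ++reflows; } };

class PresContext {
public:
    explicit PresContext(PrefService& prefs) : mPrefs(prefs) {
        mCallbackId = mPrefs.Register(
            [this](const std::string& n) { PreferenceChanged(n); });
    }
    ~PresContext() { mPrefs.Unregister(mCallbackId); }
    // The shell owns us and calls SetShell(nullptr) before it is destroyed.
    void SetShell(Shell* shell) { mShell = shell; }
    void PreferenceChanged(const std::string&) {
        if (!mShell) { ++mSkipped; return; }  // no shell yet, or shell gone
        mShell->Reflow();
    }
    int Skipped() const { return mSkipped; }
private:
    PrefService& mPrefs;
    Shell* mShell = nullptr;  // weak pointer, never left indeterminate
    int mCallbackId = -1;
    int mSkipped = 0;
};

// Fires the callback before SetShell, with a shell set, and after clearing it.
int RunScenario(int* reflowsOut) {
    PrefService prefs;
    PresContext ctx(prefs);
    prefs.Set("browser.startup.homepage");  // before SetShell: skipped
    Shell shell;
    ctx.SetShell(&shell);
    prefs.Set("browser.startup.homepage");  // reaches the shell
    ctx.SetShell(nullptr);                  // shell is going away
    prefs.Set("browser.startup.homepage");  // skipped again
    *reflowsOut = shell.reflows;
    return ctx.Skipped();
}
int main() { int r = 0; return (RunScenario(&r) == 2 && r == 1) ? 0 : 1; }
```

Without the `= nullptr` initializer the first notification would dereference an indeterminate pointer, and without the unregister in the destructor the registry would keep a callback into a freed object.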
OS: Windows NT → All
marking all, as I see it on Linux too. to reproduce:
rm ~/.mozilla
./mozilla-apprunner
(create a profile with the profile wizard)
after you hit "Finished" you crash
here's the Linux stack:
#0 0x401728a8 in nsString virtual table ()
#1 0x40e65e21 in nsPresContext::PreferenceChanged (this=0x8250328, aPrefName=0x86e0be0 "browser.startup.homepage") at nsPresContext.cpp:257
#2 0x40e65247 in PrefChangedCallback (aPrefName=0x86e0be0 "browser.startup.homepage", instance_data=0x8250328) at nsPresContext.cpp:53
#3 0x4081cf44 in pref_DoCallback (changed_pref=0x86e0be0 "browser.startup.homepage") at prefapi.c:2313
#4 0x4081c13b in pref_HashPref (key=0x86e0be0 "browser.startup.homepage", value={stringVal = 0x86e0c18 "www.mozilla.org", intVal = 141429784, boolVal = 141429784}, type=PREF_STRING, action=PREF_SETDEFAULT) at prefapi.c:1878
#5 0x4081a06a in PREF_SetDefaultCharPref (pref_name=0x86e0be0 "browser.startup.homepage", value=0x86e0c18 "www.mozilla.org") at prefapi.c:813
#6 0x4081ec8d in nsPref::SetDefaultCharPref (this=0x80aec00, pref=0x86e0be0 "browser.startup.homepage", value=0x86e0c18 "www.mozilla.org") at nsPref.cpp:654
#7 0x40152dbc in XPTC_InvokeByIndex (that=0x80aec00, methodIndex=38, paramCount=2, params=0xbfffda6c) at xptcinvoke_unixish_x86.cpp:160
#8 0x4102099b in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libxpconnect.so
#9 0x410227fb in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libxpconnect.so
#10 0x4007e78e in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#11 0x4008cf01 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#12 0x4007e7ed in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#13 0x4008cf01 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#14 0x4007e7ed in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#15 0x4007eb08 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#16 0x40056a09 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libmozjs.so
#17 0x4042d8b1 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libjsdom.so
#18 0x40c57b36 in nsEventListenerManager::HandleEvent (this=0x852b440, aPresContext=@0x8158d28, aEvent=0xbffff468, aDOMEvent=0xbffff32c, aFlags=7, aEventStatus=@0xbffff4a0) at nsEventListenerManager.cpp:991
#19 0x4040c143 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libjsdom.so
#20 0x409c6a9d in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libraptorwebwidget.so
#21 0x409bbe04 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libraptorwebwidget.so
#22 0x409bba5c in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libraptorwebwidget.so
#23 0x4096ba90 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libnecko.so
#24 0x4096d116 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libnecko.so
#25 0x40a37658 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libnecko_file.so
#26 0x40960503 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libnecko.so
#27 0x4095ff33 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/components/libnecko.so
#28 0x4017c29b in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libplds3.so
#29 0x4017c1ac in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libplds3.so
#30 0x4014534d in nsEventQueueImpl::ProcessPendingEvents (this=0x8078ac8) at nsEventQueue.cpp:118
#31 0x4053c676 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libwidget_gtk.so
#32 0x4071b789 in ?? () from /usr/lib/libgdk-1.2.so.0
#33 0x40747d6a in ?? () from /usr/lib/libglib-1.2.so.0
#34 0x407492c6 in ?? () from /usr/lib/libglib-1.2.so.0
#35 0x40749801 in ?? () from /usr/lib/libglib-1.2.so.0
#36 0x40749979 in ?? () from /usr/lib/libglib-1.2.so.0
#37 0x40678f3a in ?? () from /usr/lib/libgtk-1.2.so.0
#38 0x4053ce49 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libwidget_gtk.so
#39 0x403a6c81 in ?? () from /home/sspitzer/MOZILLA/06.20.1999/09.22/mozilla/dist/bin/libnsappshell.so
#40 0x804a7f7 in main1 (argc=1, argv=0xbffff9e4) at nsAppRunner.cpp:555
#41 0x804a915 in main (argc=1, argv=0xbffff9e4) at nsAppRunner.cpp:578
#42 0x4027acb3 in ?? () from /lib/libc.so.6
note, if I do the same thing, except change "./mozilla-apprunner.sh -mail" instead of plain "./mozilla-apprunner.sh" I don't get this crash.
*** Bug 13633 has been marked as a duplicate of this bug. ***
adding alecf to the cc list. wild guess: we are supposed to be passing in a nsIPref* when we call nsPresContext::Init(). perhaps we aren't calling Init() when we should, or we aren't passing in a valid nsIPref*?
ignore my guess. I just stepped through in the debugger, and Init() looks like it's getting called with a valid prefs.
I think troy fixed this. See bug 13780.
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → DUPLICATE
*** This bug has been marked as a duplicate of 13780 ***
Status: RESOLVED → VERIFIED
Based on troy's comments, Marking as verified duplicate of 13780.