Closed Bug 143835 Opened 23 years ago Closed 23 years ago

Trunk M1RC2 crashes changing skins [@ nsHashtable::Enumerate]

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: greer, Assigned: hyatt)

References

(
URL
)

Details

(Keywords: crash, qawanted, topcrash)

Crash Data

Attachments

(2 files)

Other comments
1.66 KB, text/plain
Details
proposed patch
558 bytes, patch
brendan
: review+
waterson
: superreview+
chofmann
: approval+
Details | Diff | Splinter Review
Crashes under this signature start showing up in M1RC1 and continue on the Trunk and into RC2. Users seem to have specific trouble with the Pinball theme. This one may belong to another component, possibly Themes. I haven't been able to reproduce it yet. Guessing 143710 is a dupe of this one. cc'ing reporter. Stack trace(Frame) nsHashtable::Enumerate [d:\builds\seamonkey\mozilla\xpcom\ds\nsHashtable.cpp line 362] nsBindingManager::FlushSkinBindings [d:\builds\seamonkey\mozilla\content\xbl\src\nsBindingManager.cpp line 1053] FlushSkinBindingsForWindow [d:\builds\seamonkey\mozilla\rdf\chrome\src\nsChromeRegistry.cpp line 1166] nsChromeRegistry::RefreshSkins [d:\builds\seamonkey\mozilla\rdf\chrome\src\nsChromeRegistry.cpp line 1185] XPTC_InvokeByIndex [d:\builds\seamonkey\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp line 106] XPCWrappedNative::CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp line 2027] XPC_WN_CallMethod [d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp line 1267] js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c line 790] js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c line 2744] js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c line 806] js_InternalInvoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c line 881] JS_CallFunctionValue [d:\builds\seamonkey\mozilla\js\src\jsapi.c line 3426] nsJSContext::CallEventHandler [d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp line 1019] nsJSEventListener::HandleEvent [d:\builds\seamonkey\mozilla\dom\src\events\nsJSEventListener.cpp line 182] nsEventListenerManager::HandleEventSubType [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp line 1218] nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp line 2210] nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp line 3461] PresShell::HandleDOMEventWithTarget [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6153] nsButtonBoxFrame::MouseClicked [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsButtonBoxFrame.cpp line 195] nsButtonBoxFrame::HandleEvent [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsButtonBoxFrame.cpp line 142] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6122] PresShell::HandleEventWithTarget [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6073] nsEventStateManager::CheckForAndDispatchClick [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp line 2634] nsEventStateManager::PostHandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp line 1715] PresShell::HandleEventInternal [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6126] PresShell::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 6028] nsViewManager::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp line 2076] nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 306] nsViewManager::DispatchEvent [d:\builds\seamonkey\mozilla\view\src\nsViewManager.cpp line 1887] HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp line 83] nsWindow::DispatchEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 869] nsWindow::DispatchWindowEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 886] nsWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4713] ChildWindow::DispatchMouseEvent [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 4968] nsWindow::ProcessMessage [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 3630] nsWindow::WindowProc [d:\builds\seamonkey\mozilla\widget\src\windows\nsWindow.cpp line 1131] USER32.dll + 0x3a5f (0x77d43a5f) USER32.dll + 0x3b2e (0x77d43b2e) USER32.dll + 0x3d6a (0x77d43d6a) USER32.dll + 0x41fd (0x77d441fd) nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 451] main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1473] main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1809] WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1827] WinMainCRTStartup() kernel32.dll + 0x1eb69 (0x77e7eb69) (6164753) Comments: Changing themes repeatedly from "little mozilla" to "pin ball" and back.. was trying to see if I could make the bad irc icon at bottom of browser go away.
Currently a topcrash on early returns of M1RC2.
Keywords: crash, qawanted, topcrash
Attached file Other comments
Other comments for reference, most pointing to theme changes.
cc'ing andre who seems interested in bug 143710. Also cc'ing pmac - Have you seen a recent crash problem changing themes - specifically "pinball"?
xbl for investigation.
Assignee: dougt → hyatt
Component: XPCOM → XBL
QA Contact: scc → ian
I uninstalled all third party themes to track down bug #143712, and while uninstalling the pinball theme, mozilla immediately crashed. After I restarted it, pinball theme seemed to have been completely uninstalled, though.
I reinstalled the pinball theme after having uninstalled it, and this time it didn't crash.
This looks like it just needs a null-check (mBindingTable is checked for null everywhere else), although I'm trying to get the disassembly/registers to double-check. This is the #4 topcrash in 1.0RC2.
from talkback Incident ID: 6254675: x86 Registers: EAX: 0012fc7c EBX: 611769d4 ECX: 00000000 EDX: 0012fcac ESI: 00000000 EDI: 611769a2 ESP: 00000007 EBP: ffffffff EIP: 00000000 cf PF af ZF sf of IF df nt RF vm IOPL: 0 CS: 001b DS: 0023 SS: 0023 ES: 0023 FS: 0038 GS: 0000
Incident ID: 6244968 The EIP register and the first line of Code Around the PC are red. x86 Registers: EAX: 0012fd4c EBX: 611769d4 ECX: 00000000 EDX: 0012fd7c ESI: 00000000 EDI: 611769a2 ESP: 0012fd44 EBP: 0012fd54 EIP: 6113a84a cf PF af ZF sf of IF df nt RF vm IOPL: 0 CS: 001b DS: 0023 SS: 0023 ES: 0023 FS: 0038 GS: 0000 Code Around the PC: 6113a84a 8b7e28 mov edi,[esi+0x28] 6113a84d 50 push eax 6113a84e 8d4608 lea eax,[esi+0x8] 6113a851 686fa81361 push 0x6113a86f 6113a856 50 push eax 6113a857 c7462801000000 mov dword ptr [esi+0x28],0x1 6113a85e e8bdca0300 call 61177320 6113a863 83c40c add esp,0xc 6113a866 897e28 mov [esi+0x28],edi 6113a869 5f pop edi
0x28 is the offset of mEnumerating in nsHashtable (assuming vtable pointer at start) and 0x8 the offset of mHashtable, so this looks exactly like the null check I suggested.
I'll r= in lieu of hyatt, who is on vacation. Cc'ing waterson for sr=. /be
Keywords: mozilla1.0+
Comment on attachment 83628 [details] [diff] [review] proposed patch sr=waterson. very old testament.
Comment on attachment 83628 [details] [diff] [review] proposed patch sr=waterson. very old testament.
Attachment #83628 - Flags: superreview+
Fix checked in to trunk, 2002-05-16 19:33 PDT.
Comment on attachment 83628 [details] [diff] [review] proposed patch a=chofmann,scc, valeksi for the 1.0 branch. check in dbaron!
Attachment #83628 - Flags: approval+
Fix checked in to branch, 2002-05-16 19:40 PDT.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
No longer blocks: 143200
Crash Signature: [@ nsHashtable::Enumerate]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: