Closed Bug 14775 Opened 25 years ago Closed 25 years ago

[PP][BLOCKER] Crash removing delete observer when closing windows

Categories

(Core :: XUL, defect, P1)

PowerPC
Mac System 8.5

VERIFIED FIXED

People

(Reporter: sfraser_bugs, Assigned: pierre)

Details

(Whiteboard: Fix in hand)

There are a number of different situations that seem to cause this or a similar
crash, when closing windows. One reproducible case is:
1. Start apprunner in the editor.
2. Type stuff.
3. Choose Quit menu item.
4. Click the Don't Save button. Now you'll crash.

Stack looks like:
 Calling chain using A6/R1 links
  Back chain  ISA  Caller
  00000000    PPC  1FB3D680
  0BA3A540    PPC  1FB39DE8  main+0013C
  0BA3A4D0    PPC  1FB3998C  main1(int, char**)+004C4
  0BA3A3D0    PPC  1E4F9620  nsAppShellService::Run()+00020
  0BA3A390    PPC  1E2E1298  nsAppShell::Run()+00050
  0BA3A310    PPC  1E2E203C  nsMacMessagePump::DoMessagePump()+00044
  0BA3A2C0    PPC  1E2E2240  nsMacMessagePump::DispatchEvent(int, EventRecord*)+
00084
  0BA3A270    PPC  1E2E24F8  nsMacMessagePump::DoMouseDown(EventRecord&)+00084
  0BA3A180    PPC  1E2E2E28  nsMacMessagePump::DoMenu(EventRecord&, long)+0004C
  0BA3A140    PPC  1E2E3140
nsMacMessagePump::DispatchMenuCommandToRaptor(EventRecord&, long
)+00050
  0BA3A100    PPC  1E2DC6DC  nsMacMessageSink::DispatchMenuCommand(EventRecord&,
long)+00050
  0BA3A0C0    PPC  1E2D5B20  nsMacWindow::HandleMenuCommand(EventRecord&, long)+
00054
  0BA3A060    PPC  1E2D650C  nsMacEventHandler::HandleMenuCommand(EventRecord&,
long)+001D4
  0BA39FA0    PPC  1E2BDE7C  nsWindow::DispatchWindowEvent(nsGUIEvent&)+00028
  0BA39F60    PPC  1E2BDD68  nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&
)+00088
  0BA39F10    PPC  1E2CD47C  nsMenuBar::MenuSelected(const nsMenuEvent&)+0009C
  0BA39EC0    PPC  1E2C86C0  nsMenu::MenuItemSelected(const nsMenuEvent&)+002AC
  0BA39CC0    PPC  1E2CFB88  nsMenuItem::MenuItemSelected(const nsMenuEvent&)+
00050
  0BA39C80    PPC  1E2D03C8  nsMenuItem::DoCommand()+0063C
  0BA39B70    PPC  1E2539E4  RDFElementImpl::HandleDOMEvent(nsIPresContext&,
nsEvent*, nsIDOM
Event**, unsigned int, nsEventStatus&)+00480
  0BA39A30    PPC  1C5E6CEC  nsEventListenerManager::HandleEvent(nsIPresContext&,
nsEvent*, n
sIDOMEvent**, unsigned int, nsEventStatus&)+01780
  0BA398E0    PPC  1D6FB8C0  nsJSEventListener::HandleEvent(nsIDOMEvent*)+001AC
  0BA397C0    PPC  1D67FD6C  nsJSContext::CallFunction(void*, void*, unsigned
int, void*, int
*)+002B4
  0BA396F0    PPC  1D602E48  JS_CallFunction+00044
  0BA396B0    PPC  1D620748  js_InternalCall+000CC
  0BA39600    PPC  1D62049C  js_Invoke+00974
  0BA39500    PPC  1D629388  js_Interpret+082FC
  0BA39180    PPC  1D62049C  js_Invoke+00974
  0BA39080    PPC  1D629388  js_Interpret+082FC
  0BA38D00    PPC  1D620438  js_Invoke+00910
  0BA38C00    PPC  1CA40CE4  WrappedNative_CallMethod(JSContext*, JSObject*,
unsigned int, lo
ng*, long*)+00170
  0BA38B80    PPC  1CA3EE38
nsXPCWrappedNativeClass::CallWrappedMethod(JSContext*, nsXPCWrap
pedNative*, const XPCNativeMemberDescriptor*, nsXPCWrappedNativeClass::CallMode,
unsigned int
, long*, long*)+00E00
  0BA38950    PPC  1D7DAEA0  XPTC_InvokeByIndex+0002C
  0BA38910    PPC  1D7DAFA8  _XPTC_InvokeByIndex+000C8
  0BA3886C    PPC  1E1A1918  nsEditorShell::Exit()+00084
  0BA3881C    PPC  1E4F989C  nsAppShellService::Quit()+00234
  0BA3875C    PPC  1D695870  GlobalWindowImpl::Close()+00038
  0BA3871C    PPC  1E4FC884  nsWebShellWindow::Close()+00038
  0BA386CC    PPC  1E4D9548  nsWebShell::Destroy()+001FC
  0BA3863C    PPC  1E4D785C  nsWebShell::DestroyChildren()+0006C
  0BA385EC    PPC  1E4D9534  nsWebShell::Destroy()+001E8
  0BA3855C    PPC  1C809EDC  DocumentViewerImpl::Release()+00070
  0BA3851C    PPC  1C80A204  DocumentViewerImpl::~DocumentViewerImpl()+000C0
  0BA384BC    PPC  1D691C74  GlobalWindowImpl::SetNewDocument(nsIDOMDocument*)+
00218
  0BA383CC    PPC  1D6807B0  nsJSContext::GC()+00018
  0BA3838C    PPC  1D5FDB5C  JS_GC+00048
  0BA3834C    PPC  1D61E560  js_ForceGC+0003C
  0BA3830C    PPC  1D61EC0C  js_GC+00668
  0BA3824C    PPC  1D633EF8  js_FinalizeObject+000E8
  0BA381FC    PPC  1D7486F8  FinalizeUIEvent(JSContext*, JSObject*)+0001C
  0BA381BC    PPC  1D72A788  nsJSUtils::nsGenericFinalize(JSContext*, JSObject*)+
000A0
  0BA3816C    PPC  1C5E0F9C  nsDOMEvent::Release()+00070
  0BA3812C    PPC  1C5E0DB0  nsDOMEvent::~nsDOMEvent()+00058
  0BA380EC    PPC  1C52D2DC  nsPresContext::Release()+0006C
  0BA380AC    PPC  1C52C530  GalleyContext::~GalleyContext()+00030
  0BA3806C    PPC  1C52D108  nsPresContext::~nsPresContext()+001F8
  0BA3801C    PPC  1C5E7728  nsEventStateManager::Release()+00070
  0BA37FDC    PPC  1C5E75AC  nsEventStateManager::~nsEventStateManager()+001A8
  0BA37F9C    PPC  1E2D15E4  nsBaseWidget::Release()+00070
  0BA37F5C    PPC  1E2EC9DC  nsChildWindow::~nsChildWindow()+0003C
  0BA37F1C    PPC  1E2BAC14  nsWindow::~nsWindow()+00268

The crash happens in nsMacEventHandler::~nsMacEventHandler(), when calling
RemoveDeleteObserver  on mLastWidgetPointed.
Severity: normal → critical
Priority: P3 → P1
Summary: Crash removing delete observer when closing windows → [PP][BLOCKER] Crash removing delete observer when closing windows
OK, it looks like this crash happens when closing the hidden window. davidm?
Target Milestone: M11
M11
Status: NEW → ASSIGNED
Don Cone found the same crash with drop-down lists. It's very likely to come from
a memory leak: the DeleteObserver easily crashes when the objects are not
refCounted correctly. We are both working on it.
I think I see where it comes from. It's not a memory leak: it seems to be related
to the delete of the nsMacWindow that owns the nsMacEventHandler when the
nsMacWindow itself is the 'lastWidgetPointed'. I'll grab something to eat and fix
it when I come back.
Whiteboard: fix in hand
I have a fix. I'll ask tomorrow if it can be checked in for M10.
*** Bug 14517 has been marked as a duplicate of this bug. ***
Whiteboard: fix in hand
Yuchh! The fix doesn't work in all the test cases.
I'm seeing this too, when running "Mozilla Installer"

additional stack trace coming soon...
to reproduce my crash with "Mozilla Installer"

remove your Mozilla Registry
remove your Users50 directory
double click on "Mozilla Installer", it will bring up the Profile Manager
migrate a 4.x account, by selecting it, and then hitting start.
hitting start should bring up a small progress dialog window, which should
automatically close when migration is done.  the Profile Manager should go away,
too.
click on the browser window that comes up.
I have a temporary fix. In nsMacEventHandler::~nsMacEventHandler() and
nsMacEventHandler::NotifyDelete(void* aDeletedObject), do:
		mLastWidgetPointed = nsnull;
		mLastWidgetHit = nsnull;

I don't like it very much because I don't fully understand why my other fix
doesn't work but if you want a solution, here it is. It should be fairly safe:
the only side-effects I see are in cases where you click on a widget, then drag
and point another one and if one of these 2 widgets (or their parent window) is
deleted, you may lose a MOUSE_EXIT or a MOUSE_UP event in the remaining widget.
In the comment above, I should have written "if one of these 2 widgets (or their
parent window) is deleted ***while you are still dragging the mouse***"... It's
unlikely to happen, except in trees where folders can spring open like in the
MacOS.
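
The delete-observer bookkeeping discussed in the comments above, as an added C++ sketch that is not Mozilla's code. Only mLastWidgetPointed, mLastWidgetHit, NotifyDelete and RemoveDeleteObserver are names from this bug; the classes, setters and AddDeleteObserver are assumptions, and the sketch clears only the slot that matches the deleted object rather than resetting both.

```cpp
#include <algorithm>
#include <vector>
// Simplified model of the delete-observer pattern (assumed names, not Mozilla's classes).
struct DeleteObserver {
    virtual void NotifyDelete(void* aDeletedObject) = 0;
    virtual ~DeleteObserver() = default;
};

class Widget {
    std::vector<DeleteObserver*> mObservers;
public:
    void AddDeleteObserver(DeleteObserver* o) { mObservers.push_back(o); }
    void RemoveDeleteObserver(DeleteObserver* o) {
        mObservers.erase(std::remove(mObservers.begin(), mObservers.end(), o), mObservers.end());
    }
    int ObserverCount() const { return static_cast<int>(mObservers.size()); }
    ~Widget() { for (DeleteObserver* o : mObservers) o->NotifyDelete(this); }
};

class EventHandler : public DeleteObserver {
    Widget* mLastWidgetPointed = nullptr;  // raw, non-owning
    Widget* mLastWidgetHit = nullptr;      // raw, non-owning
    void Set(Widget*& slot, Widget* w) {
        Widget* old = slot; slot = w;
        if (w) { w->RemoveDeleteObserver(this); w->AddDeleteObserver(this); }  // register once
        if (old && old != mLastWidgetPointed && old != mLastWidgetHit)
            old->RemoveDeleteObserver(this);  // no slot refers to it any more
    }
public:
    void SetLastWidgetPointed(Widget* w) { Set(mLastWidgetPointed, w); }
    void SetLastWidgetHit(Widget* w) { Set(mLastWidgetHit, w); }
    Widget* LastWidgetPointed() const { return mLastWidgetPointed; }
    Widget* LastWidgetHit() const { return mLastWidgetHit; }
    void NotifyDelete(void* aDeletedObject) override {  // forget the dying widget
        if (mLastWidgetPointed == aDeletedObject) mLastWidgetPointed = nullptr;
        if (mLastWidgetHit == aDeletedObject) mLastWidgetHit = nullptr;
    }
    ~EventHandler() override {  // only live widgets remain cached; unregister from them
        Set(mLastWidgetPointed, nullptr);
        Set(mLastWidgetHit, nullptr);
    }
};

int main() {  // widget dies first: the handler must forget it
    EventHandler handler;
    Widget* w = new Widget;
    handler.SetLastWidgetPointed(w);
    delete w;
    return handler.LastWidgetPointed() == nullptr ? 0 : 1;
}
```

Either object may be destroyed first: a dying widget clears the handler's cached pointer, and a dying handler unregisters from every widget it still tracks.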
*** Bug 14600 has been marked as a duplicate of this bug. ***
QA Contact: beppe → sujay
stack crawl after trying to create a new profile on Mac build 1999029

Calling chain using A6/R1 links
  Back chain  ISA  Caller
  00000000    PPC  0AEC6208
  031FB980    PPC  0AEC3558  main+00114
  031FB910    PPC  0AEC321C  main1(int, char**)+00628
  031FB790    PPC  0AC50A3C  nsAppShellService::Run()+00018
  031FB750    PPC  0AC0882C  nsAppShell::Run()+00038
  031FB6D0    PPC  0AC09320  nsMacMessagePump::DoMessagePump()+0003C
  031FB680    PPC  0AC095D8  nsMacMessagePump::DispatchEvent(int,
EventRecord*)+00158
  031FB630    PPC  0AE4346C  Repeater::DoRepeaters(const
EventRecord&)+00030
  031FB5F0    PPC  0ABEC9E4  nsToolkit::RepeatAction(const
EventRecord&)+00048
  031FB5A0    PPC  0ADD7C14
nsEventQueueServiceImpl::ProcessEvents()+00020
  031FB560    PPC  0ADD3790  nsHashtable::Enumerate(int (*)(nsHashKey*,
void*, void*), void*)
+00024
  031FB520    PPC  0AE4A7F4  PL_HashTableEnumerateEntries+00060
  031FB4B0    PPC  0ADD30B4  _hashEnumerate(PLHashEntry*, int,
void*)+00024
  031FB470    PPC  0ADD7B84  EventDispatchingFunc(nsHashKey*, void*,
void*)+0002C
  031FB430    PPC  0ADE9778
nsEventQueueImpl::ProcessPendingEvents()+00010
  031FB3F0    PPC  0AE49BE8  PL_ProcessPendingEvents+00078
  031FB3A0    PPC  0AE49C88  PL_HandleEvent+00028
  031FB360    PPC  0AA589FC
nsStreamListenerEvent::HandlePLEvent(PLEvent*)+00024
  031FB310    PPC  0AA59728
nsOnDataAvailableEvent::HandleEvent()+00034
  031FB2C0    PPC  0A42DA0C
nsHTTPResponseListener::OnDataAvailable(nsIChannel*, nsISupports
*, nsIInputStream*, unsigned int, unsigned int)+00170
  031FB240    PPC  0A42E97C
nsHTTPResponseListener::FinishedResponseHeaders()+0004C
  031FB1F0    PPC  0ADA4F18
nsChannelListener::OnStartRequest(nsIChannel*, nsISupports*)+002
80
  031FB020    PPC  0ADA4168
nsDocumentBindInfo::OnStartRequest(nsIChannel*, nsISupports*)+00
198
  031FAFB0    PPC  0ADA7874  nsWebShell::Embed(nsIContentViewer*, const
char*, nsISupports*)+
00034
  031FAF40    PPC  0A937AC8  DocumentViewerImpl::Release()+00038
  031FAF00    PPC  0A937DCC
DocumentViewerImpl::~DocumentViewerImpl()+00080
  031FAEA0    PPC  0ACE5514
GlobalWindowImpl::SetNewDocument(nsIDOMDocument*)+0021C
  031FAD90    PPC  0ACD7D88  nsJSContext::GC()+00010
  031FAD50    PPC  0AC70EE0  JS_GC+00048
  031FAD10    PPC  0AC8B950  js_ForceGC+00028
  031FACD0    PPC  0AC8BE44  js_GC+004B4
  031FAC50    PPC  0AC9AD68  js_FinalizeObject+00080
  031FAC00    PPC  0AD77068  FinalizeUIEvent(JSContext*,
JSObject*)+0000C
  031FABC0    PPC  0AD5F138  nsJSUtils::nsGenericFinalize(JSContext*,
JSObject*)+00088
  031FAB70    PPC  0A74F464  nsDOMEvent::Release()+00038
  031FAB30    PPC  0A74F320  nsDOMEvent::~nsDOMEvent()+00050
  031FAAE0    PPC  0A6BC49C  nsPresContext::Release()+00030
  031FAAA0    PPC  0A6BBA84  GalleyContext::~GalleyContext()+0002C
  031FAA60    PPC  0A6BC344  nsPresContext::~nsPresContext()+00120
  031FAA00    PPC  0ADDAF00  nsCOMPtr_base::~nsCOMPtr_base()+00030
  031FA9C0    PPC  0A7551AC  nsEventStateManager::Release()+00038
  031FA980    PPC  0A7550C0
nsEventStateManager::~nsEventStateManager()+0017C
  031FA940    PPC  0ABFB290  nsBaseWidget::Release()+00038
  031FA900    PPC  0AC11644  nsChildWindow::~nsChildWindow()+00034
  031FA8C0    PPC  0ABE8BAC  nsWindow::~nsWindow()+00198
 Return addresses on the stack
  Stack Addr  Frame Addr   ISA   Caller
   031FABC8                PPC   0AD77068 FinalizeUIEvent(JSContext*,
JSObject*)+0000C
   031FABA4                68K   028ACEDA
   031FAB88    031FAB80    PPC   0AEAF4B8 free+00030
   031FAB78    031FAB70    PPC   0AD5F138
nsJSUtils::nsGenericFinalize(JSContext*, JSObject*)
+00088
   031FAB64                68K   028ACEDA
   031FAB38    031FAB30    PPC   0A74F464 nsDOMEvent::Release()+00038
   031FAB24    031FAB20    68K   028ACEDA
   031FAAF8    031FAAF0    PPC   0AC70B00 JS_free+00018
   031FAAE8    031FAAE0    PPC   0A74F320
nsDOMEvent::~nsDOMEvent()+00050
   031FAAD4                68K   028ACEDA
   031FAAB8    031FAAB0    PPC   0AEAF4B8 free+00030
   031FAAA8    031FAAA0    PPC   0A6BC49C
nsPresContext::Release()+00030
   031FAA78    031FAA70    PPC   0AE5E230 PR_Free+00014
   031FAA68    031FAA60    PPC   0A6BBA84
GalleyContext::~GalleyContext()+0002C
   031FAA28                68K   028ACEDA
   031FAA18    031FAA10    PPC   0AEAF4B8 free+00030
   031FAA08    031FAA00    PPC   0A6BC344
nsPresContext::~nsPresContext()+00120
   031FA9C8    031FA9C0    PPC   0ADDAF00
nsCOMPtr_base::~nsCOMPtr_base()+00030
   031FA99C                68K   028A426E
   031FA988    031FA980    PPC   0A7551AC
nsEventStateManager::Release()+00038
   031FA968    031FA960    PPC   0AC70B00 JS_free+00018
   031FA95C                68K   028A426E
   031FA948    031FA940    PPC   0A7550C0
nsEventStateManager::~nsEventStateManager()+0017C
   031FA938    031FA930    PPC   0AEAE610 operator delete(void*)+00014
   031FA92C                68K   031FA92E
   031FA928    031FA920    PPC   0AEAF4B8 free+00030
   031FA91C                68K   028A426E
   031FA908    031FA900    PPC   0ABFB290 nsBaseWidget::Release()+00038
   031FA8C8    031FA8C0    PPC   0AC11644
nsChildWindow::~nsChildWindow()+00034
   031FA8A8    031FA8A0    PPC   0AC8B84C gc_mark+00218
   031FA898    031FA890    PPC   0AEAE610 operator delete(void*)+00014
   031FA88C                68K   031FA88E
   031FA888    031FA880    PPC   0AEAE610 operator delete(void*)+00014
   031FA87C                68K   031FA87E
   031FA878    031FA870    PPC   0AC8B580 gc_mark_atom+00048
   031FA868    031FA860    PPC   0AC8B580 gc_mark_atom+00048
   031FA858    031FA850    PPC   0ABE8BAC nsWindow::~nsWindow()+00198
   031FA820                68K   031FA88E
   031FA818    031FA810    PPC   FFD5D114 DisposeRgn+0001C
   031FA7F8    031FA7F0    PPC   0AEAE610 operator delete(void*)+00014
 Displaying memory from 0
  00000000  FFC1 0000 FFC1 0000  001A BDC6 001A BDC8  *¡••*¡••••**••*»
  00000010  001A BDCA 001A BDCC  FFC0 3058 FFC0 305A  ••* ••*Ã*¿0X*¿0Z
 Closing log
chris, here is the nasty window.close() bug on the mac.
Target Milestone: M11 → M10
pierre, if it is humanly possible to get this fix into m10 we should try.
putting on the m10 radar to follow status.
A fix should be available tomorrow. The basic problem was that I had the
misconception that the nsToolkit was created once at startup (like the
nsAppShell) and passed to each top level window. Maybe that was true in early
ages.
I have a fix: it doesn't crash anymore with the Editor, the Installer or the
combo boxes. However, it did not fix the bug with zombie windows described in
#14146. That's a separate problem... I'll have a look.
Whiteboard: Fix in hand
I have a fix for the zombie windows too: WidgetToScreen and ScreenToWidget are
leaking the parent window when they go into recursion.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fixed
QA Contact: sujay → claudius
Status: RESOLVED → VERIFIED
QA Contact: claudius → paulmac
verified