Closed Bug 165867 Opened 22 years ago Closed 22 years ago

crash when visit URL: www.sina.com.cn - Trunk [@ nsBrowserStatusFilter::ProcessTimeout]

Categories

(SeaMonkey :: UI Design, defect)

x86
All
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: leon.zhang, Assigned: jag+mozilla)

Details

(Keywords: crash, topcrash+)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; zh-CN; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; zh-CN; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1

When visiting the website www.sina.com.cn, Mozilla sometimes crashes.
trunk: 20020819

Function call stack at the time of the crash:
nsBrowserStatusFilter::ProcessTimeout() line 289 + 12 bytes
nsBrowserStatusFilter::TimeoutHandler(nsITimer * 0x0506e9b8, void * 0x03af1ac0) line 308
nsTimerImpl::Fire() line 337 + 17 bytes
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x017d08e8) line 579
nsAppShell::Run(nsAppShell * const 0x017a14b0) line 156
nsAppShellService::Run(nsAppShellService * const 0x017c6a38) line 452
main1(int 1, char * * 0x002d6ef8, nsISupports * 0x00000000) line 1509 + 32 bytes
main(int 1, char * * 0x002d6ef8) line 1873 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e77d08()


Crash point in the code:
at the **** marker in the code below

void
nsBrowserStatusFilter::ProcessTimeout()
{
    if (!mListener)
        return;

    if (mDelayedStatus) {
        mDelayedStatus = PR_FALSE;
        mListener->OnStatusChange(nsnull, nsnull, 0, mStatusMsg.get());
    }

    if (mDelayedProgress) {
        mDelayedProgress = PR_FALSE;
****        mListener->OnProgressChange(nsnull, nsnull, 0, 0, mCurProgress,
                                    mMaxProgress);
    }
}

The values of the variables:
1) mListener->mRawPtr: 0xdddddddd (invalid memory pointer!)
2) mDelayedStatus: PR_TRUE --> PR_FALSE

Reproducible: Sometimes

Steps to Reproduce:
1. Visit www.sina.com.cn
2. The crash often happens, but not always.
3. If it does not happen, reload again.

Actual Results:  
crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Sorry, the crash point should be located at the line indicated below:

void
nsBrowserStatusFilter::ProcessTimeout()
{
    if (!mListener)
        return;

    if (mDelayedStatus) {
        mDelayedStatus = PR_FALSE;
****     mListener->OnStatusChange(nsnull, nsnull, 0, mStatusMsg.get());
^^^^^^^^^^Crash here!!!!
    }

    if (mDelayedProgress) {
        mDelayedProgress = PR_FALSE;
        mListener->OnProgressChange(nsnull, nsnull, 0, 0, mCurProgress,
                                    mMaxProgress);
    }
}
Adding topcrash+ and testcase keywords since it looks like the reporter has been
able to reproduce this crash at http://www.sina.com.cn .  

According to Talkback data, this is a current topcrasher on the Trunk for Linux
and Windows:

Rank    StackSignature    Count  

15   nsBrowserStatusFilter::ProcessTimeout   13 

 
 	Source File :
/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
line : 290
 
====================================================================================================
     Count   Offset    Real Signature
[ 4   nsBrowserStatusFilter::ProcessTimeout() 924a1f36 -
nsBrowserStatusFilter::ProcessTimeout() ]
 
     Crash date range: 2002-08-31 to 2002-09-02
     Min/Max Seconds since last crash: 265 - 7488
     Min/Max Runtime: 7488 - 47533
     Keyword List :  
     Count   Platform List 
     4   Linux 2.4.19   
 
     Count   Build Id List 
     4   2002083005
 
     No of Unique Users         1
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout()
[/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
 line 289] 
	 nsBrowserStatusFilter::TimeoutHandler()
[/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
 line 308] 
	 nsTimerImpl::Fire()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 341] 
	 handleTimerEvent()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 399] 
	 PL_HandleEvent()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c  line 643] 
	 PL_ProcessEventsBeforeID()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c  line 1540] 
	 processQueue()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 448] 
	 nsVoidArray::EnumerateForwards()
[/builds/client/linux22/seamonkey/mozilla/xpcom/ds/nsVoidArray.cpp  line 660] 
	 nsAppShell::ProcessBeforeID()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 456] 
	 handle_gdk_event()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsGtkEventHandler.cpp 
line 926] 
	 libgdk-1.2.so.0 + 0x19075 (0x4039d075)  
	 libglib-1.2.so.0 + 0x12ad0 (0x403d0ad0)  
	 libglib-1.2.so.0 + 0x12fb9 (0x403d0fb9)  
	 libglib-1.2.so.0 + 0x13254 (0x403d1254)  
	 libgtk-1.2.so.0 + 0xa880e (0x402d280e)  
	 nsAppShell::Run()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 334] 
	 nsAppShellService::Run()
[/builds/client/linux22/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp
 line 472] 
	 main1()
[/builds/client/linux22/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line
1889] 
	 main()
[/builds/client/linux22/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line
1877] 
	 libc.so.6 + 0x18602 (0x40545602)   
 
 
====================================================================================================
     Count   Offset    Real Signature
[ 2   nsBrowserStatusFilter::ProcessTimeout() c0b545a1 -
nsBrowserStatusFilter::ProcessTimeout() ]
 
     Crash date range: 2002-09-07 to 2002-09-08
     Min/Max Seconds since last crash: 6304 - 28792
     Min/Max Runtime: 7863 - 28792
     Keyword List :  
     Count   Platform List 
     2   Linux 2.4.19   
 
     Count   Build Id List 
     1   2002090721
     1   2002090622
 
     No of Unique Users         2
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout()
[/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
 line 290] 
	 nsBrowserStatusFilter::TimeoutHandler()
[/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
 line 309] 
	 nsTimerImpl::Fire()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 368] 
	 handleTimerEvent()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 431] 
	 PL_HandleEvent()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c  line 643] 
	 PL_ProcessEventsBeforeID()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c  line 1540] 
	 processQueue()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 448] 
	 nsVoidArray::EnumerateForwards()
[/builds/client/linux22/seamonkey/mozilla/xpcom/ds/nsVoidArray.cpp  line 660] 
	 nsAppShell::ProcessBeforeID()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 456] 
	 handle_gdk_event()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsGtkEventHandler.cpp 
line 926] 
	 libgdk-1.2.so.0 + 0x19075 (0x4039e075)  
	 libglib-1.2.so.0 + 0x12ad0 (0x403d1ad0)  
	 libglib-1.2.so.0 + 0x12fb9 (0x403d1fb9)  
	 libglib-1.2.so.0 + 0x13254 (0x403d2254)  
	 libgtk-1.2.so.0 + 0xa880e (0x402d380e)  
	 nsAppShell::Run()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 334] 
	 nsAppShellService::Run()
[/builds/client/linux22/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp
 line 472] 
	 main1()
[/builds/client/linux22/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line
1880] 
	 main()
[/builds/client/linux22/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line
1868] 
	 libc.so.6 + 0x18602 (0x40547602)   
 
 
====================================================================================================
     Count   Offset    Real Signature
[ 1   nsBrowserStatusFilter::ProcessTimeout() 89b8222c -
nsBrowserStatusFilter::ProcessTimeout() ]
 
     Crash date range: 2002-09-06 to 2002-09-06
     Min/Max Seconds since last crash: 15140 - 15140
     Min/Max Runtime: 19589 - 19589
     Keyword List :  
     Count   Platform List 
     1   Linux 2.4.19   
 
     Count   Build Id List 
     1   2002090522
 
     No of Unique Users         1
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout()
[/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
 line 294] 
	 nsBrowserStatusFilter::TimeoutHandler()
[/builds/client/linux22/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
 line 308] 
	 nsTimerImpl::Fire()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 341] 
	 handleTimerEvent()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 399] 
	 PL_HandleEvent()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c  line 643] 
	 PL_ProcessEventsBeforeID()
[/builds/client/linux22/seamonkey/mozilla/xpcom/threads/plevent.c  line 1540] 
	 processQueue()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 448] 
	 nsVoidArray::EnumerateForwards()
[/builds/client/linux22/seamonkey/mozilla/xpcom/ds/nsVoidArray.cpp  line 660] 
	 nsAppShell::ProcessBeforeID()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 456] 
	 handle_gdk_event()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsGtkEventHandler.cpp 
line 926] 
	 libgdk-1.2.so.0 + 0x19075 (0x4039e075)  
	 libglib-1.2.so.0 + 0x12ad0 (0x403d1ad0)  
	 libglib-1.2.so.0 + 0x12fb9 (0x403d1fb9)  
	 libglib-1.2.so.0 + 0x13254 (0x403d2254)  
	 libgtk-1.2.so.0 + 0xa880e (0x402d380e)  
	 nsAppShell::Run()
[/builds/client/linux22/seamonkey/mozilla/widget/src/gtk/nsAppShell.cpp  line 334] 
	 nsAppShellService::Run()
[/builds/client/linux22/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp
 line 472] 
	 main1()
[/builds/client/linux22/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line
1880] 
	 main()
[/builds/client/linux22/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line
1868] 
	 libc.so.6 + 0x18602 (0x40546602)   
 
 
====================================================================================================
     Count   Offset    Real Signature
[ 1   nsBrowserStatusFilter::ProcessTimeout ef49b342 -
nsBrowserStatusFilter::ProcessTimeout ]
[ 1   nsBrowserStatusFilter::ProcessTimeout dcc164ed -
nsBrowserStatusFilter::ProcessTimeout ]
 
     Crash date range: 2002-08-30 to 2002-09-05
     Min/Max Seconds since last crash: 7218 - 25993
     Min/Max Runtime: 7218 - 189078
     Keyword List :  
     Count   Platform List 
     1   Windows NT 4.0 build 1381
     1   Windows 98 4.90 build 73010104
 
     Count   Build Id List 
     1   2002083008
     1   2002083004
 
     No of Unique Users         2
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout
[c:/builds/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp  line 287] 
	 nsTimerManager::FireNextIdleTimer
[c:/builds/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp  line 579] 
	 nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp  line 472] 
	 main1	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1529]  
 
     (10104781)	Comments: Just after I send a pop-up ad flying
 
====================================================================================================
     Count   Offset    Real Signature
[ 1   nsBrowserStatusFilter::ProcessTimeout e02c3db7 -
nsBrowserStatusFilter::ProcessTimeout ]
[ 1   nsBrowserStatusFilter::ProcessTimeout 9d53056b -
nsBrowserStatusFilter::ProcessTimeout ]
 
     Crash date range: 2002-09-02 to 2002-09-05
     Min/Max Seconds since last crash: 65 - 24989
     Min/Max Runtime: 31614 - 127497
     Keyword List :  
     Count   Platform List 
     1   Windows 98 4.10 build 67766446
     1   Windows 95 4.0 build 67306684
 
     Count   Build Id List 
     1   2002090208
     1   2002083008
 
     No of Unique Users         2
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout
[c:/builds/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp  line 292] 
	 nsTimerImpl::Fire	[c:/builds/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp 
line 338] 
	 USER32.DLL + 0x4d8d (0xbff64d8d)  
	 nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp  line 472] 
	 main1	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1529] 
	 main	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1880] 
	 WinMain	[c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp  line 1898] 
	 WinMainCRTStartup()  
	 KERNEL32.DLL + 0x19349 (0xbff89349)  
	 KERNEL32.DLL + 0x191fb (0xbff891fb)  
	 KERNEL32.DLL + 0x17c38 (0xbff87c38)   
 
     (10249183)	Comments: ARRRAAAAAGGGG!!!!!!
 
====================================================================================================
     Count   Offset    Real Signature
[ 1   nsBrowserStatusFilter::ProcessTimeout cea8ef28 -
nsBrowserStatusFilter::ProcessTimeout ]
 
     Crash date range: 2002-09-04 to 2002-09-04
     Min/Max Seconds since last crash: 2491 - 2491
     Min/Max Runtime: 8827 - 8827
     Keyword List :  
     Count   Platform List 
     1   Windows 98 4.10 build 67766446
 
     Count   Build Id List 
     1   2002090308
 
     No of Unique Users         1
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout
[c:/builds/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp  line 287]  
 
 
====================================================================================================
     Count   Offset    Real Signature
[ 1   nsBrowserStatusFilter::ProcessTimeout 5415a327 -
nsBrowserStatusFilter::ProcessTimeout ]
 
     Crash date range: 2002-09-07 to 2002-09-07
     Min/Max Seconds since last crash: 43140 - 43140
     Min/Max Runtime: 43140 - 43140
     Keyword List :  
     Count   Platform List 
     1   Windows 98 4.10 build 67766446
 
     Count   Build Id List 
     1   2002090604
 
     No of Unique Users         1
 
 Stack trace(Frame) 

	 nsBrowserStatusFilter::ProcessTimeout
[c:/builds/seamonkey/mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp  line 296] 
	 nsTimerImpl::Fire	[c:/builds/seamonkey/mozilla/xpcom/threads/nsTimerImpl.cpp 
line 338] 
	 USER32.DLL + 0x580d (0xbfc0580d)  
	 0x0065006c   
Keywords: testcase, topcrash+
OS: Windows 2000 → All
Summary: crash when visit URL: www.sina.com.cn → crash when visit URL: www.sina.com.cn - Trunk [@ nsBrowserStatusFilter::ProcessTimeout]
cc'ing dougt and jaggernaut since it looks like both of them have worked with
nsBrowserStatusFilter.cpp recently.  maybe one of them can shed some light on
this crash.

wasn't sure what component to pick or the right owner, so i'll leave it up to
someone who knows.
I have only touched this file on and after Sept 6.  This bug was written up
prior to that date.

Looking at the code, this crash can occur if ProcessTimeout is ever called on a
non UI thread.  You will race with AddProgressListener in that case.
Taking
Assignee: asa → jaggernaut
Component: Browser-General → XP Apps
Humm, I think this has a straightforward fix. The line of code
mDelayedStatus = PR_FALSE;
needs to be added to
nsBrowserStatusFilter::RemoveProgressListener
and probably also to
nsBrowserStatusFilter::AddProgressListener
Whenever a listener comes or goes, we need to start from the not-delayed state.
Sam: I don't quite see how that fixes this crash.

When you RemoveProgressListener, |mListener = nsnull;|

Then in ProcessTimeout we do |if (!mListener) return;|

darin and I looked at this and we suspect that the timer is executing the
callback function after the filter object has been destroyed. I'm going to try
cancelling the timer from the destructor.
jag and i looked at this and the problem is that the timer "subsystem" doesn't
own a reference back to the nsBrowserStatusFilter object.  as a result, the
object can be destroyed before the timer fires, and the timer callback will
attempt to dereference a junk memory address.  the patch is trivial... we just
need to call Cancel on mTimer from ~nsBrowserStatusFilter.  jag said he would
write up the patch.
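The lifetime problem described in the comment above, modelled as an added C++ example; it is not code from the Mozilla tree or from the attached patch. `TimerQueue`, `StatusFilter`, `ArmedAfterDestroy` and `DeliveredWhileAlive` are hypothetical stand-ins, and the unfixed case only counts the dangling timer without ever firing it.

```cpp
#include <cstddef>
#include <map>

// Hypothetical timer subsystem: keeps a raw closure pointer, owns no reference.
class TimerQueue {
public:
    typedef void (*Callback)(void* closure);
    int Arm(Callback cb, void* closure) { mArmed[mNextId] = Entry{cb, closure}; return mNextId++; }
    void Cancel(int id) { mArmed.erase(id); }
    std::size_t Pending() const { return mArmed.size(); }
    void FireAll() {  // one-shot timers: run each armed callback once
        std::map<int, Entry> due;
        due.swap(mArmed);
        for (auto& kv : due) kv.second.cb(kv.second.closure);
    }
private:
    struct Entry { Callback cb; void* closure; };
    std::map<int, Entry> mArmed;
    int mNextId = 1;
};

// Simplified model of the filter: arms a timer with `this` as the closure.
class StatusFilter {
public:
    StatusFilter(TimerQueue& q, int* delivered, bool cancelInDtor)
        : mQueue(q), mDelivered(delivered), mCancelInDtor(cancelInDtor),
          mTimerId(q.Arm(&StatusFilter::TimeoutHandler, this)) {}
    // The fix discussed in the bug: cancel the timer when the object dies.
    ~StatusFilter() { if (mCancelInDtor) mQueue.Cancel(mTimerId); }
private:
    static void TimeoutHandler(void* c) { ++*static_cast<StatusFilter*>(c)->mDelivered; }
    TimerQueue& mQueue;
    int* mDelivered;
    bool mCancelInDtor;
    int mTimerId;
};

// Timers still armed after the filter is gone. Anything above 0 is a
// dangling closure pointer; it is deliberately never fired here.
std::size_t ArmedAfterDestroy(bool cancelInDtor) {
    TimerQueue q;
    int delivered = 0;
    { StatusFilter f(q, &delivered, cancelInDtor); }
    return q.Pending();
}

// Live object: the callback is delivered exactly once.
int DeliveredWhileAlive() {
    TimerQueue q;
    int delivered = 0;
    StatusFilter f(q, &delivered, true);
    q.FireAll();
    return delivered;
}
```

Without the cancel, one timer stays armed against a destroyed object, which is the state in which the reported callback dereferenced freed memory.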
Can we get this fixed ASAP?  Thanks,

/be
I haven't been able to crash my browser on this site, but I hope this patch
fixes it. leon.zhang, can you apply this patch and see if it fixes the problem
for you?
Comment on attachment 99262
Cancel timer when filter object is destroyed.

r/sr=darin
Attachment #99262 - Flags: superreview+
Comment on attachment 99262
Cancel timer when filter object is destroyed.

r=peterv
Attachment #99262 - Flags: review+
This looks like it is also a problem on the 1.0 branch, right?
If so, we need to get this checked in there too.
Not really, since this hasn't been landed on the 1.0.x branch yet
http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/xpfe/browser/src/nsBrowserStatusFilter.cpp
shows that this is already checked in. marking FIXED.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Reopening. We don't know for sure that this patch fixes the problem. Thanks for
trying to help out, though.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
It seems to have fixed the crash (no more talkback reports for this stack since
the checkin).
Status: REOPENED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Product: Core → Mozilla Application Suite
Keywords: testcase
Crash Signature: [@ nsBrowserStatusFilter::ProcessTimeout]