[dogfood]Ctrl-W to close window crashes

VERIFIED FIXED in M12

Status

P2
critical
VERIFIED FIXED
19 years ago
6 years ago

People

(Reporter: warrensomebody, Assigned: danm.moz)

Tracking

Trunk
x86
Windows NT

Details

(Whiteboard: [PDT+])

(Reporter)

Description

19 years ago
I tried typing ctrl-W to close a window and got the following crash. The void
array was deleted 0xdddddddd:

nsVoidArray::Count() line 43 + 3 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x02b4e800, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 911 + 33 bytes
nsXULDocument::HandleDOMEvent(nsXULDocument * const 0x01b6fda0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 1738
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01e421c0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2576 + 39 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eebfa0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eebbf0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eeb8e0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x01eeb5d0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleChromeEvent(nsXULElement * const 0x01eeb5f4, nsIPresContext
* 0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 3489
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x022a4a24,
nsIPresContext * 0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 2975
nsDocument::HandleDOMEvent(nsDocument * const 0x02b4aad0, nsIPresContext *
0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f914, unsigned int
0x00000001, nsEventStatus * 0x0012fb14) line 2379
nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x02b4ef5c,
nsIPresContext * 0x02b4e800, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x00000000,
unsigned int 0x00000001, nsEventStatus * 0x0012fb14) line 192 + 41 bytes
PresShell::HandleEvent(PresShell * const 0x025dff64, nsIView * 0x025fcb10,
nsGUIEvent * 0x0012fba8, nsEventStatus * 0x0012fb14) line 2444 + 39 bytes
nsView::HandleEvent(nsView * const 0x025fcb10, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 841
nsView::HandleEvent(nsView * const 0x025f8320, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsView::HandleEvent(nsView * const 0x025de4c0, nsGUIEvent * 0x0012fba8, unsigned
int 0x0000001c, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsViewManager::DispatchEvent(nsViewManager * const 0x025de640, nsGUIEvent *
0x0012fba8, nsEventStatus * 0x0012fb14) line 1725
HandleEvent(nsGUIEvent * 0x0012fba8) line 69
nsWindow::DispatchEvent(nsWindow * const 0x025da284, nsGUIEvent * 0x0012fba8,
nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fba8) line 459
nsWindow::DispatchKeyEvent(unsigned int 0x00000083, unsigned short 0x0077,
unsigned int 0x00000000) line 2184 + 15 bytes
nsWindow::OnChar(unsigned int 0x00000017, unsigned int 0x00000000, unsigned char
0x00) line 2493
nsWindow::ProcessMessage(unsigned int 0x00000102, unsigned int 0x00000017, long
0x00110001, long * 0x0012fde0) line 2665 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x0072083a, unsigned int 0x00000102, unsigned int
0x00000017, long 0x00110001) line 625 + 27 bytes
USER32! 77e7


That was running after visiting a few pages. I then tried it again just after
launching the browser and got a different crash. To reproduce, launch the
browser, type Cntl-N to create a new window, and then Cntl-W to close it. Here
the comptr is deleted 0xdddddddd (mTerminationFunction in nsJSContext):

nsCOMPtr_base::assign_assuming_AddRef(nsISupports * 0x00000000) line 391 + 3
bytes
nsCOMPtr_base::assign_with_AddRef(nsISupports * 0x00000000) line 54
nsCOMPtr<nsISupports>::operator=(nsISupports * 0x00000000) line 675
nsJSContext::ScriptEvaluated(nsJSContext * const 0x0279f1a0) line 642
nsJSContext::CallFunction(nsJSContext * const 0x0279f1a0, void * 0x01f058a8,
void * 0x02954490, unsigned int 0x00000001, void * 0x0012daf8, int * 0x0012daf4)
line 476
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x02954554) line 133 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02883f30,
nsIDOMEvent * 0x02954554, unsigned int 0x00000004) line 623 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x027c8d80, nsEvent *
0x0012e89c, nsIDOMEvent * * 0x0012df10, unsigned int 0x00000007, nsEventStatus *
0x0012e8dc) line 1357 + 31 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x0281bc70, nsIPresContext *
0x027c8d80, nsEvent * 0x0012e89c, nsIDOMEvent * * 0x0012df10, unsigned int
0x00000001, nsEventStatus * 0x0012e8dc) line 2588
nsXULKeyListenerImpl::DoKey(nsIDOMEvent * 0x02954964, eEventType eKeyPress) line
675
nsXULKeyListenerImpl::KeyPress(nsIDOMEvent * 0x02954964) line 337
nsEventListenerManager::HandleEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 927 + 17 bytes
nsXULDocument::HandleDOMEvent(nsXULDocument * const 0x027c6350, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 1738
nsXULElement::HandleDOMEvent(nsXULElement * const 0x027e4240, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2576 + 39 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02817230, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x020f4d70, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x0260fa20, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02818db0, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2574
nsXULElement::HandleChromeEvent(nsXULElement * const 0x02818dd4, nsIPresContext
* 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 3489
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x02904d34,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 2975
nsDocument::HandleDOMEvent(nsDocument * const 0x029649a0, nsIPresContext *
0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int
0x00000004, nsEventStatus * 0x0012fb14) line 2379
nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x02965cac,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 192 + 41 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLBodyElement::HandleDOMEvent(nsHTMLBodyElement * const 0x0291ed2c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 723
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableElement::HandleDOMEvent(nsHTMLTableElement * const 0x0296e76c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 1303
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableSectionElement::HandleDOMEvent(nsHTMLTableSectionElement * const
0x0296e3ec, nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * *
0x0012f91c, unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 374
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableRowElement::HandleDOMEvent(nsHTMLTableRowElement * const 0x0296e36c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x0012f91c,
unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 739
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000004, nsEventStatus *
0x0012fb14) line 778
nsHTMLTableCellElement::HandleDOMEvent(nsHTMLTableCellElement * const
0x0296e1a0, nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * *
0x0012f91c, unsigned int 0x00000004, nsEventStatus * 0x0012fb14) line 559
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02966f10, nsEvent *
0x0012fba8, nsIDOMEvent * * 0x0012f91c, unsigned int 0x00000001, nsEventStatus *
0x0012fb14) line 778
nsHTMLImageElement::HandleDOMEvent(nsHTMLImageElement * const 0x0296fe2c,
nsIPresContext * 0x02966f10, nsEvent * 0x0012fba8, nsIDOMEvent * * 0x00000000,
unsigned int 0x00000001, nsEventStatus * 0x0012fb14) line 334
PresShell::HandleEvent(PresShell * const 0x02930644, nsIView * 0x0293e930,
nsGUIEvent * 0x0012fba8, nsEventStatus * 0x0012fb14) line 2444 + 39 bytes
nsView::HandleEvent(nsView * const 0x0293e930, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 841
nsView::HandleEvent(nsView * const 0x0293d090, nsGUIEvent * 0x0012fba8, unsigned
int 0x00000008, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsView::HandleEvent(nsView * const 0x02930a20, nsGUIEvent * 0x0012fba8, unsigned
int 0x0000001c, nsEventStatus * 0x0012fb14, int & 0x00000000) line 826
nsViewManager::DispatchEvent(nsViewManager * const 0x02930df0, nsGUIEvent *
0x0012fba8, nsEventStatus * 0x0012fb14) line 1725
HandleEvent(nsGUIEvent * 0x0012fba8) line 69
nsWindow::DispatchEvent(nsWindow * const 0x029308e4, nsGUIEvent * 0x0012fba8,
nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fba8) line 459
nsWindow::DispatchKeyEvent(unsigned int 0x00000083, unsigned short 0x0077,
unsigned int 0x00000000) line 2184 + 15 bytes
nsWindow::OnChar(unsigned int 0x00000017, unsigned int 0x00000000, unsigned char
0x00) line 2493
nsWindow::ProcessMessage(unsigned int 0x00000102, unsigned int 0x00000017, long
0x00110001, long * 0x0012fde0) line 2665 + 32 bytes
nsWindow::WindowProc(HWND__ * 0x006e0820, unsigned int 0x00000102, unsigned int
0x00000017, long 0x00110001) line 625 + 27 bytes
USER32! 77e71820()

Updated

19 years ago
Severity: normal → critical

Updated

19 years ago
Assignee: trudelle → saari
Priority: P3 → P2

Comment 1

19 years ago
Verified that Ctrl-Q crashes on Win98, and that File>Quit does not. assigning to
saari as p2 for m13

Updated

19 years ago
Summary: [crash] ctrl-W to close window crashes → [dogfood][crash] ctrl-W to close window crashes
Target Milestone: M13

Comment 2

19 years ago
putting on dogfood radar.  Do we really need the word 'crash' twice in the
summary?

Updated

19 years ago
Whiteboard: [PDT+]

Comment 3

19 years ago
Putting on PDT+ radar.

Updated

19 years ago
Whiteboard: [PDT+] → [PDT+] Why do I have this one?

Comment 4

19 years ago
You might want to give this to someone less doomed...

Updated

19 years ago
Assignee: saari → danm
Summary: [dogfood][crash] ctrl-W to close window crashes → [dogfood]Ctrl-W to close window crashes
Whiteboard: [PDT+] Why do I have this one? → [PDT+]12/10

Comment 5

19 years ago
reassigning to danm, cuz saari is doomed, and danm is already familiar with the
seamy world of window-closing. also adding tentative fix date.

*** Bug 18655 has been marked as a duplicate of this bug. ***

The problem here is pretty obvious but solution (at least to me) isn't all
that obvious.  The problem is that the document will dispatch the key event down
to the DOM handlers and when it gets into nsEventListenerManager::HandleEvent()
the key event will cause the document to go out of scope, invalidating the
nsIEventListener object that the event was dispatched from.

The actual crash is caused because it tries to call into the list of key
listeners which is null.

So, the question here is where does the addref / release pair go?  You shouldn't
destroy a document while it still has active events passing through it but it
passes through so many levels of code that I'm not familiar with I'm not sure
where it should go.
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 8

19 years ago
Welcome to my world.

Updated

19 years ago
Target Milestone: M13 → M12

Comment 9

19 years ago
moving to m12, since it is going out later now.
(Assignee)

Updated

19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED
(Assignee)

Comment 10

19 years ago
Added a kungFuDeathGrip to the JSContext.
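
The lifetime problem described in the comments above and the kungFuDeathGrip fix, as an added C++ example that is not Mozilla code: Trace, Grip, Context and closeWindowFromHandler are hypothetical stand-ins for the ref-counted context, nsCOMPtr and the key handler. Without the grip the object is destroyed while its own method is still running; with it, destruction is deferred until the call unwinds.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-ins: Trace, Grip and Context are hypothetical names,
// not Mozilla classes. Trace lives outside the object so it can be read
// safely even after the object has been deleted.
struct Trace { std::vector<std::string> events; bool alive = true; };

// Scoped strong reference: AddRef on entry, Release when the scope unwinds.
template <class T> class Grip {
    T* mPtr;
public:
    explicit Grip(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    ~Grip() { if (mPtr) mPtr->Release(); }
    Grip(const Grip&) = delete;
    Grip& operator=(const Grip&) = delete;
};

class Context {
    Trace& mTrace;
    int mRefCnt = 0;
    int mCallsCompleted = 0;
    ~Context() { mTrace.alive = false; mTrace.events.push_back("destroyed"); }
public:
    explicit Context(Trace& t) : mTrace(t) {}
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }

    // Runs a handler that may drop the last outside reference to *this.
    void CallFunction(const std::function<void()>& handler, bool useGrip) {
        Trace& trace = mTrace;                 // local alias, valid after delete
        Grip<Context> kungFuDeathGrip(useGrip ? this : nullptr);
        handler();
        if (!trace.alive) {                    // unguarded path: *this is gone
            trace.events.push_back("dangling this: member access would be use-after-free");
            return;
        }
        ++mCallsCompleted;                     // post-call bookkeeping on a member
        trace.events.push_back("bookkeeping on live object");
    }                                          // grip releases here, after last use
};

// A key handler closes the window that owns the context while it is running.
std::vector<std::string> closeWindowFromHandler(bool useGrip) {
    Trace trace;
    Context* owned = new Context(trace);
    owned->AddRef();                           // the window's owning reference
    owned->CallFunction([&] {
        trace.events.push_back("handler closes window");
        Context* doomed = owned;
        owned = nullptr;
        doomed->Release();                     // teardown drops the owner's ref
    }, useGrip);
    return trace.events;
}

int main() {
    for (bool useGrip : {false, true}) {
        std::cout << (useGrip ? "with grip:" : "without grip:") << '\n';
        for (const auto& e : closeWindowFromHandler(useGrip)) std::cout << "  " << e << '\n';
    }
}
```

The unguarded path only reports the dangling state through the external Trace instead of touching a member, so the example itself never reads freed memory.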

Updated

19 years ago
Status: RESOLVED → REOPENED

Comment 11

19 years ago
must've been one helluva kungFuGrip.
sigh. now the second window won't close with Ctrl-W, or quit with Ctrl-Q, or anything with
Ctrl-anything. If that's a different bug and you want to claim this is fixed b/c it no longer
'crashes' I won't protest but in the meantime, i'm reopening.

Updated

19 years ago
Status: REOPENED → RESOLVED
Last Resolved: 19 years ago → 19 years ago

Comment 12

19 years ago
let's open a new bug and mark that one dogfood if you think it's so..
(Assignee)

Comment 13

19 years ago
I fixed the crash and at the time, ctrl-W was working to close the window. There's
been work done on event handling recently that may have broken that. As Chris
says, though, that'd be a different bug.

Updated

19 years ago
Status: RESOLVED → VERIFIED

Comment 14

19 years ago
okay this bug is fixed, it no longer crashes. i've verified that with the 1999120715 build.
Marking VERIFIED.

Updated

19 years ago
Status: VERIFIED → REOPENED

Comment 15

19 years ago
nsCOMPtr should be wrapping an interface reference as
opposed to wrapping a class reference. Since this breaks
AIX, I am reopening, checking in the following change
(r=chofmann@netscape.com & danm@netscape.com).
We need to verify that this additional change still
fixes the original bug.

Index: nsJSEnvironment.cpp
===================================================================
RCS file: /cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v
retrieving revision 1.62
diff -r1.62 nsJSEnvironment.cpp
539c539
<   nsCOMPtr<nsJSContext> kungFuDeathGrip(this);
---
>   nsCOMPtr<nsIScriptContext> kungFuDeathGrip(this);
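
Review bot: At line 539 the kungFuDeathGrip declaration carries no comment saying what it protects against, which makes it easy for a later cleanup to delete it as an unused local. A one-line note such as "hold a reference so the context survives a script that closes its own window" would record the reason. The diff shows only the single changed line, so please also confirm the grip is declared before the call that can release the context and stays in scope until the last member access. Since the type moves from nsCOMPtr<nsJSContext> to nsCOMPtr<nsIScriptContext>, it is worth checking that the conversion of this to nsIScriptContext* is unambiguous on every compiler in the tree, given that the concrete-class form broke AIX.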

Comment 16

19 years ago
I just checked in the change, should be able to
re-verify on the next set of builds.

Updated

19 years ago
Status: REOPENED → RESOLVED
Last Resolved: 19 years ago → 19 years ago

Comment 17

19 years ago
Setting to Resolved/Fixed per last comments

Updated

19 years ago
Status: RESOLVED → REOPENED

Comment 18

19 years ago
now according to jdunn's comments I shouldn't be able to notice possible repercussions from HIS checkins in an opt build until
later or tomorrow. Nonetheless, i'm looking at the 1999120910 opt comm builds and they are crashing left and right
with Ctrl-W on all 3 platforms. So looks like someone else broke that?

Comment 19

19 years ago
The Call stack from my WinNT talkback report with the 1999120908 build. I also
repo'd this with the corresponding Mac build and the newest linux
build(1999120912). These are all comm. opt builds.

   0x0e1ef5a4
   ViewportFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 138]
   FrameManager::~FrameManager [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 341]
   FrameManager::`scalar deleting destructor'
   FrameManager::Release [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrameManager.cpp, line 329]
   PresShell::~PresShell [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 685]
   PresShell::`scalar deleting destructor'
   PresShell::Release [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 618]
   nsCOMPtr_base::~nsCOMPtr_base [d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp, line 45]
   nsXULKeyListenerImpl::HandleEventUsingKeyset [d:\builds\seamonkey\mozilla\rdf\content\src\nsXULKeyListener.cpp, line 563]
   gkhtml.dll + 0xfa4c0 (0x0126a4c0)
(Assignee)

Updated

19 years ago
Status: REOPENED → ASSIGNED
(Assignee)

Comment 20

19 years ago
Alright. I see the new crasher. The original one remains fixed, but a new way to crash was
introduced with the "massive rewrite of the key binding system" on 8 Dec. Working on it.
(Assignee)

Updated

19 years ago
Resolution: FIXED → ---
(Assignee)

Updated

19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago → 19 years ago
Resolution: --- → FIXED
Whiteboard: [PDT+]12/10 → [PDT+]
(Assignee)

Comment 21

19 years ago
New key binding system now more carefully follows what turns out to be a rule: never
let a PresShell outlive the ViewManager it's using. The second avatar of this bug is now
fixed. However, for more non-stop crashing action, see related bug 21397.

Updated

19 years ago
Status: RESOLVED → VERIFIED

Comment 22

19 years ago
VERIFIED Fixed with the 1999121308 builds on all platforms.