Closed Bug 233953 Opened 21 years ago Closed 20 years ago

crash exiting mozilla after referencing InstallTrigger (or installing XPI)

Component: Core :: XPCOM
Type: defect
Priority: Not set
Severity: critical
Hardware: x86
OS: All
Status: VERIFIED FIXED
Reporter: danm.moz
Assigned: jst
Keywords: crash
Attachments: 3 files

A build made from today's source (just after the 1.7a freeze) reliably crashes
on exit after viewing a page with script that references InstallTrigger. (It's
from an extension installer page that behaves differently depending on whether
the function is available, i.e. if you're running Mozilla.)

It crashes in somewhat random places, so I've picked this bug's component
somewhat at random. Sorry. I don't know the cause. This didn't happen in my last
build, which was dated 20040203, so this began happening sometime since then.

The three stack traces I've seen, most common to least common:
--- #1 ---
nsCOMPtr<nsIDOMWindow>::~nsCOMPtr<nsIDOMWindow>() line 476 + 10 bytes
nsTypeAheadFind::~nsTypeAheadFind() line 182 + 50 bytes
nsTypeAheadFind::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsTypeAheadFind::Release(nsTypeAheadFind * const 0x00cf7080) line 135 + 215 bytes
nsTypeAheadFind::ReleaseInstance() line 249 + 26 bytes
TypeAheadFindModuleDtor(nsIModule * 0x00d1be08) line 92
nsGenericModule::Shutdown() line 368 + 10 bytes
...

in nsTypeAheadFind's destructor. its refcnt is 1, but mFocusedWindow.mRawPtr
points to invalid memory

--- #2 ---
nsCOMPtr<nsIDOMWindow>::~nsCOMPtr<nsIDOMWindow>() line 476 + 13 bytes
nsSecureBrowserUIImpl::~nsSecureBrowserUIImpl() line 158 + 75 bytes
nsSecureBrowserUIImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsSecureBrowserUIImpl::Release(nsSecureBrowserUIImpl * const 0x02c1ce98) line 166 + 215 bytes
XPCJSRuntime::GCCallback(JSContext * 0x03387500, JSGCStatus JSGC_END) line 556 + 18 bytes
DOMGCCallback(JSContext * 0x03387500, JSGCStatus JSGC_END) line 1811 + 23 bytes
js_GC(JSContext * 0x03387500, unsigned int 0) line 1419 + 12 bytes
js_ForceGC(JSContext * 0x03387500, unsigned int 0) line 1000 + 13 bytes
JS_GC(JSContext * 0x03387500) line 1684 + 11 bytes
...
in nsSecureBrowserUIImpl's destructor. its refcnt is 1, but mWindow.mRawPtr
points to invalid memory

--- #3 ---
XPCWrappedNative::GetNative(XPCWrappedNative * const 0x031abaa8, nsISupports * * 0x0012fcac) line 2234 + 13 bytes
nsWindowSH::Finalize(nsWindowSH * const 0x031ab560, nsIXPConnectWrappedNative * 0x031abaa8, JSContext * 0x00c42f88, JSObject * 0x03190d08) line 4386
XPC_WN_Helper_Finalize(JSContext * 0x00c42f88, JSObject * 0x03190d08) line 869
js_FinalizeObject(JSContext * 0x00c42f88, JSObject * 0x03190d08) line 2016 + 96 bytes
js_GC(JSContext * 0x00c42f88, unsigned int 0) line 1324 + 11 bytes
js_ForceGC(JSContext * 0x00c42f88, unsigned int 0) line 1000 + 13 bytes
js_DestroyContext(JSContext * 0x00c42f88, int 2) line 248 + 11 bytes
JS_DestroyContext(JSContext * 0x00c42f88) line 914 + 11 bytes
_destroyJSDContext(JSDContext * 0x00cc1028) line 182 + 13 bytes
jsd_DebuggerOff(JSDContext * 0x00cc1028) line 247 + 9 bytes
JSD_DebuggerOff(JSDContext * 0x00cc1028) line 65 + 9 bytes
jsdService::Off(jsdService * const 0x00cb5080) line 2533 + 12 bytes
jsdService::~jsdService() line 3217
jsdService::`scalar deleting destructor'(unsigned int 1) + 15 bytes
jsdService::Release(jsdService * const 0x00cb5080) line 2250 + 150 bytes
...
we're in XPCWrappedNative::GetNative, at 

  *aNative = mIdentity;
  NS_ADDREF(*aNative);
 
|this| is valid. its refcnt is 1, but mIdentity points to deleted memory.
Flags: blocking1.7a?
(Um, the testpage's text says something about my 20040215 build but obviously
it's a 20040211 build.)
jst, I think this is related to your recent changes in xpinstall. I am most
concerned with the changes to nsJSInstallTriggerGlobal.cpp versions 1.32 and 1.33.

Also, this function scares the hell out of me:
http://lxr.mozilla.org/seamonkey/source/dom/public/nsIScriptContext.h#337
Assignee: dougt → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.7a? → blocking1.7a+
*** Bug 234299 has been marked as a duplicate of this bug. ***
Severity: major → critical
OS: Windows XP → All
Summary: crash exiting mozilla after referencing InstallTrigger → crash exiting mozilla after referencing InstallTrigger (or installing XPI)
This was a goofup on my account in the install trigger code, the old code
wasn't using nsCOMPtr's, it did manual refcounting and I simply missed the
release call, and forgot to remove it now that we don't bother refcounting
nsIScript* thingies as often.

This is really a one-liner, except for removing some extra pointless casts from
the code.
Attachment #141563 - Flags: superreview?(dougt)
Attachment #141563 - Flags: review?(danm-moz)
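
The failure mode described in the comment above (a getter stops handing out an owning reference, but a caller's manual release stays behind), as an added example that is not part of the original bug report or of Mozilla's code. `Context`, `Holder` and the function names are hypothetical; destruction is recorded in a flag instead of freeing memory so the model stays well-defined.

```cpp
#include <cstdio>

// Hypothetical stand-ins for an XPCOM-style refcounted object and its holder;
// none of these names are Mozilla's.
struct Context {
    int refcnt = 0;
    bool destroyed = false;  // recorded instead of calling delete, so the demo stays well-defined
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) destroyed = true; }
};

// The holder keeps exactly one reference for as long as it lives.
struct Holder {
    Context* ctx;
    explicit Holder(Context* c) : ctx(c) { ctx->AddRef(); }
    Context* GetAddRefed() { ctx->AddRef(); return ctx; }  // old contract: caller owns a reference
    Context* GetBorrowed() { return ctx; }                 // new contract: caller owns nothing
    bool Dangling() const { return ctx->destroyed; }       // holder alive, target already gone
};

// Caller written against the old getter: AddRef and Release balance.
bool OldCallerLeavesHolderDangling() {
    Context c; Holder h(&c);
    Context* p = h.GetAddRefed();
    p->Release();
    return h.Dangling();
}

// Getter switched to borrowed pointers, leftover Release kept: the holder's
// only reference is dropped behind its back.
bool StaleReleaseLeavesHolderDangling() {
    Context c; Holder h(&c);
    Context* p = h.GetBorrowed();
    p->Release();
    return h.Dangling();
}

// The one-line fix: delete the leftover Release.
bool FixedCallerLeavesHolderDangling() {
    Context c; Holder h(&c);
    Context* p = h.GetBorrowed();
    (void)p;
    return h.Dangling();
}

int main() {
    std::printf("old=%d stale=%d fixed=%d\n", OldCallerLeavesHolderDangling(),
                StaleReleaseLeavesHolderDangling(), FixedCallerLeavesHolderDangling());
    return 0;
}
```

In the stale case the holder itself is intact while the object it points to is gone, the same shape as the stack traces' "its refcnt is 1, but ... points to invalid memory".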
Comment on attachment 141563 [details] [diff] [review]
Remove extra release call.

looks good.
Attachment #141563 - Flags: superreview?(dougt) → superreview+
Attachment #141563 - Flags: review?(danm-moz) → review+
Attachment #141563 - Flags: approval1.7a?
Comment on attachment 141563 [details] [diff] [review]
Remove extra release call.

a=chofmann for 1.7a
Attachment #141563 - Flags: approval1.7a? → approval1.7a+
Fix checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Is it in the CVS? I checked out and compiled with "make -f client.mk" on Wed Feb
18 10:54:50 CET 2004, and I still have the same problem.
Yes it's checked in.

cd xpinstall/src
cvs up nsInstallTrigger.cpp
make

is all you need do. Takes ten seconds if you type fast.

After doing that I no longer get the crash on exit. But I do get two scary
assertions. See bug 234842.
Status: RESOLVED → VERIFIED
*** Bug 234754 has been marked as a duplicate of this bug. ***
I don't know if it is still this Bug, but after installing an *.xpi and Exiting
Mozilla, it still crashes again. Using:
Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7a) Gecko/20040218
[2004021814], same with [2004021716] before.

Have unpacked the newest mozilla-i586-pc-msvc.zip Build from Tinderbox, no
additional plugins, then installed "messageidfinder-1.9.2.xpi" and exit Mozilla
to restart ==> Crash.

Adding DrWatson Stack as Attachment.

Before the Fix was checked in, the [20040215] Builds are crashing in MailNews
too while going to next unread Message with "space", this seems to be fixed now.

If the crash results from this Bug ==> Reopen?
Otherwise I have to file a new one.
I do have the latest version of nsInstallTrigger.cpp (md5:
08811e41d12f5fd2681e606c46753b25); the "cvs up nsInstallTrigger.cpp" did nothing.

In my case, I got the crash when quitting after installing the tabextensions XPI.

Could the bug be reopened please?
I see this crash, too. It's different. See new bug 234910.
Bug 234910 seems to be a dup of bug 234299, which has been dupped to this one.
/me thinks bug 234299 was not a dupe of this one. I just reopened it.