Closed Bug 233953 Opened 21 years ago Closed 21 years ago

crash exiting mozilla after referencing InstallTrigger (or installing XPI)

Categories

(Core :: XPCOM, defect)

x86
All
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: danm.moz, Assigned: jst)

References

Details

(Keywords: crash)

Attachments

(3 files)

A build made from today's source (just after the 1.7a freeze) reliably crashes on exit after viewing a page with script that references InstallTrigger. (It's from an extension installer page that behaves differently depending on whether the function is available, i.e. if you're running Mozilla.) It crashes in somewhat random places, so I've picked this bug's component somewhat at random. Sorry. I don't know the cause. This didn't happen in my last build, which was dated 20040203, so this began happening sometime since then. The three stack traces I've seen, most common to least common: --- #1 --- nsCOMPtr<nsIDOMWindow>::~nsCOMPtr<nsIDOMWindow>() line 476 + 10 bytes nsTypeAheadFind::~nsTypeAheadFind() line 182 + 50 bytes nsTypeAheadFind::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsTypeAheadFind::Release(nsTypeAheadFind * const 0x00cf7080) line 135 + 215 bytes nsTypeAheadFind::ReleaseInstance() line 249 + 26 bytes TypeAheadFindModuleDtor(nsIModule * 0x00d1be08) line 92 nsGenericModule::Shutdown() line 368 + 10 bytes ... in nsTypeAheadFind's destructor. its refcnt is 1, but mFocusedWindow.mRawPtr points to invalid memory --- #2 --- nsCOMPtr<nsIDOMWindow>::~nsCOMPtr<nsIDOMWindow>() line 476 + 13 bytes nsSecureBrowserUIImpl::~nsSecureBrowserUIImpl() line 158 + 75 bytes nsSecureBrowserUIImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsSecureBrowserUIImpl::Release(nsSecureBrowserUIImpl * const 0x02c1ce98) line 166 + 215 bytes XPCJSRuntime::GCCallback(JSContext * 0x03387500, JSGCStatus JSGC_END) line 556 + 18 bytes DOMGCCallback(JSContext * 0x03387500, JSGCStatus JSGC_END) line 1811 + 23 bytes js_GC(JSContext * 0x03387500, unsigned int 0) line 1419 + 12 bytes js_ForceGC(JSContext * 0x03387500, unsigned int 0) line 1000 + 13 bytes JS_GC(JSContext * 0x03387500) line 1684 + 11 bytes ... in nsSecureBrowserUIImpl's destructor. its refcnt is 1, but mWindow.mRawPtr points to invalid memory --- #3 --- XPCWrappedNative::GetNative(XPCWrappedNative * const 0x031abaa8, nsISupports * * 0x0012fcac) line 2234 + 13 bytes nsWindowSH::Finalize(nsWindowSH * const 0x031ab560, nsIXPConnectWrappedNative * 0x031abaa8, JSContext * 0x00c42f88, JSObject * 0x03190d08) line 4386 XPC_WN_Helper_Finalize(JSContext * 0x00c42f88, JSObject * 0x03190d08) line 869 js_FinalizeObject(JSContext * 0x00c42f88, JSObject * 0x03190d08) line 2016 + 96 bytes js_GC(JSContext * 0x00c42f88, unsigned int 0) line 1324 + 11 bytes js_ForceGC(JSContext * 0x00c42f88, unsigned int 0) line 1000 + 13 bytes js_DestroyContext(JSContext * 0x00c42f88, int 2) line 248 + 11 bytes JS_DestroyContext(JSContext * 0x00c42f88) line 914 + 11 bytes _destroyJSDContext(JSDContext * 0x00cc1028) line 182 + 13 bytes jsd_DebuggerOff(JSDContext * 0x00cc1028) line 247 + 9 bytes JSD_DebuggerOff(JSDContext * 0x00cc1028) line 65 + 9 bytes jsdService::Off(jsdService * const 0x00cb5080) line 2533 + 12 bytes jsdService::~jsdService() line 3217 jsdService::`scalar deleting destructor'(unsigned int 1) + 15 bytes jsdService::Release(jsdService * const 0x00cb5080) line 2250 + 150 bytes ... we're in XPCWrappedNative::GetNative, at *aNative = mIdentity; NS_ADDREF(*aNative); |this| is valid. its refcnt is 1, but mIdentity points to deleted memory.
Flags: blocking1.7a?
(Um, the testpage's text says something about my 20040215 build but obviously it's a 20040211 build.)
jst, I think this is related to your recent changes in xpinstall. I am most conserned with the changes to nsJSInstallTriggerGlobal.cpp versions 1.32 and 1.33. Also, this function scares the hell out of me: http://lxr.mozilla.org/seamonkey/source/dom/public/nsIScriptContext.h#337
Assignee: dougt → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.7a? → blocking1.7a+
*** Bug 234299 has been marked as a duplicate of this bug. ***
Severity: major → critical
OS: Windows XP → All
Summary: crash exiting mozilla after referencing InstallTrigger → crash exiting mozilla after referencing InstallTrigger (or installing XPI)
This was a goofup on my account in the install trigger code, the old code wasn't using nsCOMPtr's, it did manual refcounting and I simply missed the release call, and forgot to remove it now that we don't bother refcounting nsIScript* thingies as often. This is really a one-liner, except for removing some extra pointless casts from the code.
Attachment #141563 - Flags: superreview?(dougt)
Attachment #141563 - Flags: review?(danm-moz)
Comment on attachment 141563 [details] [diff] [review] Remove extra release call. looks good.
Attachment #141563 - Flags: superreview?(dougt) → superreview+
Attachment #141563 - Flags: review?(danm-moz) → review+
Attachment #141563 - Flags: approval1.7a?
Comment on attachment 141563 [details] [diff] [review] Remove extra release call. a=chofmann for 1.7a
Attachment #141563 - Flags: approval1.7a? → approval1.7a+
Fix checked in.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Is it in the CVS? I checked out and compiled with "make -f client.mk" on Wed Feb 18 10:54:50 CET 2004, and I still have the same problem.
Yes it's checked in. cd xpinstall/src cvs up nsInstallTrigger.cpp make is all you need do. Takes ten seconds if you type fast. After doing that I no longer get the crash on exit. But I do get two scary assertions. See bug 234842.
Status: RESOLVED → VERIFIED
*** Bug 234754 has been marked as a duplicate of this bug. ***
I don't know if it is still this Bug, but after installing an *.xpi and Exiting Mozilla, it still crash again. Using: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7a) Gecko/20040218 [2004021814], same with [2004021716] before. Have unpacked the newest mozilla-i586-pc-msvc.zip Build from Tinderbox, no additional plugins, then installed "messageidfinder-1.9.2.xpi" and exit Mozilla to restart ==> Crash. Adding DrWatson Stack as Attachement. Before the Fix was checked in, the [20040215] Builds are crashing in MailNews too while going to next unread Message with "space", this seems to be fixed now. If the crash is resulted by this Bug ==> Reopen? Otherwise I have to file a new one.
I do have the latest version of nsInstallTrigger.cpp (md5: 08811e41d12f5fd2681e606c46753b25); the "cvs up nsInstallTrigger.cpp" did nothing. In my case, I got the crash when quitting after installing the tabextensions XPI. Could the bug be reopened please?
I see this crash, too. It's different. See new bug 234910.
Bug 234910 seems to be a dup of bug 234299, which has been dupped to this one.
/me thinks bug 234299 was not a dupe of this one. I just reopened it.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: