crash in nsSupportsHashtable::ReleaseElement()

Status: RESOLVED FIXED
Product: MailNews Core
Component: Composition
Severity: critical
Reporter: Scott MacGregor
Assignee: Scott MacGregor
Keywords: crash
Version: Trunk
Platform: x86, Windows 2000
Attachments: 2
Opened 14 years ago, last modified 10 years ago

Description (Assignee), 14 years ago
nsSupportsHashtable::ReleaseElement(nsHashKey * 0x0495e210, void * 0x046be5f8,
void * 0x00000000) line 796 + 15 bytes
hashEnumerate(PLDHashTable * 0x0495e050, PLDHashEntryHdr * 0x0495e134, unsigned
int 0, void * 0x0012880c) line 115 + 26 bytes
PL_DHashTableEnumerate(PLDHashTable * 0x0495e050, int (PLDHashTable *,
PLDHashEntryHdr *, unsigned int, void *)* 0x10014760 hashEnumerate(PLDHashTable
*, PLDHashEntryHdr *, unsigned int, void *), void * 0x0012880c) line 619 + 34 bytes
nsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0
nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void *
0x00000000) line 303 + 21 bytes
nsSupportsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0
nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void *
0x00000000) line 206
nsSupportsHashtable::~nsSupportsHashtable() line 803
nsSupportsHashtable::`scalar deleting destructor'(unsigned int 1) + 16 bytes
nsPresState::~nsPresState() line 93 + 33 bytes
nsPresState::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsPresState::Release(nsPresState * const 0x0495dff0) line 83 + 209 bytes
nsCOMPtr<nsIPresState>::assign_assuming_AddRef(nsIPresState * 0x00000000) line 495
nsCOMPtr<nsIPresState>::assign_with_AddRef(nsISupports * 0x00000000) line 1023
nsCOMPtr<nsIPresState>::operator=(nsIPresState * 0x00000000) line 608
nsBoxObject::SetDocument(nsBoxObject * const 0x04807cac, nsIDocument *
0x00000000) line 146
nsDocument::SetBoxObjectFor(nsDocument * const 0x043f3dec, nsIDOMElement *
0x041e96cc, nsIBoxObject * 0x00000000) line 2799
nsXULElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1601
nsXULElement::RemoveChildAt(unsigned int 1, int 1) line 1939
nsGenericElement::doReplaceChild(nsIContent * 0x04519470, nsIDOMNode *
0x04d38e1c, nsIDOMNode * 0x041e96cc, nsIDOMNode * * 0x00128d58) line 2988 + 17 bytes
nsXULElement::ReplaceChild(nsXULElement * const 0x0451947c, nsIDOMNode *
0x04d38e1c, nsIDOMNode * 0x041e96cc, nsIDOMNode * * 0x00128d58) line 850 + 24 bytes
XPTC_InvokeByIndex(nsISupports * 0x0451947c, unsigned int 16, unsigned int 3,
nsXPTCVariant * 0x00128d38) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x0496c620, JSObject * 0x0460c3a0, unsigned int 2,
long * 0x04c7d1cc, long * 0x00129000) line 1287 + 14 bytes
js_Invoke(JSContext * 0x0496c620, unsigned int 2, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x0496c620, long * 0x00129a34) line 3366 + 15 bytes
js_Invoke(JSContext * 0x0496c620, unsigned int 1, unsigned int 0) line 1301 + 13
bytes
js_Interpret(JSContext * 0x0496c620, long * 0x0012a418) line 3366 + 15 bytes
js_Invoke(JSContext * 0x0496c620, unsigned int 1, unsigned int 2) line 1301 + 13
bytes
js_InternalInvoke(JSContext * 0x0496c620, JSObject * 0x0475eaf0, long 80093824,
unsigned int 0, unsigned int 1, long * 0x0012a67c, long * 0x0012a678) line 1378
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x0496c620, JSObject * 0x0475eaf0, long
80093824, unsigned int 1, long * 0x0012a67c, long * 0x0012a678) line 3601 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x0475eaf0, JSObject * 0x04c62280,
unsigned int 1, long * 0x0012a67c, long * 0x0012a678) line 1293 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04a400f0, nsIDOMEvent
* 0x04c09540) line 175 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04a401d0,
nsIDOMEvent * 0x04c09540, nsIDOMEventTarget * 0x04c08de0, unsigned int 8,
unsigned int 7) line 1435 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04a40088,
nsIPresContext * 0x049f6410, nsEvent * 0x0012ad28, nsIDOMEvent * * 0x0012acbc,
nsIDOMEventTarget * 0x04c08de0, unsigned int 7, nsEventStatus * 0x0012ad74) line
1530
nsXULElement::HandleDOMEvent(nsIPresContext * 0x049f6410, nsEvent * 0x0012ad28,
nsIDOMEvent * * 0x0012acbc, unsigned int 7, nsEventStatus * 0x0012ad74) line 2801
PresShell::HandleDOMEventWithTarget(PresShell * const 0x049f7f68, nsIContent *
0x04a40010, nsEvent * 0x0012ad28, nsEventStatus * 0x0012ad74) line 6095
nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x049f6410, nsGUIEvent *
0x0012af4c) line 178
nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x04ad25cc,
nsIPresContext * 0x049f6410, nsGUIEvent * 0x0012af4c, nsEventStatus *
0x0012b260) line 150
PresShell::HandleEventInternal(nsEvent * 0x0012af4c, nsIView * 0x00000000,
unsigned int 1, nsEventStatus * 0x0012b260) line 6059 + 39 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x049f7f68, nsEvent *
0x0012af4c, nsIFrame * 0x04ad25cc, nsIContent * 0x04a40010, unsigned int 1,
nsEventStatus * 0x0012b260) line 5970 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x049f6410,
nsMouseEvent * 0x0012b480, nsEventStatus * 0x0012b260) line 2933 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x049f6ba8,
nsIPresContext * 0x049f6410, nsEvent * 0x0012b480, nsIFrame * 0x04ad25cc,
nsEventStatus * 0x0012b260, nsIView * 0x049f77b8) line 1944 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012b480, nsIView * 0x049f77b8,
unsigned int 1, nsEventStatus * 0x0012b260) line 6067 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x049f7fdc, nsIView * 0x049f77b8,
nsGUIEvent * 0x0012b480, nsEventStatus * 0x0012b260, int 1, int & 1) line 5908 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x049f77b8, nsGUIEvent * 0x0012b480, int 1)
line 2238
nsViewManager::DispatchEvent(nsViewManager * const 0x049f75e8, nsGUIEvent *
0x0012b480, nsEventStatus * 0x0012b358) line 1978 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012b480) line 79
nsWindow::DispatchEvent(nsWindow * const 0x049f7854, nsGUIEvent * 0x0012b480,
nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012b480) line 1088
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5259 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5514
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 22741406, long *
0x0012b930) line 4045 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x000a08cc, unsigned int 514, unsigned int 0, long
22741406) line 1349 + 27 bytes
USER32! 77e3a2d0()
USER32! 77e145e5()
USER32! 77e1a816()
nsXULWindow::ShowModal(nsXULWindow * const 0x04872d00) line 368
nsWebShellWindow::ShowModal(nsWebShellWindow * const 0x04872d00) line 1104
nsContentTreeOwner::ShowAsModal(nsContentTreeOwner * const 0x04876af4) line 449
nsWindowWatcher::OpenWindowJS(nsWindowWatcher * const 0x00f73664, nsIDOMWindow *
0x03680f84, const char * 0x0486dc40, const char * 0x00000000, const char *
0x0012bf64, int 1, unsigned int 1, long * 0x049839dc, nsIDOMWindow * *
0x0012bfbc) line 784
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x03680f80, const
nsAString & {...}, const nsAString & {...}, const nsAString & {...}, int 1, long
* 0x049839d0, unsigned int 4, nsISupports * 0x00000000, nsIDOMWindow * *
0x0012c37c) line 4779 + 140 bytes
GlobalWindowImpl::OpenDialog(GlobalWindowImpl * const 0x03680f88, nsIDOMWindow *
* 0x0012c37c) line 3474 + 59 bytes
XPTC_InvokeByIndex(nsISupports * 0x03680f88, unsigned int 16, unsigned int 1,
nsXPTCVariant * 0x0012c37c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x04327210, JSObject * 0x025380a0, unsigned int 4,
long * 0x049839d0, long * 0x0012c644) line 1287 + 14 bytes
js_Invoke(JSContext * 0x04327210, unsigned int 4, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x04327210, long * 0x0012d078) line 3366 + 15 bytes
js_Invoke(JSContext * 0x04327210, unsigned int 1, unsigned int 2) line 1301 + 13
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x02d125a8,
nsXPCWrappedJS * 0x04743a18, unsigned short 5, const nsXPTMethodInfo *
0x0244c218, nsXPTCMiniVariant * 0x0012d3b8) line 1336 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x04743a18, unsigned short 5,
const nsXPTMethodInfo * 0x0244c218, nsXPTCMiniVariant * 0x0012d3b8) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x04743a18, unsigned int 5, unsigned int *
0x0012d468, unsigned int * 0x0012d458) line 117 + 31 bytes
SharedStub() line 147
XPTC_InvokeByIndex(nsISupports * 0x04743a18, unsigned int 5, unsigned int 1,
nsXPTCVariant * 0x0012d5d8) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x04327210, JSObject * 0x024f6cd0, unsigned int 1,
long * 0x049838f8, long * 0x0012d8a0) line 1287 + 14 bytes
js_Invoke(JSContext * 0x04327210, unsigned int 1, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x04327210, long * 0x0012e2d4) line 3366 + 15 bytes
js_Invoke(JSContext * 0x04327210, unsigned int 1, unsigned int 2) line 1301 + 13
bytes
js_InternalInvoke(JSContext * 0x04327210, JSObject * 0x041a4398, long 68830216,
unsigned int 0, unsigned int 1, long * 0x0012e538, long * 0x0012e534) line 1378
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x04327210, JSObject * 0x041a4398, long
68830216, unsigned int 1, long * 0x0012e538, long * 0x0012e534) line 3601 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x041a4398, JSObject * 0x041a4408,
unsigned int 1, long * 0x0012e538, long * 0x0012e534) line 1293 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0450ba98, nsIDOMEvent
* 0x049e57e8) line 175 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x0450bb78,
nsIDOMEvent * 0x049e57e8, nsIDOMEventTarget * 0x048a2348, unsigned int 8,
unsigned int 7) line 1435 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0450ba30,
nsIPresContext * 0x0442a218, nsEvent * 0x0012f020, nsIDOMEvent * * 0x0012eb78,
nsIDOMEventTarget * 0x048a2348, unsigned int 7, nsEventStatus * 0x0012f06c) line
1530
nsXULElement::HandleDOMEvent(nsIPresContext * 0x0442a218, nsEvent * 0x0012f020,
nsIDOMEvent * * 0x0012eb78, unsigned int 7, nsEventStatus * 0x0012f06c) line 2801
nsXULElement::HandleDOMEvent(nsIPresContext * 0x0442a218, nsEvent * 0x0012f020,
nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f06c) line
2633 + 50 bytes
PresShell::HandleDOMEventWithTarget(PresShell * const 0x043fc728, nsIContent *
0x04517780, nsEvent * 0x0012f020, nsEventStatus * 0x0012f06c) line 6095
nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x0442a218, nsGUIEvent *
0x0012f244) line 178
nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x04695db0,
nsIPresContext * 0x0442a218, nsGUIEvent * 0x0012f244, nsEventStatus *
0x0012f558) line 150
PresShell::HandleEventInternal(nsEvent * 0x0012f244, nsIView * 0x00000000,
unsigned int 1, nsEventStatus * 0x0012f558) line 6059 + 39 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x043fc728, nsEvent *
0x0012f244, nsIFrame * 0x04695db0, nsIContent * 0x04517780, unsigned int 1,
nsEventStatus * 0x0012f558) line 5970 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x0442a218,
nsMouseEvent * 0x0012f778, nsEventStatus * 0x0012f558) line 2933 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x0442a830,
nsIPresContext * 0x0442a218, nsEvent * 0x0012f778, nsIFrame * 0x04695db0,
nsEventStatus * 0x0012f558, nsIView * 0x043fbe10) line 1944 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f778, nsIView * 0x043fbe10,
unsigned int 1, nsEventStatus * 0x0012f558) line 6067 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x043fc79c, nsIView * 0x043fbe10,
nsGUIEvent * 0x0012f778, nsEventStatus * 0x0012f558, int 1, int & 1) line 5908 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x043fbe10, nsGUIEvent * 0x0012f778, int 1)
line 2238
nsViewManager::DispatchEvent(nsViewManager * const 0x043fbc40, nsGUIEvent *
0x0012f778, nsEventStatus * 0x0012f650) line 1978 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f778) line 79
nsWindow::DispatchEvent(nsWindow * const 0x043fbeac, nsGUIEvent * 0x0012f778,
nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f778) line 1088
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5259 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5514
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 2687071, long *
0x0012fc28) line 4045 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x001e058e, unsigned int 514, unsigned int 0, long
2687071) line 1349 + 27 bytes
USER32! 77e3a2d0()
USER32! 77e145e5()
USER32! 77e1a816()
nsAppShellService::Run(nsAppShellService * const 0x00f74e50) line 524
main1(int 1, char * * 0x00262508, nsISupports * 0x00eb2330) line 1303 + 32 bytes
main(int 1, char * * 0x00262508) line 1780 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c5987e7()

Comment 1 (Assignee), 14 years ago
sorry, submitted too early.

to reproduce this crash:

1) go to mail compose window
2) use the "select addresses" dialog
3) select lots of addresses (say 50?)
4) add them using the To button
5) hit ok

I crash every time. The element is already deleted (0xdddddddd).

Comment 2, 14 years ago
Why me? Need a bit more debugging love, ideally some Purify. This is not a
PLDHashTable bug, I can unboldly predict.

/be
Assignee: brendan → mscott

Comment 3, 14 years ago
I'll run Purify on this.

Comment 4, 14 years ago
Purify seems to have lost track of when that object was deleted, or
PL_DHashTable has defeated it easily :-) but fwiw, I'm pretty sure Brendan is
right, and this problem is specific to layout, or the addressing widget. I've
only seen this crash replying to existing messages, or as described in this bug
report.

Updated, 14 years ago
Severity: normal → critical
Keywords: crash

Comment 5 (Assignee), 14 years ago
I've also seen this when bringing up the compose window for a new message.

I'll try to get a stack trace for that.

I agree with David that it might be the addressing widget tickling a bug in layout.

fear the addressing widget.

Comment 6 (Assignee), 14 years ago
here's a similar stack for a crash when I do new compose window.

nsSupportsHashtable::ReleaseElement(nsHashKey * 0x04b00b40, void * 0x04847a30,
void * 0x00000000) line 812 + 15 bytes
hashEnumerate(PLDHashTable * 0x04b00980, PLDHashEntryHdr * 0x04b00a64, unsigned
int 0, void * 0x0012a1f0) line 131 + 26 bytes
PL_DHashTableEnumerate(PLDHashTable * 0x04b00980, int (PLDHashTable *,
PLDHashEntryHdr *, unsigned int, void *)* 0x10014760 hashEnumerate(PLDHashTable
*, PLDHashEntryHdr *, unsigned int, void *), void * 0x0012a1f0) line 619 + 34 bytes
nsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0
nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void *
0x00000000) line 319 + 21 bytes
nsSupportsHashtable::Enumerate(int (nsHashKey *, void *, void *)* 0x10015ba0
nsSupportsHashtable::ReleaseElement(nsHashKey *, void *, void *), void *
0x00000000) line 222
nsSupportsHashtable::~nsSupportsHashtable() line 819
nsSupportsHashtable::`scalar deleting destructor'(unsigned int 1) + 16 bytes
nsPresState::~nsPresState() line 93 + 33 bytes
nsPresState::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsPresState::Release(nsPresState * const 0x04b00920) line 83 + 209 bytes
nsCOMPtr<nsIPresState>::assign_assuming_AddRef(nsIPresState * 0x00000000) line 495
nsCOMPtr<nsIPresState>::assign_with_AddRef(nsISupports * 0x00000000) line 1023
nsCOMPtr<nsIPresState>::operator=(nsIPresState * 0x00000000) line 608
nsBoxObject::SetDocument(nsBoxObject * const 0x04ae0314, nsIDocument *
0x00000000) line 146
nsDocument::SetBoxObjectFor(nsDocument * const 0x03c0dbac, nsIDOMElement *
0x04669a4c, nsIBoxObject * 0x00000000) line 2790
nsXULElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1590
nsXULElement::RemoveChildAt(unsigned int 1, int 1) line 1928
nsGenericElement::doReplaceChild(nsIContent * 0x045981b0, nsIDOMNode *
0x04b3a254, nsIDOMNode * 0x04669a4c, nsIDOMNode * * 0x0012a73c) line 2987 + 17 bytes
nsXULElement::ReplaceChild(nsXULElement * const 0x045981bc, nsIDOMNode *
0x04b3a254, nsIDOMNode * 0x04669a4c, nsIDOMNode * * 0x0012a73c) line 846 + 24 bytes
XPTC_InvokeByIndex(nsISupports * 0x045981bc, unsigned int 16, unsigned int 3,
nsXPTCVariant * 0x0012a71c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x024e9c98, JSObject * 0x0492d6b0, unsigned int 2,
long * 0x04b453a8, long * 0x0012a9e4) line 1287 + 14 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 2, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x024e9c98, long * 0x0012b418) line 3366 + 15 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 0, unsigned int 0) line 1301 + 13
bytes
js_Interpret(JSContext * 0x024e9c98, long * 0x0012bdfc) line 3366 + 15 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 0, unsigned int 2) line 1301 + 13
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x049c29e0,
nsXPCWrappedJS * 0x04a688e8, unsigned short 3, const nsXPTMethodInfo *
0x03b91b18, nsXPTCMiniVariant * 0x0012c13c) line 1336 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x04a688e8, unsigned short 3,
const nsXPTMethodInfo * 0x03b91b18, nsXPTCMiniVariant * 0x0012c13c) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x04a688e8, unsigned int 3, unsigned int *
0x0012c1ec, unsigned int * 0x0012c1dc) line 117 + 31 bytes
SharedStub() line 147
nsMsgCompose::NotifyStateListeners(nsMsgCompose * const 0x049deeb0,
TStateListenerNotification eComposeFieldsReady, unsigned int 0) line 3581
nsMsgCompose::InitEditor(nsMsgCompose * const 0x049deeb0, nsIEditor *
0x04a264b8, nsIDOMWindow * 0x0497f37c) line 1355
XPTC_InvokeByIndex(nsISupports * 0x049deeb0, unsigned int 27, unsigned int 2,
nsXPTCVariant * 0x0012c414) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x024e9c98, JSObject * 0x045b7550, unsigned int 2,
long * 0x04b45294, long * 0x0012c6dc) line 1287 + 14 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 2, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x024e9c98, long * 0x0012d110) line 3366 + 15 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 1, unsigned int 2) line 1301 + 13
bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x049deeb0,
nsXPCWrappedJS * 0x049def60, unsigned short 4, const nsXPTMethodInfo *
0x03c5a580, nsXPTCMiniVariant * 0x0012d450) line 1336 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x049def60, unsigned short 4,
const nsXPTMethodInfo * 0x03c5a580, nsXPTCMiniVariant * 0x0012d450) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x049def60, unsigned int 4, unsigned int *
0x0012d500, unsigned int * 0x0012d4f0) line 117 + 31 bytes
SharedStub() line 147
nsMsgComposeService::OpenWindow(const char * 0x00000000, nsIMsgComposeParams *
0x04a9f150) line 272
nsMsgComposeService::OpenComposeWindow(nsMsgComposeService * const 0x02558e90,
const char * 0x00000000, const char * 0x04ab26c8, int 5, int 0, nsIMsgIdentity *
0x03c5f880, nsIMsgWindow * 0x03b87dd0) line 478 + 21 bytes
XPTC_InvokeByIndex(nsISupports * 0x02558e90, unsigned int 3, unsigned int 6,
nsXPTCVariant * 0x0012da1c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x024e9c98, JSObject * 0x03bcb1f0, unsigned int 6,
long * 0x04b4516c, long * 0x0012dce4) line 1287 + 14 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 6, unsigned int 0) line 1281 + 23
bytes
js_Interpret(JSContext * 0x024e9c98, long * 0x0012e718) line 3366 + 15 bytes
js_Invoke(JSContext * 0x024e9c98, unsigned int 1, unsigned int 2) line 1301 + 13
bytes
js_InternalInvoke(JSContext * 0x024e9c98, JSObject * 0x0388a2b8, long 69368328,
unsigned int 0, unsigned int 1, long * 0x0012e97c, long * 0x0012e978) line 1378
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x024e9c98, JSObject * 0x0388a2b8, long
69368328, unsigned int 1, long * 0x0012e97c, long * 0x0012e978) line 3618 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x0388a2b8, JSObject * 0x04227a08,
unsigned int 1, long * 0x0012e97c, long * 0x0012e978) line 1292 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03671638, nsIDOMEvent
* 0x04aa1000) line 174 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x036716a0,
nsIDOMEvent * 0x04aa1000, nsIDOMEventTarget * 0x04a8e1d8, unsigned int 8,
unsigned int 7) line 1434 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x036715d0,
nsIPresContext * 0x02c3bba8, nsEvent * 0x0012f028, nsIDOMEvent * * 0x0012efbc,
nsIDOMEventTarget * 0x04a8e1d8, unsigned int 7, nsEventStatus * 0x0012f074) line
1529
nsXULElement::HandleDOMEvent(nsIPresContext * 0x02c3bba8, nsEvent * 0x0012f028,
nsIDOMEvent * * 0x0012efbc, unsigned int 7, nsEventStatus * 0x0012f074) line 2790
PresShell::HandleDOMEventWithTarget(PresShell * const 0x02c646e0, nsIContent *
0x03673858, nsEvent * 0x0012f028, nsEventStatus * 0x0012f074) line 6108
nsButtonBoxFrame::MouseClicked(nsIPresContext * 0x02c3bba8, nsGUIEvent *
0x0012f24c) line 178
nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x0395c500,
nsIPresContext * 0x02c3bba8, nsGUIEvent * 0x0012f24c, nsEventStatus *
0x0012f560) line 150
PresShell::HandleEventInternal(nsEvent * 0x0012f24c, nsIView * 0x00000000,
unsigned int 1, nsEventStatus * 0x0012f560) line 6072 + 39 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x02c646e0, nsEvent *
0x0012f24c, nsIFrame * 0x0395c500, nsIContent * 0x03673858, unsigned int 1,
nsEventStatus * 0x0012f560) line 5983 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsIPresContext * 0x02c3bba8,
nsMouseEvent * 0x0012f780, nsEventStatus * 0x0012f560) line 2933 + 66 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x02c946f8,
nsIPresContext * 0x02c3bba8, nsEvent * 0x0012f780, nsIFrame * 0x0395c500,
nsEventStatus * 0x0012f560, nsIView * 0x02c64118) line 1944 + 23 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f780, nsIView * 0x02c64118,
unsigned int 1, nsEventStatus * 0x0012f560) line 6080 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x02c64754, nsIView * 0x02c64118,
nsGUIEvent * 0x0012f780, nsEventStatus * 0x0012f560, int 1, int & 1) line 5921 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x02c64118, nsGUIEvent * 0x0012f780, int 1)
line 2236
nsViewManager::DispatchEvent(nsViewManager * const 0x02c94f88, nsGUIEvent *
0x0012f780, nsEventStatus * 0x0012f658) line 1976 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f780) line 79
nsWindow::DispatchEvent(nsWindow * const 0x02c641b4, nsGUIEvent * 0x0012f780,
nsEventStatus & nsEventStatus_eIgnore) line 1067 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f780) line 1088
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5189 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint *
0x00000000) line 5444
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 3735673, long *
0x0012fc28) line 3975 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0037074a, unsigned int 514, unsigned int 0, long
3735673) line 1349 + 27 bytes
USER32! 77e3a2d0()
USER32! 77e145e5()
USER32! 77e1a816()
nsAppShellService::Run(nsAppShellService * const 0x00f75308) line 524
main1(int 1, char * * 0x00264f70, nsISupports * 0x00eb32b0) line 1302 + 32 bytes
main(int 1, char * * 0x00264f70) line 1779 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c5987e7()

Comment 7, 14 years ago
This looks a lot like we're over-releasing the presstate. Anyone want to run a
refcnt-balance log on nsPresState?

Comment 8, 14 years ago
Looks more like over-releasing one of the objects in the hashtable to me,
especially if this is Windows DEBUG where (I think) deleted objects are marked
with 0xdddddddd.

Comment 9, 14 years ago
Yes, the object has been deleted. It's odd that Purify doesn't point out where
the error is...

Comment 10, 14 years ago
Probably it's an arena-allocated object, most likely an nsIFrame implementation
(which really shouldn't be put in an nsSupportsHashtable).

Comment 11, 14 years ago
(If you change the |memset| in FrameArena::FreeFrame in nsPresShell.cpp, does it
end up with something other than 0xdddddddd?)

Comment 12, 14 years ago
Don't nsIFrame impls assert in AddRef and Release?

/be

Comment 13, 14 years ago
nsFrame::AddRef and nsFrame::Release have NS_WARNING("not supported for
frames"), which is almost an assertion, but some other frame classes override:
http://lxr.mozilla.org/seamonkey/search?string=Frame%3A%3AAddRef
http://lxr.mozilla.org/seamonkey/search?string=Frame%3A%3ARelease

(The ones that return NS_OK are especially clever.)

Comment 14, 14 years ago
(In reply to comment #11)
> (If you change the |memset| in FrameArena::FreeFrame in nsPresShell.cpp, does it
> end up with something other than 0xdddddddd?)

Yes, it does. I'll try disabling the frame arena and running Purify again.

Comment 15, 14 years ago
Yes, here are the error, allocation, and free stacks.

[E] FMR: Free memory read in nsSupportsHashtable::ReleaseElement(nsHashKey
*,void *,void *) {1 occurrence}
        Reading 4 bytes from 0x170074e0 (4 bytes at 0x170074e0 illegal)
        Address 0x170074e0 is 136 bytes into a 232 byte block at 0x17007458
        Address 0x170074e0 points to a malloc'd block in heap 0x02420000
        Thread ID: 0x944
        Error location
            nsSupportsHashtable::ReleaseElement(nsHashKey *,void *,void *)
[nsHashtable.cpp:796]
            hashEnumerate  [nsHashtable.cpp:115]
            PL_DHashTableEnumerate [pldhash.c:619]
            nsHashtable::Enumerate((*)(nsHashKey *,void *,void *),void *)
[nsHashtable.cpp:303]
            nsSupportsHashtable::Enumerate((*)(nsHashKey *,void *,void *),void
*) [nsHashtable.h:205]
            nsSupportsHashtable::~nsSupportsHashtable(void) [nsHashtable.cpp:802]
            nsSupportsHashtable::`vector deleting destructor'(UINT) [gklayout.dll]
            nsPresState::~nsPresState(void) [nsPresState.cpp:93]
            nsPresState::`scalar deleting destructor'(UINT) [gklayout.dll]
            nsPresState::Release(void) [nsPresState.cpp:83]


        Allocation location
            malloc         [dbgheap.c:129]
            PR_Malloc      [prmem.c:474]
            FrameArena::AllocateFrame(UINT) [nsPresShell.cpp:618]
            PresShell::AllocateFrame(UINT) [nsPresShell.cpp:1969]
            nsFrame::new(UINT,nsIPresShell *) [nsFrame.cpp:436]
            NS_NewListBoxBodyFrame(nsIPresShell *,nsIFrame * *,int,nsIBoxLayout
*) [nsListBoxBodyFrame.cpp:1510]
            nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell
*,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom
*,int,nsStyleContext *,nsFrameItems&,int,int&) [nsCSSFrameConstructor.cpp:5454]
            nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell
*,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom
*,int,nsStyleContext *,nsFrameItems&,int) [nsCSSFrameConstructor.cpp:7133]
            nsCSSFrameConstructor::ConstructFrame(nsIPresShell *,nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&)
[nsCSSFrameConstructor.cpp:7026]
            nsCSSFrameConstructor::ProcessChildren(nsIPresShell *,nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame
*,int,nsFrameItems&,int,nsTableCreator *) [nsCSSFrameConstructor.cpp:11464]
            nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell
*,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom
*,int,nsStyleContext *,nsFrameItems&,int,int&) [nsCSSFrameConstructor.cpp:5667]
            nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell
*,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom
*,int,nsStyleContext *,nsFrameItems&,int) [nsCSSFrameConstructor.cpp:7133]
            nsCSSFrameConstructor::ConstructFrame(nsIPresShell *,nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&)
[nsCSSFrameConstructor.cpp:7026]
            nsCSSFrameConstructor::ProcessChildren(nsIPresShell *,nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame
*,int,nsFrameItems&,int,nsTableCreator *) [nsCSSFrameConstructor.cpp:11464]
            nsCSSFrameConstructor::ConstructXULFrame(nsIPresShell
*,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom
*,int,nsStyleContext *,nsFrameItems&,int,int&) [nsCSSFrameConstructor.cpp:5667]
            nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell
*,nsIPresContext *,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsIAtom
*,int,nsStyleContext *,nsFrameItems&,int) [nsCSSFrameConstructor.cpp:7133]
            nsCSSFrameConstructor::ConstructFrame(nsIPresShell *,nsIPresContext
*,nsFrameConstructorState&,nsIContent *,nsIFrame *,nsFrameItems&)
[nsCSSFrameConstructor.cpp:7026]
            nsCSSFrameConstructor::ContentInserted(nsIPresContext *,nsIContent
*,nsIFrame *,nsIContent *,int,nsILayoutHistoryState *,int)
[nsCSSFrameConstructor.cpp:8917]
 

       Free location
            free           [dbgheap.c:955]
            PR_Free        [prmem.c:502]
            FrameArena::FreeFrame(UINT,void *) [nsPresShell.cpp:655]
            PresShell::FreeFrame(UINT,void *) [nsPresShell.cpp:1963]
            nsFrame::Destroy(nsIPresContext *) [nsFrame.cpp:654]
            nsSplittableFrame::Destroy(nsIPresContext *) [nsSplittableFrame.cpp:71]
            nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:141]
            nsBoxFrame::Destroy(nsIPresContext *) [nsBoxFrame.cpp:1065]
            nsListBoxBodyFrame::Destroy(nsIPresContext *)
[nsListBoxBodyFrame.cpp:278]
            nsFrameList::DestroyFrames(nsIPresContext *) [nsFrameList.cpp:129]
            nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:134]
            nsBoxFrame::Destroy(nsIPresContext *) [nsBoxFrame.cpp:1065]
            nsFrameList::DestroyFrames(nsIPresContext *) [nsFrameList.cpp:129]
            nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:134]
            nsBoxFrame::Destroy(nsIPresContext *) [nsBoxFrame.cpp:1065]
            nsGfxScrollFrame::Destroy(nsIPresContext *) [nsGfxScrollFrame.cpp:427]
            nsFrameList::DestroyFrames(nsIPresContext *) [nsFrameList.cpp:129]
            nsContainerFrame::Destroy(nsIPresContext *) [nsContainerFrame.cpp:134]

Comment 16, 14 years ago
NS_IMETHODIMP_(nsrefcnt) 
nsListBoxBodyFrame::AddRef(void)
{
  return 2;
}

NS_IMETHODIMP_(nsrefcnt)
nsListBoxBodyFrame::Release(void)
{
  return 1;
}

Argh, what a mess. Are there bugs on file to fix all these broken AddRef and
Release overrides?  Why are they overriding the base class?

/be

Comment 18, 14 years ago
Here's the stack trace where the pres state gets deleted:

nsPresState::~nsPresState() line 93
nsPresState::`scalar deleting destructor'(unsigned int 0x00000001) + 15 bytes
nsPresState::Release(nsPresState * const 0x07c776e8) line 83 + 209 bytes
nsCOMPtr<nsIPresState>::assign_assuming_AddRef(nsIPresState * 0x00000000) line 495
nsCOMPtr<nsIPresState>::assign_with_AddRef(nsISupports * 0x00000000) line 1023
nsCOMPtr<nsIPresState>::operator=(nsIPresState * 0x00000000) line 608
nsBoxObject::SetDocument(nsBoxObject * const 0x079fd834, nsIDocument *
0x00000000) line 146
nsDocument::SetBoxObjectFor(nsDocument * const 0x054f6844, nsIDOMElement *
0x0788bec4, nsIBoxObject * 0x00000000) line 2799
nsXULElement::SetDocument(nsIDocument * 0x00000000, int 0x00000001, int
0x00000001) line 1574
nsXULElement::RemoveChildAt(unsigned int 0x00000001, int 0x00000001) line 1912
nsGenericElement::doReplaceChild(nsIContent * 0x0538ed48, nsIDOMNode *
0x07edf684, nsIDOMNode * 0x0788bec4, nsIDOMNode * * 0x00128c4c) line 2988 + 17 bytes
nsXULElement::ReplaceChild(nsXULElement * const 0x0538ed54, nsIDOMNode *
0x07edf684, nsIDOMNode * 0x0788bec4, nsIDOMNode * * 0x00128c4c) line 830 + 24 bytes
XPTC_InvokeByIndex(nsISupports * 0x0538ed54, unsigned int 0x00000010, unsigned
int 0x00000003, nsXPTCVariant * 0x00128c2c) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x07c5d190, JSObject * 0x07708d68, unsigned int
0x00000002, long * 0x07edbf04, long * 0x00128efc) line 1287 + 14 bytes

 - this is called from the addressing widget js, probably here:

function awAppendNewRow(setFocus)
{
  var listbox = document.getElementById('addressingWidget');
  var listitem1 = awGetListItem(1);

  if ( listbox && listitem1 )
  {
    var lastRecipientType =
awGetPopupElement(top.MAX_RECIPIENTS).selectedItem.getAttribute("value");

    var nextDummy = awGetNextDummyRow();
    var newNode = listitem1.cloneNode(true);
    if (nextDummy)
      listbox.replaceChild(newNode, nextDummy);
    else
      listbox.appendChild(newNode);

Comment 19

14 years ago
bienvenu: you're asking or answering the wrong question.

don't ask where it got killed.

ask why in the world it was put in the array in the first place.

frames have a very specific ownership model and someone blew it.

Comment 20

14 years ago
I understand that's the fundamental problem that has to be fixed...if that's
going to be the quickest fix, that's fine, but if there's some other quick fix
that will stop the trunk from crashing, I think that's worth investigating too -
I'm not sure how hard it is to fix the fundamental problem.

Comment 21

14 years ago
http://lxr.mozilla.org/seamonkey/source/layout/xul/base/src/nsListBoxObject.cpp#237

nsIListBoxObject*
nsListBoxObject::GetListBoxBody()

  // It's a frame. Refcounts are irrelevant.
  nsCOMPtr<nsIListBoxObject> body;
  yeahBaby->QueryInterface(NS_GET_IID(nsIListBoxObject), getter_AddRefs(body));
  SetPropertyAsSupports(listboxbody.get(), body);
  return body;

This code has been doing this for a long time...the object is both an
nsIListBoxObject and an nsIFrame. I wonder if a call to
nsListBoxObject::InvalidatePresentationStuff before the frame is destroyed would
paper over the crash.

Comment 22

14 years ago
I'm willing to write a debug only check on nsSupportsHashtable and similar xpcom
creatures which QIs to nsIFrame and asserts at insertion time. That'd be the
fast way to find your critter today and probably the best way to avoid this
problem tomorrow.
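
The ownership mismatch behind this crash (comment 16: frame AddRef/Release are constant-returning stubs; comment 19: frames are owned by the frame tree, not by refcount) and the insertion-time guard proposed in comment 22, as an added C++ model that is not Mozilla code. `ISupports`, `RefCounted`, `Frame`, `SupportsTable` and `gLiveRefCounted` are hypothetical stand-ins for nsISupports, an ordinary XPCOM object, nsIFrame and nsSupportsHashtable; `IsFrame()` plays the role of a successful `QueryInterface(NS_GET_IID(nsIFrame), ...)`, and the table refuses a frame instead of asserting so the scenario can be checked from a test.

```cpp
#include <cstdio>
#include <map>
#include <string>

// Hypothetical stand-in for nsISupports. IsFrame() stands for a successful
// QueryInterface(NS_GET_IID(nsIFrame), ...), which is how the check in comment 22
// would recognise a frame.
struct ISupports {
    virtual ~ISupports() {}
    virtual unsigned AddRef() = 0;
    virtual unsigned Release() = 0;
    virtual bool IsFrame() const { return false; }
};

static int gLiveRefCounted = 0;   // instrumentation for the scenarios below

// An ordinary refcounted object: whoever drops the last reference deletes it.
struct RefCounted : ISupports {
    unsigned mRefCnt = 0;
    RefCounted() { ++gLiveRefCounted; }
    ~RefCounted() override { --gLiveRefCounted; }
    unsigned AddRef() override { return ++mRefCnt; }
    unsigned Release() override {
        unsigned remaining = --mRefCnt;
        if (remaining == 0) delete this;
        return remaining;
    }
};

// A frame: owned by the frame tree and torn down by Destroy(). AddRef/Release are the
// constant-returning stubs quoted in comment 16, so a "strong" reference held by a
// container keeps nothing alive.
struct Frame : ISupports {
    unsigned AddRef() override { return 2; }
    unsigned Release() override { return 1; }
    bool IsFrame() const override { return true; }
    void Destroy() { delete this; }
};

// Cut-down model of nsSupportsHashtable: AddRefs on Put, Releases every value in the
// destructor (the ReleaseElement enumeration at the top of the crash stack).
class SupportsTable {
public:
    ~SupportsTable() {
        for (auto& entry : mMap) entry.second->Release();
    }
    // Debug guard from comment 22: a frame is refused at insertion time instead of
    // becoming a pointer the destructor will Release() after the frame tree freed it.
    bool Put(const std::string& key, ISupports* value) {
        if (value->IsFrame()) {
            std::fprintf(stderr, "SupportsTable: refusing to store a frame under '%s'\n",
                         key.c_str());
            return false;
        }
        value->AddRef();
        auto it = mMap.find(key);
        if (it != mMap.end()) {
            it->second->Release();
            it->second = value;
        } else {
            mMap.emplace(key, value);
        }
        return true;
    }
    ISupports* Get(const std::string& key) const {
        auto it = mMap.find(key);
        return it == mMap.end() ? nullptr : it->second;
    }
private:
    std::map<std::string, ISupports*> mMap;
};

// Scenario 1: a refcounted value lives exactly as long as someone references it.
bool refcounted_value_is_owned_by_table() {
    RefCounted* obj = new RefCounted;
    obj->AddRef();                               // the caller's own reference
    {
        SupportsTable table;
        if (!table.Put("presstate", obj)) return false;
        if (obj->mRefCnt != 2) return false;     // caller + table
        if (table.Get("presstate") != obj) return false;
    }                                            // ~SupportsTable releases: back to 1
    if (obj->mRefCnt != 1) return false;
    obj->Release();                              // last reference: deleted
    return gLiveRefCounted == 0;
}

// Scenario 2: the mistake in this bug. The frame is offered to the table and then
// destroyed by the frame tree while the table is still alive. With the guard the Put is
// refused; without it, ~SupportsTable would call Release() through freed memory, which
// is the nsSupportsHashtable::ReleaseElement crash reported here.
bool frame_is_refused_by_table() {
    Frame* frame = new Frame;
    bool stored;
    {
        SupportsTable table;
        stored = table.Put("listboxbody", frame);
        frame->Destroy();
    }
    return !stored;
}

int main() {
    std::printf("refcounted value owned by table: %s\n",
                refcounted_value_is_owned_by_table() ? "ok" : "FAIL");
    std::printf("frame refused by table:          %s\n",
                frame_is_refused_by_table() ? "ok" : "FAIL");
    return 0;
}
```

The guard only catches the bad insertion; it does not make storing a frame safe. A container that wants to remember a frame must hold a raw pointer that the frame's Destroy() path clears, which is the shape of the fix discussed later in this bug.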

Comment 23

14 years ago
thx, I've already found where it's happening...see
http://bugzilla.mozilla.org/show_bug.cgi?id=240720#c21

Comment 24

14 years ago
Created attachment 146814 [details] [diff] [review]
possible fix

cache a non-refcounted pointer

Comment 25

14 years ago
Comment on attachment 146814 [details] [diff] [review]
possible fix

I haven't had any problems with this patch...but I have no idea if this is
right. It doesn't crash, and it doesn't seem to leak the frames...
Attachment #146814 - Flags: superreview?(dbaron)

Comment 26

14 years ago
Comment on attachment 146814 [details] [diff] [review]
possible fix

>+  if (mListBoxBody) {
>+    nsCOMPtr<nsIListBoxObject> body(do_QueryInterface(mListBoxBody));
>     return body;
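Review bot: the early return hands out mListBoxBody with no check that the frame behind it still exists. The cache is a non-refcounted frame pointer (comment 24) and frames are torn down by Destroy() regardless of who holds them, so once nsListBoxBodyFrame::Destroy() has run this branch returns freed memory unless the frame's destruction path clears the cache first; either null mListBoxBody from the frame's Destroy() or invalidate the box object there. The do_QueryInterface into an nsCOMPtr also buys nothing, since the frame's AddRef/Release are constant-returning stubs (comment 16), so the branch can simply be `if (mListBoxBody) return mListBoxBody;`.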

This could just be

if (mListBoxBody)
  return mListBoxBody;

but other than that, you need to find someone who knows something about box
objects to review...
Attachment #146814 - Flags: superreview?(dbaron) → superreview+

Comment 27

14 years ago
Comment on attachment 146814 [details] [diff] [review]
possible fix

Ok, looking at the checkin log, I'm going to try jst. I'll remove the QI and
comptr
Attachment #146814 - Flags: review?(jst)

Comment 28

14 years ago
Created attachment 147068 [details] [diff] [review]
How about this instead? This makes sure we invalidate the listbox's box object when the listbox's body frame is destroyed.

I think I'd prefer this over the proposed fix since the proposed fix still
leaves dangling pointers that could easily cause crashes in other situations. I
don't know enough about this code to say if it will happen or not, but it seems
likely that it could.

David, can you test this?

Comment 29

14 years ago
yes, that works, and it seems like that's the way the code was supposed to work...

Updated

14 years ago
Attachment #147068 - Flags: superreview?(dbaron)
Attachment #147068 - Flags: review?(bienvenu)

Updated

14 years ago
Attachment #147068 - Flags: review?(bienvenu) → review+

Comment 30

14 years ago
Comment on attachment 147068 [details] [diff] [review]
How about this instead? This makes sure we invalidate the listbox's box object when the listbox's body frame is destroyed.

sr=dbaron, although I'm not a big fan of calling a variable that iterates over
ancestors |parent|.  I prefer |f| or |a|. :-)  And the loop could also be a for
loop instead of a while loop...
Attachment #147068 - Flags: superreview?(dbaron) → superreview+
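
The fix as described in comment 28 (invalidate the listbox's box object when the body frame is destroyed) and the ancestor walk dbaron comments on above, as an added C++ model that is not the patch itself; attachment 147068 is not reproduced on this page, and `Element`, `ListBoxObject`, `Frame`, `ListBoxBodyFrame`, the `"listbox"`/`"listboxbody"` tags and the `fixed` switch are hypothetical stand-ins chosen so the unfixed and fixed behaviour can be run side by side. The box object caches a raw body-frame pointer the way attachment 146814 does, which is exactly the dangling pointer jst is worried about; the fixed Destroy() clears it before the frame memory is gone.

```cpp
#include <cstdio>
#include <string>
#include <vector>

struct Frame;
struct ListBoxObject;

// Hypothetical content node (stand-in for nsXULElement). The frame tree owns frames;
// the element only points at its primary frame.
struct Element {
    std::string tag;
    Element* parent = nullptr;
    std::vector<Element*> children;
    Frame* primaryFrame = nullptr;
    ListBoxObject* boxObject = nullptr;
    explicit Element(const std::string& t) : tag(t) {}
};

// Stand-in for nsListBoxObject. As in attachment 146814 it caches a raw, non-refcounted
// pointer to the body frame; InvalidatePresentationStuff() drops that cache.
struct ListBoxObject {
    Element* mElement;
    Frame* mListBoxBody = nullptr;
    explicit ListBoxObject(Element* e) : mElement(e) {}
    Frame* GetListBoxBody();
    void InvalidatePresentationStuff() { mListBoxBody = nullptr; }
};

struct Frame {
    Element* mContent;
    explicit Frame(Element* c) : mContent(c) { c->primaryFrame = this; }
    virtual ~Frame() {}
    virtual void Destroy() {
        mContent->primaryFrame = nullptr;
        delete this;
    }
};

// The body frame. With `fixed` set, Destroy() walks up the content ancestors to the
// <listbox> and invalidates its box object before the frame memory goes away (a for
// loop, and the ancestor variable is not called `parent`, per dbaron's sr comment).
struct ListBoxBodyFrame : Frame {
    bool mFixed;
    ListBoxBodyFrame(Element* c, bool fixed) : Frame(c), mFixed(fixed) {}
    void Destroy() override {
        if (mFixed) {
            for (Element* a = mContent; a; a = a->parent) {
                if (a->tag == "listbox") {
                    if (a->boxObject) a->boxObject->InvalidatePresentationStuff();
                    break;
                }
            }
        }
        Frame::Destroy();
    }
};

Frame* ListBoxObject::GetListBoxBody() {
    if (mListBoxBody) return mListBoxBody;   // cached; dangling if never invalidated
    for (Element* child : mElement->children) {
        if (child->tag == "listboxbody") {
            mListBoxBody = child->primaryFrame;   // null while the body has no frame
            break;
        }
    }
    return mListBoxBody;
}

// Builds <listbox><listboxbody/></listbox>, resolves the body once so it is cached,
// destroys the body frame, and reports whether the cache was cleared. Returns true for
// the fixed behaviour and false when the box object still returns the freed frame's
// address. Only pointer values are compared; the freed frame is never dereferenced.
bool body_pointer_cleared_after_destroy(bool fixed) {
    Element listbox("listbox");
    Element body("listboxbody");
    body.parent = &listbox;
    listbox.children.push_back(&body);
    ListBoxObject box(&listbox);
    listbox.boxObject = &box;

    Frame* frame = new ListBoxBodyFrame(&body, fixed);
    if (box.GetListBoxBody() != frame) return false;   // resolves and caches

    frame->Destroy();                                   // frame tree tears the body down
    return box.GetListBoxBody() == nullptr;
}

int main() {
    std::printf("without invalidation, cache cleared: %s\n",
                body_pointer_cleared_after_destroy(false) ? "yes" : "no (dangling)");
    std::printf("with invalidation, cache cleared:    %s\n",
                body_pointer_cleared_after_destroy(true) ? "yes" : "no (dangling)");
    return 0;
}
```

The unfixed run shows why comment 28 prefers this over the first patch: caching alone leaves the box object holding an address the frame tree has already freed, and any later GetListBoxBody() caller would dereference it.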
(Assignee)

Comment 31

14 years ago
David do you think this crash is in 1.7/0.6?

Comment 32

14 years ago
Fix checked in, let me know if someone wants me to land this on the 1.7 branch too.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED

Comment 33

14 years ago
I doubt it - it popped up right when the tree opened for 1.8, so some change
there probably triggered it (I suspect some de-COM-tamification work exposed
this problem). But we could scour talkback and see if any stack trace like that
shows up in 1.7 builds...

Updated

14 years ago
Attachment #146814 - Flags: review?(jst)
*** Bug 263771 has been marked as a duplicate of this bug. ***
Product: MailNews → Core
Product: Core → MailNews Core