Closed Bug 304747 Opened 19 years ago Closed 19 years ago

Crash [@ nsQueryInterface::operator()]

Categories

(Core Graveyard :: History: Global, defect)

Product:
Core Graveyard
Component:
History: Global
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: mark, Assigned: MatsPalmgren_bugz)

References

(
URL
)

Details

(Keywords: crash, regression, verified1.8)

Crash Data

Attachments

(4 files, 2 obsolete files)

Stack backtrace
4.38 KB, text/plain
Details
Stack 1
10.74 KB, text/plain
Details
Stack 2
10.68 KB, text/plain
Details
Patch 3
1.35 KB, patch
roc
: review+
roc
: superreview+
cbeard
: approval1.8b4+
Details | Diff | Splinter Review
In Firefox, trunk/1.8 branch: at http://www.meriweather.com/777/over/elect.html , click on the BATTERY button in the image map. You expect a box to pop up in the document via JavaScript. Instead, Firefox crashes. The crash is in nsQueryInterface::operator(), called by nsContentUtils::GetLinkURI. A more complete backtrace will be attached. This bug is not present in the Mac 081008 build, and is present in the Mac 081108 build. I have not tested other platforms personally, but am told that it does not occur in a Win 0812 build. Regression window: http://bonsai.mozilla.org/cvsquery.cgi?date=explicit&mindate=2005-08-10+08%3A00&maxdate=2005-08-11+09%3A00 Most likely cause, bug 78510. This bug does not seem to appear if the page is already in history (or cache?), bolstering the suspicion of bug 78510. Because of this, the bug is most easily reproduced with a clean profile. Using a clean profile, it is consistently reproducible. Talkback IDs TB8392222Z, TB8392333M. They occurred on different sites, but have identical stack signatures.
Attached file Stack backtrace
Severity: normal → critical
Also TB8333287, TB8386098. Adjusting hardware/OS.
Flags: blocking1.8b4?
OS: MacOS X → All
Hardware: Macintosh → All
It doesn't crash in a Win 0811 build or Win 0813 build. Bug 304639 History/frameset related (?) crash has same (10/11) timeframe for regression
Roc, can you take a look at this? Seems to be yours.
Assignee: nobody → roc
Flags: blocking1.8b4? → blocking1.8b4+
It's a re-entrancy problem on nsDocument::mLinkMap...
Attached file Stack 1
First problem: mLinkMap is reallocated while enumerating in nsUint32ToContentHashEntry::VisitContent
Attached file Stack 2
Second problem: the HashSet is relallocted while enumerating
Attached patch Like so? (obsolete) — Splinter Review
What happens is that when enumerating the table to mark links visited, we set the link state to unknown and then tell the style system about it. The style system rechecks the link state, which causes us to add the link to the table as a new style-relevant link. This shouldn't be reallocating the table, however, since the link is already in the table.
That's OK, except you forgot to add to the list
I think your patch is the way to go, but I'd like to understand *why* the reallocation is happening.
Attached patch fix (obsolete) — Splinter Review
Oops, that got lost when I cleaned out the tracing stuff...
Attachment #192892 - Flags: superreview?(roc)
Attachment #192892 - Flags: review?(roc)
(In reply to comment #12) > I think your patch is the way to go, but I'd like to understand *why* the > reallocation is happening. Look in stack 2, since we add stuff through AddStyleRelevantLink (which calls PutContent) while having the enumeration on the stack (frame #15) we will eventually crash when the "backing store" for those structures are reallocted to some other place in memory.
(This bug seems unrelated to bug 304639 / bug 303606 BTW)
Attachment #192891 - Attachment is obsolete: true
Yeah, but since the link element being added is already in the map, adding it again shouldn't be doing anything.
Okay, pldhash can indeed reallocate the table when adding an element that already exists. "blargh". http://lxr.mozilla.org/mozilla/source/xpcom/glue/pldhash.c#506
Comment on attachment 192892 [details] [diff] [review] fix For safety's sake, I think this should be an array of strong references (nsISupportsArray). We don't want one of the content elements to go away somehow if a ContentStatesChanged callback removes elements from the document and map.
Attachment #192892 - Flags: superreview?(roc)
Attachment #192892 - Flags: superreview-
Attachment #192892 - Flags: review?(roc)
Attachment #192892 - Flags: review-
Attached patch Patch 3Splinter Review
I used nsCOMArray<nsIContent> hope that's ok. Regarding removed content - do you think we need to check "IsInDoc()" before calling ContentStatesChanged() also?
Attachment #192892 - Attachment is obsolete: true
Attachment #192899 - Flags: superreview?(roc)
Attachment #192899 - Flags: review?(roc)
Comment on attachment 192899 [details] [diff] [review] Patch 3 if we need to bulletproof for IsInDoc then the right place to do that is inside ContentStateChanged. this will fix a branch crasher.
Attachment #192899 - Flags: superreview?(roc)
Attachment #192899 - Flags: superreview+
Attachment #192899 - Flags: review?(roc)
Attachment #192899 - Flags: review+
Attachment #192899 - Flags: approval1.8b4?
Assignee: roc → mats.palmgren
Attachment #192899 - Flags: approval1.8b4? → approval1.8b4+
Checked in to trunk and 1.8 branch at 2005-08-18 02:54 PDT -> FIXED
Blocks: 78510
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Keywords: fixed1.8verified1.8
Crash Signature: [@ nsQueryInterface::operator()]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: