308577 - Crash [@ js_GetSlotThreadSafe] because nsXBLPrototypeHandler::ExecuteHandler did not root handler

Status: RESOLVED FIXED

(Core :: XBL, defect, P2)

Description

[timeless]

00 0x100
01 js3250!js_GetSlotThreadSafe(struct JSContext * cx = 0x0c611ff0, struct 
JSObject * obj = 0x0d4561d0, unsigned long slot = 3)+0x34 (FPO: [Non-Fpo]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jslock.c @ 554]
02 js3250!JS_GetPrivate(struct JSContext * cx = 0x00e5435f, struct JSObject * 
obj = 0x13224448)+0x69 (FPO: [2,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\jsapi.c @ 2160]
03 js3250!js_CloneFunctionObject(struct JSContext * cx = 0x00e5435f, struct 
JSObject * funobj = 0x13224448, struct JSObject * parent = 0x00000000)+0x2c 
(FPO: [3,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsfun.c @ 2000]
04 js3250!JS_CloneFunctionObject(struct JSContext * cx = 0x00e5435f, struct 
JSObject * funobj = 0x13224448, struct JSObject * parent = 0x00000000)+0x57 
(FPO: [3,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsapi.c @ 3254]
05 gklayout!nsJSContext::BindCompiledEventHandler(void * aTarget = 0x13224448, 
class nsIAtom * aName = 0x00000000, void * aHandler = 0x0d4561d0)+0x87 (FPO: 
[Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\dom\src\base\nsjsenvironment.cpp @ 1476]
06 gklayout!nsXBLPrototypeHandler::ExecuteHandler(class nsIDOMEventReceiver * 
aReceiver = 0x1497b390, class nsIDOMEvent * aEvent = 0x07466500)+0x787 (FPO: 
[Uses EBP] [2,240,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xbl\src\nsxblprototypehandler.cpp @ 495]
07 gklayout!nsXBLKeyEventHandler::HandleEvent(class nsIDOMEvent * aEvent = 
0x1497b390)+0xd2 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\content\xbl\src\nsxbleventhandler.cpp @ 151]
08 gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct 
* aListenerStruct = 0x13809cf8, class nsIDOMEvent * aDOMEvent = 0x07466500, 
class nsIDOMEventTarget * aCurrentTarget = 0x1497b390, unsigned int aSubType = 
0x7466508, unsigned int aPhaseFlags = 7)+0x14e (FPO: [Uses EBP] [5,54,0]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\content\events\src\nseventlistenermanager.cpp @ 1685]
09 gklayout!nsEventListenerManager::HandleEvent(class nsPresContext * 
aPresContext = 0x00000000, class nsEvent * aEvent = 0x0012cba8, class 
nsIDOMEvent ** aDOMEvent = 0x0012c964, class nsIDOMEventTarget * aCurrentTarget 
= 0x1497b390, unsigned int aFlags = 7, nsEventStatus * aEventStatus = 
0x0012caf8)+0x241 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\content\events\src\nseventlistenermanager.cpp @ 1786]
0a gklayout!nsXULElement::HandleDOMEvent(class nsPresContext * aPresContext = 
0x0c5ba7a0, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012c964, unsigned int aFlags = 7, nsEventStatus * aEventStatus = 
0x0012caf8)+0x5b2 (FPO: [Uses EBP] [5,127,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2201]
0b gklayout!PresShell::HandleEventInternal(class nsEvent * aEvent = 0x00000000, 
class nsIView * aView = 0x0b929510, unsigned int aFlags = 1, nsEventStatus * 
aStatus = 0x0012caf8)+0x1dc (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\layout\base\nspresshell.cpp @ 6379]
0c gklayout!PresShell::HandleEvent(class nsIView * aView = 0x0b929510, class 
nsGUIEvent * aEvent = 0x0012cba8, nsEventStatus * aEventStatus = 0x0012caf8, 
int aForceHandle = 1, int * aHandled = 0x0012caf4)+0x210 (FPO: [Non-Fpo]) 
(CONV: stdcall) [c:\build\chs3\build\mozilla\layout\base\nspresshell.cpp @ 6215]
0d gklayout!nsViewManager::HandleEvent(class nsView * aView = 0x00000001, class 
nsGUIEvent * aEvent = 0x00000000, int aCaptured = 0)+0x2bc (FPO: [Non-Fpo]) 
(CONV: thiscall) [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 2514]
0e gklayout!nsViewManager::DispatchEvent(class nsGUIEvent * aEvent = 
0x3d888889, nsEventStatus * aStatus = 0x0012cb6c)+0x63a (FPO: [Non-Fpo]) (CONV: 
stdcall) [c:\build\chs3\build\mozilla\view\src\nsviewmanager.cpp @ 2246]
0f gklayout!HandleEvent(class nsGUIEvent * aEvent = 0x0012cba8)+0x27 (FPO: [Non-
Fpo]) (CONV: cdecl) [c:\build\chs3\build\mozilla\view\src\nsview.cpp @ 174]
10 gkwidget!nsWindow::DispatchEvent(class nsGUIEvent * event = 0x00000000, 
nsEventStatus * aStatus = 0x07d8e910)+0x35 (FPO: [3,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 1253]
11 gkwidget!nsWindow::DispatchWindowEvent(class nsGUIEvent * event = 0x00000000)
+0x16 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\widget\src\windows\nswindow.cpp @ 1274]
12 gkwidget!nsWindow::DispatchKeyEvent(unsigned int aEventType = 0x83, unsigned 
short aCharCode = 0, unsigned int aVirtualCharCode = 0x26, long aKeyData = 
0x1480001, unsigned int aFlags = 0)+0xa4 (FPO: [Non-Fpo]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 3449]
13 gkwidget!nsWindow::OnKeyDown(unsigned int aVirtualKeyCode = 0x26, unsigned 
int aScanCode = 0x148, long aKeyData = 0x1480001)+0x30e (FPO: [Non-Fpo]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\widget\src\windows\nswindow.cpp @ 3587]
14 gkwidget!nsWindow::ProcessMessage(unsigned int msg = 0x100, unsigned int 
wParam = 0x26, long lParam = 0x1480001, long * aRetValue = 0x0012cf30)+0xa5b 
(FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\widget\src\windows\nswindow.cpp @ 4490]
15 gkwidget!nsWindow::WindowProc(struct HWND__ * hWnd = 0x001012a0, unsigned 
int msg = 0x100, unsigned int wParam = 0x26, long lParam = 0x7d8e914)+0x9c 
(FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\widget\src\windows\nswindow.cpp @ 1435]
16 USER32!InternalCallWinProc+0x28
17 USER32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
18 USER32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
19 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
1a gkwidget!nsAppShell::DispatchNativeEvent(int aRealEvent = 1, void * aEvent = 
0x00000000)+0xa (FPO: [3,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\widget\src\windows\nsappshell.cpp @ 221]
1b jsd3250!jsdService::EnterNestedEventLoop(class jsdINestCallback * callback = 
0x00000000, unsigned int * _rval = 0x0012d0ec)+0x127 (FPO: [Non-Fpo]) (CONV: 
stdcall) [c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 2966]
1c xpcom_core!XPTC_InvokeByIndex(class nsISupports * that = 0x01b815e0, 
unsigned int methodIndex = 0x31, unsigned int paramCount = 2, struct 
nsXPTCVariant * params = 0x0012d0dc)+0x27 (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]
1d xpc3250!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 
0x0012d280, XPCWrappedNative::CallMode mode = CALL_METHOD (0))+0x6c4 (FPO: [Non-
Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2139]
1e xpc3250!XPC_WN_CallMethod(struct JSContext * cx = 0x01cf31e8, struct 
JSObject * obj = 0x0cd3a040, unsigned int argc = 1, long * argv = 0x0b4ae10c, 
long * vp = 0x0012d340)+0x8e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1402]
1f js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, 
unsigned int flags = 0)+0x539 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1163]
20 js3250!js_Interpret(struct JSContext * cx = 0x01cf31e8, unsigned char * pc = 
0x0c71f78f ":", long * result = 0x0012d5c0)+0x4ff7 (FPO: [Uses EBP] [3,83,0]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3460]
21 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, 
unsigned int flags = 2)+0x57a (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1183]
22 xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 
0x03d42008, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 
0x01abcff0, struct nsXPTCMiniVariant * nativeParams = 0x0012d768)+0x6b1 (FPO: 
[Uses EBP] [5,82,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1340]
23 xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0x2008, 
class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 
0x0012d824)+0x27 (FPO: [4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 515]
24 xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x0cd42008, 
unsigned int methodIndex = 3, unsigned int * args = 0x0012d824, unsigned int * 
stackBytesToPop = 0x0012d814)+0xee (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 
117]
25 xpcom_core!SharedStub(void)+0x16 (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 147]
26 jsd3250!jsds_ExecutionHookProc(struct JSDContext * jsdc = 0x01ba9e48, struct 
JSDThreadState * jsdthreadstate = 0x14154fd0, unsigned int type = 1, void * 
callerdata = 0x00000001, long * rval = 0x0012da40)+0x182 (FPO: [Non-Fpo]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\jsd\jsd_xpc.cpp @ 682]
27 jsd3250!jsd_CallExecutionHook(struct JSDContext * jsdc = 0x01ba9e48, struct 
JSContext * cx = 0x01cf31e8, unsigned int type = 1, <function> * hook = 
0x010b7eb1, void * hookData = 0x00000001, long * rval = 0x0012da40)+0x56 (FPO: 
[Non-Fpo]) (CONV: cdecl) [c:\build\chs3\build\mozilla\js\jsd\jsd_hook.c @ 178]
28 jsd3250!jsd_TrapHandler(struct JSContext * cx = 0x01cf31e8, struct JSScript 
* script = 0x0caa9f38, unsigned char * pc = 0x0caa9f69 "S", long * rval = 
0x0012da40, void * closure = 0x13fa4b41)+0x6c (FPO: [Non-Fpo]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\jsd\jsd_scpt.c @ 735]
29 js3250!JS_HandleTrap(struct JSContext * cx = 0x01cf31e8, struct JSScript * 
script = 0x0caa9f38, unsigned char * pc = 0x0caa9f69 "S", long * rval = 
0x0012da40)+0x31 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\jsdbgapi.c @ 212]
2a js3250!js_Interpret(struct JSContext * cx = 0x01cf31e8, unsigned char * pc = 
0x0caa9f69 "S", long * result = 0x0012daec)+0x1e6 (FPO: [Uses EBP] [3,83,0]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 4051]
2b js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, 
unsigned int flags = 0)+0x57a (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1183]
2c js3250!js_Interpret(struct JSContext * cx = 0x01cf31e8, unsigned char * pc = 
0x1404fd44 ":", long * result = 0x0012dd04)+0x4ff7 (FPO: [Uses EBP] [3,83,0]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3460]
2d js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 2, 
unsigned int flags = 0)+0x57a (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1183]
2e js3250!js_Interpret(struct JSContext * cx = 0x01cf31e8, unsigned char * pc = 
0x029f24c6 ":", long * result = 0x0012df1c)+0x4ff7 (FPO: [Uses EBP] [3,83,0]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3460]
2f js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 2, 
unsigned int flags = 0)+0x57a (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1183]
30 js3250!js_Interpret(struct JSContext * cx = 0x01cf31e8, unsigned char * pc = 
0x01b245dd ":", long * result = 0x0012e134)+0x4ff7 (FPO: [Uses EBP] [3,83,0]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3460]
31 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, 
unsigned int flags = 2)+0x57a (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1183]
32 xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 
0x03592fa8, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 
0x019c7150, struct nsXPTCMiniVariant * nativeParams = 0x0012e2dc)+0x6b1 (FPO: 
[Uses EBP] [5,82,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1340]
33 xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0x2fa8, 
class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 
0x0012e398)+0x27 (FPO: [4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 515]
34 xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x0c592fa8, 
unsigned int methodIndex = 3, unsigned int * args = 0x0012e398, unsigned int * 
stackBytesToPop = 0x0012e388)+0xee (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 
117]
35 xpcom_core!SharedStub(void)+0x16 (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 147]
36 xpcom_core!XPTC_InvokeByIndex(class nsISupports * that = 0x0c592fa8, 
unsigned int methodIndex = 3, unsigned int paramCount = 3, struct nsXPTCVariant 
* params = 0x0012e3d4)+0x27 (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 102]
37 xpc3250!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 
0x0012e578, XPCWrappedNative::CallMode mode = CALL_METHOD (0))+0x6c4 (FPO: [Non-
Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2139]
38 xpc3250!XPC_WN_CallMethod(struct JSContext * cx = 0x01cf31e8, struct 
JSObject * obj = 0x028a90f0, unsigned int argc = 3, long * argv = 0x02853a28, 
long * vp = 0x0012e638)+0x8e (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1402]
39 js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 3, 
unsigned int flags = 0)+0x539 (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1163]
3a js3250!js_Interpret(struct JSContext * cx = 0x01cf31e8, unsigned char * pc = 
0x00a2ddb2 ":", long * result = 0x0012e8b8)+0x4ff7 (FPO: [Uses EBP] [3,83,0]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 3460]
3b js3250!js_Invoke(struct JSContext * cx = 0x00000001, unsigned int argc = 1, 
unsigned int flags = 2)+0x57a (FPO: [Uses EBP] [3,35,0]) (CONV: cdecl) 
[c:\build\chs3\build\mozilla\js\src\jsinterp.c @ 1183]
3c xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 
0x0107c918, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 
0x01bff3a0, struct nsXPTCMiniVariant * nativeParams = 0x0012ea60)+0x6b1 (FPO: 
[Uses EBP] [5,82,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1340]
3d xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 0xc918, 
class nsXPTMethodInfo * info = 0x00000003, struct nsXPTCMiniVariant * params = 
0x0012eb1c)+0x27 (FPO: [4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 515]
3e xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x0707c918, 
unsigned int methodIndex = 3, unsigned int * args = 0x0012eb1c, unsigned int * 
stackBytesToPop = 0x0012eb0c)+0xee (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 
117]
3f xpcom_core!SharedStub(void)+0x16 (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 147]
40 gklayout!nsEventListenerManager::HandleEventSubType(struct nsListenerStruct 
* aListenerStruct = 0x06e95538, class nsIDOMEvent * aDOMEvent = 0x0c504628, 
class nsIDOMEventTarget * aCurrentTarget = 0x01cf2fcc, unsigned int aSubType = 
0xc504630, unsigned int aPhaseFlags = 4)+0x14e (FPO: [Uses EBP] [5,54,0]) 
(CONV: thiscall) [c:\build\chs3
\build\mozilla\content\events\src\nseventlistenermanager.cpp @ 1685]
41 gklayout!nsEventListenerManager::HandleEvent(class nsPresContext * 
aPresContext = 0x00000000, class nsEvent * aEvent = 0x0012f87c, class 
nsIDOMEvent ** aDOMEvent = 0x0012f83c, class nsIDOMEventTarget * aCurrentTarget 
= 0x01cf2fcc, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x241 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\content\events\src\nseventlistenermanager.cpp @ 1786]
42 gklayout!nsGlobalWindow::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x0012f87c, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x24d (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\dom\src\base\nsglobalwindow.cpp @ 1525]
43 gklayout!nsXULDocument::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x6f (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\document\src\nsxuldocument.cpp @ 1238]
44 gklayout!nsXULElement::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x54a (FPO: [Uses EBP] [5,127,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2183]
45 gklayout!nsXULElement::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x523 (FPO: [Uses EBP] [5,127,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2180]
46 gklayout!nsXULElement::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x523 (FPO: [Uses EBP] [5,127,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2180]
47 gklayout!nsXULElement::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x523 (FPO: [Uses EBP] [5,127,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2180]
48 gklayout!nsXULElement::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x00000000, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x523 (FPO: [Uses EBP] [5,127,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2180]
49 gklayout!nsXULElement::HandleChromeEvent(class nsPresContext * aPresContext 
= 0x13536228, class nsEvent * aEvent = 0x0012f87c, class nsIDOMEvent ** 
aDOMEvent = 0x0012f83c, unsigned int aFlags = 4, nsEventStatus * aEventStatus = 
0x0012f910)+0x30 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\content\xul\content\src\nsxulelement.cpp @ 2881]
4a gklayout!nsGlobalWindow::HandleDOMEvent(class nsPresContext * aPresContext = 
0x13536228, class nsEvent * aEvent = 0x0012f87c, class nsIDOMEvent ** aDOMEvent 
= 0x0012f83c, unsigned int aFlags = 7, nsEventStatus * aEventStatus = 
0x0012f910)+0x1e2 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\dom\src\base\nsglobalwindow.cpp @ 1512]
4b gklayout!DocumentViewerImpl::LoadComplete(unsigned int aStatus = 0)+0xa8 
(FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\layout\base\nsdocumentviewer.cpp @ 1012]
4c docshell!nsDocShell::EndPageLoad(class nsIWebProgress * aProgress = 
0x05e70224, class nsIChannel * aChannel = 0x07c7be6c, unsigned int aStatus = 0)
+0x47 (FPO: [Non-Fpo]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\docshell\base\nsdocshell.cpp @ 4661]
4d docshell!nsWebShell::EndPageLoad(class nsIWebProgress * aProgress = 
0x05e70224, class nsIChannel * channel = 0x07c7be6c, unsigned int aStatus = 0)
+0x8d (FPO: [Uses EBP] [3,149,0]) (CONV: thiscall) [c:\build\chs3
\build\mozilla\docshell\base\nswebshell.cpp @ 667]
4e docshell!nsDocShell::OnStateChange(class nsIWebProgress * aProgress = 
0x05e70224, class nsIRequest * aRequest = 0x07c7be6c, unsigned int aStateFlags 
= 0x5e70224, unsigned int aStatus = 0)+0x1df (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\docshell\base\nsdocshell.cpp @ 4580]
4f docshell!nsDocLoader::FireOnStateChange(class nsIWebProgress * aProgress = 
0x05e70224, class nsIRequest * aRequest = 0x07c7be6c, int aStateFlags = 
0x20010, unsigned int aStatus = 0)+0xf5 (FPO: [Non-Fpo]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\uriloader\base\nsdocloader.cpp @ 1220]
50 docshell!nsDocLoader::doStopDocumentLoad(class nsIRequest * request = 
0x00c3463f, unsigned int aStatus = 0)+0x22 (FPO: [2,0,0]) (CONV: thiscall) 
[c:\build\chs3\build\mozilla\uriloader\base\nsdocloader.cpp @ 851]
51 docshell!nsDocLoader::DocLoaderIsEmpty(void)+0x6c (FPO: [Non-Fpo]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\uriloader\base\nsdocloader.cpp @ 743]
52 docshell!nsDocLoader::OnStopRequest(class nsIRequest * aRequest = 
0x13fc6aa8, class nsISupports * aCtxt = 0x00000000, unsigned int aStatus = 0)
+0x18b (FPO: [Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\uriloader\base\nsdocloader.cpp @ 667]
53 necko!nsLoadGroup::RemoveRequest(class nsIRequest * request = 0x05e70214, 
class nsISupports * ctxt = 0x00000000, unsigned int aStatus = 0)+0xb6 (FPO: 
[Non-Fpo]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\netwerk\base\src\nsloadgroup.cpp @ 732]
54 gklayout!nsDocument::UnblockOnload(void)+0x3d (FPO: [Non-Fpo]) (CONV: 
thiscall) [c:\build\chs3\build\mozilla\content\base\src\nsdocument.cpp @ 5118]
55 gklayout!DestroyImagePLEvent(struct PLEvent * aEvent = 0x778b0c24)+0x10 
(FPO: [1,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\content\base\src\nsimageloadingcontent.cpp @ 670]
56 xpcom_core!PL_DestroyEvent(struct PLEvent * self = 0x778b0c24)+0x2b (FPO: 
[1,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\xpcom\threads\plevent.c @ 
727]
57 xpcom_core!PL_HandleEvent(struct PLEvent * self = 0x778b0c24)+0x47 (FPO: 
[1,0,0]) (CONV: cdecl) [c:\build\chs3\build\mozilla\xpcom\threads\plevent.c @ 
699]
58 xpcom_core!PL_ProcessPendingEvents(struct PLEventQueue * self = 0x778b0c24)
+0x61 (FPO: [Uses EBP] [1,0,0]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpcom\threads\plevent.c @ 623]
59 xpcom_core!_md_TimerProc(struct HWND__ * hwnd = 0x77d49857, unsigned int 
uMsg = 0x1002bd8c, unsigned int idEvent = 0xbaa03b0, unsigned long dwTime = 
0x113)+0x2d (FPO: [4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\xpcom\threads\plevent.c @ 1013]
5a USER32!InternalCallWinProc+0x28
5b USER32!UserCallWinProc+0xf3 (FPO: [Non-Fpo])
5c USER32!DispatchMessageWorker+0x10e (FPO: [Non-Fpo])
5d USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
5e gkwidget!nsAppShell::Run(void)+0x10c (FPO: [Non-Fpo]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\widget\src\windows\nsappshell.cpp @ 159]
5f appcomps!nsAppStartup::Run(void)+0xd (FPO: [1,0,0]) (CONV: stdcall) 
[c:\build\chs3\build\mozilla\xpfe\components\startup\src\nsappstartup.cpp @ 208]
60 HsEngine!main1(int argc = 3, char ** argv = 0x002a4728, class nsISupports * 
nativeApp = 0x00000020)+0x355 (FPO: [Non-Fpo]) (CONV: cdecl) [c:\build\chs3
\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1264]
61 HsEngine!main(int argc = 3, char ** argv = 0x002a4728)+0xc5 (FPO: [Non-Fpo]) 
(CONV: cdecl) [c:\build\chs3\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 
1765]
62 HsEngine!WinMain(struct HINSTANCE__ * __formal = 0x7c816d4f, struct 
HINSTANCE__ * __formal = 0x80000001, char * args = 
0x0853ee34 "mponents/hsRecord.js", int __formal = 0x7ffd4000)+0x18 (FPO: 
[4,0,0]) (CONV: stdcall) [c:\build\chs3
\build\mozilla\xpfe\bootstrap\nsapprunner.cpp @ 1789]
63 HsEngine!WinMainCRTStartup(void)+0x185 (FPO: [Non-Fpo]) (CONV: cdecl) 
[f:\vs70builds\3077\vc\crtbld\crt\src\crtexe.c @ 390]
64 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

Comment 1

[timeless]

oops, this is 1.8 branch. i don't see anything protecting handler, and i 
believe it's the thing that was killed.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Attachment: Proposed patch

Most of this patch is just me consolidating the two sets of named root helpers
we had into a single set in nsContentUtils (and fixing up the Add code to
really deal with errors; please check over that carefully!).  The part that
fixes this bug is just the single nsAutoGCRoot in nsXBLPrototypeHandler.

Comment 3

[Brendan Eich [:brendan]]

Comment on attachment 196349 [details] [diff] [review]
Proposed patch

Seems ok to me, just wish we could make nsXULPrototypeScript's ctor fail when
the add-root fails, to avoid the rv out param and extra code in caller.

/be

Comment 4

[Boris Zbarsky [:bzbarsky]]

Yeah, I wish that too.  Just don't know of a way to do it...

Comment 5

[Johnny Stenback (:jst)]

Comment on attachment 196349 [details] [diff] [review]
Proposed patch

+PRInt32 nsContentUtils::sScriptRuntimeRefcnt = 0;

Maybe name that sScriptRootCount or something, it's got nothing to do with the
reference count to or in the script runtime...

- In nsContentUtils::AddJSGCRoot(void* aPtr, const char* aName):

+  if (!sScriptRuntime) {
...
+    if (! sScriptRuntime) {

Remove the space after '!'.

...
+  if (! ok) {

Same here.

r=jst

Comment 6

[Boris Zbarsky [:bzbarsky]]

Attachment: Updated to comments

Comment 7

[Boris Zbarsky [:bzbarsky]]

Attachment: 1.8 branch patch

Requesting approval.  This is pretty safe (just moving code around, mostly) and
should fix some more of these fun GC crashes.

Comment 8

[Boris Zbarsky [:bzbarsky]]

Fixed on trunk

Comment 9

[Brendan Eich [:brendan]]

This bug's patch is safe, and clearly a win for correctness.  It's not the total
solution, but it will help clarify the bugscape in 1.8, and spare users some
real crash hazards.

/be

Comment 10

[Boris Zbarsky [:bzbarsky]]

Fixed on 1.8 branch.

Comment 11

[Darin Fisher]

FYI.  I believe I may have experienced this crash with the 2005092607 1.8 branch
build on Windows.  See talkback ID 9789458.

Based on comment #10, I'm assuming my build was just too old.