Closed Bug 316114 Opened 19 years ago Closed 19 years ago

myspace and other site crash [@ nsXPConnect::ReleaseJSContext]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Version:
1.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: chofmann, Assigned: dbradley)

References

(
URL
)

Details

(Keywords: crash, fixed1.8, topcrash)

Crash Data

This #2 top crash for 1.5 RC1 might be related to the number# top crash reported in Bug 316025 here is stack info out of talkback nsXPConnect::ReleaseJSContext 3ee838a7 Product ID Firefox15 Build ID 2005110712 Trigger Time 2005-11-11 10:54:23.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module firefox.exe + (0000d8f7) URL visited http://browseusers.myspace.com/Browse/Browse.aspx?z=1&Mytoken=955FB0B2-C094-8404-522777CD4DAF9DFE1662130 User Comments Since Last Crash 3440 sec Total Uptime 3440 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1176 Stack Trace nsXPConnect::ReleaseJSContext [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1176] nsDocShell::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3505] nsFrameLoader::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 219] nsGenericHTMLFrameElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3578] nsHTMLBodyElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLBodyElement.cpp, line 425] nsDocument::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4907] DocumentViewerImpl::Close [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1285] nsDocShell::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3494] nsFrameLoader::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 219] nsSubDocumentFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 572] nsFrameList::DestroyFrames [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameList.cpp, line 138] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsPositionedInlineFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsInlineFrame.cpp, line 1079] DocumentViewerImpl::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1438] nsDocShell::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3495] nsXULWindow::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 511] nsWebShellWindow::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 850] nsWebShellWindow::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 408] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252] nsWindow::DispatchStandardEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1292] nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4292] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0xb4c0 (0x77d1b4c0) USER32.dll + 0xb50c (0x77d1b50c) ntdll.dll + 0xeae3 (0x7c91eae3) USER32.dll + 0xb3f9 (0x77d1b3f9) USER32.dll + 0xb393 (0x77d1b393) nsWindow::DefaultWindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1460] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0xc63f (0x77d1c63f) USER32.dll + 0xc665 (0x77d1c665) nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1441] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0xb4c0 (0x77d1b4c0) USER32.dll + 0xb50c (0x77d1b50c) ntdll.dll + 0xeae3 (0x7c91eae3) USER32.dll + 0xb3f9 (0x77d1b3f9) USER32.dll + 0xb393 (0x77d1b393) nsWindow::DefaultWindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1460] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0xc63f (0x77d1c63f) USER32.dll + 0xc665 (0x77d1c665) nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1441] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0x89cd (0x77d189cd) USER32.dll + 0x8a10 (0x77d18a10) nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159] nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 151] main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x16d4f (0x7c816d4f)
Flags: blocking1.8.1?
Hmm... The top frame looks like this on branch: 1172 for(XPCCallContext* cur = tls->GetCallContext(); 1173 cur; 1174 cur = cur->GetPrevCallContext()) 1175 { 1176 if(cur->GetJSContext() == aJSContext) 1177 { 1178 ccx = cur; 1179 // Keep looping to find the deepest matching call context. 1180 } 1181 } with talkback claming we crash in 1176... This code has been around for forever now (August 2001). The odd part is that nsDocShell::Destroy does not call nsXPConnect::ReleaseJSContext directly. That's called from the nsJSContext destructor, which _could_ be called from Destroy... Except docshell on branch looks like this: 3499 if (mObserveErrorPages) { 3500 nsCOMPtr<nsIPrefBranch2> prefs(do_QueryInterface(mPrefs)); 3501 if (prefs) { 3502 prefs->RemoveObserver("browser.xul.error_pages.enabled", this); 3503 mObserveErrorPages = PR_FALSE; 3504 } 3505 } 3506 3507 // Fire unload event before we blow anything away. 3508 bryner 1.687 (void) FirePageHideNotification(PR_TRUE); Nothing even close to 3505 to be crashing. We'd have to be in line 3540 (the block where we mess with mScriptGlobal) to affect this, I'd think. For the next stack frame, the frame loader calls nsDocShell::Destroy in line 216, not 219. But that's closer to how much talkback is usually off by....
Keywords: crash, topcrash
Summary: myspace and other site crash @[nsXPConnect::ReleaseJSContext 3ee838a7 → myspace and other site crash [@ nsXPConnect::ReleaseJSContext]
http://talkback-public.mozilla.org/reports/firefox/FF107/url-analysis-all.html shows that we have a good deal of trouble with myspace on 1.0.7 but not with a stack signature that shows nsXPConnect::ReleaseJSContext http://talkback-public.mozilla.org/reports/firefox/FF107/FF107-topcrashers.html show the nsXPConnect::ReleaseJSContext signature ranks at #60. 60 nsXPConnect::ReleaseJSContext 0.24% so it's possible that we have wiped out 59 of the top crash bugs in 1.0.7 and this signature has bubbled to the top, or we have raised the visibility of an old bug somewhere in the last year, or some combination of both.
http://talkback-public.mozilla.org/reports/firefox/FF15rc1/FF15rc1-topcrashers.html shows nsXPConnect::ReleaseJSContext ranking 34th in RC1 so it is up in ranking the early days RC2.
ranking was 152 nsXPConnect::ReleaseJSContext 0.08% in FF15b2 (Firefox15)
and about the same in beta1 and alpha2 -> FF15b1 (Firefox15) rank 150 nsXPConnect::ReleaseJSContext 0.06% -> FF11a2 (FirefoxTrunk) rank 206 nsXPConnect::ReleaseJSContext 0.05% with 1 crash in Alpha 2
people seem to be hitting it every few days on the trunk and it ranks 34th where incoming data rate is low. http://talkback-public.mozilla.org/reports/firefox/FFTrunk/FFTrunk-topcrashers.html from this it does look like the exposure to the crash is higher in RC2 than any previous release or the trunk; although its tough to tell when the incoming data rates and number of black boxes are low. Are there any patches that are on the branch that are not on the trunk that have been taken since RC1 and might be related?
areas to test to try and reproduce out of the talkback data http://www.espn.go.com http://www.foxsports.com http://www.pcwelt.de/ http://www.ec.kingston.com/ecom/configurator/modelsinfo.asp?SysID=21208&mfr=Dell&model=PowerEdge+SC1425&Sys=21208-Dell-PowerEdge+SC1425&distributor=0&submit1=Search http://google.com/ig Froze, did not give Not Responding notification, unable to change tabs or open new tabs http://www.Netscape.com http://www.seznam.cz http://twit.tv http://nyspace.com and http://youtube.com Uploading a video to myspace and updating profile. http://myspace.com - windows media caused it Switching pages on myspace and it stalled. Reloading a specific tab, then closing Firefox. http://www.myspace.com - checking myspace mailbox http://myspace.com i had just clicked a link to view someones pictures. http://www.myspace.com - I was just trying to close it anyway. I am not dure why it failed, but it was having prblems loading that page too. http://www.myspace.com/atiim http://www.myspace.com/evildustmite http://www.myspace.com/panicatthedisco Trying to open this page for a second time crashed the browser http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=9036085&Mytoken=1140CA3E-54D9-5463-397BBBF171912A739506431 http://browseusers.myspace.com/Browse/Browse.aspx?z=1&Mytoken=955FB0B2-C094-8404-522777CD4DAF9DFE1662130 http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=7604148&Mytoken=20050706150139 http://europe.nokia.com/nokia/0,,64474,00.html Just downloaded one INF file (http://europe.nokia.com/popupDisclaimer?productId=421&categoryId=55&disclaimerId=9&fileId=7487&languageId=1) and clicked to download another one http://www.nikeid.com I was closing a Yahoo Sports page that had been automatically pulled up by clicking on a link for Marvin Williams (forward on the Atlanta Hawks). I don't have the URL info, but the page had been up 100% and I was just closing it, with no "end now" prompts http://www.classmates.com Completing Personal Profile when program crashed. http://www.emp3finder.com Closed some tabs http://www.google.com.mx http://www.mikeslist.com/85.htm
grinding down through these tests it seems like http://www.myspace.com/evildustmite is the best way to reproduce. first time I loaded it it had problems getting all the content loaded and try to shut down the window after it had been spinning for awhile, then crashed. second time the page loaded fully, then hit back, then forward, then crashed. the blackboxes should be ready to dig out of talkback in a few hours. search for URL http://www.myspace.com/evildustmite
> grinding down through these tests it seems like > http://www.myspace.com/evildustmite is the best way to reproduce. I just tried this in a debug build (where layout deleted-frame-access crashes crash at access instead of corrupting memory), and crashed with the stack from bug 316025 twice in a row. So Chris, you might have been right in your initial guess... :)
Depends on: 316025
I hope so..;-) I try a couple of older builds I had lying around and can't seem to reproduce Beta 2 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20050924 (No IDN) Firefox/1.4 and seamonkey Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050310 The other thing I notice in testing these builds is the dramtic performance difference in loading the page. RC2 is much slower. I hope we also see perforance come back if the fix for Bug 316025 stops the crash.
> RC2 is much slower. Hmm. If that's still the case in tomorrow's builds, file a separate bug on it and cc me, please?
the orginal blackbox that got us looking at http://www.myspace.com/evildustmite is Incident ID: 11718193 Stack Signature nsXPConnect::ReleaseJSContext ee994bb2 Product ID Firefox15 Build ID 2005110712 Trigger Time 2005-11-11 07:50:04.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module firefox.exe + (0000d8f7) URL visited http://www.myspace.com/evildustmite User Comments Since Last Crash 136 sec Total Uptime 2459 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1176 Stack Trace nsXPConnect::ReleaseJSContext [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1176] nsDocShell::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3505] nsFrameLoader::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 219] nsGenericHTMLFrameElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 3578] nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1972] nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1972] nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1972] nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1972] nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1972] nsHTMLBodyElement::UnbindFromTree [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLBodyElement.cpp, line 425] nsDocument::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 4907] DocumentViewerImpl::Close [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1285] nsDocShell::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3494] nsFrameLoader::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 219] nsSubDocumentFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 572] nsFrameList::DestroyFrames [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameList.cpp, line 138] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsBoxFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120] nsPositionedInlineFrame::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsInlineFrame.cpp, line 1079] DocumentViewerImpl::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1438] nsDocShell::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3495] nsXULWindow::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 511] nsWebShellWindow::Destroy [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 850] nsWebShellWindow::HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 408] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
Tested http://www.myspace.com/evildustmite on chase's window respin with today's fixes Win32: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-11-11-17-mozilla1.8/ can't seem to crash it now and page loading perf looks good too. "You bet your sweet Aspercreme!" ;-)
marking fixed 1.8 to get on the testing radar for firefox 1.5.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Chris - do you know if this is fixed or not on 1.8
Flags: blocking1.8.1? → blocking1.8.1-
Crash Signature: [@ nsXPConnect::ReleaseJSContext]
You need to log in before you can comment on or make changes to this bug.