Closed Bug 319293 Opened 15 years ago Closed 15 years ago

Crash [@ nsDOMClassInfo::MarkReachablePreservedWrappers]

Categories

(Core :: DOM: Core & HTML, defect, P1)

x86
Linux
defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: aguertin+bugzilla, Assigned: dbaron)

References

Details

(4 keywords, Whiteboard: [patch])

Crash Data

Attachments

(2 files)

I'm crashing on trunk trying to look at an svg file in DOM Inspector. FF1.5 works fine.

Talkbacks 12659844, TB12659807, TB12659594, TB12659568, TB12659561

Testcase (not minimized, but it's small anyway) coming up.
Attached image testcase
To crash:
Open DOM Inspector
Select the #document node
In the right pane, change view to Javascript Object
Expand Subject (or just wait?)
Assignee: general → dbaron
Severity: normal → critical
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 ID:2005120605

Only trunk, don't see this in branch builds.
That's because bug 241518 hasn't landed on branch.

For what it's worth, this looks like bug 319333 which has a description of the code-level problem.  This bug has better steps to reproduce, though.
Blocks: 241518
Depends on: 319333
*** Bug 319333 has been marked as a duplicate of this bug. ***
No longer depends on: 319333
#6  0xb6b1b9d9 in nsDOMClassInfo::MarkReachablePreservedWrappers
(aParticipant=0x0, cx=0x8b62718, arg=0x0) at
/moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:5067
#7  0xb6b1c6d0 in nsEventReceiverSH::Mark (this=0x8c799d8, wrapper=0x8c79b40,
cx=0x8b62718, obj=0x8b6ea08, arg=0x0, _retval=0xbfa14a8c) at
/moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:6691
#8  0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029
#9  0xb7e714d9 in js_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/jsobj.c:4229
...


(gdb) frame 8
#8  0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029
1029            wrapper->GetScriptableCallback()->Mark(wrapper, cx, obj, arg,
&ignored);
(gdb) p *wrapper
$1 = {<nsIXPConnectWrappedNative> = {<nsIXPConnectJSObjectHolder> =
{<nsISupports> = {_vptr.nsISupports = 0xb6ff14e8}, <No data fields>}, mIdentity
= 0x88f9470}, mRefCnt = {mValue = 1}, _mOwningThread = {mThread = 0x804a548},
{mMaybeScope = 0x8c79a50, mMaybeProto = 0x8c79a50}, mSet = 0x8c79a08,
mFlatJSObject = 0x8b6ea08, mScriptableInfo = 0x8c53450, mFirstChunk =
{mTearOffs = {{mInterface = 0x864e000, mNative = 0x88f948c, mJSObject = 0x0}},
mNextChunk = 0x8c81158}, mNativeWrapper = 0x0, mThread = 0x804a548, static
gMainThread = 0x804a548}
(gdb) p wrapper->mIdentity
$2 = (nsISupports *) 0x88f9470
(gdb) x *(void**) wrapper->mIdentity
0xb6d918a8 <_ZTV17nsDOMDocumentType+8>: 0xb68b6f46

bz noted that nsDOMDocumentType doesn't forward QI to nsGenericDOMDataNode,
that it doesn't implement nsIDOMEventReceiver either, and that
nsDOMDocumentType uses nsNodeSH, too.
*** Bug 320157 has been marked as a duplicate of this bug. ***
Attached patch patchSplinter Review
Still need to look into why the testcase leaks, though...
Attachment #205793 - Flags: superreview?
Attachment #205793 - Flags: review?(mrbkap)
Attachment #205793 - Flags: superreview? → superreview?(jst)
Comment on attachment 205793 [details] [diff] [review]
patch

I probably should have caught this before :-(.
Attachment #205793 - Flags: review?(mrbkap) → review+
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 205793 [details] [diff] [review]
patch

sr=jst
Attachment #205793 - Flags: superreview?(jst) → superreview+
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
(In reply to comment #7)
> Still need to look into why the testcase leaks, though...

See bug 320211.
*** Bug 320317 has been marked as a duplicate of this bug. ***
Fixed on MOZILLA_1_8_BRANCH by checkin of bug 336791.
Keywords: fixed1.8.1
verified fixed 1.8 20061010 1.9 20061011 windows/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsDOMClassInfo::MarkReachablePreservedWrappers]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.