Closed Bug 319293 Opened 19 years ago Closed 19 years ago

Crash [@ nsDOMClassInfo::MarkReachablePreservedWrappers]

Categories

(Core :: DOM: Core & HTML, defect, P1)

x86
Linux
defect

Tracking

()

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: aguertin+bugzilla, Assigned: dbaron)

References

Details

(4 keywords, Whiteboard: [patch])

Crash Data

Attachments

(2 files)

I'm crashing on trunk trying to look at an svg file in DOM Inspector. FF1.5 works fine. Talkbacks 12659844, TB12659807, TB12659594, TB12659568, TB12659561 Testcase (not minimized, but it's small anyway) coming up.
Attached image testcase
To crash: Open DOM Inspector Select the #document node In the right pane, change view to Javascript Object Expand Subject (or just wait?)
Assignee: general → dbaron
Severity: normal → critical
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 ID:2005120605 Only trunk, don't see this in branch builds.
That's because bug 241518 hasn't landed on branch. For what it's worth, this looks like bug 319333 which has a description of the code-level problem. This bug has better steps to reproduce, though.
Blocks: 241518
Depends on: 319333
*** Bug 319333 has been marked as a duplicate of this bug. ***
No longer depends on: 319333
#6 0xb6b1b9d9 in nsDOMClassInfo::MarkReachablePreservedWrappers (aParticipant=0x0, cx=0x8b62718, arg=0x0) at /moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:5067 #7 0xb6b1c6d0 in nsEventReceiverSH::Mark (this=0x8c799d8, wrapper=0x8c79b40, cx=0x8b62718, obj=0x8b6ea08, arg=0x0, _retval=0xbfa14a8c) at /moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:6691 #8 0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at /moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029 #9 0xb7e714d9 in js_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at /moz/mozilla/js/src/jsobj.c:4229 ... (gdb) frame 8 #8 0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at /moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029 1029 wrapper->GetScriptableCallback()->Mark(wrapper, cx, obj, arg, &ignored); (gdb) p *wrapper $1 = {<nsIXPConnectWrappedNative> = {<nsIXPConnectJSObjectHolder> = {<nsISupports> = {_vptr.nsISupports = 0xb6ff14e8}, <No data fields>}, mIdentity = 0x88f9470}, mRefCnt = {mValue = 1}, _mOwningThread = {mThread = 0x804a548}, {mMaybeScope = 0x8c79a50, mMaybeProto = 0x8c79a50}, mSet = 0x8c79a08, mFlatJSObject = 0x8b6ea08, mScriptableInfo = 0x8c53450, mFirstChunk = {mTearOffs = {{mInterface = 0x864e000, mNative = 0x88f948c, mJSObject = 0x0}}, mNextChunk = 0x8c81158}, mNativeWrapper = 0x0, mThread = 0x804a548, static gMainThread = 0x804a548} (gdb) p wrapper->mIdentity $2 = (nsISupports *) 0x88f9470 (gdb) x *(void**) wrapper->mIdentity 0xb6d918a8 <_ZTV17nsDOMDocumentType+8>: 0xb68b6f46 bz noted that nsDOMDocumentType doesn't forward QI to nsGenericDOMDataNode, that it doesn't implement nsIDOMEventReceiver either, and that nsDOMDocumentType uses nsNodeSH, too.
*** Bug 320157 has been marked as a duplicate of this bug. ***
Attached patch patchSplinter Review
Still need to look into why the testcase leaks, though...
Attachment #205793 - Flags: superreview?
Attachment #205793 - Flags: review?(mrbkap)
Attachment #205793 - Flags: superreview? → superreview?(jst)
Comment on attachment 205793 [details] [diff] [review] patch I probably should have caught this before :-(.
Attachment #205793 - Flags: review?(mrbkap) → review+
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 205793 [details] [diff] [review] patch sr=jst
Attachment #205793 - Flags: superreview?(jst) → superreview+
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
(In reply to comment #7) > Still need to look into why the testcase leaks, though... See bug 320211.
*** Bug 320317 has been marked as a duplicate of this bug. ***
Fixed on MOZILLA_1_8_BRANCH by checkin of bug 336791.
Keywords: fixed1.8.1
verified fixed 1.8 20061010 1.9 20061011 windows/linux
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsDOMClassInfo::MarkReachablePreservedWrappers]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: