Crash [@ nsDOMClassInfo::MarkReachablePreservedWrappers]

VERIFIED FIXED in mozilla1.9alpha1

Status

P1
critical
VERIFIED FIXED
13 years ago
12 years ago

People

(Reporter: bugzilla, Assigned: dbaron)

Tracking

(4 keywords)

Trunk
mozilla1.9alpha1
x86
Linux
crash, regression, testcase, verified1.8.1

Details

(Whiteboard: [patch], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
I'm crashing on trunk trying to look at an svg file in DOM Inspector. FF1.5 works fine.

Talkbacks 12659844, TB12659807, TB12659594, TB12659568, TB12659561

Testcase (not minimized, but it's small anyway) coming up.
(Reporter)

Comment 1

13 years ago
Created attachment 205138 [details]
testcase

To crash:
Open DOM Inspector
Select the #document node
In the right pane, change view to JavaScript Object
Expand Subject (or just wait?)

Updated

13 years ago
Assignee: general → dbaron
Severity: normal → critical
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 ID:2005120605

Only trunk, don't see this in branch builds.
That's because bug 241518 hasn't landed on branch.

For what it's worth, this looks like bug 319333 which has a description of the code-level problem.  This bug has better steps to reproduce, though.
Blocks: 241518
Depends on: 319333

Comment 4

13 years ago
*** Bug 319333 has been marked as a duplicate of this bug. ***
No longer depends on: 319333

Comment 5

13 years ago
#6  0xb6b1b9d9 in nsDOMClassInfo::MarkReachablePreservedWrappers
(aParticipant=0x0, cx=0x8b62718, arg=0x0) at
/moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:5067
#7  0xb6b1c6d0 in nsEventReceiverSH::Mark (this=0x8c799d8, wrapper=0x8c79b40,
cx=0x8b62718, obj=0x8b6ea08, arg=0x0, _retval=0xbfa14a8c) at
/moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:6691
#8  0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029
#9  0xb7e714d9 in js_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/jsobj.c:4229
...


(gdb) frame 8
#8  0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029
1029            wrapper->GetScriptableCallback()->Mark(wrapper, cx, obj, arg,
&ignored);
(gdb) p *wrapper
$1 = {<nsIXPConnectWrappedNative> = {<nsIXPConnectJSObjectHolder> =
{<nsISupports> = {_vptr.nsISupports = 0xb6ff14e8}, <No data fields>}, mIdentity
= 0x88f9470}, mRefCnt = {mValue = 1}, _mOwningThread = {mThread = 0x804a548},
{mMaybeScope = 0x8c79a50, mMaybeProto = 0x8c79a50}, mSet = 0x8c79a08,
mFlatJSObject = 0x8b6ea08, mScriptableInfo = 0x8c53450, mFirstChunk =
{mTearOffs = {{mInterface = 0x864e000, mNative = 0x88f948c, mJSObject = 0x0}},
mNextChunk = 0x8c81158}, mNativeWrapper = 0x0, mThread = 0x804a548, static
gMainThread = 0x804a548}
(gdb) p wrapper->mIdentity
$2 = (nsISupports *) 0x88f9470
(gdb) x *(void**) wrapper->mIdentity
0xb6d918a8 <_ZTV17nsDOMDocumentType+8>: 0xb68b6f46

bz noted that nsDOMDocumentType doesn't forward QI to nsGenericDOMDataNode,
that it doesn't implement nsIDOMEventReceiver either, and that
nsDOMDocumentType uses nsNodeSH, too.

Comment 6

13 years ago
*** Bug 320157 has been marked as a duplicate of this bug. ***
Created attachment 205793 [details] [diff] [review]
patch

Still need to look into why the testcase leaks, though...
Attachment #205793 - Flags: superreview?
Attachment #205793 - Flags: review?(mrbkap)
Comment on attachment 205793 [details] [diff] [review]
patch

I probably should have caught this before :-(.
Attachment #205793 - Flags: review?(mrbkap) → review+
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 205793 [details] [diff] [review]
patch

sr=jst
Attachment #205793 - Flags: superreview?(jst) → superreview+
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED

Comment 12

13 years ago
*** Bug 320317 has been marked as a duplicate of this bug. ***

Comment 14

12 years ago
verified fixed 1.8 20061010 1.9 20061011 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Crash Signature: [@ nsDOMClassInfo::MarkReachablePreservedWrappers]