Crash [@ nsDOMClassInfo::MarkReachablePreservedWrappers]

VERIFIED FIXED in mozilla1.9alpha1

Status

()

Core
DOM
P1
critical
VERIFIED FIXED
12 years ago
11 years ago

People

(Reporter: dolphinling, Assigned: dbaron)

Tracking

(4 keywords)

Trunk
mozilla1.9alpha1
x86
Linux
crash, regression, testcase, verified1.8.1
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [patch], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
I'm crashing on trunk trying to look at an svg file in DOM Inspector. FF1.5 works fine.

Talkbacks 12659844, TB12659807, TB12659594, TB12659568, TB12659561

Testcase (not minimized, but it's small anyway) coming up.
(Reporter)

Comment 1

12 years ago
Created attachment 205138 [details]
testcase

To crash:
Open DOM Inspector
Select the #document node
In the right pane, change view to Javascript Object
Expand Subject (or just wait?)

Updated

12 years ago
Assignee: general → dbaron
Severity: normal → critical
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 ID:2005120605

Only trunk, don't see this in branch builds.
That's because bug 241518 hasn't landed on branch.

For what it's worth, this looks like bug 319333 which has a description of the code-level problem.  This bug has better steps to reproduce, though.
Blocks: 241518
Depends on: 319333

Comment 4

12 years ago
*** Bug 319333 has been marked as a duplicate of this bug. ***
No longer depends on: 319333

Comment 5

12 years ago
#6  0xb6b1b9d9 in nsDOMClassInfo::MarkReachablePreservedWrappers
(aParticipant=0x0, cx=0x8b62718, arg=0x0) at
/moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:5067
#7  0xb6b1c6d0 in nsEventReceiverSH::Mark (this=0x8c799d8, wrapper=0x8c79b40,
cx=0x8b62718, obj=0x8b6ea08, arg=0x0, _retval=0xbfa14a8c) at
/moz/mozilla/dom/src/base/nsDOMClassInfo.cpp:6691
#8  0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029
#9  0xb7e714d9 in js_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/jsobj.c:4229
...


(gdb) frame 8
#8  0xb6fce10c in XPC_WN_Helper_Mark (cx=0x8b62718, obj=0x8b6ea08, arg=0x0) at
/moz/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1029
1029            wrapper->GetScriptableCallback()->Mark(wrapper, cx, obj, arg,
&ignored);
(gdb) p *wrapper
$1 = {<nsIXPConnectWrappedNative> = {<nsIXPConnectJSObjectHolder> =
{<nsISupports> = {_vptr.nsISupports = 0xb6ff14e8}, <No data fields>}, mIdentity
= 0x88f9470}, mRefCnt = {mValue = 1}, _mOwningThread = {mThread = 0x804a548},
{mMaybeScope = 0x8c79a50, mMaybeProto = 0x8c79a50}, mSet = 0x8c79a08,
mFlatJSObject = 0x8b6ea08, mScriptableInfo = 0x8c53450, mFirstChunk =
{mTearOffs = {{mInterface = 0x864e000, mNative = 0x88f948c, mJSObject = 0x0}},
mNextChunk = 0x8c81158}, mNativeWrapper = 0x0, mThread = 0x804a548, static
gMainThread = 0x804a548}
(gdb) p wrapper->mIdentity
$2 = (nsISupports *) 0x88f9470
(gdb) x *(void**) wrapper->mIdentity
0xb6d918a8 <_ZTV17nsDOMDocumentType+8>: 0xb68b6f46

bz noted that nsDOMDocumentType doesn't forward QI to nsGenericDOMDataNode,
that it doesn't implement nsIDOMEventReceiver either, and that
nsDOMDocumentType uses nsNodeSH, too.

Comment 6

12 years ago
*** Bug 320157 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 7

12 years ago
Created attachment 205793 [details] [diff] [review]
patch

Still need to look into why the testcase leaks, though...
Attachment #205793 - Flags: superreview?
Attachment #205793 - Flags: review?(mrbkap)
(Assignee)

Updated

12 years ago
Attachment #205793 - Flags: superreview? → superreview?(jst)
Comment on attachment 205793 [details] [diff] [review]
patch

I probably should have caught this before :-(.
Attachment #205793 - Flags: review?(mrbkap) → review+
(Assignee)

Updated

12 years ago
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 205793 [details] [diff] [review]
patch

sr=jst
Attachment #205793 - Flags: superreview?(jst) → superreview+
(Assignee)

Comment 10

12 years ago
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 11

12 years ago
(In reply to comment #7)
> Still need to look into why the testcase leaks, though...

See bug 320211.

Comment 12

12 years ago
*** Bug 320317 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

12 years ago
Blocks: 336791
(Assignee)

Comment 13

12 years ago
Fixed on MOZILLA_1_8_BRANCH by checkin of bug 336791.
Keywords: fixed1.8.1

Comment 14

11 years ago
verified fixed 1.8 20061010 1.9 20061011 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
Crash Signature: [@ nsDOMClassInfo::MarkReachablePreservedWrappers]
You need to log in before you can comment on or make changes to this bug.