Crash on quit just as an nsXMLHttpRequest is fired [@ nsContentUtils::GetDocShellFromCaller]

RESOLVED FIXED in mozilla1.9alpha5

Status

()

Core
XML
P2
critical
RESOLVED FIXED
12 years ago
10 years ago

People

(Reporter: Simon Fraser, Assigned: Benjamin Smedberg)

Tracking

({crash, fixed1.8.1.5, topcrash})

Trunk
mozilla1.9alpha5
PowerPC
Mac OS X
crash, fixed1.8.1.5, topcrash
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9 ?
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
I just had a crash on quit while sitting on a wired.com page. The stack is interesting:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   libgklayout.dylib        	0x0a1c00ac nsContentUtils::GetDocShellFromCaller() + 48 (nsContentUtils.cpp:888)
1   libgklayout.dylib        	0x0a1d48d8 nsDOMImplementation::CreateDocument(nsAString_internal const&, nsAString_internal const&, nsIDOMDocumentType*, nsIDOMDocument**) + 832 (nsDocument.cpp:594)
2   libxmlextras.dylib       	0x2399df44 nsXMLHttpRequest::OnStartRequest(nsIRequest*, nsISupports*) + 688 (nsXMLHttpRequest.cpp:1227)
3   libnecko.dylib           	0x082cb2f4 nsHttpChannel::CallOnStartRequest() + 748 (nsHttpChannel.cpp:760)
4   libnecko.dylib           	0x082d8684 nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*) + 624 (nsHttpChannel.cpp:4010)
5   libnecko.dylib           	0x082105f4 nsInputStreamPump::OnStateStart() + 280 (nsInputStreamPump.cpp:381)
6   libnecko.dylib           	0x082103bc nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 200 (nsInputStreamPump.cpp:337)
7   libxpcom_core.dylib      	0x01945dac nsInputStreamReadyEvent::EventHandler(PLEvent*) + 168 (nsStreamUtils.cpp:120)
8   libxpcom_core.dylib      	0x0188c928 PL_HandleEvent + 116 (plevent.c:688)
9   libxpcom_core.dylib      	0x0188c740 PL_ProcessPendingEvents + 260 (plevent.c:624)
10  libxpcom_core.dylib      	0x0189001c nsEventQueueImpl::ProcessPendingEvents() + 144 (nsEventQueue.cpp:421)
11  libxpcom_core.dylib      	0x01819fb0 NS_ShutdownXPCOM_P + 420 (nsXPComInit.cpp:827)
12  libxpcom.dylib           	0x00d95240 NS_ShutdownXPCOM + 32 (nsXPComStub.cpp:140)
13  org.mozilla.camino       	0x000e8bb0 NS_TermEmbedding + 204 (nsEmbedAPI.cpp:215)
...

We're servicing PLEvents from NS_ShutdownXPCOM, and happen to catch a plevent that involves nsXMLHttpRequest::OnStartRequest.

Updated

12 years ago
Severity: normal → critical
Summary: Crash on quit just as an nsXMLHttpRequest is fired → Crash on quit just as an nsXMLHttpRequest is fired [@ nsContentUtils::GetDocShellFromCaller]

Updated

12 years ago
Keywords: crash
People are calling into the layout module after it's shut down...  Should revisit this after bug 316414 is fixed and see whether we still have a problem.  I suspect we will not.
Depends on: 316414
Assignee: nobody → general
Component: Layout → DOM
QA Contact: layout → ian

Comment 2

12 years ago
xmlhttprequest should probably be listening for some flavor of xpcomshutdown ... although that sounds strange. alternatively the input pump should listen and arrange to discard things when it's notified of shutdown.
Component: DOM → XML
(Assignee)

Comment 3

12 years ago
Or going offline should fire stoprequest notifications on open HTTP channels...
Well, if we fix bug 316414 this event processing thing will happen while we still have references to the various services in nsContentUtils... So we'll be fine.
(In reply to comment #3)
> Or going offline should fire stoprequest notifications on open HTTP channels...

and we do...

er, "it does". at least since bug 202638 was fixed, which was on 2004-08-04.
Keywords: topcrash

Updated

11 years ago
Blocks: 323939

Comment 7

11 years ago
A page containing the script below crashes Firefox 1.5.0.6 on Mac OS X 10.2.8 every once in a while when the window is closed. The crash seems to occur only on that platform; since this bug was reported for Mac OS X 10.2, it's seems likely that it's the same bug. This is forcing us to explicitly launch Safari instead. Is anyone working on this bug?

<script language="javascript">
function doExit () {
  if (self.XMLHttpRequest)
    req = new XMLHttpRequest();
  else
    req = new ActiveXObject("Microsoft.XMLHTTP");
  req.open("GET","/hastalavista");
  req.send (null);
  alert ("YOU ARE LEAVING\nTHE AMERICAN SECTOR");
}
window.onbeforeunload = doExit;
</script>

Comment 8

11 years ago
A correction to comment #7 -- the crash occurs not only under OS X 10.2.8, also under OS X 10.4.7.
> Is anyone working on this bug?

See comment 1.

If people want to try to spot-hack this, you could make nsXMLHttpRequest observe some sort of shutdown notification that comes _before_ XPCOM_SHUTDOWN.  If we have one...

But what I really wonder is whether this is a problem on trunk.  I would bet it's not.
bug 380468 implies that it is still present on trunk.
(Assignee)

Updated

10 years ago
Assignee: general → benjamin
Flags: blocking1.9?
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha5
(Assignee)

Comment 11

10 years ago
Created attachment 264999 [details] [diff] [review]
Hold the layout module alive while there are xmlhttprequest objects, rev. 1
Attachment #264999 - Flags: superreview?(dbaron)
Attachment #264999 - Flags: review?(dbaron)
Comment on attachment 264999 [details] [diff] [review]
Hold the layout module alive while there are xmlhttprequest objects, rev. 1

r+sr=dbaron
Attachment #264999 - Flags: superreview?(dbaron)
Attachment #264999 - Flags: superreview+
Attachment #264999 - Flags: review?(dbaron)
Attachment #264999 - Flags: review+
(Assignee)

Comment 13

10 years ago
Fixed on trunk. Might be worth putting this on the 1.8.1 branch as well.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Flags: blocking1.8.1.5?
Resolution: --- → FIXED
(Assignee)

Updated

10 years ago
Attachment #264999 - Flags: approval1.8.1.5?
Flags: in-testsuite?
Don't think this is a branch "blocker" but we'll look at the approval request.
Flags: blocking1.8.1.5?
Comment on attachment 264999 [details] [diff] [review]
Hold the layout module alive while there are xmlhttprequest objects, rev. 1

approved for 1.8.1.5, a=dveditz for release-drivers
Attachment #264999 - Flags: approval1.8.1.5? → approval1.8.1.5+
(Assignee)

Comment 16

10 years ago
Fixed on MOZILLA_1_8_BRANCH
Keywords: fixed1.8.1.5
Crash Signature: [@ nsContentUtils::GetDocShellFromCaller]
You need to log in before you can comment on or make changes to this bug.