327973 - Crash removing menu [@ nsMenuPopupFrame::Notify]

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Eli Friedman]

More fun with frames and timers!  Crash with testcase based off of the one I made for Bug 322162; seems like looping JS array allocation when there's a timer is an easy way to force out a crash in a timer.  Not quite sure if this is the same kind of issue, though, because it's a completely different trace.

CC's based off of bug 241733; feel free to take yourselves off if you're not interested, or to add more appropriate people.

Testcase coming up.

Trace:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ee0c 015e0a8e 0x2f14e9f
0012ee1c 015ede0f gklayout!nsIFrame::MarkDirtyChildren(class nsBoxLayoutState * aState = 0x0150964a)+0xf [c:\mozilla\mozilla\layout\xul\base\src\nsbox.cpp @ 308]
0012ee4c 0150964a gklayout!nsMenuFrame::RemoveFrame(class nsIAtom * aListName = 0x00000000, class nsIFrame * aOldFrame = 0x02f1b6a4)+0x45 [c:\mozilla\mozilla\layout\xul\base\src\nsmenuframe.cpp @ 1842]
0012ee68 014e9280 gklayout!nsFrameManager::RemoveFrame(class nsIFrame * aParentFrame = 0x02f15edc, class nsIAtom * aListName = 0x00000000, class nsIFrame * aOldFrame = 0x02f1b6a4)+0x36 [c:\mozilla\mozilla\layout\base\nsframemanager.cpp @ 704]
0012ef74 014e9e0e gklayout!nsCSSFrameConstructor::ContentRemoved(class nsIContent * aContainer = 0x02ece4e8, class nsIContent * aChild = 0x02f15edc, int aIndexInContainer = 0, int aInReinsertContent = 0)+0x323 [c:\mozilla\mozilla\layout\base\nscssframeconstructor.cpp @ 10153]
0012ef9c 014ea755 gklayout!nsCSSFrameConstructor::RecreateFramesForContent(class nsIContent * aContent = 0x00000000)+0xc0 [c:\mozilla\mozilla\layout\base\nscssframeconstructor.cpp @ 11723]
0012f03c 014ea87a gklayout!nsCSSFrameConstructor::RestyleElement(class nsIContent * aContent = 0x02ece6b8, class nsIFrame * aPrimaryFrame = 0x02f1b6a4, nsChangeHint aMinHint = 0 (No matching enumerant))+0x79 [c:\mozilla\mozilla\layout\base\nscssframeconstructor.cpp @ 10631]
0012f0e0 014eae88 gklayout!nsCSSFrameConstructor::ProcessOneRestyle(class nsIContent * aContent = 0x02ece6b8, nsReStyleHint aRestyleHint = eReStyle_Self (1), nsChangeHint aChangeHint = 0 (No matching enumerant))+0x63 [c:\mozilla\mozilla\layout\base\nscssframeconstructor.cpp @ 13442]
0012f11c 014f98d8 gklayout!nsCSSFrameConstructor::AttributeChanged(class nsIContent * aContent = 0x02ece6b8, int aNameSpaceID = 9, class nsIAtom * aAttribute = 0x00bc2ef0, int aModType = 1241388)+0x24f [c:\mozilla\mozilla\layout\base\nscssframeconstructor.cpp @ 10832]
0012f140 016cd516 gklayout!PresShell::AttributeChanged(class nsIDocument * aDocument = 0x02e2f940, class nsIContent * aContent = 0x02ece6b8, int aNameSpaceID = 0, class nsIAtom * aAttribute = 0x00af50a0, int aModType = 3)+0x75 [c:\mozilla\mozilla\layout\base\nspresshell.cpp @ 5139]
0012f2ac 0172d210 gklayout!nsXULDocument::AttributeChanged(class nsIContent * aElement = 0x00000001, int aNameSpaceID = 0, class nsIAtom * aAttribute = 0x00af50a0, int aModType = 3)+0x191 [c:\mozilla\mozilla\content\xul\document\src\nsxuldocument.cpp @ 1045]
0012f470 015efc09 gklayout!nsXULElement::UnsetAttr(int aNameSpaceID = 0, class nsIAtom * aName = 0x00af50a0, int aNotify = 1)+0x3c2 [c:\mozilla\mozilla\content\xul\content\src\nsxulelement.cpp @ 1464]
0012f528 015ee237 gklayout!nsMenuFrame::UngenerateMenu(void)+0x81 [c:\mozilla\mozilla\layout\xul\base\src\nsmenuframe.cpp @ 649]
0012f538 015e644d gklayout!nsMenuFrame::Destroy(class nsPresContext * aPresContext = 0x02f15d7c)+0x57 [c:\mozilla\mozilla\layout\xul\base\src\nsmenuframe.cpp @ 354]
0012f56c 0150964a gklayout!nsBoxFrame::RemoveFrame(class nsIAtom * aListName = 0x00000000, class nsIFrame * aOldFrame = 0x02f15edc)+0x71 [c:\mozilla\mozilla\layout\xul\base\src\nsboxframe.cpp @ 1138]
0012f588 014e9280 gklayout!nsFrameManager::RemoveFrame(class nsIFrame * aParentFrame = 0x02f15d7c, class nsIAtom * aListName = 0x00000000, class nsIFrame * aOldFrame = 0x02f15edc)+0x36 [c:\mozilla\mozilla\layout\base\nsframemanager.cpp @ 704]
0012f694 014f9aa6 gklayout!nsCSSFrameConstructor::ContentRemoved(class nsIContent * aContainer = 0x02ece2d0, class nsIContent * aChild = 0x02f15d7c, int aIndexInContainer = 0, int aInReinsertContent = 0)+0x323 [c:\mozilla\mozilla\layout\base\nscssframeconstructor.cpp @ 10153]
0012f6b4 015fd3f0 gklayout!PresShell::ContentRemoved(class nsIDocument * aDocument = 0x0162bfc2, class nsIContent * aContainer = 0x00000000, class nsIContent * aChild = 0x00000001, int aIndexInContainer = 29825628)+0xa8 [c:\mozilla\mozilla\layout\base\nspresshell.cpp @ 5213]
0012f6d4 016c7a1d gklayout!nsDocument::ContentRemoved(class nsIContent * aContainer = 0x0162bfc2, class nsIContent * aChild = 0x00000000, int aIndexInContainer = 1)+0x62 [c:\mozilla\mozilla\content\base\src\nsdocument.cpp @ 2470]
0012f6e8 0172cd31 gklayout!nsXULDocument::ContentRemoved(class nsIContent * aContainer = 0x0162bfc2, class nsIContent * aChild = 0x00000000, int aIndexInContainer = 1)+0x2a [c:\mozilla\mozilla\content\xul\document\src\nsxuldocument.cpp @ 1106]

Comment 1

[Eli Friedman]

Attachment: Testcase

And so starts a stream of bugs, or something like that.  Maybe something more systematic would be good.  We really need to audit every timer.  This is my third timer crash bug (the first two being bug 322162 and bug 322084).

Comment 2

[Boris Zbarsky [:bzbarsky]]

So what do timers have to do with this?  This looks like the usual popup craziness of changing the DOM inside frame code...  Should probably depend on the "redesign popups" bug.

Comment 3

[Eli Friedman]

You're right, sorry about that.  This crashes instantly even without looping (i.e., with 0 in the textbox).  Retitling and setting dependency.  However, I still think there's a timer crash hidden behind the more immediate frame model crash.

Comment 4

[Boris Zbarsky [:bzbarsky]]

Could be!  The answer there is to stop passing around frames as nsISupports to various places.  ;)

Comment 5

[Adam Guthrie]

*** Bug 334780 has been marked as a duplicate of this bug. ***

Comment 6

[Eli Friedman]

New crash! This time, actually triggered by a timer bug! (I guess the other crash got fixed somehow.)

gklayout!nsMenuPopupFrame::Notify+0x28 [c:\mozilla2\mozilla\layout\xul\base\src\nsmenupopupframe.cpp @ 2038]
gklayout!nsMenuPopupTimerMediator::Notify+0x1b [c:\mozilla2\mozilla\layout\xul\base\src\nsmenupopupframe.cpp @ 2171]
xpcom_core!nsTimerImpl::Fire+0x184 [c:\mozilla2\mozilla\xpcom\threads\nstimerimpl.cpp @ 399]
xpcom_core!nsTimerEvent::Run+0x68 [c:\mozilla2\mozilla\xpcom\threads\nstimerimpl.cpp @ 458]
xpcom_core!nsThread::ProcessNextEvent+0x10e [c:\mozilla2\mozilla\xpcom\threads\nsthread.cpp @ 483]
xpcom_core!NS_ProcessNextEvent_P+0x40 [c:\mozilla2\mozilla\vffx\xpcom\build\nsthreadutils.cpp @ 225]
gkwidget!nsBaseAppShell::Run+0x46 [c:\mozilla2\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 153]
tkitcmps!nsAppStartup::Run+0x48 [c:\mozilla2\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 172]
xul!XRE_main+0xc18
[c:\mozilla2\mozilla\toolkit\xre\nsapprunner.cpp @ 2351]
firefox!main+0x13
[c:\mozilla2\mozilla\browser\app\nsbrowserapp.cpp @ 61]

Comment 7

[Martijn Wargers (dead)]

Does this still crash, it seems to work for me in current trunk build.

Comment 8

[Eli Friedman]

No, doesn't crash anymore.   Marking WORKSFORME.  I am getting the following assertion, though:

###!!! ASSERTION: View is gone, looks like someone forgot to rollup the popup!: 'view', file c:/mozilla/mozilla/layout/xul/base/src/nsMenuFrame.cpp, line 731

It'll probably get fixed by bug 279703 anyway, though.

Comment 9

[Eli Friedman]

(In reply to comment #8)
> No, doesn't crash anymore.

Actually, scratch that; it still crashes.  You might have to try more than once, though.

Comment 10

[Neil Deakin]

Should now be fixed with bug 279703.