topcrash (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement

VERIFIED FIXED in mozilla1.8.1alpha2

Status

Core
DOM
P1
critical
VERIFIED FIXED
12 years ago
12 years ago

People

(Reporter: dbaron, Assigned: dbaron)

Tracking

(4 keywords)

Trunk
mozilla1.8.1alpha2
x86
Linux
crash, topcrash-, verified1.8.0.4, verified1.8.1
Bug Flags:
blocking1.8.1 +
blocking1.8.0.4 +

Details

(Whiteboard: [patch], crash signature)

Attachments

(3 attachments)

(Assignee)

Description

12 years ago
Bug 237736 has tracked crashes in PL_DHashTableRawRemove called from ~nsGenericElement.  It was originally filed on a shutdown crash, but has come to track both that problem and the topcrash we've been seeing.  I'm filing this bug as a separate bug to analyze the topcrash.

I did a detailed analysis of one of the stacks in talkback with this signature, figured out on which instruction the crash was happening (the crash is on the line:
        MARK_ENTRY_REMOVED(entry);
assigning 0x1 into entry->keyHash).

And I've finally figured out *why* this is happening -- the clearEntry callback used for sEventListenerManagersHash can mutate (shrink, most likely) the table!
(Assignee)

Comment 1

12 years ago
Created attachment 218567 [details]
detailed analysis of TB17589254, a Linux Fx 1.5.0.1 incident
Assignee: general → dbaron
Status: NEW → ASSIGNED
(Assignee)

Comment 2

12 years ago
In particular, what I suspect is happening is that we end up with a stack something like (this entire stack is written by hand):

ChangeTable
PL_DHashTableOperate
nsGenericElement::~nsGenericElement
...
<removal of a C++-implemented event listener>
nsEventListenerManager::ReleaseListeners
nsEventListenerManager::RemoveAllListeners
nsEventListenerManager::~nsEventListenerManager
nsEventListenerManager::Release
nsCOMPtr_base::~nsCOMPtr_base
nsCOMPtr<nsIEventListenerManager>::~nsCOMPtr<nsIEventListenerManager>
EventListenerManagerMapEntry::~EventListenerManagerMapEntry
EventListenerManagerClearEntry
PL_DHashTableRawRemove   <== crash here on un-wind
PL_DHashTableOperate
nsGenericElement::~nsGenericElement
(Assignee)

Updated

12 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?

Updated

12 years ago
Summary: talkback crashes (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement → topcrash (not at shutdown) [@ PL_DHashTableRawRemove] called from nsGenericElement::~nsGenericElement
(Assignee)

Comment 3

12 years ago
FWIW, I filed bug 334180 on making pldhash assert about this type of problem.
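
The re-entrancy described in the description and comment 2, with a guard of the kind comment 3 alludes to, as an added example that is not part of the bug report or of the Mozilla patch. It uses a toy table rather than pldhash; `Table`, `table_remove`, `busy`, `refused` and the other names are hypothetical, and the entries are constructed sample data.

```c
#include <stdlib.h>
/* Toy table, NOT pldhash. keyHash: 0 = free, 1 = removed, >1 = live. */
typedef struct Table Table;
typedef struct { unsigned keyHash; int key; } Entry;
struct Table {
    Entry *store; size_t cap, live;
    void (*clearEntry)(Table *, Entry *); /* destroys the entry's payload */
    int busy, refused; /* busy: clearEntry on the stack; refused: nested removes rejected */
};
enum { OP_OK = 0, OP_MISSING = -1, OP_REENTERED = -2 };
/* Copy live entries into a block half the size and free the old one.
   Every Entry* obtained before this call dangles afterwards. */
static void shrink(Table *t) {
    Entry *fresh = calloc(t->cap / 2, sizeof *fresh);
    size_t n = 0;
    if (!fresh) return;
    for (size_t i = 0; i < t->cap; i++)
        if (t->store[i].keyHash > 1) fresh[n++] = t->store[i];
    free(t->store);
    t->store = fresh; t->cap /= 2;
}

int table_remove(Table *t, int key) {
    Entry *e = NULL;
    if (t->busy) { t->refused++; return OP_REENTERED; } /* the guard */
    for (size_t i = 0; i < t->cap && !e; i++)
        if (t->store[i].keyHash > 1 && t->store[i].key == key) e = &t->store[i];
    if (!e) return OP_MISSING;
    t->busy = 1;
    t->clearEntry(t, e); /* arbitrary destructor code runs here */
    t->busy = 0;
    e->keyHash = 1;      /* valid only because storage could not move */
    if (--t->live <= t->cap / 4 && t->cap > 4) shrink(t);
    return OP_OK;
}

/* Constructed scenario: tearing down key 1 also tries to remove key 2. */
static void cascading_clear(Table *t, Entry *e) {
    if (e->key == 1) table_remove(t, 2);
}

Table *demo_table(void) {
    Table *t = calloc(1, sizeof *t);
    t->cap = 8; t->store = calloc(t->cap, sizeof *t->store);
    t->clearEntry = cascading_clear;
    for (int k = 1; k <= 3; k++) { t->store[k] = (Entry){ 2, k }; t->live++; }
    return t;
}
int main(void) { return table_remove(demo_table(), 1) != OP_OK; }
```

Without the `busy` check, the nested `table_remove(t, 2)` would drop `live` to the shrink threshold and free `store`, and the outer `e->keyHash = 1` would then write into freed memory on unwind, matching the hand-written stack in comment 2. The guard only refuses the nested call, so the caller still has to remove key 2 once the outer operation has returned.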
(Assignee)

Comment 4

12 years ago
Created attachment 218870 [details] [diff] [review]
trunk patch

The branch patch will look a bit different thanks to bug 315901.
Attachment #218870 - Flags: superreview?(jst)
Attachment #218870 - Flags: review?(jst)
(Assignee)

Comment 5

12 years ago
Created attachment 218872 [details] [diff] [review]
patch for 1.8 branch
Attachment #218872 - Flags: superreview?(jst)
Attachment #218872 - Flags: review?(jst)
Attachment #218872 - Flags: approval1.8.0.3?
Attachment #218872 - Flags: approval-branch-1.8.1?(jst)
(Assignee)

Updated

12 years ago
Priority: -- → P1
Whiteboard: [patch]
Target Milestone: --- → mozilla1.8.1alpha2
Comment on attachment 218870 [details] [diff] [review]
trunk patch

r+sr=jst
Attachment #218870 - Flags: superreview?(jst)
Attachment #218870 - Flags: superreview+
Attachment #218870 - Flags: review?(jst)
Attachment #218870 - Flags: review+

Updated

12 years ago
Attachment #218872 - Flags: superreview?(jst)
Attachment #218872 - Flags: superreview+
Attachment #218872 - Flags: review?(jst)
Attachment #218872 - Flags: review+
Attachment #218872 - Flags: approval-branch-1.8.1?(jst)
Attachment #218872 - Flags: approval-branch-1.8.1+
(Assignee)

Comment 7

12 years ago
Checked in to trunk and MOZILLA_1_8_BRANCH.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

Updated

12 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+
Comment on attachment 218872 [details] [diff] [review]
patch for 1.8 branch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #218872 - Flags: approval1.8.0.3? → approval1.8.0.3+
(Assignee)

Comment 9

12 years ago
Fix checked in to MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.3
No longer appearing on topcrash reports for branch. However, PL_DHashTableRawRemove still appears on trunk topcrash reports. But that may be related to bug 234169. Can't tell right now as incident query is broken.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.4, fixed1.8.1, topcrash → topcrash-, verified1.8.0.4, verified1.8.1
Crash Signature: [@ PL_DHashTableRawRemove]