Closed Bug 342219 Opened 18 years ago Closed 18 years ago

Crash starting Download Manager from Tools menu [@ nsXPConnect::WrapNative] [@ nsJSContext::ConvertSupportsTojsvals]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: smedleys, Assigned: mrbkap)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(2 files)

stacktrace
20.46 KB, text/plain
Details
Obvious patch
1.79 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060620 SeaMonkey/1.5a
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060620 SeaMonkey/1.5a

In the current nightly build selecting Tools > Download Manager causes a crash in Seamonkey

The Seamon~1.EXE Application Error reads:

The instruction at "0x603fc2e2" referenced memory at "0x00000000". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

The Netscape Quality Feedback Agent - Mozella Trunk is then run and it sends back a report if I tell it to, which I always do.


Reproducible: Always

Steps to Reproduce:
1. Select Tool Menu
2. Select Download Manager
3. Brings up Seamon~1.EXE Application Error

Actual Results:  
The Seamon~1.EXE Application Error reads:

The instruction at "0x603fc2e2" referenced memory at "0x00000000". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

The Netscape Quality Feedback Agent - Mozella Trunk is then run

Expected Results:  
Download Manager should run as expected.  It runs when a download is selected from a web page.
Attached file stacktrace 
(gdb) frame 6
#6  0x0060985b in nsXPConnect::WrapNative (this=0xa057038, aJSContext=0xa691228, aScope=0xa6de578, aCOMObj=0x0, aIID=@0x69ffdb8, _retval=0xbf964828)
    at /build/andrew/moz-debug/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:578
578         (*_retval)->GetJSObject(&returnObj);
(gdb) p _retval
$1 = (class nsIXPConnectJSObjectHolder **) 0xbf964828
(gdb) p *_retval
$2 = (class nsIXPConnectJSObjectHolder *) 0x0
I'm seeing this with linux seamonkey trunk 2006062008.

A debug build also asserts (2 of each)

###!!! ASSERTION: Array elt doesn't have nsISupports?: 'NS_SUCCEEDED(rv)', file /build/andrew/moz-debug/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2175
###!!! ASSERTION: Empty arg: 'aArg', file /build/andrew/moz-debug/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2231
###!!! ASSERTION: bad param: 'aCOMObj', file /build/andrew/moz-debug/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 561

==> Download manager for now
Assignee: general → download-manager
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Download Manager
Ever confirmed: true
Keywords: crash, regression
OS: Windows XP → All
QA Contact: general
Version: unspecified → Trunk
This regressed between linux seamonkey trunk builds 2006061409 and 2006061508, perhaps bug 337095?
this shows up in talkback as nsJSContext::ConvertSupportsTojsvals
Keywords: topcrash
Summary: Crash starting Download Manager from Tools menu → Crash starting Download Manager from Tools menu [@ nsXPConnect::WrapNative] [@ nsJSContext::ConvertSupportsTojsvals]
No, this is a "regression" from bug 341362.  Or rather the code in nsJSContext::ConvertSupportsTojsvals that was added for bug 255942 is bogus.

What happens in this case is that tasksOverlay.js does:

 62     dlmgr.open(window, null);

Then we get to:

677 nsDownloadManager::Open(nsIDOMWindow* aParent, nsIDownload* aDownload)

which does:

689   nsCOMPtr<nsISupports> dlSupports(do_QueryInterface(aDownload));
...
709   params->AppendElement(dlSupports);

and passes |params| to nsIWindowWatcher::OpenWindow.  This code _used_ to convert (in nsWindowWatcher::AddSupportsTojsvals) a null nsISupports* into JSVAL_NULL.  Now (in nsJSContext::ConvertSupportsTojsvals) it asserts a couple times and then crashes, as observed in this bug.

I see nothing in the window watcher API that prevents passing an array containing nulls in it as the arguments array; when that happens we should deal appropriately (convert them to JSVAL_NULL).
Assignee: download-manager → general
Blocks: dom-agnostic
Component: Download Manager → DOM
Product: Mozilla Application Suite → Core
QA Contact: ian
Assignee: general → mhammond
Flags: blocking1.9a1+
*** Bug 341666 has been marked as a duplicate of this bug. ***
Attached patch Obvious patchSplinter Review 
So, it seems like this should fix things?
Attachment #226509 - Flags: superreview?(bzbarsky)
Attachment #226509 - Flags: review?(bzbarsky)
Comment on attachment 226509 [details] [diff] [review]
Obvious patch

Looks ok (please do test!), but there's no reason to assign rv from QueryElementAt now...  So take that part out.
Attachment #226509 - Flags: superreview?(bzbarsky)
Attachment #226509 - Flags: superreview+
Attachment #226509 - Flags: review?(bzbarsky)
Attachment #226509 - Flags: review+
Assignee: mhammond → mrbkap
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Fix checked in with Boris' comment addressed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Verified FIXED using build 2006-06-21-16 of SeaMonkey trunk on Windows XP; I can now open the Download Manager without crashing.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsXPConnect::WrapNative] [@ nsJSContext::ConvertSupportsTojsvals]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: