Closed Bug 346310 Opened 18 years ago Closed 18 years ago

crash clicking on live bookmarks

Categories

(Core :: Widget: Cocoa, defect)

PowerPC
macOS
defect
Not set
major

RESOLVED WORKSFORME

People

(Reporter: jaas, Assigned: jaas)

Attachments

(1 file)

Cocoa Firefox sometimes crashes when I open up a live bookmark and click on an entry. It does not always crash when I do this, maybe 10% of the time.
Attached patch: crash log
Blocks: cocoa
This is pretty nasty. Someone is writing over the mMenuParent pointer in nsMenuDismissalListener. The bad mMenuParent value that makes us crash is always 0xddddde19. There is only one place in nsMenuDismissalListener where we assign a value to mMenuParent, in the SetCurrentMenuParent method. Logging before that assignment shows that we never set mMenuParent to anything like 0xddddde19 before the crash. mMenuParent is always initialized to nsnull in the class's constructor, so the problem isn't that we fail to initialize mMenuParent.
Severity: normal → major
Set a watchpoint, if you don't mind waiting a day and a half?
I made some good progress tonight. Somehow gRollupListener is getting freed and then we're calling Rollup() on it. When we call Rollup(), we crash on "mMenuParent->HideChain();" because mMenuParent is a pointer to 0xdddddddd (the pattern written to freed memory in debug builds) and HideChain() is at such an offset that we try to access 0xddddde19.

Normally when you open a live bookmark menu and click on an item, Rollup() does not get called. When we crash with [ChildView mouseDown:] on the stack, it is because this check succeeds (returns true) in [ChildView mouseDown:]:

if (ourNativeWindow != rollupNativeWindow)

When this check succeeds, we call Rollup(). The check is there to avoid calling Rollup() if the click is in the popup. The crash happens when we click in the popup and this check is true - that shouldn't happen.

I'm too tired to continue this tonight (it's almost 4 AM); I just wanted to record this info here.
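
The address arithmetic described in the comment above, as an added triage example (not code from this bug or from Mozilla): it models a stale read from freed, 0xdd-filled memory and decomposes the faulting address 0xddddde19 into fill word plus offset. It generalizes beyond the report to any repeated single-byte fill; the names `classifyFault`, `stalePointerRead` and `kMaxOffset`, the threshold, and the object size and field offset are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Outcome of matching a 32-bit faulting address against a byte-fill pattern.
struct PoisonHit {
    bool     matched;   // true if the address is fill word + small offset
    uint8_t  fillByte;  // repeated byte of the poisoned base pointer
    uint32_t offset;    // distance from the poisoned pointer to the access
};

// Assumed triage threshold (not from the bug report): field and vtable-slot
// offsets are small, so larger distances are treated as unrelated.
constexpr uint32_t kMaxOffset = 0x1000;

// Classify a faulting address as <fill byte repeated 4 times> + offset.
// An offset this small cannot carry into the top byte, so the top byte of
// the fault address names the candidate fill byte (a 0xff fill would wrap
// past zero and is reported as no match).
PoisonHit classifyFault(uint32_t faultAddr) {
    uint8_t fill = static_cast<uint8_t>(faultAddr >> 24);
    uint32_t base = fill * 0x01010101u;
    // 0x00 is excluded: that is a null-pointer dereference, not heap poison.
    if (fill == 0 || faultAddr < base || faultAddr - base > kMaxOffset)
        return {false, 0, 0};
    return {true, fill, faultAddr - base};
}

// Model a freed 32-bit object: the debug allocator overwrites every byte with
// the fill byte, so a stale read of a pointer field returns the fill word.
uint32_t stalePointerRead(std::size_t objSize, std::size_t fieldOffset, uint8_t fillByte) {
    if (fieldOffset + sizeof(uint32_t) > objSize) return 0;  // field out of range
    std::vector<uint8_t> freed(objSize, fillByte);           // contents after free
    uint32_t value = 0;
    std::memcpy(&value, &freed[fieldOffset], sizeof value);
    return value;
}

int main() {
    // Constructed sizes; 0xdd and 0xddddde19 are the values from the report.
    uint32_t menuParent = stalePointerRead(32, 8, 0xdd);
    PoisonHit hit = classifyFault(0xddddde19u);
    std::printf("stale mMenuParent = 0x%08x\n", static_cast<unsigned>(menuParent));
    std::printf("fault = fill 0x%02x + 0x%x\n", hit.fillByte, static_cast<unsigned>(hit.offset));
    return hit.matched ? 0 : 1;
}
```
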
I never see this crash any more, haven't for at least a month or two.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME