Bug 348990 - [FIX]Crash [@ nsDOMClassInfo::PreCreate] when loading gmail, suddenly going offline while loading and pressing reload a few times
Status: RESOLVED FIXED
Keywords: crash, fixed1.8.0.7, fixed1.8.1, regression, topcrash
Product: Core
Classification: Components
Component: DOM
Version: 1.8 Branch
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (Out June 25-July 6)
QA Contact: Hixie (not reading bugmail)
URL: http://gmail.com
Blocks: 323641 345991
Reported: 2006-08-17 03:59 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2007-07-15 17:17 PDT
mbeltzner: blocking1.8.1+
jaymoz: blocking1.8.0.7+
bzbarsky: in-testsuite?


Attachments
Proposed fix (2.04 KB, patch)
2006-09-06 17:48 PDT, Boris Zbarsky [:bz] (Out June 25-July 6)
jst: review+
jst: superreview+
jaymoz: approval1.8.0.7+
mbeltzner: approval1.8.1+
Patch with more context; might be easier to review (3.89 KB, patch)
2006-09-06 17:49 PDT, Boris Zbarsky [:bz] (Out June 25-July 6)
no flags

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2006-08-17 03:59:04 PDT
I am able to crash Mozilla pretty reliably when I am loading GMail and suddenly going offline.
I can reproduce it on 1.8.0.x, 1.8.1 and trunk branch.
But it only happens in combination with the livehttp headers extension:
http://livehttpheaders.mozdev.org/installation.html

To reproduce:
- Install live http headers extension, restart
- Load gmail.com (you need to have an account and be logged in)
- Suddenly go offline (by using File->Work Offline)
- Press reload a couple of times

Result:
crash

It seems to be timing dependent. It seems you need to go offline when the back button gets activated (when you are able to press back).

Talkback ID: TB22184979X
nsDOMClassInfo::PreCreate
XPCWrappedNative::GetNewOrUsed
XPCConvert::NativeInterface2JSObject
XPCConvert::NativeData2JS
XPCWrappedNative::CallMethod

This might very well be the same bug as bug 323641. Marking a dependency on that bug.
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-08-23 15:37:24 PDT
Better way to reproduce (you still need Live http headers installed):
- Load Gmail
- Go offline
- Press the back button
- Press reload a couple of times
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-09-02 04:56:19 PDT
From talkback ID: 22767488
Tried to download FlashFxp from download.com. Reproducible: always. click on the "download now" link:
http://www.download.com/FlashFXP/3000-2160-10037696.html?part=dl-FlashFXP&subj=dl&tag=button
Indeed, this always crashes for me when clicking on the download now link, so this is a much more reliable way of crashing with the livehttpheaders extension.
Comment 3 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2006-09-05 16:24:38 PDT
Was this a regression shortly before you filed it?  I see nsDOMClassInfo::PreCreate crashes starting to appear in Firefox2 (1.8 branch) talkback on 2006-08-08 (although at an average rate around 1 per day, so hard to tell exactly).

The user comments and the stack signature below the top seem a bit similar to bug 317283.
Comment 4 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-09-05 17:16:34 PDT
(In reply to comment #3)
> Was this a regression shortly before you filed it?  
Yeah, apparently it is (although 1.8.7pre branch also crashes for me).
The regression range I get for both trunk and 1.8 branch is between 2006-07-27 and 2006-07-28.
Bonsai link trunk:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-07-27+05&maxdate=2006-07-28+06&cvsroot=%2Fcvsroot
Bonsai link 1.8 branch:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-07-27+06&maxdate=2006-07-28+06&cvsroot=%2Fcvsroot

The patch for bug 345991 was checked in that day on 1.8 branch and on trunk. The patch was also checked in on 1.8.0.x branch, so that could explain why my 1.8.0.7pre (2006-08-24) branch build is also crashing.
Comment 5 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2006-09-05 17:25:34 PDT
I'm adding topcrash, although it's a little borderline for "top".
Comment 6 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-09-05 18:20:36 PDT
I just verified in my debug trunk build that backing out the patch from bug 345991 does fix the crash.
Comment 7 Jay Patel [:jay] 2006-09-06 14:24:55 PDT
Too late for 1.5.0.7, but nominating for 1.5.0.8 and adding regression keyword.  Let's try to get a handle on this for the next release.  Backing out bug 345991 has been suggested, but I wonder if there is a better way...

If people think this is a common enough case, we could relnote it.
Comment 8 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-06 15:42:29 PDT
Jay, this is a topcrash regression on the 1.8.0.x branch.  In my opinion we should hold 1.8.0.7 for fixing this one way or another; worst-case we do back out bug 345991.  I plan to spend tonight working on this in hopes of finding something better.

Note that I think that unlike security fixes for old problems (which I can understand slipping to the next security release if we want to release on a regular cycle), regressions should NOT get slipped once found; otherwise people will be afraid to update to the security releases we make...
Comment 9 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2006-09-06 17:35:06 PDT
Probably not really a topcrash -- it's 42 crashes across 14 users in Firefox2 nightlies (including the Fx2b2 release, although only a few there; most of the spike in nightlies has been since then).
Comment 10 Steve England [:stevee] 2006-09-06 17:45:33 PDT
Boris, I can't see any [@ nsDOMClassInfo::PreCreate] crashes listed at the firefox 1.5.0.6 talkback analysis page:
http://talkback-public.mozilla.org/reports/firefox/FF1506/index.html
Comment 11 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-06 17:48:37 PDT
Created attachment 237036
Proposed fix

This fixes the bug for me.  When splitwindow landed, there was code added to ensure inner windows for gets.  This code wasn't on for XPCNativeWrappers, however.  All this patch does is give XPCNativeWrapper parity with the raw Window object in terms of whether we force creation of an inner.  We continue to not forward the get to the inner in the XPCNativeWrapper case.

This fixes bug 323641 (where we always had an XPCNativeWrapper because we were performing a content access from chrome) and this bug (where we started getting an XPCNativeWrapper because of bug 345991).
Comment 12 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-06 17:49:30 PDT
Created attachment 237037
Patch with more context; might be easier to review
Comment 13 Johnny Stenback (:jst, jst@mozilla.com) 2006-09-06 19:39:35 PDT
Comment on attachment 237036
Proposed fix

r+sr=jst
Comment 14 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-06 19:54:26 PDT
Fixed on trunk.
Comment 15 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-06 19:54:43 PDT
Comment on attachment 237036
Proposed fix

Requesting branch approvals.  I think this should be quite safe.
Comment 16 Jay Patel [:jay] 2006-09-06 20:47:59 PDT
Comment on attachment 237036
Proposed fix

Approved for 1.8.0 branch, a=jay for drivers.  Please land this ASAP.
Comment 17 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-06 20:51:22 PDT
Fixed on the 1.8.0 branch for 1.8.0.7.  Thanks for the speedy reviews and approvals!
Comment 18 Mike Beltzner [:beltzner, not reading bugmail] 2006-09-07 10:24:51 PDT
Comment on attachment 237036
Proposed fix

a=beltzner on behalf of 181drivers
Comment 19 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-09-08 21:44:29 PDT
Fixed on 1.8.1 branch.
