Closed
Bug 349974
Opened 19 years ago
Closed 19 years ago
Crash [@nsCOMPtr<nsIWidget>::assign_assuming_AddRef(...) Line 568]
Categories
(Core :: Widget, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: bc, Assigned: bzbarsky)
References
()
Details
(Keywords: crash, helpwanted, Whiteboard: [sg:critical])
Crash Data
forked from Bug 309640 Comment #34
windows xp, trunk debug build only so far.
- this 0x03bed8f8 {mRawPtr=0x04a71694 } nsCOMPtr<nsIWidget> * const
- mRawPtr 0x04a71694 nsIWidget *
+ [ChildWindow] {...} ChildWindow
+ nsISupports {...} nsISupports
+ mFirstChild {mRawPtr=0x00000000 } nsCOMPtr<nsIWidget>
+ mLastChild 0x00000000 {mFirstChild={...} mLastChild=??? mNextSibling={...} ...} nsIWidget *
+ mNextSibling {mRawPtr=0x00000000 } nsCOMPtr<nsIWidget>
+ mPrevSibling 0x00000000 {mFirstChild={...} mLastChild=??? mNextSibling={...} ...} nsIWidget *
- newPtr 0x04a71694 nsIWidget *
+ [ChildWindow] {...} ChildWindow
+ nsISupports {...} nsISupports
+ mFirstChild {mRawPtr=0x00000000 } nsCOMPtr<nsIWidget>
+ mLastChild 0x00000000 {mFirstChild={...} mLastChild=??? mNextSibling={...} ...} nsIWidget *
+ mNextSibling {mRawPtr=0x00000000 } nsCOMPtr<nsIWidget>
+ mPrevSibling 0x00000000 {mFirstChild={...} mLastChild=??? mNextSibling={...} ...} nsIWidget *
+ oldPtr 0xcdcdcdcd {mFirstChild={...} mLastChild=??? mNextSibling={...} ...} nsIWidget *
*NOTE* turn off the ability for JavaScript to update the status bar. When I turned that on I could not reproduce this crash but as soon as I turned if off, I could reproduce again. Previous stacks found oldPtr as 0xfdfdfdfd, 0xdddddddd. This one is for 0xcdcdcdcd.
> gkwidget.dll!nsCOMPtr<nsIWidget>::assign_assuming_AddRef(nsIWidget * newPtr=0x04a71694) Line 568 + 0x3 bytes C++
gkwidget.dll!nsCOMPtr<nsIWidget>::assign_with_AddRef(nsISupports * rawPtr=0x04a71694) Line 1225 C++
gkwidget.dll!nsCOMPtr<nsIWidget>::operator=(nsIWidget * rhs=0x04a71694) Line 714 C++
gkwidget.dll!nsIWidget::SetNextSibling(nsIWidget * aSibling=0x04a71694) Line 402 C++
gkwidget.dll!nsBaseWidget::AddChild(nsIWidget * aChild=0x04a71694) Line 293 C++
gkwidget.dll!nsBaseWidget::BaseCreate(nsIWidget * aParent=0x049e5fd4, const nsRect & aRect={...}, nsEventStatus (nsGUIEvent *)* aHandleEventFunction=0x0236e8b0, nsIDeviceContext * aContext=0x039ea9a8, nsIAppShell * aAppShell=0x00000000, nsIToolkit * aToolkit=0x00000000, nsWidgetInitData * aInitData=0x0012f1e8) Line 196 C++
gkwidget.dll!nsWindow::StandardWindowCreate(nsIWidget * aParent=0x049e5fd4, const nsRect & aRect={...}, nsEventStatus (nsGUIEvent *)* aHandleEventFunction=0x0236e8b0, nsIDeviceContext * aContext=0x039ea9a8, nsIAppShell * aAppShell=0x00000000, nsIToolkit * aToolkit=0x00000000, nsWidgetInitData * aInitData=0x0012f1e8, void * aNativeParent=0x00000000) Line 1351 C++
gkwidget.dll!nsWindow::Create(nsIWidget * aParent=0x049e5fd4, const nsRect & aRect={...}, nsEventStatus (nsGUIEvent *)* aHandleEventFunction=0x0236e8b0, nsIDeviceContext * aContext=0x039ea9a8, nsIAppShell * aAppShell=0x00000000, nsIToolkit * aToolkit=0x00000000, nsWidgetInitData * aInitData=0x0012f1e8) Line 1530 C++
gklayout.dll!nsIView::CreateWidget(const nsID & aWindowIID={...}, nsWidgetInitData * aWidgetInitData=0x0012f1e8, void * aNative=0x00000000, int aEnableDragDrop=1, int aResetVisibility=1, nsContentType aContentType=eContentTypeInherit) Line 684 C++
gklayout.dll!nsScrollPortView::CreateScrollControls(void * aNative=0x00000000) Line 157 C++
gklayout.dll!nsGfxScrollFrameInner::CreateScrollableView() Line 1447 C++
gklayout.dll!nsHTMLScrollFrame::SetInitialChildList(nsIAtom * aListName=0x00000000, nsIFrame * aChildList=0x03bae344) Line 174 C++
gklayout.dll!nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x04a04ad0, nsStyleContext * aContentStyle=0x04ad5e54, nsIFrame * aParentFrame=0x04a6a93c, nsIFrame * aContentParentFrame=0x0496a1f0, nsIAtom * aScrolledPseudo=0x00b5ee98, int aIsRoot=0, nsIFrame * & aNewFrame=0x04aeb3d0) Line 6651 C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState & aState={...}, const nsStyleDisplay * aDisplay=0x03bfcab0, nsIContent * aContent=0x04a04ad0, int aNameSpaceID=0, nsIAtom * aTag=0x02a096d8, nsIFrame * aParentFrame=0x0496a1f0, nsStyleContext * aStyleContext=0x04ad5e54, nsFrameItems & aFrameItems={...}, int aHasPseudoParent=0) Line 6785 + 0x3a bytes C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x04a04ad0, nsIFrame * aParentFrame=0x0496a1f0, nsIAtom * aTag=0x02a096d8, int aNameSpaceID=0, nsStyleContext * aStyleContext=0x04ad5e54, nsFrameItems & aFrameItems={...}, int aXBLBaseTag=0) Line 8157 + 0x34 bytes C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x04a04ad0, nsIFrame * aParentFrame=0x0496a1f0, nsFrameItems & aFrameItems={...}) Line 7965 + 0x35 bytes C++
gklayout.dll!nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x049f1620, nsIFrame * aFrame=0x0496a1f0, int aCanHaveGeneratedContent=0, nsFrameItems & aFrameItems={...}, int aParentIsBlock=0, nsTableCreator * aTableCreator=0x00000000) Line 11836 + 0x3a bytes C++
gklayout.dll!nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x049f1620, nsIFrame * aParentFrame=0x04a44cb4, nsIAtom * aTag=0x00b5f958, int aNameSpaceID=0, nsStyleContext * aStyleContext=0x04a6a380, nsFrameItems & aFrameItems={...}, int aXBLBaseTag=0, int aHasPseudoParent=0, int * aHaltProcessing=0x0012f654) Line 6541 + 0x21 bytes C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x049f1620, nsIFrame * aParentFrame=0x04a6a93c, nsIAtom * aTag=0x00b5f958, int aNameSpaceID=0, nsStyleContext * aStyleContext=0x03bb2e8c, nsFrameItems & aFrameItems={...}, int aXBLBaseTag=0) Line 8097 + 0x38 bytes C++
gklayout.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x049f1620, nsIFrame * aParentFrame=0x04a6a93c, nsFrameItems & aFrameItems={...}) Line 7965 + 0x35 bytes C++
gklayout.dll!nsCSSFrameConstructor::ContentInserted(nsIContent * aContainer=0x049d41c0, nsIContent * aChild=0x049f1620, int aIndexInContainer=4, nsILayoutHistoryState * aFrameState=0x049e6260, int aInReinsertContent=0) Line 9585 C++
gklayout.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent * aContent=0x049f1620) Line 11716 + 0x27 bytes C++
gklayout.dll!nsCSSFrameConstructor::RestyleElement(nsIContent * aContent=0x049f1620, nsIFrame * aPrimaryFrame=0x04a44cb4, nsChangeHint aMinHint=0) Line 10574 C++
gklayout.dll!nsCSSFrameConstructor::ProcessOneRestyle(nsIContent * aContent=0x049f1620, nsReStyleHint aRestyleHint=eReStyle_Self, nsChangeHint aChangeHint=0) Line 13420 C++
gklayout.dll!nsCSSFrameConstructor::ProcessPendingRestyles() Line 13473 C++
gklayout.dll!nsCSSFrameConstructor::RestyleEvent::Run() Line 13536 C++
xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fbc4) Line 483 C++
xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b5b260, int mayWait=1) Line 225 + 0x16 bytes C++
gkwidget.dll!nsBaseAppShell::Run() Line 153 + 0xc bytes C++
tkitcmps.dll!nsAppStartup::Run() Line 171 + 0x1c bytes C++
These widget trees have been a reoccurring source of bugs for me. The interesting thing is that allowing the script to update the status bar hides the bug. Maybe that is partly why many of my other bugs were not reproducible.
|
Assignee | |
Comment 1•19 years ago
|
||
Note: this comes from bug 306940, not bug 309640.
|
Reporter | |
Comment 2•19 years ago
|
||
(In reply to comment #1)
> Note: this comes from bug 306940, not bug 309640.
>
I blame my new MS ergonomic keyboard, yep thats the ticket.
|
||
Updated•19 years ago
|
Flags: blocking1.9?
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical]
|
||
Comment 3•19 years ago
|
||
This bug, bug 322704, bug 330480, bug 330486, and bug 336899 all have nsIWidget::SetNextSibling at the top of the stack (usually with nsCOMPtr functions above it). Perhaps some of them are dups?
Bug 322704 is the only one of these with a reduced testcase.
|
|
||
Comment 6•19 years ago
|
||
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: general → bzbarsky
|
|
Assignee | |
Comment 7•19 years ago
|
||
So.... my problem is that I have no Windows development environment, hence can't even reproduce this bug.
Ere, this sounds like a Windows widget issue. Would you be willing to look into it?
|
|
Assignee | |
Updated•19 years ago
|
Keywords: helpwanted
|
|
Reporter | |
Comment 8•19 years ago
|
||
attachment 194750 [details] no longer crashes debug winxp trunk even when the counter exceeds 100,000. Whatever I was seeing has changed sufficiently to not be tickled by this testcase or has been fixed by something else. I still see lots of assertions, but no crash.
marking wfm unless someone objects.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
|
||
Updated•15 years ago
|
Crash Signature: [@nsCOMPtr<nsIWidget>::assign_assuming_AddRef(...) Line 568]
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•10 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•