353505 - Crash on event creation/changing [@ CalculateUTF8Size::write][@ AppendUTF16toUTF8()][@ XPCConvert::JSData2Native]

Status: RESOLVED FIXED

(Core :: XPConnect, defect)

Description

[Stefan Sitter [:ssitter]]

Crash on event creation/changing

Talkback ID: 23523649, 23523672, 23523802

Another regression from Bug 278236?

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060920 Calendar/0.3a2+

Comment 1

[Dan Mosedale (:dmosedale, :dmose)]

Those are unusual looking stacks.  I can't reproduce this in today's Lightning nightly on Mac, FWIW.  I wonder if this is some sort of JS/XPConnect regression on the trunk.

Comment 2

[Adam Guthrie]

Incident ID: 23523802
Stack Signature	AppendUTF16toUTF8() d826e73a
Product ID	SunbirdTrunk
Build ID	2006092006
Trigger Time	2006-09-20 08:35:29.0
Platform	LinuxIntel
Operating System	Linux 2.6.15-26-386
Module	libxpcom_core.so + (0009e96a)
URL visited	
User Comments	create new event
Since Last Crash	0 sec
Total Uptime	0 sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.	N/A
Stack Trace 	
AppendUTF16toUTF8()
CopyUTF16toUTF8()
XPCConvert::JSData2Native()
nsXPCWrappedJSClass::CallMethod()
nsXPCWrappedJS::CallMethod()
PrepareAndDispatch()
XPTC_InvokeByIndex()
XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)()
XPC_WN_GetterSetter()
js_Invoke()
js_InternalInvoke()
js_InternalGetOrSet()
js_GetProperty()
js_Interpret()
js_Invoke()
js_InternalInvoke()
JS_CallFunctionValue()
nsJSContext::CallEventHandler()
nsJSEventListener::HandleEvent()
nsXBLPrototypeHandler::ExecuteHandler()
nsXBLEventHandler::HandleEvent()
nsEventListenerManager::HandleEventSubType()
nsEventListenerManager::HandleEvent()
nsEventTargetChainItem::HandleEvent()
nsEventTargetChainItem::HandleEventTargetChain()
nsEventDispatcher::Dispatch()
nsEventStateManager::DispatchMouseEvent()
nsEventStateManager::NotifyMouseOver()
nsEventStateManager::GenerateMouseEnterExit()
nsEventStateManager::PreHandleEvent()
PresShell::HandleEventInternal()
PresShell::HandlePositionedEvent()
PresShell::HandleEvent()
nsViewManager::HandleEvent()
nsViewManager::DispatchEvent()
HandleEvent()
nsCommonWidget::DispatchEvent()
nsWindow::OnMotionNotifyEvent()
motion_notify_event_cb()
libgtk-x11-2.0.so.0 + 0x1208e0 (0xb7ba68e0)
libgobject-2.0.so.0 + 0x979f (0xb795f79f)
libgobject-2.0.so.0 + 0x182ea (0xb796e2ea)
libgobject-2.0.so.0 + 0x19886 (0xb796f886)
libgobject-2.0.so.0 + 0x19e89 (0xb796fe89)
libgtk-x11-2.0.so.0 + 0x202dcf (0xb7c88dcf)
libgtk-x11-2.0.so.0 + 0x11f05d (0xb7ba505d)
libgtk-x11-2.0.so.0 + 0x11f46b (0xb7ba546b)
libgdk-x11-2.0.so.0 + 0x3fdec (0xb7a2fdec)
libglib-2.0.so.0 + 0x238d6 (0xb78f48d6)
libglib-2.0.so.0 + 0x26996 (0xb78f7996)
libglib-2.0.so.0 + 0x26e1e (0xb78f7e1e)
nsAppShell::ProcessNextNativeEvent()
nsBaseAppShell::DoProcessNextNativeEvent()
nsBaseAppShell::OnProcessNextEvent()
nsThread::ProcessNextEvent()
NS_ProcessNextEvent_P()
nsBaseAppShell::Run()
nsAppStartup::Run()
XRE_main()
main()
libc.so.6 + 0x14ea2 (0xb73f3ea2)

Comment 3

[Stefan Sitter [:ssitter]]

Branch builds are ok, crash seems trunk only
 
Thunderbird/2.0b1pre (20060920) + Lightning/0.3a2+ (2006092006) Ok
Thunderbird/1.5.0.7  (20060920) + Lightning/0.3a2+ (2006092006) Ok 

Thunderbird/3.0a1 (20060920) + Lightning/0.3a2+ (2006092006) Crash

Talkback ID: TB23525026K, TB23525742Q
  CalculateUTF8Size::write
  XPCConvert::JSData2Native
  nsXPCWrappedJSClass::CallMethod 
  [...]

XPCConvert::JSData2Native is the common element in all win32 and linux stack traces I got today.

Comment 4

[Stefan Sitter [:ssitter]]

Regression range:

Using Sunbird/0.3a2+ (2006-09-19-14) on Windows 2000 and Linux - No crash
Using Sunbird/0.3a2+ (2006-09-19-21) on Windows 2000 and Linux - Crash

Checkins: http://tinyurl.com/gvgj5

Comment 5

[Boris Zbarsky [:bzbarsky]]

Do we have anything resembling steps to reproduce?  Even unreliable ones?  Preferably in one of tbird, firefox, seamonkey?  ;)  Failing that, instructions on building things that I _could_ reproduce with?

Comment 6

[Boris Zbarsky [:bzbarsky]]

Although, I do see a way bug 311582 might have caused an issue here... I'll work on it tonight.

Comment 7

[Boris Zbarsky [:bzbarsky]]

So the problem is that XPCVariant::VariantDataToJS uses mJSVal.

So the options are either to make that copy for strings or to go back to the "avoid copying and root" patch in bug 311582 and work on mitigating the perf cost of rooting...  Thoughts?

Comment 8

[Stefan Sitter [:ssitter]]

(In reply to comment #5)

Steps to Reproduce:
1. Start Sunbird with clean profile
2. Switch to week view and create new default event via drag and drop
3. Drag and drop the event to a different day

Actual Results:
Crash after step 2 or 3.

Comment 9

[Boris Zbarsky [:bzbarsky]]

1)  How do I build sunbird?
2)  Since I've never used sunbird, are there step-by step instructions like "click on the button labeled X, then on the button with an image of a feather, then type 'done' in the third textbox in the resulting dialog" for steps 2 and 3?  Esp. step 2?

Comment 10

[Stefan Sitter [:ssitter]]

(In reply to comment #9)
> 1)  How do I build sunbird?

Add the following lines to your mozconfig file:
  mk_add_options MOZ_CO_PROJECT=calendar
  ac_add_options --enable-application=calendar
and run 
  cd mozilla
  make -f client.mk checkout
  make -f client.mk build

> 2) Since I've never used sunbird, are there step-by step instructions...

Select menu command View - Week View. In main calendar view press left mouse button and hold it. Move mouse pointer down and release left mouse button to create new event with default settings. Click the created event and hold left mouse button down, move mouse pointer to position in next day and release left mouse button.

Comment 11

[Boris Zbarsky [:bzbarsky]]

Ah, excellent.  Yeah, the problem is as described in comment 7.  I backed out the patch for bug 311582.