Bug 353881 (Closed)
Opened 18 years ago
Closed 18 years ago
crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED FIXED
People: Reporter: moco, Unassigned
Keywords: crash, fixed1.8.1
Attachments (3 files):
41.49 KB, text/plain
1.21 KB, patch (bzbarsky: review+, brendan: superreview+, mtschrep: approval1.8.1+)
1.04 KB, patch
crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?]
this was on my own trunk, debug, mac os x, build from 9/22/06.
here's the top of the stack:
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000
Thread 0 Crashed:
0 <<00000000>> 0x00000000 0 + 0
1 libgklayout.dylib 0x1656ee9f nsAttrAndChildArray::~nsAttrAndChildArray [in-charge]() + 23 (nsAttrAndChildArray.cpp:135)
2 libgklayout.dylib 0x165ddb71 nsGenericElement::~nsGenericElement [in-charge deleting]() + 91 (nsIContent.h:89)
3 libgklayout.dylib 0x165f88e5 nsNodeUtils::LastRelease(nsINode*, int) + 1109 (nsNodeUtils.cpp:219)
4 libgklayout.dylib 0x165d90bc nsGenericElement::Release() + 206 (nsGenericElement.cpp:3018)
5 libgklayout.dylib 0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
6 libgklayout.dylib 0x16537fbb nsXULTooltipListener::Release() + 211 (nsXULTooltipListener.cpp:91)
7 libgklayout.dylib 0x16525953 TooltipListenerPropertyDtor(void*, nsIAtom*, void*, void*) + 37 (nsRootBoxFrame.cpp:332)
I'll attach the whole crash report.
Comment 1 • 18 years ago (Reporter)
Comment 2 • 18 years ago (Reporter)
from the crash report:
5 libgklayout.dylib 0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
...
22 libmozjs.dylib 0x0104507b js_GC + 3794 (jsgc.c:3039)
23 libmozjs.dylib 0x0101ec43 js_DestroyContext + 502 (jscntxt.c:407)
24 libmozjs.dylib 0x01010394 JS_DestroyContext + 25 (jsapi.c:968)
...
66 libgklayout.dylib 0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
we're calling the dtor twice on the stack, the second time as a result of a GC.
note: I have not been able to reproduce this yet.
Updated • 18 years ago
Assignee: nobody → general
Severity: normal → critical
Component: General → DOM
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Summary: crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?] (tooltip related?) → crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)
Comment 3 • 18 years ago
The hash table remove operation at http://lxr.mozilla.org/mozilla/source/content/base/src/nsPropertyTable.cpp#351 should happen before the callback just above it, or that may lead through a long stack back into the same code, and double-destroy.
Whether the gc callback should nest is another question. Cc'ing igor.
/be
This may be a duplicate of bug 351468.
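The ordering problem described in comment 3, as an added C++ example that is not part of the bug thread and is not Mozilla's nsPropertyTable code. `PropertyTable`, `Listener`, `ListenerDtor` and `DestroyCount` are hypothetical names, and the callback that re-enters the table once is a constructed stand-in for the nested GC path in the crash report.

```cpp
#include <cstdio>
#include <unordered_map>

struct PropertyTable;
// Destructor callback; it receives the table so it can re-enter it.
using PropertyDtor = void (*)(PropertyTable&, const void* owner, void* value);
struct Entry { void* value; PropertyDtor dtor; };

struct PropertyTable {
  std::unordered_map<const void*, Entry> entries;
  bool removeBeforeDtor = true;  // false reproduces the callback-first order

  bool Delete(const void* owner) {
    auto it = entries.find(owner);
    if (it == entries.end()) return false;  // already removed, nothing to destroy
    Entry e = it->second;                   // copy: 'it' may be invalidated below
    if (removeBeforeDtor) {
      entries.erase(it);                    // entry is gone before the callback runs
      e.dtor(*this, owner, e.value);
    } else {
      e.dtor(*this, owner, e.value);        // entry still visible to nested calls
      entries.erase(owner);                 // by key: a nested call may have erased it
    }
    return true;
  }
};

// Constructed stand-in: counts destructions instead of freeing memory.
struct Listener { int destroyed = 0; };

// Teardown that re-enters the table once (stand-in for the nested GC path).
void ListenerDtor(PropertyTable& table, const void* owner, void* value) {
  Listener* l = static_cast<Listener*>(value);
  if (++l->destroyed == 1) table.Delete(owner);
}

int DestroyCount(bool removeBeforeDtor) {
  PropertyTable table;
  table.removeBeforeDtor = removeBeforeDtor;
  Listener listener;
  int owner = 0;  // any stable address works as the key
  table.entries[&owner] = Entry{&listener, ListenerDtor};
  table.Delete(&owner);
  return listener.destroyed;
}

int main() {
  std::printf("callback first: %d, erase first: %d\n", DestroyCount(false), DestroyCount(true));
}
```

With the callback-first order the nested `Delete` still finds the entry and runs the destructor a second time; with the erase-first order the nested call finds nothing and returns.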
Comment 5 • 18 years ago
So like this?
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: review?(brendan)
Comment 6 • 18 years ago
Comment on attachment 239810
remove from hashtable before calling dtor func
I'd be happier if peterv or another module owner or peer r+'ed, but it looks good to me.
/be
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: superreview+
Attachment #239810 - Flags: review?(peterv)
Attachment #239810 - Flags: review?(brendan)
Attachment #239810 - Flags: approval1.8.1?
Comment 7 • 18 years ago
Comment on attachment 239810
remove from hashtable before calling dtor func
Looks good. If you really do want peterv's review that's fine, but if peer review in general is good, r=bzbarsky.
Attachment #239810 - Flags: review?(peterv) → review+
Comment 8 • 18 years ago
A bz or a peterv will do ;-). I chose peterv based on cvsblame, but peer review is what it's all about.
This should go into the trunk ASAP and could ride along for 1.8.1 IMO.
/be
Comment 9 • 18 years ago
Comment on attachment 239810
remove from hashtable before calling dtor func
Checked in to trunk
Comment 10 • 18 years ago
Comment on attachment 239810
remove from hashtable before calling dtor func
Approved for RC2.
Attachment #239810 - Flags: approval1.8.1? → approval1.8.1+
Comment 11 • 18 years ago
because 1.8 uses const void* aObject, not nsPropertyOwner aObject.
Comment 12 • 18 years ago
Checked in to branch.
(btw, not sure whether this is a dup of bug 351468)
Comment 13 • 18 years ago
*** Bug 351468 has been marked as a duplicate of this bug. ***
Comment 14 • 18 years ago
I am not sure this was fixed in Fx2 RC2; the signature is #20 on the crash reports: http://talkback-public.mozilla.org/reports/firefox/FF2rc2/index.html
Updated • 13 years ago
Crash Signature: [@ nsAttrAndChildArray::~nsAttrAndChildArray]
Updated • 6 years ago
Component: DOM → DOM: Core & HTML