crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)

RESOLVED FIXED

critical

People

(Reporter: moco, Unassigned)

Tracking

({crash, fixed1.8.1})

Trunk
x86
Mac OS X

Attachments

(3 attachments)

crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?]

this was on my own trunk, debug, mac os x, build from 9/22/06.

here's the top of the stack:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   <<00000000>>        0x00000000 0 + 0
1   libgklayout.dylib                   0x1656ee9f nsAttrAndChildArray::~nsAttrAndChildArray [in-charge]() + 23 (nsAttrAndChildArray.cpp:135)
2   libgklayout.dylib                   0x165ddb71 nsGenericElement::~nsGenericElement [in-charge deleting]() + 91 (nsIContent.h:89)
3   libgklayout.dylib                   0x165f88e5 nsNodeUtils::LastRelease(nsINode*, int) + 1109 (nsNodeUtils.cpp:219)
4   libgklayout.dylib                   0x165d90bc nsGenericElement::Release() + 206 (nsGenericElement.cpp:3018)
5   libgklayout.dylib                   0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
6   libgklayout.dylib                   0x16537fbb nsXULTooltipListener::Release() + 211 (nsXULTooltipListener.cpp:91)
7   libgklayout.dylib                   0x16525953 TooltipListenerPropertyDtor(void*, nsIAtom*, void*, void*) + 37 (nsRootBoxFrame.cpp:332)

I'll attach the whole crash report.
Created attachment 239722
complete crash report
from the crash report:

5   libgklayout.dylib              	0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)

...

22  libmozjs.dylib                 	0x0104507b js_GC + 3794 (jsgc.c:3039)
23  libmozjs.dylib                 	0x0101ec43 js_DestroyContext + 502 (jscntxt.c:407)
24  libmozjs.dylib                 	0x01010394 JS_DestroyContext + 25 (jsapi.c:968)

...

66  libgklayout.dylib              	0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)

we're calling the dtor twice on the stack, the second time as a result of a GC.

note:  I have not been able to reproduce this yet.

Updated

12 years ago
Assignee: nobody → general
Severity: normal → critical
Component: General → DOM
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Summary: crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?] (tooltip related?) → crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)
The hash table remove operation at http://lxr.mozilla.org/mozilla/source/content/base/src/nsPropertyTable.cpp#351 should happen before the callback just above it, or that may lead through a long stack back into the same code, and double-destroy.

Whether the gc callback should nest is another question.  Cc'ing igor.

/be
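
Added example (not part of the bug report or the Mozilla patch): a toy C++ property table showing why the ordering described in the comment above matters when a destructor callback can re-enter the table. All names here (`PropertyTable`, `ReentrantDtor`, `RunScenario`) are hypothetical, and destruction is counted rather than performed so the double-destroy is observable without undefined behaviour.

```cpp
#include <cstdio>
#include <unordered_map>

struct PropertyTable;
using DtorFunc = void (*)(PropertyTable&, const void* owner, int* value);
struct Entry { int* value; DtorFunc dtor; };

// Toy per-object property table (hypothetical, not Mozilla's nsPropertyTable).
struct PropertyTable {
    std::unordered_map<const void*, Entry> entries;
    bool removeFirst = false;  // false: callback-then-remove, true: remove-then-callback

    bool Delete(const void* owner) {
        auto it = entries.find(owner);
        if (it == entries.end()) return false;
        Entry e = it->second;               // copy out before touching the table
        if (removeFirst) {
            entries.erase(it);              // unlink first: a re-entrant lookup finds nothing
            e.dtor(*this, owner, e.value);
        } else {
            e.dtor(*this, owner, e.value);  // entry is still reachable while the callback runs
            entries.erase(owner);           // erase by key: the iterator may be stale by now
        }
        return true;
    }
};

static bool g_inDtor = false;

// Constructed callback: "destroys" the value, then re-enters Delete once,
// standing in for a release that leads through a long stack back into the table.
static void ReentrantDtor(PropertyTable& t, const void* owner, int* destroyCount) {
    ++*destroyCount;
    if (g_inDtor) return;  // model a single nested re-entry
    g_inDtor = true;
    t.Delete(owner);
    g_inDtor = false;
}

// Returns how many times the value's destructor callback ran.
int RunScenario(bool removeFirst) {
    int destroyCount = 0, owner = 0;
    PropertyTable t;
    t.removeFirst = removeFirst;
    t.entries[&owner] = Entry{&destroyCount, ReentrantDtor};
    t.Delete(&owner);
    return destroyCount;
}

int main() {
    std::printf("callback first: %d, remove first: %d\n", RunScenario(false), RunScenario(true));
    return 0;
}
```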

Comment 5

12 years ago
Created attachment 239810
remove from hashtable before calling dtor func

So like this?
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: review?(brendan)
Comment on attachment 239810
remove from hashtable before calling dtor func

I'd be happier if peterv or another module owner or peer r+'ed, but it looks good to me.

/be
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: superreview+
Attachment #239810 - Flags: review?(peterv)
Attachment #239810 - Flags: review?(brendan)
Attachment #239810 - Flags: approval1.8.1?
Comment on attachment 239810
remove from hashtable before calling dtor func

Looks good.  If you really do want peterv's review that's fine, but if peer review in general is good, r=bzbarsky.
Attachment #239810 - Flags: review?(peterv) → review+
A bz or a peterv will do ;-).  I chose peterv based on cvsblame, but peer review is what it's all about.

This should go into the trunk ASAP and could ride along for 1.8.1 IMO.

/be

Comment 9

12 years ago
Comment on attachment 239810
remove from hashtable before calling dtor func

Checked in to trunk

Comment 10

12 years ago
Comment on attachment 239810
remove from hashtable before calling dtor func

Approved for RC2.
Attachment #239810 - Flags: approval1.8.1? → approval1.8.1+

Comment 11

12 years ago
Created attachment 240039
1.8. patch.

because 1.8 uses const void* aObject, not nsPropertyOwner aObject.

Comment 12

12 years ago
Checked in to branch.

(btw, not sure whether this is a dup of bug 351468)
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

Comment 13

12 years ago
*** Bug 351468 has been marked as a duplicate of this bug. ***

Comment 14

12 years ago
I am not sure this was fixed in Fx2 RC2; the signature is #20 on the crash reports: http://talkback-public.mozilla.org/reports/firefox/FF2rc2/index.html
Crash Signature: [@ nsAttrAndChildArray::~nsAttrAndChildArray]