Closed Bug 353881 Opened 17 years ago Closed 17 years ago

crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: moco, Unassigned)

References

Details

(Keywords: crash, fixed1.8.1)

Crash Data

Attachments

(3 files)

complete crash report
41.49 KB, text/plain
Details
remove from hashtable before calling dtor func
1.21 KB, patch
bzbarsky
: review+
brendan
: superreview+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
1.8. patch.
1.04 KB, patch
Details | Diff | Splinter Review 
crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?]

this was on my own trunk, debug, mac os x, build from 9/22/06.

here's the top of the stack:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   <<00000000>>        0x00000000 0 + 0
1   libgklayout.dylib                   0x1656ee9f nsAttrAndChildArray::~nsAttrA
ndChildArray [in-charge]() + 23 (nsAttrAndChildArray.cpp:135)
2   libgklayout.dylib                   0x165ddb71 nsGenericElement::~nsGenericE
lement [in-charge deleting]() + 91 (nsIContent.h:89)
3   libgklayout.dylib                   0x165f88e5 nsNodeUtils::LastRelease(nsIN
ode*, int) + 1109 (nsNodeUtils.cpp:219)
4   libgklayout.dylib                   0x165d90bc nsGenericElement::Release() +
 206 (nsGenericElement.cpp:3018)
5   libgklayout.dylib                   0x1653cc76 nsXULTooltipListener::~nsXULT
ooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
6   libgklayout.dylib                   0x16537fbb nsXULTooltipListener::Release
() + 211 (nsXULTooltipListener.cpp:91)
7   libgklayout.dylib                   0x16525953 TooltipListenerPropertyDtor(v
oid*, nsIAtom*, void*, void*) + 37 (nsRootBoxFrame.cpp:332)

I'll attach the whole crash report.
from the crash report:

5   libgklayout.dylib              	0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)

...

22  libmozjs.dylib                 	0x0104507b js_GC + 3794 (jsgc.c:3039)
23  libmozjs.dylib                 	0x0101ec43 js_DestroyContext + 502 (jscntxt.c:407)
24  libmozjs.dylib                 	0x01010394 JS_DestroyContext + 25 (jsapi.c:968)

...

66  libgklayout.dylib              	0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)

we're calling the dtor twice on the stack, the second time as a result of a GC.

note:  I have not been able to reproduce this yet.
Assignee: nobody → general
Severity: normal → critical
Component: General → DOM
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Summary: crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?] (tooltip related?) → crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)
The hash table remove operation at http://lxr.mozilla.org/mozilla/source/content/base/src/nsPropertyTable.cpp#351 should happen before the callback just above it, or that may lead through a long stack back into the same code, and double-destroy.

Whether the gc callback should nest is another question.  Cc'ing igor.

/be
This may be a duplicate fo bug 351468.
So like this?
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: review?(brendan)
Comment on attachment 239810 [details] [diff] [review]
remove from hashtable before calling dtor func

I'd be happier if peterv or another module owner or peer r+'ed, but it looks good to me.

/be
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: superreview+
Attachment #239810 - Flags: review?(peterv)
Attachment #239810 - Flags: review?(brendan)
Attachment #239810 - Flags: approval1.8.1?
Blocks: 351468
Comment on attachment 239810 [details] [diff] [review]
remove from hashtable before calling dtor func

Looks good.  If you really do want peterv's review that's fine, but if peer review in general is good, r=bzbarsky.
Attachment #239810 - Flags: review?(peterv) → review+
A bz or a peterv will do ;-).  I chose peterv based on cvsblame, but peer review is what it's all about.

This should go into the trunk ASAP and could ride along for 1.8.1 IMO.

/be
Comment on attachment 239810 [details] [diff] [review]
remove from hashtable before calling dtor func

Checked in to trunk
Comment on attachment 239810 [details] [diff] [review]
remove from hashtable before calling dtor func

Approved for RC2.
Attachment #239810 - Flags: approval1.8.1? → approval1.8.1+
Attached patch 1.8. patch.Splinter Review 
because 1.8 uses const void* aObject, not nsPropertyOwner aObject.
Checked in to branch.

(btw, not sure whether this is a dup of bug 351468)
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
*** Bug 351468 has been marked as a duplicate of this bug. ***
I am not sure this was fixed in Fx2 RC2 the signature is #20 on the crash reports http://talkback-public.mozilla.org/reports/firefox/FF2rc2/index.html
Crash Signature: [@ nsAttrAndChildArray::~nsAttrAndChildArray]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.