Closed Bug 353881 Opened 18 years ago Closed 18 years ago

crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: moco, Unassigned)

Details

(Keywords: crash, fixed1.8.1)

Attachments

(3 files)

crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?]

this was on my own trunk, debug, mac os x, build from 9/22/06.

here's the top of the stack:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
0   <<00000000>>       0x00000000 0 + 0
1   libgklayout.dylib  0x1656ee9f nsAttrAndChildArray::~nsAttrAndChildArray [in-charge]() + 23 (nsAttrAndChildArray.cpp:135)
2   libgklayout.dylib  0x165ddb71 nsGenericElement::~nsGenericElement [in-charge deleting]() + 91 (nsIContent.h:89)
3   libgklayout.dylib  0x165f88e5 nsNodeUtils::LastRelease(nsINode*, int) + 1109 (nsNodeUtils.cpp:219)
4   libgklayout.dylib  0x165d90bc nsGenericElement::Release() + 206 (nsGenericElement.cpp:3018)
5   libgklayout.dylib  0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
6   libgklayout.dylib  0x16537fbb nsXULTooltipListener::Release() + 211 (nsXULTooltipListener.cpp:91)
7   libgklayout.dylib  0x16525953 TooltipListenerPropertyDtor(void*, nsIAtom*, void*, void*) + 37 (nsRootBoxFrame.cpp:332)

I'll attach the whole crash report.

from the crash report:

5   libgklayout.dylib  0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)
...
22  libmozjs.dylib     0x0104507b js_GC + 3794 (jsgc.c:3039)
23  libmozjs.dylib     0x0101ec43 js_DestroyContext + 502 (jscntxt.c:407)
24  libmozjs.dylib     0x01010394 JS_DestroyContext + 25 (jsapi.c:968)
...
66  libgklayout.dylib  0x1653cc76 nsXULTooltipListener::~nsXULTooltipListener [in-charge deleting]() + 272 (nsXULTooltipListener.cpp:88)

we're calling the dtor twice on the stack, the second time as a result of a GC.

note: I have not been able to reproduce this yet.
Assignee: nobody → general
Severity: normal → critical
Component: General → DOM
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Summary: crash on quit [@nsAttrAndChildArray::~nsAttrAndChildArray ?] (tooltip related?) → crash on quit [@ nsAttrAndChildArray::~nsAttrAndChildArray] (tooltip related?)
The hash table remove operation at http://lxr.mozilla.org/mozilla/source/content/base/src/nsPropertyTable.cpp#351 should happen before the callback just above it, or that may lead through a long stack back into the same code, and double-destroy. Whether the gc callback should nest is another question. Cc'ing igor. /be
So like this?
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: review?(brendan)
Comment on attachment 239810: remove from hashtable before calling dtor func
I'd be happier if peterv or another module owner or peer r+'ed, but it looks good to me. /be
Attachment #239810 - Flags: superreview?(brendan)
Attachment #239810 - Flags: superreview+
Attachment #239810 - Flags: review?(peterv)
Attachment #239810 - Flags: review?(brendan)
Attachment #239810 - Flags: approval1.8.1?
Blocks: 351468
Comment on attachment 239810: remove from hashtable before calling dtor func
Looks good. If you really do want peterv's review that's fine, but if peer review in general is good, r=bzbarsky.
Attachment #239810 - Flags: review?(peterv) → review+
A bz or a peterv will do ;-). I chose peterv based on cvsblame, but peer review is what it's all about. This should go into the trunk ASAP and could ride along for 1.8.1 IMO. /be
Comment on attachment 239810: remove from hashtable before calling dtor func
Checked in to trunk
Comment on attachment 239810: remove from hashtable before calling dtor func
Approved for RC2.
Attachment #239810 - Flags: approval1.8.1? → approval1.8.1+
Attached patch: 1.8. patch.
because 1.8 uses const void* aObject, not nsPropertyOwner aObject.
Checked in to branch. (btw, not sure whether this is a dup of bug 351468)
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
*** Bug 351468 has been marked as a duplicate of this bug. ***
I am not sure this was fixed in Fx2 RC2; the signature is #20 on the crash reports: http://talkback-public.mozilla.org/reports/firefox/FF2rc2/index.html
Crash Signature: [@ nsAttrAndChildArray::~nsAttrAndChildArray]
Component: DOM → DOM: Core & HTML
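
The ordering problem discussed in this bug (running the destructor callback while the entry is still in the hash table, so a nested call reaches the same entry again) can be shown in miniature. This is an added example, not code from the bug, its attachments, or Mozilla's nsPropertyTable; PropertyTable, DeleteCallbackFirst, DeleteRemoveFirst and CountDtorRuns are hypothetical names, and the nested GC is stood in for by a callback that re-enters the delete path once.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <unordered_map>
// Hypothetical miniature property table (not Mozilla's nsPropertyTable).
struct PropertyTable {
    using Dtor = std::function<void(int*)>;
    struct Entry { int* value; Dtor dtor; };
    std::unordered_map<std::string, Entry> entries;
    // Ordering before the fix: run the callback, then remove the entry.
    bool DeleteCallbackFirst(const std::string& key) {
        auto it = entries.find(key);
        if (it == entries.end()) return false;
        Entry e = it->second;   // copy: a nested call may erase the slot
        e.dtor(e.value);        // entry is still findable while this runs
        entries.erase(key);
        return true;
    }
    // Ordering the bug asks for: unlink the entry, then run the callback.
    bool DeleteRemoveFirst(const std::string& key) {
        auto it = entries.find(key);
        if (it == entries.end()) return false;
        Entry e = it->second;
        entries.erase(it);
        e.dtor(e.value);        // nested lookups now find nothing
        return true;
    }
};

// One delete whose callback re-enters once; returns how often the callback ran.
int CountDtorRuns(bool removeFirst) {
    PropertyTable table;
    int runs = 0;
    bool reentered = false;
    auto del = [&] {
        return removeFirst ? table.DeleteRemoveFirst("tooltip")
                           : table.DeleteCallbackFirst("tooltip");
    };
    table.entries["tooltip"] = PropertyTable::Entry{&runs, [&](int* counter) {
        ++*counter;             // a real destructor would free the object here
        if (!reentered) { reentered = true; del(); }
    }};
    del();
    return runs;
}

int main() {
    std::printf("%d %d\n", CountDtorRuns(false), CountDtorRuns(true)); // prints "2 1"
}
```

The example counts callback runs instead of freeing memory, so the callback-first ordering shows up as a count of 2 rather than as a crash.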