Closed Bug 354380 Opened 18 years ago Closed 18 years ago

crashes [@ _PR_MD_ATOMIC_DECREMENT]

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: smaug, Assigned: jst)

Details

(Keywords: topcrash)

Crash Data

Attachments

(1 file)

Possible fix.
2.38 KB, patch
mrbkap
: review+
sicking
: superreview+
Details | Diff | Splinter Review
currently #11 trunk crash. Stack trace looks always like this: _PR_MD_ATOMIC_DECREMENT [mozilla\nsprpub\pr\src\md\windows\ntmisc.c, line 733] JS_GC [mozilla\js\src\jsapi.c, line 1944] NS_ProcessNextEvent_P [mozilla\xpcom\build\nsthreadutils.cpp, line 225] nsBaseAppShell::Run [mozilla\widget\src\xpwidgets\nsbaseappshell.cpp, line 153] 0x003c3dbc 0xccccc3c0
Some of this reports are from my machine, at least: TB24026892E, TB24021037X with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061001 Mnenhy/0.7.4.10002 SeaMonkey/1.5a {Build ID: 2006100108} Unfortunately I can't give a propper way to reproduce. Mostly my used SeaMonkey-XPFE-Trunk-Builds will crash after a while of browsing with multiple Tabs open, when I try to open another Tab with Mouse-Middleclick, sometimes when I try to close a Tab with Middleclick. Sometimes I have checked my Mailaccounts before the crash, sometimes SeaMonkey will crash before I opend MailNews. Not too helpful. Installed Add-Ons are: Mnenhy 0.7.4.10002 Message ID Finder 2.0 Flashblock 1.3.1 deutsches_w_ouml_rterbuch-1.0.1-fx+zm+tb.xpi enigmail-trunk-tb-win32-trunk.xpi {Build 20061002} Remembering Bug 322414 I have deinstalled Flashblock for testing, also don't use Enigmail because it was broken on Trunk for a while, but this won't aviod SeaMonkey from crashing. Hmm.
Flags: blocking1.9?
This must be crashing in some function tail-called from JS_GC, which for a trunk build from 2006/10/01 is js_RunCloseHooks. But I don't see any atomic increment macro calls in that function. Cc'ing people who can help diagnose the talkback better than I can. /be
After a while without Crashes and real testing, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070107 Mnenhy/0.7.4.10005 SeaMonkey/1.5a will crash again, TB28143292H, TB28140192X but the stacks won't help. As described in Comment #1, reproduce the crash is not too easy. Best way to get this crash is to open multiple Tabs and finaly a Site with pictures-series like: http://www.sueddeutsche.de/sport/weitere/special/299/67232/index.html/sport/weltfussball/bildstrecke/577/77500/p0/article.html?img=0.0 or http://www.spiegel.de/fotostrecke/0,5538,18404,00.html for example. and click very fast from one picture to the next one; don't wait until the page is fully loaded when click "go next picture". Link open behaviour is set to "Open links meant to open a new window in: A new tab in the current window" in preferences. When I start SeaMonkey, I first open this Sites in Tabs: http://tinderbox.mozilla.org/showbuilds.cgi?tree=SeaMonkey http://www.heise.de/ and than start browsing other Sites like http://www.spiegel.de/ and http://www.sueddeutsche.de/ in new Tabs.
#1 crash now for seamonkey trunk and top 5 crash for FF trunk (lots of them) Examining 30+ talkbacks no variation from TB29582787 and Tobias' stack except a few with no stack, and a couple others pasted below in case they might help... TB29582787 _PR_MD_ATOMIC_DECREMENT [mozilla/nsprpub/pr/src/md/windows/ntmisc.c, line 733] JS_GC [mozilla/js/src/jsapi.c, line 1889] TB28362808 from Nelson Bolyard (examples of same stack TB28267169, TB28255268) Stack Signature _PR_MD_ATOMIC_DECREMENT aeffbdaf Product ID MozillaTrunk Build ID 2006122608 Trigger Time 2007-01-14 20:04:01.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module nspr4.dll + (00017959) URL visited http://www.filmcritic.com/misc/emporium.nsf/2a460f93626cd4678625624c007f2b46/c86e3975ad708f0188257260006449c0?OpenDocument User Comments followed link from http://movies.yahoo.com/movie/1808718535/critic to this page. Boom. /Nelson Since Last Crash 340438 sec Total Uptime 726611 sec Trigger Reason Access violation Source File, Line No. d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_clobber\mozilla\nsprpub\pr\src\md\windows\ntmisc.c, line 733 Stack Trace _PR_MD_ATOMIC_DECREMENT [mozilla/nsprpub/pr/src/md/windows/ntmisc.c, line 733] JS_GC [mozilla/js/src/jsapi.c, line 1892] NS_ProcessNextEvent_P [mozilla/xpcom/build/nsthreadutils.cpp, line 225] nsBaseAppShell::Run [mozilla/widget/src/xpwidgets/nsbaseappshell.cpp, line 153] main [mozilla/xpfe/bootstrap/nsapprunner.cpp, line 1747] WinMain [mozilla/xpfe/bootstrap/nsapprunner.cpp, line 1771] kernel32.dll + 0x16fd7 (0x7c816fd7) found 3 like TB29631901 "Closed page with Flash playing" and TB29517717 Stack Signature _PR_MD_ATOMIC_DECREMENT 45742d0a Product ID MozillaTrunk Build ID 2007021310 Trigger Time 2007-02-20 10:53:52.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module nspr4.dll + (000179b9) URL visited User Comments Since Last Crash 874 sec Total Uptime 136731 sec Trigger Reason Access violation Source File, Line No. d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_clobber\mozilla\nsprpub\pr\src\md\windows\ntmisc.c, line 733 Stack Trace _PR_MD_ATOMIC_DECREMENT [mozilla/nsprpub/pr/src/md/windows/ntmisc.c, line 733] JS_GC [mozilla/js/src/jsapi.c, line 1889] DoOnShutdown [mozilla/xpfe/bootstrap/nsapprunner.cpp, line 741] main [mozilla/xpfe/bootstrap/nsapprunner.cpp, line 1730] WinMain [mozilla/xpfe/bootstrap/nsapprunner.cpp, line 1746] KERNEL32.dll + 0x289a5 (0x7c5989a5) An old Sunbird crash TB28199323 _PR_MD_ATOMIC_DECREMENT ef51666c Product ID SunbirdTrunk Build ID 2006100618 Trigger Time 2007-01-09 15:29:04.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module nspr4.dll + (00017939) URL visited User Comments Since Last Crash 2122 sec Total Uptime 2122 sec Trigger Reason Access violation Source File, Line No. d:\builds\tinderbox\sunbird-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\md\windows\ntmisc.c, line 733 Stack Trace _PR_MD_ATOMIC_DECREMENT [mozilla/nsprpub/pr/src/md/windows/ntmisc.c, line 733] DOMGCCallback [mozilla/dom/src/base/nsjsenvironment.cpp, line 3151] JS_GC [mozilla/js/src/jsapi.c, line 1944] NS_ProcessNextEvent_P [mozilla/xpcom/build/nsthreadutils.cpp, line 225] nsXULWindow::ShowModal [mozilla/xpfe/appshell/src/nsxulwindow.cpp, line 402] nsContentTreeOwner::ShowAsModal [mozilla/xpfe/appshell/src/nscontenttreeowner.cpp, line 503] Note the yahoo related crashes of bug 354912 and its ilk are gone from current builds.
Severity: major → critical
Since this build Minefield started crashing a lot (@ _PR_MD_ATOMIC_DECREMENT) Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070628 Minefield/3.0a6pre ID:2007062805 Crash reports: 1341e766-25aa-11dc-a5cf-001a4bd43e5c 31ebbee1-2593-11dc-9ee3-001a4bd43ef6 405991ab-2593-11dc-b3d7-001a4bd43e5c c552c75e-2596-11dc-bed6-001a4bd43ef6 e186314f-25ab-11dc-851c-001a4bd43ed6 ff33bfde-25a8-11dc-abe3-001a4bd43e5c
nikolakocicbz@gmail.com: i'm not sure where you're getting your incident ids, but if they come in a form that doesn't include a bp- prefix please let me know asap. if they do come w/ a bp- prefix, please *STOP* stripping it. bugzilla will eventually make links out of the following items, but it *can't* make links out of the ones you pasted into the bug. bp-1341e766-25aa-11dc-a5cf-001a4bd43e5c bp-31ebbee1-2593-11dc-9ee3-001a4bd43ef6 bp-405991ab-2593-11dc-b3d7-001a4bd43e5c bp-c552c75e-2596-11dc-bed6-001a4bd43ef6 bp-e186314f-25ab-11dc-851c-001a4bd43ed6 bp-ff33bfde-25a8-11dc-abe3-001a4bd43e5c
we cant ship alpha 6 crashing this much ive crashes over 30 times today from this
for reference, http://code.google.com/p/socorro/issues/list https://crash-reports.mozilla.com/reports/report/index/1341e766-25aa-11dc-a5cf-001a4bd43e5c shows: frame signature 0 _PR_MD_ATOMIC_DECREMENT 1 _releaseobject 2 NPObjWrapper_Finalize 3 js_FinalizeObject 4 js_GC 5 JS_GC 6 nsXPConnect::BeginCycleCollection() 7 nsXPConnect::GetContext(JSContext *,nsXPConnect *) 8 nsCycleCollector::Collect(unsigned int) 9 nsCycleCollector_collect() which is not really more interesting/useful https://crash-reports.mozilla.com/reports/report/index/e186314f-25ab-11dc-851c-001a4bd43ed6 Stack of Crashing Thread frame signature 0 _PR_MD_ATOMIC_DECREMENT 1 _releaseobject 2 NPObjWrapper_Finalize 3 js_FinalizeObject 4 js_GC 5 JS_GC 6 nsXREDirProvider::DoShutdown() 7 ScopedXPCOMStartup::~ScopedXPCOMStartup() 8 XRE_main 9 main assuming the incidents are the same set, we now have a stack that doesn't appear to suffer from tail call recursion which fingers plugins (not at all surprising). note that one crash was clearly late shutdown, the others were all normal runtime cycle collections.
Assignee: general → nobody
Component: JavaScript Engine → Plug-ins
QA Contact: general → plugins
https://crash-reports.mozilla.com/reports/report/index/d58af714-25db-11dc-9fca-001a4bd46e84 is perhaps the most simpliest of the stacks 0 _PR_MD_ATOMIC_DECREMENT 1 xul.dll@0x3dbd34 2 js_GC 3 JS_GC 4 xul.dll@0xfae0
Attached patch Possible fix.Splinter Review
I haven't thought about this enough to convince myself that this is really the fix here as I don't really know what the problem really is yet. Judging from the call stack it seems like the problem is that a plugin exposed a NPObject to JS and then released and destroyed the NPObject while JS still held a reference to the NPObject. This would make us crash once the JS object is finalized as its private data would point to a deleted NPObject. This patch should fix that, anyone have any way to test this?
well best way to test is check it in since i crash quite reliably with this bug recently ill be able to tell you with 99 percent certainty if it fixes it
gabe: can you build or do you need someone else to produce a build with this patch for you to test? /be
well i cant build myself
I'm contacting Gabe over a build with the patch included, FYI
I just did a build with this patch included and I'm seeing a lot of random crashing now too. I can't confirm that it's this stack, however, as I don't export symbols or anything for my builds. But it certainly seems to fit the M.O. for this crash anyway.
well based on build ryan sent me im pretty sure that patch does nothing
(In reply to comment #16) > I just did a build with this patch included and I'm seeing a lot of random > crashing now too. I can't confirm that it's this stack, however, as I don't > export symbols or anything for my builds. But it certainly seems to fit the > M.O. for this crash anyway. Thanks for testing. Are you seeing more, or the same amount of random crashes with and w/o this patch? If you're seeing more crashes then I might have messed something up in that patch...
jst - this patch could actually be exactly the fix for this bug. The problem is, the bug we were hitting was bug 386332 which crashed at the same point but with a different stack. That's why the patch wasn't fixing our crashes.
(In reply to comment #19) > jst - this patch could actually be exactly the fix for this bug. The problem > is, the bug we were hitting was bug 386332 which crashed at the same point but > with a different stack. That's why the patch wasn't fixing our crashes. > Ah, I see. Any chance you could test again now that bug 386332 is fixed (by backing out bug 347743)?
Blocking- due to lack of feedback here.
Flags: blocking1.9? → blocking1.9-
So, as Ryan pointed out, this bug got hijacked for the crash that was really bug 386332. This crash was the #33 topcrash in 3.0a7 in Breakpad, so there are a lot of more severe topcrashes. That said, we're still getting roughly twenty or thirty crashes a day with this stacktrace -- enough to land jst's patch and see if it fixes the crash. I think we should give it a shot.
Sounds like a bad crash, so reassigning to jst to get this landed and tested.
Assignee: nobody → jst
Flags: blocking1.9- → blocking1.9?
Comment on attachment 270257 [details] [diff] [review] Possible fix. This is an attempt at fixing a problem with us running into dead private data in JSObjects due to plugins not properly managing their object lifetime. Not pretty, but might be worth landing...
Attachment #270257 - Flags: superreview?(jonas)
Attachment #270257 - Flags: review?(mrbkap)
Attachment #270257 - Flags: review?(mrbkap) → review+
Attachment #270257 - Flags: superreview?(jonas) → superreview+
Status: NEW → ASSIGNED
Flags: blocking1.9? → blocking1.9+
Fix checked in. I'm closing this bug, but if this still appears, please reopen this bug.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Crash Signature: [@ _PR_MD_ATOMIC_DECREMENT]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: