Closed Bug 358755 Opened 13 years ago Closed 13 years ago

crash [@ nsDOMClassInfo::PreCreate] when going back

Categories: (Core :: DOM: Core & HTML, defect, critical)


RESOLVED FIXED

People: (Reporter: bugzilla, Assigned: jst)

Details: (Keywords: crash, regression, verified1.8.1.1)

Attachments: (1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061029 Minefield/3.0a1 ID:2006102904 [cairo]

When I go back, I'm crashing:
TB25254823Q
TB25254766W
TB25254487Z

nsDOMClassInfo::PreCreate  [mozilla\dom\src\base\nsdomclassinfo.cpp, line 3310]
XPCWrappedNative::GetNewOrUsed  [mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 320]
XPCConvert::NativeInterface2JSObject  [mozilla\js\src\xpconnect\src\xpcconvert.cpp, line 1098]
XPCConvert::NativeData2JS  [mozilla\js\src\xpconnect\src\xpcconvert.cpp, line 474]
XPCWrappedNative::CallMethod  [mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 2252]
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061026 SeaMonkey/1.5a - maybe something checked in over the weekend?
What site(s) does this occur on?
Severity: normal → critical
Summary: crash at nsDOMClassInfo::PreCreate → crash [@ nsDOMClassInfo::PreCreate] when going back
This looks like it could be fallout from bug 355161. Henrik, are you using any extensions that might be provoking this?
*** Bug 360855 has been marked as a duplicate of this bug. ***
Flags: blocking1.9?
Keywords: qawanted
Whiteboard: [need info]
Actually, this is probably indeed fallout from bug 355161.  The line those talkbacks are crashing on is:

 3309    *parentObj = ((nsGlobalWindow *)piwin.get())->
 3310                   GetCurrentInnerWindowInternal()->GetGlobalJSObject();

The change in bug 355161 made it so the outer window is frozen until we get an explicit inner, so this code in nsWindowSH::NewResolve:

 5968 if ((!innerWin || !innerWin->GetExtantDocument()) && !win->IsFrozen()) {

now basically never tests true.  So you get crashes, a la bug 348990 and bug 323641.  I bet the steps in those bugs will reproduce this nicely.
Blocks: 355161
Flags: blocking1.8.1.1?
Keywords: qawanted
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [need info]
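The interaction bz describes above, as an added example in C++ that is not code from this bug or from Gecko: the outer/inner window pair, the freeze rule, and the `Simulate` driver are simplified stand-ins (assumptions for illustration), and the hardened `PreCreateHardened` is the null check a practitioner would want on the crashing line rather than the fix that actually landed.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>

// Simplified model of the outer/inner window pair discussed in the bug.
// Names and the freeze rule are assumptions for illustration; this is
// not Gecko code. The inner window owns the page's JS global object.
struct InnerWindow {
    bool hasExtantDocument = false;   // stand-in for GetExtantDocument() != null
    void* globalJSObject = nullptr;   // stand-in for the inner global JSObject*
};

struct OuterWindow {
    std::unique_ptr<InnerWindow> inner;    // null until an inner window exists
    bool freezeUntilExplicitInner = false; // toggle modelling the bug 355161 change

    // Assumed rule: after bug 355161 the outer window stays frozen until an
    // explicit inner window exists; before that change this path was not frozen.
    bool IsFrozen() const { return freezeUntilExplicitInner && !inner; }
    InnerWindow* GetCurrentInnerWindowInternal() const { return inner.get(); }
};

// Model of the condition quoted from nsWindowSH::NewResolve. Returns true
// if an inner window was created on demand.
bool NewResolveCreatesInner(OuterWindow& win) {
    InnerWindow* innerWin = win.GetCurrentInnerWindowInternal();
    if ((!innerWin || !innerWin->hasExtantDocument) && !win.IsFrozen()) {
        win.inner = std::make_unique<InnerWindow>();
        win.inner->hasExtantDocument = true;
        static int dummyGlobal;                 // any non-null address will do
        win.inner->globalJSObject = &dummyGlobal;
        return true;
    }
    return false;
}

enum class PreCreateResult { Ok, NoInnerWindow };

// The crashing line dereferences GetCurrentInnerWindowInternal() unconditionally.
// This hardened version reports the missing inner window instead of
// dereferencing null.
PreCreateResult PreCreateHardened(const OuterWindow& win, void** parentObj) {
    InnerWindow* inner = win.GetCurrentInnerWindowInternal();
    if (!inner) {
        *parentObj = nullptr;
        return PreCreateResult::NoInnerWindow;  // would have been a null deref
    }
    *parentObj = inner->globalJSObject;
    return PreCreateResult::Ok;
}

// Run the sequence the bug describes: a fresh outer window, the resolve
// path, then PreCreate asking for the inner global as the wrapper's parent.
PreCreateResult Simulate(bool freezeUntilExplicitInner, void** parentObj) {
    OuterWindow win;
    win.freezeUntilExplicitInner = freezeUntilExplicitInner;
    NewResolveCreatesInner(win);
    return PreCreateHardened(win, parentObj);
}

int main() {
    void* parent = nullptr;
    // Frozen-until-inner rule: the NewResolve condition never tests true, no
    // inner is created, and PreCreate would dereference null without the guard.
    PreCreateResult r1 = Simulate(true, &parent);
    std::printf("frozen until explicit inner: %s\n",
                r1 == PreCreateResult::NoInnerWindow ? "no inner window (would crash)" : "ok");
    // Not-frozen rule: an inner is created and PreCreate gets a valid parent.
    PreCreateResult r2 = Simulate(false, &parent);
    std::printf("not frozen: %s\n",
                r2 == PreCreateResult::Ok ? "ok" : "no inner window");
    return 0;
}
```

The point of the model is the ordering: the freeze rule gates inner-window creation in the resolve path, but PreCreate assumes an inner already exists, so any rule that leaves the outer frozen with no inner turns that assumption into a null dereference.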
Attached patch Untested fix.Splinter Review
This reverts the behavior in the piece of code that bz pointed at to what it was before bug 355161 was fixed. I have yet to see this happen, but this should at least revert this code to work as it used to.
Attachment #245805 - Flags: superreview?(bzbarsky)
Attachment #245805 - Flags: review?(bzbarsky)
Comment on attachment 245805 [details] [diff] [review]
Untested fix.

Makes sense.

Like I said, bug 323641 and bug 348990 have steps to reproduce (one of them even has a testcase).
Attachment #245805 - Flags: superreview?(bzbarsky)
Attachment #245805 - Flags: superreview+
Attachment #245805 - Flags: review?(bzbarsky)
Attachment #245805 - Flags: review+
Yeah, but that testcase does *not* show this crash, or at least not here (installed as chrome n' all).
Fix landed, let's see if the fix really fixed this bug. (Reopen if it didn't).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Maybe Wladimir can help us verify this using his steps to reproduce from bug 360855.
Tested with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061117 Minefield/3.0a1
The crash from bug 360855 is fixed. And all the testcases for bug 355161 that I found seem to be fine as well.
Assignee: general → jst
Flags: blocking1.8.1.1? → blocking1.8.1.1+
Keywords: regression
Comment on attachment 245805 [details] [diff] [review]
Untested fix.

Approved for 1.8.1 branch, a=jay for drivers.
Attachment #245805 - Flags: approval1.8.1.1+
Fixed on the branch.
Keywords: fixed1.8.1
Keywords: fixed1.8.1 → fixed1.8.1.1
Verified using steps mentioned in comment #10 (bug 360855) and comment #11 (bug 355161) on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1pre) Gecko/20061130 BonEcho/2.0.0.1pre
Flags: blocking1.9?
Crash Signature: [@ nsDOMClassInfo::PreCreate]
Component: DOM → DOM: Core & HTML