Closed Bug 366828 Opened 18 years ago Closed 17 years ago

crash in venkman [@ nsContentTreeOwner::SetEnabled]

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: asrail, Assigned: asrail)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 8 obsolete files)

Stacktrace of this bug
5.21 KB, text/plain
Details
Not breaking if it wouldn't actually crash
21.04 KB, patch
timeless
: review+
neil
: superreview+
Details | Diff | Splinter Review
Attached file Stacktrace of this bug 
1 - Start SeaMonkey browser.
2 - Start Venkman within SeaMonkey.
3 - Trigger an exception or hit a breakpoint in Venkman.  Do not hit
"Continue".
4 - Leave Venkman open and close the Navigator window
5 - Close Venkman (in the 'x' at the window corner), clicking "OK" on the Debugging in progress dialog.

SeaMonkey crash at nsContentTreeOwner::SetEnabled with the attached stacktrace.


It's related to bug 235453, but I don't think any depends on another.
Assignee: nobody → asrail
Status: NEW → ASSIGNED
Attached patch Purposed fix to the bug (obsolete) — Splinter Review 
Something interesting I've seen is that Venkman won't quit if you follow comment #0 steps.
It will just stop debugging and you'll have to click the 'x' again or File->Quit.

I don't believe I've introduced this bug with the patch, because Venkman closes itself after clicking 'OK' in the 'debug is running' dialog if the browser still open.
Attached patch Purposed fix (obsolete) — Splinter Review 
Sorry, I've changed idea.

It now returns OK if the window had been closed.

It makes sense since we didn't had anything more to do.

Now it closes Venkman fine when following comment #0 steps.
Attachment #251394 - Attachment is obsolete: true
Attachment #251401 - Flags: superreview?
Attachment #251401 - Flags: review?
Attached patch Another purposed fix (obsolete) — Splinter Review 
This fixes the bug, but still raising some warnings:


###!!! ASSERTION: Uh, IsInModalState() called w/o a reachable top window?: 'Error', file nsGlobalWindow.cpp, line 4906
vnk: Application venkman, 'JavaScript Debugger' unloading.

###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!

This is pretty much always bad. It usually means that native code is
making a callback to an interface implemented in JavaScript, but the
document where the JS object was created has already been cleared and the
global properties of that document's window are *gone*. Generally this
indicates a problem that should be addressed in the design and use of the
callback code.
: 'Error', file xpcwrappednativescope.cpp, line 597



Should we make it impossible to close the Navigator window while debugging JS in Venkman?
Attachment #251401 - Attachment is obsolete: true
Attachment #251401 - Flags: superreview?
Attachment #251401 - Flags: review?
Attachment #251407 - Flags: superreview?
Attachment #251407 - Flags: review?
You probably want to ask someone in particular for review....
Comment on attachment 251407 [details] [diff] [review]
Another purposed fix

It's obsolete, sorry for leaving it here.
I'll update it soon.
Attachment #251407 - Attachment is obsolete: true
Attachment #251407 - Flags: superreview?
Attachment #251407 - Flags: review?
Well...

the patch fixes the bug, but the way venkman handles the closing of the tab witht he page it was inspecting is still ugly.

It should be better to open the dialog about stopping the debugging  when closing the source tab (or the source window).
I don't know how to do this, yet, and I think it's another bug (since this one is a crash).
Component: General → XP Miscellany
Comment on attachment 253907 [details] [diff] [review]
Fix the possible crashes while using a closed window

Since the touched code is under xpfe, asking for Neil's review.
Attachment #253907 - Flags: review?(neil)
Comment on attachment 253907 [details] [diff] [review]
Fix the possible crashes while using a closed window

Notes: 1) NS_ENSURE_STATE should always be before nsCOMPtr<nsIDOMElement> (or whatever) 2) are you sure it doesn't need to be added anywhere else?
Attachment #253907 - Flags: review?(neil) → review+
Assuming a bad extension writer or a mad extension writer, I'm guarding everything that could eventually get called in a closed window.
I also moved the ensure-state to most near as possible to the top of the methods (it is not on the top of them when there is another check condition which could exit).
Attachment #253907 - Attachment is obsolete: true
Attachment #254003 - Flags: superreview?(neil)
Attachment #254003 - Flags: review?(neil)
just to make my life simpler, did you use comment 1 at all? :|
Comment on attachment 254003 [details] [diff] [review]
Patch with changes regarding Neil's comment on the previous one

I can't actually reproduce your crash. Windows won't let me close a debugged window, and Linux crashes in ::JS_ClearScope instead.
Attachment #254003 - Flags: superreview?(neil)
Attachment #254003 - Flags: review?(neil)
timeless: Yes, off course. Why did you asked?

Neil...

this bug was about the crash you see because of the SetEnabled method.
Asqueela told me to guard all places, so I did it.

I already have crashed at JS_ClearScope too, inside the debugger:
[...]
#7  0xb7dc0a83 in JS_ClearScope (cx=0x9609c00, obj=0x97ae460) at jsapi.c:3222
#8  0xb690c939 in nsJSContext::ClearScope (this=0x9641c68, aGlobalObj=0x97ae460, aClearFromProtoChain=1) at nsJSEnvironment.cpp:2971
#9  0xb692eed6 in nsGlobalWindow::FreeInnerObjects (this=0x98380e8, aClearScope=1) at nsGlobalWindow.cpp:636
#10 0xb693174e in nsGlobalWindow::SetDocShell (this=0x975da18, aDocShell=0x0) at nsGlobalWindow.cpp:1693
#11 0xb6f90d54 in nsDocShell::Destroy (this=0x9641d80) at nsDocShell.cpp:3482
#12 0xb6725d3a in nsFrameLoader::Destroy (this=0x9641c48) at nsFrameLoader.cpp:274
#13 0xb655203c in nsSubDocumentFrame::Destroy (this=0x9779cc8) at nsFrameFrame.cpp:623
#14 0xb655445f in nsFrameList::DestroyFrames (this=0x9779c70) at nsFrameList.cpp:60
#15 0xb653d35a in nsContainerFrame::Destroy (this=0x9779c3c) at nsContainerFrame.cpp:281
#16 0xb6692955 in nsBoxFrame::Destroy (this=0x9779c3c) at nsBoxFrame.cpp:980
#17 0xb6692807 in nsBoxFrame::RemoveFrame (this=0x949c7e8, aListName=0x0, aOldFrame=0x9779c3c) at nsBoxFrame.cpp:1043
#18 0xb64f04a8 in nsFrameManager::RemoveFrame (this=0x8ea7444, aParentFrame=0x949c7e8, aListName=0x0, aOldFrame=0x9779c3c) at nsFrameManager.cpp:709
#19 0xb64b5fba in nsCSSFrameConstructor::ContentRemoved (this=0x8ea87c8, aContainer=0x9008ae0, aChild=0x96bdb48, aIndexInContainer=0, aInReinsertContent=0)
    at nsCSSFrameConstructor.cpp:9588
#20 0xb65072d0 in PresShell::ContentRemoved (this=0x8ea7428, aDocument=0x8ea3e50, aContainer=0x9008ae0, aChild=0x96bdb48, aIndexInContainer=0) at nsPresShell.cpp:4841
#21 0xb68d388c in nsBindingManager::ContentRemoved (this=0x8ea4760, aDocument=0x8ea3e50, aContainer=0x9008ae0, aChild=0x96bdb48, aIndexInContainer=0) at nsBindingManager.cpp:1387
#24 0xb67351e0 in nsGenericElement::RemoveChildAt (this=0x9008ae0, aIndex=0, aNotify=1) at nsGenericElement.cpp:2370
#25 0xb69b2ff0 in nsXULElement::RemoveChildAt (this=0x9008ae0, aIndex=0, aNotify=1) at nsXULElement.cpp:1055
#26 0xb672e501 in nsGenericElement::doRemoveChild (aOldChild=0x96bdb64, aParent=0x9008ae0, aDocument=0x8ea3e50, aReturn=0xbfee67b0) at nsGenericElement.cpp:2983
#27 0xb672e564 in nsGenericElement::RemoveChild (this=0x9008ae0, aOldChild=0x96bdb64, aReturn=0xbfee67b0) at nsGenericElement.cpp:2552
#28 0xb69b5a9f in nsXULElement::RemoveChild (this=0x9008ae0, oldChild=0x96bdb64, _retval=0xbfee67b0) at ./nsXULElement.h:576
#29 0xb7f297c9 in NS_InvokeByIndex () at xptiInterfaceInfo.cpp:73
#30 0xb6d6a13b in XPCWrappedNative::CallMethod (ccx=@0xbfee68dc, mode=XPCWrappedNative::CALL_METHOD) at xpcwrappednative.cpp:2215
#31 0xb6d76f5c in XPC_WN_CallMethod (cx=0x83c1f68, obj=0x95e0220, argc=1, argv=0x96536cc, vp=0xbfee69fc) at xpcwrappednativejsops.cpp:1470
#32 0xb7e0d832 in js_Invoke (cx=0x83c1f68, argc=1, flags=0) at jsinterp.c:1348
#33 0xb7e045fd in js_Interpret (cx=0x83c1f68, pc=0x906a7b7 ":", result=0xbfee6e0c) at jsinterp.c:4047
#34 0xb7e0d8a9 in js_Invoke (cx=0x83c1f68, argc=1, flags=2) at jsinterp.c:1367
#35 0xb6d6478a in nsXPCWrappedJSClass::CallMethod (this=0x917be30, wrapper=0x917be70, methodIndex=4, info=0x82abe98, nativeParams=0xbfee7140) at xpcwrappedjsclass.cpp:1419
#36 0xb6d5db85 in nsXPCWrappedJS::CallMethod (this=0x917be70, methodIndex=4, info=0x82abe98, params=0xbfee7140) at xpcwrappedjs.cpp:530
#37 0xb7f2a59b in PrepareAndDispatch (methodIndex=<value optimized out>, self=0x917bea8, args=<value optimized out>) at xptcstubs_gcc_x86_unix.cpp:95
[...]


So... this bug has a lot of associated stacktraces, since it's different for each of those methods.

And... yes, this patch fixes this bug too...

(In reply to comment #13)
>timeless: Yes, off course. Why did you asked?
It looks as if you missed nsChromeTreeOwner::OnLocationChange?

>I already have crashed at JS_ClearScope too
OK, but that means that I won't grant r+ on the patch, only sr+
(In reply to comment #14)
> (In reply to comment #13)
> >timeless: Yes, off course. Why did you asked?
> It looks as if you missed nsChromeTreeOwner::OnLocationChange?

OnLocationChange is not called on a closed window...
it is a listener called when the URL bar or the active tab changes.

Is there any security issue involved?
If not, it's better to leave it alone.

> >I already have crashed at JS_ClearScope too
> OK, but that means that I won't grant r+ on the patch, only sr+
> 

Sorry, but...
the touched code is only on xpfe/appshell.
It's crashing somewhere, but it's because of the methods inside those two classes (it est, nothing should be done to a closed window).

Why couldn't you grant r+?
Who should do this?

(In reply to comment #15)
>OnLocationChange is not called on a closed window...
Aren't you supposed to assume a bad or a mad extension writer?

>Why couldn't you grant r+?
>Who should do this?
I don't grant r+ on a bug I can't easily reproduce. timeless might grant r+.
Comment on attachment 254003 [details] [diff] [review]
Patch with changes regarding Neil's comment on the previous one

not covering all bases from evil extensions (or my original check list) isn't going to get an r+ from me :).
Attachment #254003 - Flags: review-
Thanks a lot timeless.
Attachment #254003 - Attachment is obsolete: true
Attachment #254078 - Flags: review?(timeless)
Wrong file above =/.
Attachment #254078 - Attachment is obsolete: true
Attachment #254079 - Flags: review?(timeless)
Attachment #254078 - Flags: review?(timeless)
Assignee: asrail → jag
Status: ASSIGNED → NEW
Component: XP Miscellany → XP Toolkit/Widgets
QA Contact: general → xptoolkit.widgets
Assignee: jag → asrail
Status: NEW → ASSIGNED
Comment on attachment 254079 [details] [diff] [review]
Patch covering OnLocationChange (checked, a null mXULWindow can't be called anywhere)

please talk w/ bz, but i don't like the change to nsChromeTreeOwner::FindItemWithName.

there's a difference between crashing and not allowing something that normally worked to work. (i'm nor asaying that _content or _main should crash, just that you don't need to check that early for just that one case). everything else basically involves the window mediator which is perfectly fine to use.

same concern about nsContentTreeOwner::FindItemWithName
Attachment #254079 - Flags: review?(timeless)
Attachment #254079 - Flags: review?(bzbarsky)
Attachment #254079 - Flags: review-
Yeah, I'd rather change the behavior of those methods as little as possible...
I've changed GetInterface and OnLocationChange as well.
Now it's allowing the extensions to work with closed windows except where it would actually crash.
Attachment #254079 - Attachment is obsolete: true
Attachment #255414 - Flags: review?(bzbarsky)
Attachment #254079 - Flags: review?(bzbarsky)
I'm not the right person to review this.  The only part of this code I know is the window-targeting code (which is what timeless asked me about).  The changes to that look fine.
Comment on attachment 255414 [details] [diff] [review]
Not breaking if it wouldn't actually crash

Asking again for timeless, so.
Attachment #255414 - Flags: review?(bzbarsky) → review?(timeless)
Attachment #255414 - Flags: review?(timeless) → review+
Attachment #255414 - Flags: superreview?(neil)
Comment on attachment 255414 [details] [diff] [review]
Not breaking if it wouldn't actually crash

>+  if(aIID.Equals(NS_GET_IID(nsIPrompt))) {
>+    NS_ENSURE_STATE(mXULWindow);
>     return mXULWindow->GetInterface(aIID, aSink);
>+  }
>+  if(aIID.Equals(NS_GET_IID(nsIAuthPrompt))) {
>+    NS_ENSURE_STATE(mXULWindow);
>     return mXULWindow->GetInterface(aIID, aSink);
>+  }
>+  if(aIID.Equals(NS_GET_IID(nsIWebBrowserChrome))) {
>+    NS_ENSURE_STATE(mXULWindow);
>     return mXULWindow->GetInterface(aIID, aSink);
>+  }
>+  if (aIID.Equals(NS_GET_IID(nsIEmbeddingSiteWindow))) {
>+    NS_ENSURE_STATE(mXULWindow);
>     return mXULWindow->GetInterface(aIID, aSink);
>+  }
>+  if (aIID.Equals(NS_GET_IID(nsIEmbeddingSiteWindow2))) {
>+    NS_ENSURE_STATE(mXULWindow);
>     return mXULWindow->GetInterface(aIID, aSink);
>+  }
>+  if (aIID.Equals(NS_GET_IID(nsIXULWindow))) {
>+    NS_ENSURE_STATE(mXULWindow);
>     return mXULWindow->QueryInterface(aIID, aSink);
>+  }
This is a bit ugly but I guess it will get optimised into a big || anyway.
Attachment #255414 - Flags: superreview?(neil) → superreview+
Changing what you told Neil.
Attachment #255414 - Attachment is obsolete: true
Attachment #255582 - Flags: superreview?(neil)
Attachment #255582 - Flags: review?
Attachment #255582 - Flags: review? → review?(timeless)
Comment on attachment 255582 [details] [diff] [review]
Last patch changing the check in QueryInterface

Sorry, but I think this is worse, partly because you left your bracing changes in and partly because you've now testing the same condition twice.
Attachment #255582 - Flags: superreview?(neil) → superreview-
Comment on attachment 255582 [details] [diff] [review]
Last patch changing the check in QueryInterface

I'll go back to the older version, so.
Attachment #255582 - Attachment is obsolete: true
Attachment #255582 - Flags: review?(timeless)
Comment on attachment 255414 [details] [diff] [review]
Not breaking if it wouldn't actually crash

Use this version so...

can someone check in this one?
Attachment #255414 - Attachment is obsolete: false
Whiteboard: [checkin needed]
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed]
Crash Signature: [@ nsContentTreeOwner::SetEnabled]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: