Closed Bug 386735 Opened 18 years ago Closed 18 years ago

closing a tab (I think with flash) crashes during GC / CycleCollection (calling npobj->_class->deallocate?)

Categories

(Core :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 347743

People

(Reporter: moco, Unassigned)

Details

closing a tab (I think with flash) crashes during GC / CycleCollection

I write "I think with flash" based on my console output.

from about:plugins, I have "Shockwave Flash 9.0 r45" in case that helps.

I am using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070628 Minefield/3.0a6pre

Here's the stack:

  672e7777()
> gkplugin.dll!_releaseobject(NPObject * npobj=0x0983e6d8) Line 1551 + 0xe bytes C++
  gkplugin.dll!NPObjWrapper_Finalize(JSContext * cx=0x03e15180, JSObject * obj=0x05e6fd80) Line 1430 + 0x9 bytes C++
  js3250.dll!js_FinalizeObject(JSContext * cx=0x03e15180, JSObject * obj=0x05e6fd80) Line 2774 + 0x16 bytes C
  js3250.dll!js_GC(JSContext * cx=0x03e15180, JSGCInvocationKind gckind=GC_NORMAL) Line 2839 + 0xb bytes C
  js3250.dll!JS_GC(JSContext * cx=0x03e15180) Line 2359 + 0xb bytes C
  xpc3250.dll!nsXPConnect::BeginCycleCollection() Line 571 + 0xa bytes C++
  xpcom_core.dll!nsCycleCollector::Collect(unsigned int aTryCollections=1) Line 1991 C++
  xpcom_core.dll!nsCycleCollector_collect() Line 2412 C++
  gklayout.dll!nsJSContext::Notify(nsITimer * timer=0x08033a90) Line 3208 C++
  xpcom_core.dll!nsTimerImpl::Fire() Line 387 C++
  xpcom_core.dll!nsTimerEvent::Run() Line 458 C++
  xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012fb54) Line 483 C++
  xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00b8d518, int mayWait=1) Line 227 + 0x16 bytes C++
  gkwidget.dll!nsBaseAppShell::Run() Line 154 + 0xc bytes C++
  tkitcmps.dll!nsAppStartup::Run() Line 171 + 0x1c bytes C++
  xul.dll!XRE_main(int argc=1, char * * argv=0x00b89898, const nsXREAppData * aAppData=0x004036e0) Line 2810 + 0x25 bytes C++
  firefox.exe!main(int argc=1, char * * argv=0x00b89898) Line 69 + 0x13 bytes C++
  firefox.exe!__tmainCRTStartup() Line 586 + 0x19 bytes C
  firefox.exe!mainCRTStartup() Line 403 C
  kernel32.dll!7c816fd7()
  [Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]

We were calling npobj->_class->deallocate

From the debugger:

- npobj    0x0983e6d8 {_class=0x0983e458 referenceCount=0 }    NPObject *
  - _class    0x0983e458 {structVersion=159638456 allocate=0x772f2f3a deallocate=0x672e7777 ...}    NPClass *
      structVersion     159638456     unsigned int
      allocate          0x772f2f3a    NPObject * (_NPP *, NPClass *)*
      deallocate        0x672e7777    void (NPObject *)*
      invalidate        0x6863726f    void (NPObject *)*
      hasMethod         0x632e766f    bool (NPObject *, void *)*
      invoke            0x692f6d6f    bool (NPObject *, void *, const _NPVariant *, unsigned int, _NPVariant *)*
      invokeDefault     0x7865646e    bool (NPObject *, const _NPVariant *, unsigned int, _NPVariant *)*
      hasProperty       0x796c756a    bool (NPObject *, void *)*
      getProperty       0x6677732e    bool (NPObject *, void *, _NPVariant *)*
      setProperty       0x00000000    bool (NPObject *, void *, const _NPVariant *)*
      removeProperty    0x0983e340    bool (NPObject *, void *)*
      enumerate         0x6c456574    bool (NPObject *, void * * *, unsigned int *)*
    referenceCount    0    unsigned int
+ npobj->_class    0x0983e458 {structVersion=159638456 allocate=0x772f2f3a deallocate=0x672e7777 ...}    NPClass *
  npobj->_class->deallocate    0x672e7777    void (NPObject *)*

Unfortunately, I have not been able to reproduce this.
This is the GC before cycle collection, so cycle collection hasn't really done anything yet. The top two frames on the stack are the plugin scriptability stuff. There was a topcrash in that code that was backed out a few days ago; how old is your build?
Product: Firefox → Core
QA Contact: general → general
David, thanks for the quick response.

>how old is your build?

I am using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070628 Minefield/3.0a6pre

My last full checkout finished on Thu Jun 28 02:20:18 PDT 2007.

Could I be hitting that topcrash? (I'll update and rebuild either way, as I'm overdue.)
dup, thanks again David.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE