Last Comment Bug 400744 - Pure virtual function call and crash invoking context menu
: Pure virtual function call and crash invoking context menu
Status: RESOLVED FIXED
: crash, regression, verified1.8.1.10, verified1.8.1.9
Product: Firefox
Classification: Client Software
Component: General (show other bugs)
: 2.0 Branch
: x86 Windows XP
: -- critical (vote)
: ---
Assigned To: Olli Pettay [:smaug] (reviewing overload)
:
:
Mentors:
http://www.better.se/bindows/test/
Depends on: 400976
Blocks: 384105
  Show dependency treegraph
 
Reported: 2007-10-22 13:49 PDT by John M
Modified: 2007-11-15 08:48 PST (History)
16 users (show)
dveditz: blocking1.8.1.9+
dveditz: blocking1.8.1.10+
jwalden+bmo: in‑testsuite?
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Copy and paste from Talkback (123.16 KB, text/plain)
2007-10-22 13:50 PDT, John M
no flags Details
WinDbg output / stack trace from Windows 2003 (7.86 KB, text/plain)
2007-10-22 13:53 PDT, John M
no flags Details
Screenshot of crash taken from Windows XP SP2 machine (no Talkback) (7.88 KB, image/png)
2007-10-22 14:19 PDT, John M
no flags Details

Description John M 2007-10-22 13:49:35 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8

When I click the right mouse button to invoke the context menu on certain web pages, Firefox 2.0.0.8 crashes with a "Pure virtual function call" error. This problem does NOT happen with Firefox 2.0.0.7. 

Reproducible: Always

Steps to Reproduce:
Using Firefox 2.0.0.8 (not 2.0.0.7) on either Windows XP SP2 or Windows 2003 SP1 (both fully patched):
1. Go to http://www.bindows.net/demos/
2. Click the "Bindows Quick Demo" link (a popup will launch)
3. Click the "Grids and Trees" tab
4. Right click twice (sometimes three times) inside the table.
-> Get the "pure virtual function call" error.
Actual Results:  
Pure virtual function call error.

Expected Results:  
A browser-drawn (DHTML) menu appears.

Talkback info was submitted and is attached. Also is attached is an attempt at getting a stack trace using WinDbg on Windows 2003.
Comment 1 John M 2007-10-22 13:50:50 PDT
Created attachment 285773 [details]
Copy and paste from Talkback

This is what Talkback reported.
Comment 2 John M 2007-10-22 13:53:44 PDT
Created attachment 285774 [details]
WinDbg output / stack trace from Windows 2003

This is what WinDbg output reported when run on a retail (sorry, not a debug version) Windows 2003 machine. I also tried a Windows XP machine, but was could not get WinDbg to give me a stack trace; instead, the "Pure virtual function call" dialog appeared instead. On the Windows 2003 box, the "Pure virtual function call" dialog did not appear.
Comment 3 John M 2007-10-22 14:05:57 PDT
Additional info for keyword searchers: R6025
Comment 4 John M 2007-10-22 14:19:05 PDT
Created attachment 285783 [details]
Screenshot of crash taken from Windows XP SP2 machine (no Talkback)

Here's a screenshot from my WinXP SP2 machine. Talkback was not enabled. The text is:
-------------------
Runtime Error!
Program: c:\Program Files\Mozilla_Firefox_2_0_0\firefox.exe

R6025
 - pure virtual function call
----------
with an OK button.
Comment 5 timeless 2007-10-23 01:58:09 PDT
Comment on attachment 285773 [details]
Copy and paste from Talkback

reporter: you can't get useful information from the talkback client. please see a wiki page for information on how to get your incident id.

In this case, I spent the time to retrieve your incident for you (and it took way too long, so I hope never to need to do it again):
Incident ID: 37241314
Stack Signature	Detecting 2fc684bf
Product ID	Firefox2
Build ID	2007100816
Trigger Time	2007-10-22 13:32:11.0
Platform	Win32
Operating System	Windows NT 5.2 build 3790
Module	js3250.dll + (0003224c)
URL visited	http://www.bindows.net/demos/
User Comments	1) Click "Bindows Quick Demo" 2) Click "Grids and Tree" 3) Right click two or three times.
Since Last Crash	24 sec
Total Uptime	24 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8-Release/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3122
Stack Trace 	
Detecting  [mozilla/js/src/jsobj.c, line 3122]
js_LookupProperty  [mozilla/js/src/jsobj.c, line 3165]
js_GetProperty  [mozilla/js/src/jsobj.c, line 3543]
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject  [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 243]
nsXPCWrappedJSClass::DelegatedQueryInterface  [mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 633]
nsXPCWrappedJS::QueryInterface  [mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 106]
nsEventListenerManager::HandleEvent  [mozilla/content/events/src/nsEventListenerManager.cpp, line 1752]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2232]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleDOMEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2255]
nsXULElement::HandleChromeEvent  [mozilla/content/xul/content/src/nsXULElement.cpp, line 2897]
nsGlobalWindow::HandleDOMEvent  [mozilla/dom/src/base/nsGlobalWindow.cpp, line 1761]
nsDocument::HandleDOMEvent  [mozilla/content/base/src/nsDocument.cpp, line 4099]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2269]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsGenericElement::HandleDOMEvent  [mozilla/content/base/src/nsGenericElement.cpp, line 2261]
nsEventStateManager::DispatchMouseEvent  [mozilla/content/events/src/nsEventStateManager.cpp, line 2797]
nsEventStateManager::NotifyMouseOver  [mozilla/content/events/src/nsEventStateManager.cpp, line 2922]
nsEventStateManager::GenerateMouseEnterExit  [mozilla/content/events/src/nsEventStateManager.cpp, line 2954]
nsEventStateManager::PreHandleEvent  [mozilla/content/events/src/nsEventStateManager.cpp, line 567]
PresShell::HandleEventInternal  [mozilla/layout/base/nsPresShell.cpp, line 6468]
PresShell::HandleEvent  [mozilla/layout/base/nsPresShell.cpp, line 6310]
nsViewManager::HandleEvent  [mozilla/view/src/nsViewManager.cpp, line 2566]
nsViewManager::DispatchEvent  [mozilla/view/src/nsViewManager.cpp, line 2253]
HandleEvent  [mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 1319]
nsWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 6329]
ChildWindow::DispatchMouseEvent  [mozilla/widget/src/windows/nsWindow.cpp, line 6576]
nsWindow::WindowProc  [mozilla/widget/src/windows/nsWindow.cpp, line 1507]
USER32.dll + 0x1b6e3 (0x7739b6e3)
USER32.dll + 0x1b874 (0x7739b874)
USER32.dll + 0x1ba92 (0x7739ba92)
USER32.dll + 0x1bad0 (0x7739bad0)
nsAppShell::Run  [mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main  [mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x2f23b (0x77e6f23b)

However, detecting shouldn't be a Pure Virtual crash
Comment 6 timeless 2007-10-23 02:02:28 PDT
Comment on attachment 285774 [details]
WinDbg output / stack trace from Windows 2003

In order o use windbg w/ firefox, you need to have symbols, see: http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg

I think this is one of a dozen pages that migh explain how to get a talkback incident id (again, you don't need it for the incident you've already reported as I retrieved it in comment 5):
http://kb.mozillazine.org/Talkback
Comment 7 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-10-23 14:17:19 PDT
This is worksforme, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8

John, if you can reproduce this consistently, you could try out older branch builds (directories ending with mozilla-1.8) to see in which of the builds it started crashing: 
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/
Comment 8 Mats Palmgren (:mats) 2007-10-24 05:42:54 PDT
WFM, Firefox 2.0.0.8 on Windows XP, Vista and Linux.

John, can you reproduce the crash in Firefox Safe Mode?
(it temporarily disables add-ons and themes, this test will help us narrow
down the cause of the problem) --  See http://kb.mozillazine.org/Safe_Mode
Comment 9 John M 2007-10-24 08:31:05 PDT
Good news, bad news.

The good news is that I can reproduce the crash in safe mode, with or without a debugger. I can reproduce it in the build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-10-05-03-mozilla1.8/firefox-2.0.0.8pre.en-US.win32.zip but not in the build from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2007-10-03-03-mozilla1.8/firefox-2.0.0.8pre.en-US.win32.zip . So it looks like the problematic checkin happened between 10-03 and 10-05 (thanks, Martin).

The bad news is that I can no longer reproduce the problem with the original URL http://www.bindows.net/demos/ and repro steps. I can still reproduce the problem, though, but the web site that I'm using is only on my company's intranet. (A little background here: the intranet site was written using the Bindows JavaScript toolkit from the URL above). The Bindows site may have been patched to work around the problem.

Another piece of bad news is that I cannot get a stack trace by following the instructions at http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg . I tried WinDbg and MS VC++ 2005 Express  I get errors such as:

'firefox.exe': Loaded 'C:\ff-test\2007-10-07-03-firefox-2.0.0.8pre.en-US.win32\firefox\firefox.exe', No symbols loaded.
...snip MS binaries....
'firefox.exe': Loaded 'C:\ff-test\2007-10-07-03-firefox-2.0.0.8pre.en-US.win32\firefox\js3250.dll', No symbols loaded.
...etc....

for all of the Firefox binaries. I'm new to using a debugger, but it looks like the symbols aren't getting downloaded.
 
Comment 10 Martijn Wargers [:mwargers] (not working for Mozilla) 2007-10-24 11:15:24 PDT
John, thanks for finding out the regression range.
This is a bonsai links that contains all the check-ins to the 1.8 branch:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2007-10-03+03&maxdate=2007-10-05+04&cvsroot=%2Fcvsroot
Maybe somehow a regression from bug 384105?

Unfortunate that it doesn't work anymore on the bindows demo site. An example/testcase that reproducible crashes would be very helpful. 
Comment 11 Mats Palmgren (:mats) 2007-10-24 12:39:38 PDT
Maybe the symbol server have symbols for 2.0.0.8?
http://developer.mozilla.org/en/docs/Using_the_Mozilla_symbol_server
Comment 12 Mats Palmgren (:mats) 2007-10-24 12:41:49 PDT
Looks like a branch regression...
Comment 13 John M 2007-10-24 15:37:13 PDT
Mats, I *had* read that page on using the symbol server. I still don't get symbols downloaded to my machine. See http://developer.mozilla.org/en/docs/Talk:Using_the_Mozilla_symbol_server for gory details.

All - sorry, I still don't have a site where it can be demoed.
Comment 14 Niclas Norgren 2007-10-25 00:43:12 PDT
The referred site, http://www.bindows.net/demos/ does no longer reproduce the problem. Since this is our public demos, we worked around the issue temporarily by adding a short break (timer) in the rendering of a context meny.

In isolated testcase posted by Marcus Better in #400976 reproduces the issue

Some additional observations: 
In some cases, the browser indeed crashes, in others such as using a slower computer or running the Linux version of 2.0.0.8, the context menu disappears just after showing.
Comment 15 Olli Pettay [:smaug] (reviewing overload) 2007-10-25 06:38:45 PDT
Are there any ways to reproduce this?
The patch in bug 400976 may or may not help with this.
Comment 16 Marcus Better 2007-10-25 09:15:46 PDT
(In reply to comment #15)
> Are there any ways to reproduce this?

I've put an unpatched version of the demo referred to above at

  http://www.better.se/bindows/test/

for the time being.
Comment 17 Daniel Veditz [:dveditz] 2007-10-25 10:24:35 PDT
Ooh, thanks! I reproduced it right away. Now I can check to see if the patch in 400976 really does fix it, or if it's a separate problem.

In a debug build I crashed in js_LookupPropertyWithFlags, below that it was the same as comment 5. Looks like an uninitialized variable (0xcccccccc in a debug build).
Comment 18 Carsten Book [:Tomcat] 2007-10-25 11:14:07 PDT
i can confirm this crash. 

Does not crash on Firefox 2.0.0.6/2.0.0.7 and does crash on Firefox 2.0.0.8 with the steps to reproduce 
Comment 19 Daniel Veditz [:dveditz] 2007-10-25 11:16:18 PDT
The patch in bug 400976 fixes the crash for me on the test version of bindows linked from comment 16

For a potential branch update I don't think we should mark this a duplicate of bug 400976, for testing purposes and clarity.
Comment 20 Carsten Book [:Tomcat] 2007-10-26 07:09:39 PDT
This bug is fixed by the checkin from Bug 400976 -> Fixed

verified fixed 1.8.1.9 using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.9) Gecko/2007102514 Firefox/2.0.0.9 (Firefox 2.0.0.9 RC1) and the testurl from comment #16. I do not crash on the RC1 on this link anymore, so adding the verified keyword.
Comment 21 John M 2007-10-26 08:44:48 PDT
Changed URL in bug to the test site from comment #16 (thanks, Marcus).
Comment 22 Daniel Veditz [:dveditz] 2007-10-29 17:10:17 PDT
This was also checked into the 1.8 branch --> fixed1.8.1.10
Comment 23 Carsten Book [:Tomcat] 2007-11-15 08:11:28 PST
the test case from comment #16 is no longer available, so its not possible to verify this bug for 1.8.1.10 currently
Comment 24 Marcus Better 2007-11-15 08:23:49 PST
(In reply to comment #23)
> the test case from comment #16 is no longer available, so its not possible
> to verify this bug for 1.8.1.10 currently

Sorry, I thought you were already done with this bug. The test case is back now. (Please tell me when I can remove it.)
Comment 25 Carsten Book [:Tomcat] 2007-11-15 08:39:38 PST
(In reply to comment #24)
> (In reply to comment #23)
> > the test case from comment #16 is no longer available, so its not possible
> > to verify this bug for 1.8.1.10 currently
> 
> Sorry, I thought you were already done with this bug. The test case is back
> now. (Please tell me when I can remove it.)
> 

hi Marcus, many thanks for putting this online again. 

I can now verify this bug also fixed for 1.8.1.10 with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.10) Gecko/2007111504 Firefox/2.0.0.10 - no crash on testcase and so the bug is completely done verified now. 

thanks for your help again.

- adding verified keyword
Comment 26 Boris Zbarsky [:bz] (still a bit busy) 2007-11-15 08:48:44 PST
We need to get a version of this test into our automated test suite, if possible.  We wouldn't want to regress this in a few days because of some other change...

Note You need to log in before you can comment on or make changes to this bug.