Closed Bug 409343 Opened 12 years ago Closed 12 years ago

Crash [@ nsVariant::Cleanup] using deliciousdirector

Categories

(Core :: XPCOM, defect, critical)

x86
All
defect
Not set
critical

Tracking

()

VERIFIED DUPLICATE of bug 409208

People

(Reporter: wildmyron, Unassigned)

References

()

Details

(Keywords: crash, regression)

Crash Data

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2007122005 Minefield/3.0b3pre ID:2007122005

STR:
1) Load url
2) Click one or two tags
3) Wait a while for cycle collector to run

Mostly reproducible, sometimes doesn't crash first time and repeating from 2) results in a crash. I can't submit a crash report but do have a stack from WinDBG. I'm not sure if this is a bug in the cycle collector or somewhere else so I'm filing in XPCOM as a start

Can't reproduce in Fx3b1, marking qawanted for regression range search and testcase reduction please.

reported at Mozillazine, see http://forums.mozillazine.org/viewtopic.php?p=3190180#3190180

WinDBG output:

HEAP[firefox.exe]: Invalid Address specified to RtlFreeHeap(00330000, 0151E3B0)
(eb0.c34): Break instruction exception - code 80000003 (first chance)
eax=0151e3a8 ebx=0151e3a8 ecx=7c91eb05 edx=0012f466 esi=00330000 edi=0151e3a8
eip=7c901230 esp=0012f670 ebp=0012f674 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint: 

Top of call stack:

0012f680 7c96c943 ntdll!DbgBreakPoint
0012f688 7c96cd80 ntdll!RtlpBreakPointHeap+0x28
0012f69c 7c96df66 ntdll!RtlpValidateHeapEntry+0x113
0012f710 7c94a5d0 ntdll!RtlDebugFreeHeap+0x97
0012f7f8 7c9268ad ntdll!RtlFreeHeapSlowly+0x37
0012f8c8 78134c39 ntdll!RtlFreeHeap+0xf9
0012f914 608af297 MSVCR80!free+0xcd
0012f924 603cef3d xul!nsVariant::Cleanup+0x32 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\ds\nsvariant.cpp @ 1640]
0012f930 603cf1fb xul!XPCTraceableVariant::~XPCTraceableVariant+0x1b [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcvariant.cpp @ 71]
0012f938 603cf233 xul!XPCTraceableVariant::`scalar deleting destructor'+0x8
0012f948 608aa9e0 xul!XPCVariant::Release+0x24 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcvariant.cpp @ 56]
0012f950 608ac581 xul!nsXPCOMCycleCollectionParticipant::Unroot+0xa [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\obj-fx-trunk\xpcom\build\nscyclecollectionparticipant.cpp @ 75]
0012f980 608acd58 xul!nsCycleCollector::CollectWhite+0xe3 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\base\nscyclecollector.cpp @ 1527]
0012f9f8 603d189a xul!nsCycleCollector::DoCollect+0xb5 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\base\nscyclecollector.cpp @ 2217]
0012fa0c 6006eebc xul!XPCCycleCollectGCCallback+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\nsxpconnect.cpp @ 430]
0012fab0 60051c28 js3250!js_GC+0x209
0012fac0 603d19dd js3250!JS_GC+0x2b
0012fb84 608ace6d xul!nsXPConnect::Collect+0x87 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\js\src\xpconnect\src\nsxpconnect.cpp @ 517]
0012fb9c 608acedf xul!nsCycleCollector::Collect+0x50 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\base\nscyclecollector.cpp @ 2096]
0012fba4 605a0baa xul!nsCycleCollector_collect+0x11 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\base\nscyclecollector.cpp @ 2646]
Just realised this is possibly a duplicate of bug 409208
Keywords: crash
Flags: blocking1.9?
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9b3pre) Gecko/2007122005 Minefield/3.0b3pre ID:2007122005

1. New profile, start firefox
2. Load http://johnvey.com/features/deliciousdirector/demo.html in a new tab.
3. Middle click on a default bookmark a load of times so many tabs open.
4. Close one or two of the tabs that just opened.
5. Switch to the http://johnvey.com/features/deliciousdirector/demo.html tab
6. In the Tag Browser at the top, keep clicking on different tags (just move your mouse up and down whilst clicking)
7. Also try wild clicking in the 2nd Tag Browser column (when it is populated)

Firefox should then bail out.

I can't get it to crash with: 20071130_1107_firefox-3.0b2pre.en-US.win32
I have managed to get it to crash with: 20071130_1124_firefox-3.0b2pre.en-US.win32

Checkins to module PhoenixTinderbox between 2007-11-30 11:07 and 2007-11-30 11:23 : 
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=1196449620&maxdate=1196450639

This is the same range as bug 407502.
Backing out bug 406106 locally seems to fix this one too.
Status: NEW → RESOLVED
Closed: 12 years ago
Keywords: qawanted
Resolution: --- → DUPLICATE
Duplicate of bug: 409208
I can't actually reproduce bug 409208 (which was duped to bug 406800) but this doesn't crash for me now that 406800 is fixed.

Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008011405 Minefield/3.0b3pre ID:2008011405
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsVariant::Cleanup]
You need to log in before you can comment on or make changes to this bug.