Closed Bug 428478 Opened 17 years ago Closed 16 years ago

Crash after closing tab on which I had Gmail opened (with remember the milk extension)

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: miguel.ventura, Unassigned)

Details

(Keywords: crash)

Attachments

(3 files)

Output from WinDbg kb,kP n,lm and !heap -v commands
18.31 KB, text/plain
Details
Output from WinDbg for commands asked in #2 for frames 0b and 0d
8.25 KB, text/plain
Details
Output from WinDbg for commands asked in #4
1.09 KB, text/plain
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 This happened after some interaction with Gmail. It was the tab that was currently opened. When it crashed, windbg was attached and I was able to create a dump. Reproducible: Couldn't Reproduce Steps to Reproduce: 1. Open Gmail in a new tab. 2. Interact for a while with it (leave it open for some hours). 3. Close that tab! Actual Results: Browser crashed Expected Results: Browser should have closed the tab and remain working properly. Stack from the dump: 0:000> kb ChildEBP RetAddr Args to Child 0012e61c 7c90e9ab 7c86372c 00000002 0012e790 ntdll!KiFastSystemCallRet 0012e620 7c86372c 00000002 0012e790 00000001 ntdll!ZwWaitForMultipleObjects+0xc 0012ed8c 7c8436da 0012edb4 7c839b09 0012edbc kernel32!UnhandledExceptionFilter+0x8e4 0012ed94 7c839b09 0012edbc 00000000 0012edbc kernel32!BaseProcessStart+0x39 0012edbc 7c9037bf 0012eea8 0012ffe0 0012eec4 kernel32!_except_handler3+0x61 0012ede0 7c90378b 0012eea8 0012ffe0 0012eec4 ntdll!ExecuteHandler2+0x26 0012ee90 7c90eafa 00000000 0012eec4 0012eea8 ntdll!ExecuteHandler+0x24 0012ee90 60006b6c 00000000 0012eec4 0012eea8 ntdll!KiUserExceptionDispatcher+0xe 0012f194 60006c3e 00290040 01600000 01637000 mozcrt19!arena_dalloc_small+0x1c [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\jemalloc.c @ 4016] 0012f1ac 60007c90 01637000 0012f26d 0012f3b8 mozcrt19!arena_dalloc+0x2e [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\jemalloc.c @ 4209] 0012f1bc 604ef8eb 01637000 00377c80 00000000 mozcrt19!free+0x20 [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\jemalloc.c @ 6067] 0012f394 604f3152 00000000 0434d028 00377c80 xul!XPCWrappedNative::CallMethod+0xc6b [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp @ 2547] 0012f45c 60131d4c 00377c80 04da3a80 00000000 xul!XPC_WN_CallMethod+0x122 [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1470] 0012f520 6013222a 00377c80 00000000 0434d020 js3250!js_Invoke+0x2cc [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1287] 0012f554 60135522 00377c80 04da3a80 031e3cb0 js3250!js_InternalInvoke+0xea [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsinterp.c @ 1359] 0012f580 601363df 04da3a80 00dd124c 00000000 js3250!js_TryMethod+0x82 [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 4756] 0012f5a8 60134791 00377c80 04da3a80 00000003 js3250!js_DefaultValue+0x7f [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsobj.c @ 4055] 0012f610 6014164b 00377c80 04da3a80 00000000 js3250!js_ValueToString+0x101 [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsstr.c @ 2694] 0012f684 60135d56 00000000 04da3a60 60504b6b js3250!js_ReportUncaughtException+0xab [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsexn.c @ 1304] 0012f690 60504b6b 00377c80 04020660 01758b28 js3250!JS_CallFunctionValue+0x56 [e:\fx19rel\winnt_5.2_depend\mozilla\js\src\jsapi.c @ 5037]
wrt attachments, combining output is fine, if there are pieces someone wants to see prominently in the bug, they can paste them later, and for commands someone (esp. me) wants run, they can use find to jump through a log. try this (written from memory, if they don't work as written, please check the docs and try to get something akin to the spirit): .frame 0b dv dt -v methodInfo dt -v ifaceInfo what i'm fishing for here is the name of the interface/method being called. The methdo name is typically only easily available as a number, but if you get the interface name, then xpt_dump.exe will give you the items in order and we can count. (you can also do the counting using the .idl files, it's basically 0=qi, 1=addref, 2=release, 3=first method in interface closest to nsisupports along the direct [* there's only one inheritance path, we don't allow MI for interfaces] inheritance path to the named interface, attributes that aren't readonly count for 2 (get+set)) - but we can do this later. The other way is to try to convert jsval name into a string, which requires some bit twiddling, which I'd rather skip today. .frame 0d dv dt cx dt cx JSContext fp dt cx JSContext fp->down dt cx JSContext fp->down->pc dt cx JSContext fp->down->script. dt cx JSContext fp->down->down (repeat as with previous down) what i'm fishing for here is the filenames and linenumbers for each function frame (from down->script), you use (pc) - (script->main) or something like that to calculate the byte offset into the script. and jsshell (info on this later) to find out the actual code that's unhappy. references: .hh dv .hh dt .hh ?? http://blogs.msdn.com/doronh/archive/2006/03/22/558329.aspx
Component: General → XPConnect
Keywords: crash
Product: Firefox → Core
QA Contact: general → xpconnect
Version: unspecified → Trunk
.frame 0b can you fish through param_iid, the goal is to find the iid. also, try using view locals and poking through callee, you should be able to find out which class it is (typically the QueryInterface method will include the proper c++ classname). hey, i missed the obvious one :), .frame 0d dt cx JSContext fp->pc dt cx JSContext fp->script.
Sorry for the late reply... I thought I had done it already. @timeless: sorry, I don't know how to fish iid through param_iid :(
0:000> dt -v param_iid Local var [AddrFlags 90 AddrOff ffffff50 Reg/Val ebp (8)] @ 0x12f2e4 Type nsID struct nsID, 8 elements, 0x10 bytes +0x000 m0 : 0 +0x004 m1 : 0x2f5 +0x006 m2 : 0x604f +0x008 m3 : [8] "@???" try searching components/xpti.dat for 604f ? the fields in param_iid are indeed what we're looking for... I'm getting sick so i'm not going to try to write more detailed instructions.
I can find no 604f nor 24655 (same in decimal) nor "\0x60\0x4f" in components\xpti.dat or <my profile dir>\xpti.dat. Hope you get well soon :)
Miguel, still seeing this?
No, I haven't hit this crash again for a while now. I've been upgrading to the latest 3.5 nightly every week or so.
it's been too much time without occurring again changing status as per Wayne's suggestion
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: