Closed Bug 431346 Opened 16 years ago Closed 16 years ago

File -> Import -> Browsing History crash Firefox [@ nsCOMPtr.h:931]

Categories

(Toolkit :: Downloads API, defect, P1)

Product:
Toolkit
Component:
Downloads API
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9

People

(Reporter: cbook, Assigned: Mardak)

References

(
URL
)

Details

(Keywords: crash, regression, Whiteboard: [fixes bug 431597])

Crash Data

Attachments

(3 files)

crash stack
39.50 KB, text/plain
Details
stack when deleting entries from history menu
42.16 KB, text/plain
Details
v1
4.20 KB, patch
sdwilsh
: review+
shaver
: approval1.9+
Details | Diff | Splinter Review
Attached file crash stack 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008042814 Firefox/3.0pre

Steps to reproduce:
-> File -> Import -> Safari 
-> Select "Browsing History>
--> Crash
Flags: blocking-firefox3?
This might be 10.5 only, as I do not crash importing data from Safari using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9pre) Gecko/2008042904 Minefield/3.0pre.
see the URL, this started on the day bug X was checked in. from the reports, seems like this can happen even when singly deleting URLs from the history sidebar.
Blocks: 251337
URL: http://crash-stats.mozilla.com/report...
(In reply to comment #2)
> see the URL, this started on the day bug X was checked in. 

er, bug 251337
This is the offending line of the patch from bug 251337:

http://hg.mozilla.org/mozilla-central/index.cgi/rev/5e8fa7e3f219#l3.123

 if (mHistoryTransaction) {
   // Delete the transaction and cause it to commit
*  delete mHistoryTransaction;
   mHistoryTransaction = nsnull;
 }

where mHistoryTransaction is created earlier with..
mHistoryTransaction = new mozStorageTransaction(mDBConn, PR_TRUE);

From the stack trace..
0   libtoolkitcomps.dylib         	0x0a639479 nsCOMPtr<mozIStorageConnection>::get_DerivedSafe() const + 9 (nsCOMPtr.h:931)
1   libtoolkitcomps.dylib         	0x0a63948f nsCOMPtr<mozIStorageConnection>::operator nsDerivedSafe<mozIStorageConnection>*() const + 17 (nsCOMPtr.h:862)
2   libtoolkitcomps.dylib         	0x0a6394fd mozStorageTransaction::~mozStorageTransaction() + 17 (mozStorageHelper.h:81)

It looks like it's checking mConnection here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/storage/public/mozStorageHelper.h&rev=1.2&mark=81#79
if (mConnection && mHasTransaction && ! mCompleted) {

that was added by bug 384224 to check for non-null connection (which should be mDBConn of nsDownlaodManager.)


Any idea if this is happening when things are shutting down?
(In reply to comment #4)

> 
> Any idea if this is happening when things are shutting down?
> 

it's not. i could reproduce using the steps in comment #0.
The problem is this:
2   libtoolkitcomps.dylib         	0x0a6394fd mozStorageTransaction::~mozStorageTransaction() + 17 (mozStorageHelper.h:81)
3   libtoolkitcomps.dylib         	0x0a639583 mozStorageTransaction::~mozStorageTransaction() + 17 (mozStorageHelper.h:87)

Somehow, it's hitting that twice?  Are we calling this on two different threads perhaps?  Otherwise, I don't see how we could call that twice given the code.
Does this happen when migrating over from Safari (ie: on profile creation)? If not, then I don't *think* it blocks, it just sucks. If so, renom.

Also, if we have to back out bug 251337 to fix this, I'd be fine with doing that as much as it would pain me.
Flags: wanted-firefox3+
Flags: blocking-firefox3?
Flags: blocking-firefox3-
I believe that we should back out the aging patch and observe the effects on crash stats, to confirm or refute dietrich's hypothesis that it is also responsible for the single-delete crash cases.  We can debug this with a locally-patched build without much difficulty, and that would put our default state to be "ship without aging, and with fewer poorly-understood crashes".  I assert that we should (vastly) prefer that state to the current one, given our desire to ship.
Alternatively, we can just back out the mozStorageTransaction part. According to the comments, I believe this crash will happen when you select multiple entries in the Library and hit delete.
Does that put us in a state that has had any testing?  That we are in "impossible" call sequences here makes me want to revert very conservatively.  If the parallel debugging gives us confidence that aging-minus-transaction-changes (are the transaction changes not necessary for aging? if not, why were they taken?) is a good risk-reward tradeoff for inclusion, we can take it then, but I'm willing to get shouty about the need to retreat to known-better states rather than working to preserve late-breaking feature additions.  Post-beta additions need to be very safe, because we will lack widespread testing before we're ready to ship, and I don't think that the aging patch passes that test at this point -- for all its many virtues, which are many indeed.

If we knew that the patch had these side-effects, we would not have taken it, I'm pretty sure.  I don't think that we should always go backwards, but if we can't construct a solid explanation of why the bug happens, I think going forward with more speculative changes is the wrong approach at this late date.  Wish it weren't so. :/
This crash looks a lot like something Mano was talking about when I was working on bug 405497 and why locks were (wrongly) added in Bug 382073.  Maybe he can provide more details...

It's my opinion that this patch exposed a bug in places that is not understood (given the fact that the aging code for the DM is straight-forward).  This is just a gut instinct though, and I haven't found anything to back that up.
JS Stack from this crash:

(gdb) call DumpJSStack()
0 [native frame]
1 anonymous(aOuter = [object Object], 3)
["chrome://browser/content/migration/migration.js":367]
    this = [object ChromeWindow @ 0x11a8da80 (native @ 0x11a8cc5c)]

ok, this crash is not only on import, the problem is also when you select one or more entries from the history menu and when you delete this entries (like the comments in the crash reports).

My steps to reproduce:
- Selected 10 (or so) entries from the History Libary
- Context Menu -> Delete 
--> Crash
Blocking per comment 13
Flags: blocking-firefox3- → blocking-firefox3+
What does this mean?

2   libtoolkitcomps.dylib         	0x0a70c4fd mozStorageTransaction::~mozStorageTransaction() + 17 (mozStorageHelper.h:81)
3   libtoolkitcomps.dylib         	0x0a70c583 mozStorageTransaction::~mozStorageTransaction() + 17 (mozStorageHelper.h:87)

frame 3 is at the close } of the ~mozStorageTransaction destructor which calls the destructor for frame 2 and now mDBConn is junk. I'm assuming that's because the first destructor (frame 3) killed mDBConn.... ??
(Well, why is the destructor calling the destructor in the first place.)

Shawn: Should we just back out the mozStorageTransaction part that you suggested I add in before checkin? It was added for potential performance gain if users happen to mass delete downloads from Library. But more often than not, no/few downloads will be deleted in the transaction because most items are pages without downloads.

It doesn't seem like Expire starts/ends transactions before expiring pages, and OnClearHistory just uses CleanUp.

I suppose if we back out everything, should we just disable the downlaod expiration test?
http://hg.mozilla.org/mozilla-central/index.cgi/rev/5e8fa7e3f219#l8.41
Note: also crashed with the steps to reproduce from comment#13 also again, but this time with a different stack - filed Bug 431597 for this
Tomcat asked me to test this on my machine, I crashed when importing all data from Safari: my report ID is http://crash-stats.mozilla.com/report/index/7434c74c-170a-11dd-aa2e-001cc45a2c28. It is interesting that the top stack is in nsDownload Manager. My Build ID is  Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008043004 Minefield/3.0pre.
Attached patch v1Splinter Review 
mm smart pointers mmm
Assignee: nobody → edilee
Status: NEW → ASSIGNED
Attachment #318747 - Flags: review?(sdwilsh)
Comment on attachment 318747 [details] [diff] [review]
v1

ugh - I thought this *was* a smart pointer.  Shame on me for missing that the first time around.

r=sdwilsh
Attachment #318747 - Flags: review?(sdwilsh) → review+
I've verified the safari data importing now works and does not crash anymore on the tryserver build provided here.  Thanks Mardak!  

Also, i can't repro the steps to crash from comment 13. 

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008043021 Minefield/3.0pre.
Blocks: 431597
Component: Places → Download Manager
Flags: in-testsuite?
OS: Mac OS X → All
Priority: -- → P1
QA Contact: places → download.manager
Hardware: PC → All
Whiteboard: [has patch][need approval][fixes bug 431597]
Target Milestone: --- → Firefox 3
(In reply to comment #22)
> I've verified the safari data importing now works and does not crash anymore on
> the tryserver build provided here.  Thanks Mardak!  
> 
> Also, i can't repro the steps to crash from comment 13. 
> 
Confirmed, the Tryserver Build fixes my crashes, also the crash from Bug 431597, thanks guys !


Comment on attachment 318747 [details] [diff] [review]
v1

a=shaver, please proceed to target with all haste.
Attachment #318747 - Flags: approval1.9? → approval1.9+
http://hg.mozilla.org/cvs-trunk-mirror/index.cgi/rev/f29989c8508c
http://hg.mozilla.org/mozilla-central/index.cgi/rev/f29989c8508c

Checking in toolkit/components/downloads/src/nsDownloadManager.cpp;
/cvsroot/mozilla/toolkit/components/downloads/src/nsDownloadManager.cpp,v  <--  nsDownloadManager.cpp
new revision: 1.185; previous revision: 1.184
done
Checking in toolkit/components/downloads/src/nsDownloadManager.h;
/cvsroot/mozilla/toolkit/components/downloads/src/nsDownloadManager.h,v  <--  nsDownloadManager.h
new revision: 1.67; previous revision: 1.66
done
Checking in toolkit/components/downloads/test/unit/test_history_expiration.js;
/cvsroot/mozilla/toolkit/components/downloads/test/unit/test_history_expiration.js,v  <--  test_history_expiration.js
new revision: 1.4; previous revision: 1.3
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
Whiteboard: [has patch][need approval][fixes bug 431597] → [fixes bug 431597]
I was crashing on Win XP importing IE data, but using the Tryserver Build in Comment 21 I don't get a crash. Cool.
No crash, Verified using Vista HP SP1 and the latest hourly:

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008050114 Minefield/3.0pre Firefox/2.0.0.14 ID:2008050114
verified fixed per comment #26/27 and my own testing, thanks everyone for fixing this so fast !
Status: RESOLVED → VERIFIED
Blocks: 431091
Product: Firefox → Toolkit
Crash Signature: [@ nsCOMPtr.h:931]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: