Closed Bug 44093 Opened 24 years ago Closed 23 years ago

crash scrolling folder pane [@ nsXULTreeOuterGroupFrame::FindPreviousRowContent]


(Core :: XUL, defect, P1)

Windows NT





(Reporter: Bienvenu, Assigned: hyatt)



(Keywords: crash, topcrash, Whiteboard: [nsbeta3-][PDTP1][rtm++])

Crash Data


(2 files)

parentContent is null, here's the stack trace.  What happens is that I'll read a 
few messages, scroll the folder pane around a bit, and then get in a situation 
where the folder pane stops painting, so that it ends up blank. Right after 
that, I crash. Nothing interesting is displayed on the console.

nsXULTreeOuterGroupFrame::FindPreviousRowContent(int & 0x00000001, nsIContent * 
0x00000000, nsIContent * 0x00000000, nsIContent * * 0x0012f38c) line 813 + 47 
nsXULTreeOuterGroupFrame::InternalPositionChanged(nsXULTreeOuterGroupFrame * 
const 0x02838970, int 0x00000001, int 0x00000001) line 494 + 47 bytes
nsXULTreeOuterGroupFrame::PositionChanged(nsXULTreeOuterGroupFrame * const 
0x02838a24, int 0x000002c1, int 0x000002b2) line 452
nsSliderFrame::SetCurrentPosition(nsIContent * 0x033d2180, nsIFrame * 
0x028393b8, int 0x000002b2) line 692
nsSliderFrame::HandleEvent(nsSliderFrame * const 0x028392f8, nsIPresContext * 
0x02527b70, nsGUIEvent * 0x0012f8a8, nsEventStatus * 0x0012f798) line 454
PresShell::HandleEventInternal(nsEvent * 0x0012f8a8, nsIView * 0x033d96d0, 
nsEventStatus * 0x0012f798) line 3917 + 38 bytes
PresShell::HandleEvent(PresShell * const 0x02679b54, nsIView * 0x033d96d0, 
nsGUIEvent * 0x0012f8a8, nsEventStatus * 0x0012f798, int & 0x00000001) line 3837 
+ 23 bytes
nsView::HandleEvent(nsView * const 0x033d96d0, nsGUIEvent * 0x0012f8a8, unsigned 
int 0x0000001c, nsEventStatus * 0x0012f798, int & 0x00000001) line 782
nsViewManager2::DispatchEvent(nsViewManager2 * const 0x026783c0, nsGUIEvent * 
0x0012f8a8, nsEventStatus * 0x0012f798) line 1389
HandleEvent(nsGUIEvent * 0x0012f8a8) line 69
nsWindow::DispatchEvent(nsWindow * const 0x026780b4, nsGUIEvent * 0x0012f8a8, 
nsEventStatus & nsEventStatus_eIgnore) line 560 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f8a8) line 581
nsWindow::DispatchMouseEvent(unsigned int 0x0000012c, nsPoint * 0x00000000) line 
3679 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012c, nsPoint * 0x00000000) 
line 3886
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000001, long 
0x01c900bf, long * 0x0012fc24) line 2779 + 24 bytes
adding crash keyword. This seems to be new behaviour since the new tree control 
Keywords: crash
adding crash keyword
Adding topcrash keywork, made top10 talkback crash list today.
Keywords: topcrash
Summary: crash scrolling folder pane → crash scrolling folder pane [@ nsXULTreeOuterGroupFrame::FindPreviousRowContent]
Closed: 24 years ago
Resolution: --- → FIXED
This crash still happens in the latest builds. Atleast 10+ crashes are reported 
in the last 10 days.

Stack Trace: 
nsView::HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp
HandleEvent [d:\builds\seamonkey\mozilla\view\src\nsView.cpp
USER32.dll + 0x1820 (0x77e71820)

nsXULTreeOuterGroupFrame::FindPreviousRowContent 1cf70567
line 838
Build: 2000072409 CrashDate: 2000-07-24 UptimeMinutes: 165 Total: 165 
OS: Windows NT 4.0 build 1381
Comment: Crashed when scrolling in Mail
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14725791

nsXULTreeOuterGroupFrame::FindPreviousRowContent 4907d116
line 838
Build: 2000072409 CrashDate: 2000-07-24 UptimeMinutes: 16 Total: 68 
OS: Windows NT 5.0 build 2195
Comment: scrolling "viciously" in the bookmarks manager (grab and drag up and
down rapidly).
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14727639

nsXULTreeOuterGroupFrame::FindPreviousRowContent a13d3555
line 838
Build: 2000072409 CrashDate: 2000-07-24 UptimeMinutes: 37 Total: 37 
OS: Windows NT 4.0 build 1381
Comment: crash again with deleting the last message in thread pane and then
scrolling in the folder pane. Known bug reported. 7-24 am build. win32.
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14729525

nsXULTreeOuterGroupFrame::FindPreviousRowContent 660a97b5
line 838
Build: 2000072409 CrashDate: 2000-07-25 UptimeMinutes: 231 Total: 396 
OS: Windows NT 4.0 build 1381
Comment: Crashed while scrolling in Mail
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14767992

nsXULTreeOuterGroupFrame::FindPreviousRowContent 6f5baa51
line 838
Build: 2000072409 CrashDate: 2000-07-25 UptimeMinutes: 108 Total: 108 
OS: Windows NT 4.0 build 1381
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14787009

nsXULTreeOuterGroupFrame::FindPreviousRowContent 233b26b5
line 838
Build: 2000072421 CrashDate: 2000-07-25 UptimeMinutes: 54 Total: 54 
OS: Windows 98 4.10 build 67766446
Comment: Opening IMAP "INBOX" after having selected another folder and not
waited for action to be finished.
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14835330

nsXULTreeOuterGroupFrame::FindPreviousRowContent 5747ba5a
line 838
Build: 2000072509 CrashDate: 2000-07-26 UptimeMinutes: 267 Total: 267 
OS: Windows NT 4.0 build 1381
Comment: trying to leave the page.
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14851509

nsXULTreeOuterGroupFrame::FindPreviousRowContent eaada389
line 838
Build: 2000072609 CrashDate: 2000-07-27 UptimeMinutes: 16 Total: 25 
OS: Windows NT 5.0 build 2195
Comment: Scrolling the message pane in mail /news
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14881982

nsXULTreeOuterGroupFrame::FindPreviousRowContent 11d4e2e6
line 838
Build: 2000072509 CrashDate: 2000-07-25 UptimeMinutes: 4 Total: 4 
OS: Windows 98 4.10 build 67766222
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14882515

nsXULTreeOuterGroupFrame::FindPreviousRowContent cc949fc6
line 838
Build: 2000072509 CrashDate: 2000-07-27 UptimeMinutes: 84 Total: 87 
OS: Windows NT 4.0 build 1381
Stacktrace: http://cyclone/reports/stackcommentemail.cfm?dynamicBBID=14889612

Resolution: FIXED → ---
FWIW, I no longer see this bug, but it only stopped happening last week, when
43374 was fixed. This would be consistent with the last talkback reports showing
this crash occuring on 7/27, when this 43374 was fixed.
adding myself and laurel to cc: list.  
Keywords: nsbeta3
Whiteboard: [nsbeta3+]
Target Milestone: --- → M18
Has anyone seen this since 7/27?  I haven't been able to get cyclone queries to
show any, so I must be doing something wrong, and now it seems to be down.
Whiteboard: [nsbeta3+] → [nsbeta3+] fixed along with 43374?
P1/Critical, but if nobody can reproduce it, or show evidence of it still
happening, and soon, then I'm going to resolve as WFM.
Severity: normal → critical
Priority: P3 → P1
Whiteboard: [nsbeta3+] fixed along with 43374? → [nsbeta3+] FIXED ALONG WITH 43374?
I did a cyclone query, and got a lot of matches for this, but none after 
08/15 (if I did the query right). Almost all of the ones I found had build ID 
080712, which I believe is the PR2 build ID. The comments mostly revolved 
around something to do with scrolling in trees (mail/ftp/bookmarks).

1) This bug seems to be not occurring in recent builds
2) it wasn't fixed by bug 43374, as that fix went into the PR2 bits, yet 
   PR2 is hitting this crash a lot for people who downloaded it.

I also tried to reproduce this manually, but could not.
Closed: 24 years ago23 years ago
Resolution: --- → FIXED
Reopening. Something has changed to start triggering this again. I hit this
today in the tree in the prefs panel. I then did a talkback query and found
44 recent talkback incidents, all with build ID after 08/28, almost all of
which had the (abbreviated) stack trace of : 

                                     [nsXULTreeOuterGroupFrame.cpp, line 813]
                                     [nsXULTreeOuterGroupFrame.cpp, line 494] 
                                     [nsXULTreeOuterGroupFrame.cpp, line 453] 
nsSliderFrame::SetCurrentPosition               [nsSliderFrame.cpp, line 701] 
nsSliderFrame::HandleEvent                      [nsSliderFrame.cpp, line 480] 
Resolution: FIXED → ---
Whiteboard: [nsbeta3+] FIXED ALONG WITH 43374? → [nsbeta3+]
Here is how to reproduce. With the default set of bookmarks for the commercial
build, open the bookmark manager. 

Expand most of the folders to get a scrollbar. Select one of the folder items
in the middle of the list (e.g. News and Sports). Make sure that the scrollbar 
thumb is neither at the top nor the bottom of the slider.

Now delete the selected folder (which also deletes the child bookmarks). You
should see the "white holes" have opened up in the tree rows. Now, grab the 
scrollbar thumb and yank it up and down. You should crash. 

(That seems contrived, but it is intended so hyatt can reproduce the crash 
easily. The other crashes occurred in various trees, and people were not always
clear on exactly how they had hit this state, but they were hitting it 
(including selmer, asa, phil in the email of the incidents)). 
PDT agrees P1
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]
I nailed it.  I found the core case that caused this again.
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
I just got this crash today in my debug build from this morning (9/21) with the 
exact same crash and with the exact same circumstances as bienvenu originally 
pointed out in the bug while scrolling my folder pane.

It seems like we could protect against the crash in a couple of ways:

  //Add a check for parent content some place in FindPreviousRowContent
  if (tag && tag.get() == nsXULAtoms::tree) {
    // Hopeless. It ain't in there.

Or in the calling function InternalPositionChanged, not call 
FindPreviousRowContent if rowContent is null. It may not solve the problem 
that's causing it, but at least it might prevent the crash.
Resolution: FIXED → ---
adding myself to cc.
It just happened to me again the next time I started up, so something must have 
broken recently since I had never had this crash before.
I'm guessing that nisheeth's async reflow landing has enabled the tree to get 
out of sync.  Yay. :)

*** Bug 53858 has been marked as a duplicate of this bug. ***
This is showing up prominently in talkback data since 2000-09-20-06.
mass-adding rtm keyword to all open nsbeta3+ xptoolkit bugs
Keywords: rtm
nsbeta3-, rtm+, possibly caused by asynch reflow
Whiteboard: [nsbeta3+][PDTP1] → [nsbeta3-][PDTP1][rtm+]
Should also be fixed with eric's landing.
Assignee: hyatt → evaughan
PDT marking [rtm need info] until patch and code reviews are available.
Definitely want a fix for this though.
Whiteboard: [nsbeta3-][PDTP1][rtm+] → [nsbeta3-][PDTP1][rtm need info]
My current build fails when you try to delete bookmarks in this way it crashes 
in javascript somewhere. If I delete a header in the middle of mail it works 
with my new changes. Does this crash in the regular tree?
You can also reproduce this as follows:

1) open mail
2) select a header in about the middle of the list
3) click on the sender header of mail to make it filter by sender.

Poof you crash. Same stack track.
I just got it crash exactly with the same stack while doing mail threading. 
Apparently we are dereferencing a null pointer - parentConten->GetTag(), line 
824. A defensive coding could prevent the hard crash. I'll be testing with the 
following patch.

Index: nsXULTreeOuterGroupFrame.cpp
RCS file: /cvsroot/mozilla/layout/xul/base/src/nsXULTreeOuterGroupFrame.cpp,v
retrieving revision 1.26
diff -c -r1.26 nsXULTreeOuterGroupFrame.cpp
*** nsXULTreeOuterGroupFrame.cpp        2000/09/20 23:10:48     1.26
--- nsXULTreeOuterGroupFrame.cpp        2000/10/03 21:43:49
*** 765,770 ****
--- 765,771 ----
    else if (aDownwardHint) {
      parentContent = dont_QueryInterface(aDownwardHint);
+     if (!parentContent) return;

*** 778,783 ****
--- 779,785 ----
    for (PRInt32 i = index-1; i >= 0; i--) {
      nsCOMPtr<nsIContent> childContent;
      parentContent->ChildAt(i, *getter_AddRefs(childContent));
+     if (!childContent) return;
      nsCOMPtr<nsIAtom> tag;
      if (tag.get() == nsXULAtoms::treerow) {
*** 803,808 ****
--- 805,811 ----
          for (j = childContentCount-1; j >= 0; j--) {

            childContent->ChildAt(j, *getter_AddRefs(grandChild));
+           if (!grandChild) return ;
            nsCOMPtr<nsIAtom> grandChildTag;
            if (grandChildTag.get() == nsXULAtoms::treechildren)
*** 822,827 ****
--- 825,831 ----

+   if (!parentContent) return;
    nsCOMPtr<nsIAtom> tag;
    if (tag && tag.get() == nsXULAtoms::tree) {

-	parentContent	{...}
+	mRawPtr	0x00000000
+	tag	{...}
+	this	0x015226a4

nsXULTreeOuterGroupFrame::FindPreviousRowContent(int & 1, nsIContent * 
0x00000000, nsIContent * 0x00000000, nsIContent * * 0x0012f3c8) line 826 + 47 
nsXULTreeOuterGroupFrame::InternalPositionChanged(nsXULTreeOuterGroupFrame * 
const 0x015226a4, int 1, int 1) line 502 + 47 bytes
nsXULTreeOuterGroupFrame::PositionChanged(nsXULTreeOuterGroupFrame * const 
0x01522758, int 340, int 322) line 462
nsSliderFrame::SetCurrentPosition(nsIContent * 0x0792afa0, nsIFrame * 
0x01449ea0, int 322) line 701
nsSliderFrame::HandleEvent(nsSliderFrame * const 0x01522db4, nsIPresContext * 
0x05d8a110, nsGUIEvent * 0x0012f8c8, nsEventStatus * 0x0012f7b8) line 463
PresShell::HandleEventInternal(nsEvent * 0x0012f8c8, nsIView * 0x079587d0, 
unsigned int 1, nsEventStatus * 0x0012f7b8) line 4270 + 38 bytes
PresShell::HandleEvent(PresShell * const 0x05d8e3f4, nsIView * 0x079587d0, 
nsGUIEvent * 0x0012f8c8, nsEventStatus * 0x0012f7b8, int 1, int & 1) line 4190 + 
25 bytes
nsView::HandleEvent(nsView * const 0x079587d0, nsGUIEvent * 0x0012f8c8, unsigned 
int 28, nsEventStatus * 0x0012f7b8, int 1, int & 1) line 379
nsViewManager2::DispatchEvent(nsViewManager2 * const 0x05d8ecc0, nsGUIEvent * 
0x0012f8c8, nsEventStatus * 0x0012f7b8) line 1439
HandleEvent(nsGUIEvent * 0x0012f8c8) line 68
nsWindow::DispatchEvent(nsWindow * const 0x05d8e944, nsGUIEvent * 0x0012f8c8, 
nsEventStatus & nsEventStatus_eIgnore) line 681 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f8c8) line 702
nsWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000) line 3890 + 
21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, nsPoint * 0x00000000) line 
nsWindow::ProcessMessage(unsigned int 512, unsigned int 1, long 14025589, long * 
0x0012fc44) line 2937 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x001905b8, unsigned int 512, unsigned int 1, long 
14025589) line 950 + 27 bytes
USER32! 77e7124c()
Attached patch a defensive fixSplinter Review
Yes but by aborting are we leaving the tree in the right state? Reassigning to 
hyatt to take a look at the patch.
Assignee: evaughan → hyatt
I hit this crash yesterday, and continued past it with the debugger. In my case,
the tree was *not* in a good state, but it's probably better than crashing. I
think we should protect against the crash, since that's easy, and then try to
fix the underlying problem.
throw an assertion in there before the bulletproofing, so at least we can catch
it when it happens
I agree that we should bulletproof this with the assertion.  If anyone can
reproduce this with the null check, can you close the mail window and then open
it up again and have the folder tree work?  If so, the fact that you can recover
added to the fact that you wouldn't crash is a big plus.
yes, closing the mail window and re-opening it worked when I ran into this crash.
Waiting on eric's tree landing before I muck further with trees.
*** Bug 55654 has been marked as a duplicate of this bug. ***
According to today's list on n.p.m.crash-data, this is the #1 topcrash 
(excluding "MSVCRT.DLL", "msvcrt.dll", "", and "gkhtml.dll").
hi hyatt - has eric's tree landing happened yet?  thanks.
Yes, Eric's changes to the tree have landed.
I think this is still a topcrasher.

I think we should check in the defense patch,
but add some NS_ASSERTION(foo,"foo is null, see bug #44093");
everywhere we do the null checks.  that way it will still be a noticable bug in
debugs builds, not in release builds.

hyatt, if you are busy with other bugs and don't have the cycles to land this, I
can get a new patch (with the NS_ASSERTIONS()) and plead with the pdt to let me
check in.
Here is a real patch for this.  You don't need to null-check quite so much,
since retrieved children can never be null.  Also added assertions.

Whiteboard: [nsbeta3-][PDTP1][rtm need info] → [nsbeta3-][PDTP1][rtm+]
Looking for an r= and a= from the mailnews guys for my patch.  Then pdt will ++
it I hope.
This is indeed still a topcrasher (#2 on the list behind 
nsXULDocument::ResumeWalk, excluding MSVCRT.DLL and gkhtml.dll crashes). 
Need an a=.  Alec?
adding mscott for possible super review.
sr=mscott. It'd be great to get this top crasher in rtm.
Ok, PDT, this is ready for you.
arg, would have sr'ed earlier if SERA wasn't so flakey!
*** Bug 56300 has been marked as a duplicate of this bug. ***
PDT says rtm++, please land on branch ASAP, but please do not include cleanup of
the commented out code.
Whiteboard: [nsbeta3-][PDTP1][rtm+] → [nsbeta3-][PDTP1][rtm++]
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
So, I'm seeing this assertion when I sort columns in the bookmarks manager.
Where should I start looking?
verified fixed -- talkback has no crashes for this stack since the patch 
went in, branch or trunk.
Component: XP Toolkit/Widgets: Trees → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
Crash Signature: [@ nsXULTreeOuterGroupFrame::FindPreviousRowContent]
You need to log in before you can comment on or make changes to this bug.