Bug 488046: Some random crash in [@ nsDocShell::EnsureContentViewer]
Status: RESOLVED FIXED (Opened 16 years ago, Closed 15 years ago)
Categories: Core Graveyard :: Embedding: APIs, defect
Tracking: Not tracked
People: Reporter: romaxa, Assigned: romaxa
Keywords: crash
Attachments: 7 files, 1 obsolete file
I'm not sure, but some crash happened in EnsureContentViewer.
It seems that even after a successful CreateAboutBlankContentViewer, mContentViewer is still NULL...
Should we check for mContentViewer here?
#0 nsDocShell::EnsureContentViewer (this=0x135d178)
at docshell/base/nsDocShell.cpp:5342
#1 0x40f77ae0 in nsDocShell::GetInterface (this=0x135d178, aIID=@0x4129244c, aSink=0xbef2973c)
at docshell/base/nsDocShell.cpp:465
#2 0x40f8a858 in nsWebShell::GetInterface (this=0x135d178, aIID=@0x0, aInstancePtr=0xbef2973c)
at docshell/base/nsWebShell.cpp:634
#3 0x41165580 in nsGetInterface::operator() (this=0xbef29750, aIID=@0x4129244c, aInstancePtr=0xbef2973c) at nsIInterfaceRequestorUtils.cpp:52
#4 0x41163934 in nsCOMPtr_base::assign_from_helper (this=0xbef2975c, helper=@0x2c1, iid=@0x0) at nsCOMPtr.cpp:150
#5 0x40d681f0 in nsGlobalWindow::GetDocument (this=0x18d0940, aDocument=0xbef29780) at ../../dist/include/xpcom/nsCOMPtr.h:621
#6 0x40bfd9d0 in nsDataDocumentContentPolicy::ShouldLoad (this=<value optimized out>, aContentType=6, aContentLocation=<value optimized out>,
aRequestingLocation=<value optimized out>, aRequestingContext=0x18d0970, aMimeGuess=@0x4147dce4, aExtra=0x0, aDecision=0xbef2991e)
at content/base/src/nsDataDocumentContentPolicy.cpp:71
#7 0x40beacc0 in nsContentPolicy::ShouldLoad (this=0xd95f8, contentType=6, contentLocation=0x1905710, requestingLocation=0xc5c690,
requestingContext=0x18d0970, mimeType=@0x4147dce4, extra=0x0, decision=0xbef2991e)
at content/base/src/nsContentPolicy.cpp:157
#8 0x40f868c0 in nsDocShell::InternalLoad (this=0x135d178, aURI=0x1905710, aReferrer=0xc5c690, aOwner=0x6edbb8, aFlags=8, aWindowTarget=0x179a348,
aTypeHint=0x0, aPostData=0x0, aHeadersData=0x0, aLoadType=1, aSHEntry=0x0, aFirstParty=1, aDocShell=0x0, aRequest=0x0)
at ../../dist/include/content/nsContentPolicyUtils.h:223
#9 0x40f7f844 in nsDocShell::LoadURI (this=0x135d178, aURI=0x1905710, aLoadInfo=<value optimized out>, aLoadFlags=16384, aFirstParty=1)
at docshell/base/nsDocShell.cpp:959
#10 0x40fb9d74 in nsWindowWatcher::OpenWindowJSInternal (this=0x312318, aParent=0x519ad8, aUrl=<value optimized out>, aName=<value optimized out>,
aFeatures=0x0, aDialog=0, argv=0x0, aCalledFromJS=1, _retval=0xbef29e6c)
at embedding/components/windowwatcher/src/nsWindowWatcher.cpp:928
#11 0x40fbabdc in nsWindowWatcher::OpenWindowJS (this=0x312318, aParent=0x519ad8, aUrl=0x156c970 "http://docs.google.com/DocAction?action=newdoc",
aName=0x0, aFeatures=0x0, aDialog=0, argv=0x0, _retval=0xbef29e6c)
at embedding/components/windowwatcher/src/nsWindowWatcher.cpp:486
#12 0x40d79608 in nsGlobalWindow::OpenInternal (this=0x519ad8, aUrl=@0xbef2a1c8, aName=@0x1797468, aOptions=@0x1797d90, aDialog=0, aContentModal=0,
aCalledNoScript=0, aDoJSFixups=1, argv=0x0, aExtraArgument=0x0, aCalleePrincipal=0x6edbb8, aJSCallerContext=0x51a208, aReturn=0xbef2a050)
at dom/base/nsGlobalWindow.cpp:7312
#13 0x40d79ee0 in nsGlobalWindow::OpenJS (this=0x519ad8, aUrl=@0xbef2a1c8, aName=@0x1797468, aOptions=@0x1797d90, _retval=0xbef2a050)
at dom/base/nsGlobalWindow.cpp:5072
#14 0x411afd24 in NS_InvokeByIndex_P (that=0x0, methodIndex=0, paramCount=1099939872, params=<value optimized out>)
at xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:247
#15 0x408d6438 in XPCWrappedNative::CallMethod (ccx=@0xbef2a158, mode=3203571808)
at js/src/xpconnect/src/xpcwrappednative.cpp:2480
#16 0x408dcad4 in XPC_WN_CallMethod (cx=0x51a208, obj=<value optimized out>, argc=<value optimized out>, argv=<value optimized out>, vp=0xbef2a268)
at js/src/xpconnect/src/xpcwrappednativejsops.cpp:1585
#17 0x4154e534 in js_Invoke (cx=0x51a208, argc=1, vp=0x13d0418, flags=2)
at js/src/jsinterp.cpp:1347
#18 0x41540f5c in js_Interpret (cx=0x51a208) at js/src/jsinterp.cpp:5040
#19 0x4154e894 in js_Invoke (cx=0x51a208, argc=1, vp=0x13d0230, flags=0)
at js/src/jsinterp.cpp:1365
#20 0x4153b138 in js_fun_call (cx=0x51a208, argc=1, vp=0x13d0210)
at js/src/jsfun.cpp:1655
#21 0x41547a8c in js_Interpret (cx=0x51a208) at js/src/jsinterp.cpp:5023
#22 0x4154e894 in js_Invoke (cx=0x51a208, argc=1, vp=0x13cfde8, flags=0)
at js/src/jsinterp.cpp:1365
#23 0x4153b138 in js_fun_call (cx=0x51a208, argc=1, vp=0x13cfdc8)
at js/src/jsfun.cpp:1655
#24 0x41547a8c in js_Interpret (cx=0x51a208) at js/src/jsinterp.cpp:5023
#25 0x4154e894 in js_Invoke (cx=0x51a208, argc=2, vp=0x13cfc70, flags=0)
at js/src/jsinterp.cpp:1365
#26 0x4153b138 in js_fun_call (cx=0x51a208, argc=2, vp=0x13cfc4c)
at js/src/jsfun.cpp:1655
#27 0x41547a8c in js_Interpret (cx=0x51a208) at js/src/jsinterp.cpp:5023
#28 0x4154e894 in js_Invoke (cx=0x51a208, argc=1, vp=0x13cfc40, flags=0)
at js/src/jsinterp.cpp:1365
#29 0x408d3734 in nsXPCWrappedJSClass::CallMethod (this=0x1ee958, wrapper=<value optimized out>, methodIndex=3, info=0x1bf6f8,
nativeParams=0xbef2ac88)
at js/src/xpconnect/src/xpcwrappedjsclass.cpp:1608
#30 0x408cd56c in nsXPCWrappedJS::CallMethod (this=0x0, methodIndex=3, info=0x1bf6f8, params=0xbef2ac88)
at js/src/xpconnect/src/xpcwrappedjs.cpp:561
#31 0x411b08bc in PrepareAndDispatch (self=0x824a58, methodIndex=<value optimized out>, args=0xbef2ad44)
at xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:132
#32 0x411aff6c in SharedStub () at db/morkreader/nsMorkReader.cpp:150
#33 0x40c76788 in nsEventListenerManager::HandleEventSubType (this=0x8245e0, aListenerStruct=0x824de8, aListener=0x824a58, aDOMEvent=0x1830b84,
aCurrentTarget=0xf10f20, aPhaseFlags=2)
at content/events/src/nsEventListenerManager.cpp:1090
#34 0x40c76c3c in nsEventListenerManager::HandleEvent (this=0x8245e0, aPresContext=0xfe5ab0, aEvent=0xbef2b25c, aDOMEvent=0xbef2b030,
aCurrentTarget=0xf10f20, aFlags=2, aEventStatus=0xbef2b034)
at content/events/src/nsEventListenerManager.cpp:1187
#35 0x40c96488 in nsEventTargetChainItem::HandleEvent (this=0x828728, aVisitor=@0xbef2b028, aFlags=2,
aMayHaveNewListenerManagers=<value optimized out>)
at content/events/src/nsEventDispatcher.cpp:227
#36 0x40c967b0 in nsEventTargetChainItem::HandleEventTargetChain (this=0x8287c8, aVisitor=@0xbef2b028, aFlags=6, aCallback=0xbef2b098,
aMayHaveNewListenerManagers=1)
at content/events/src/nsEventDispatcher.cpp:315
#37 0x40c973c8 in nsEventDispatcher::Dispatch (aTarget=<value optimized out>, aPresContext=0x8287c8, aEvent=0xbef2b25c, aDOMEvent=0x0,
aEventStatus=0xbef2b180, aCallback=0xbef2b098)
at content/events/src/nsEventDispatcher.cpp:508
#38 0x40a8e794 in PresShell::HandleEventInternal (this=0xe19c38, aEvent=0xbef2b25c, aView=<value optimized out>, aStatus=0xbef2b180)
at layout/base/nsPresShell.cpp:6139
#39 0x40a8fe78 in PresShell::HandlePositionedEvent (this=0xe19c38, aView=0xeab6c0, aTargetFrame=0x1396f1c, aEvent=0xbef2b25c,
aEventStatus=0xbef2b180) at layout/base/nsPresShell.cpp:6021
#40 0x40a922a8 in PresShell::HandleEvent (this=0xe19c38, aView=0xeab6c0, aEvent=0xbef2b25c, aEventStatus=0xbef2b180)
at layout/base/nsPresShell.cpp:5881
#41 0x40d5164c in nsViewManager::HandleEvent (this=<value optimized out>, aView=0xeab6c0, aPoint=<value optimized out>, aEvent=0xbef2b25c,
aCaptured=0) at view/src/nsViewManager.cpp:1340
#42 0x40d53814 in nsViewManager::DispatchEvent (this=0xebd448, aEvent=0xbef2b25c, aStatus=0xbef2b2c4)
at view/src/nsViewManager.cpp:1319
#43 0x406f2fd0 in send_event_to_layout (self=0x4c2090, type=3, x=92, y=21, mod=256, button=1, clickcount=1, time=794719)
at ../../../src/gecko/gmozillacppwrapper.cpp:2091
#44 0x406db81c in g_mozilla_engine_send_mouse_event (self=0x4c2090, type=3, x=92, y=21, mod=256, button=1, clickcount=1, time=794719)
at ../../src/gmozillaengine.c:1234
#45 0x406de070 in web_bus_message_handler (msg_id=<value optimized out>, msg=0xa1ddb8, msg_len=<value optimized out>, web=<value optimized out>)
at ../../src/gmozillaweb.c:2402
#46 0x406afbe4 in watch_handler_timeout (data=<value optimized out>) at gwebbus.c:293
#47 0x40109a24 in g_child_watch_dispatch (source=<value optimized out>, callback=0x2c1, user_data=<value optimized out>) at gmain.c:3945
#48 0x4010ba84 in IA__g_main_context_dispatch (context=0x456b0) at gmain.c:2152
#49 0x4010f518 in g_main_context_iterate (context=0x456b0, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2742
#50 0x4010f8f4 in IA__g_main_loop_run (loop=0x95578) at gmain.c:2992
#51 0x0000ee00 in ?? ()
(gdb) frame 0
#0 nsDocShell::EnsureContentViewer (this=0x135d178)
at /home/bifh2/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20090329/docshell/base/nsDocShell.cpp:5342
5342 /home/bifh2/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20090329/docshell/base/nsDocShell.cpp: No such file or directory.
in /home/bifh2/fremantle-arm-prereleased.cs2007q3/work/microb-engine-20090329/docshell/base/nsDocShell.cpp
(gdb) p this->mContentViewer
$25 = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
(gdb) p *this
$22 = {<nsDocLoader> = {<nsIDocumentLoader> = {<nsISupports> = {
_vptr.nsISupports = 0x414457d8}, <No data fields>}, <nsIRequestObserver> = {<nsISupports> = {
_vptr.nsISupports = 0x41445bb0}, <No data fields>}, <nsSupportsWeakReference> = {<nsISupportsWeakReference> = {<nsISupports> = {
_vptr.nsISupports = 0x41445bcc}, <No data fields>}, mProxy = 0xb68290}, <nsIProgressEventSink> = {<nsISupports> = {
_vptr.nsISupports = 0x41445be4}, <No data fields>}, <nsIWebProgress> = {<nsISupports> = {
_vptr.nsISupports = 0x41445c00}, <No data fields>}, <nsIInterfaceRequestor> = {<nsISupports> = {
_vptr.nsISupports = 0x41445c24}, <No data fields>}, <nsIChannelEventSink> = {<nsISupports> = {
_vptr.nsISupports = 0x41445c3c}, <No data fields>}, <nsISecurityEventSink> = {<nsISupports> = {
_vptr.nsISupports = 0x41445c54}, <No data fields>}, <nsISupportsPriority> = {<nsISupports> = {
_vptr.nsISupports = 0x41445c6c}, <No data fields>}, mRefCnt = {mValue = 3}, mDocumentRequest = {<nsCOMPtr_base> = {
mRawPtr = 0x0}, <No data fields>}, mParent = 0x0, mListenerInfoList = {mImpl = 0x0}, mLoadGroup = {<nsCOMPtr_base> = {
mRawPtr = 0x157df98}, <No data fields>}, mChildList = {mImpl = 0x0}, mProgressStateFlags = 16, mCurrentSelfProgress = {mValue = 0},
mMaxSelfProgress = {mValue = 0}, mCurrentTotalProgress = {mValue = 0}, mMaxTotalProgress = {mValue = 0}, mRequestInfoHash = {ops = 0x4146cdd4,
data = 0x0, hashShift = 28, maxAlphaFrac = 192 'À', minAlphaFrac = 64 '@', entrySize = 32, entryCount = 0, removedCount = 0, generation = 0,
entryStore = 0x1959ee8 ""}, mIsLoadingDocument = 0 '\0', mIsRestoringDocument = 0 '\0', mIsFlushingLayout = 0 '\0',
mChildrenInOnload = {<nsCOMArray_base> = {mArray = {mImpl = 0x0}}, <No data fields>}}, <nsIDocShell> = {<nsISupports> = {
_vptr.nsISupports = 0x41445c8c}, <No data fields>}, <nsIDocShellTreeItem> = {<nsIDocShellTreeNode> = {<nsISupports> = {
_vptr.nsISupports = 0x41445db8}, <No data fields>}, <No data fields>}, <nsIDocShellHistory> = {<nsISupports> = {
_vptr.nsISupports = 0x41445e10}, <No data fields>}, <nsIWebNavigation> = {<nsISupports> = {
_vptr.nsISupports = 0x41445e34}, <No data fields>}, <nsIBaseWindow> = {<nsISupports> = {
_vptr.nsISupports = 0x41445e7c}, <No data fields>}, <nsIScrollable> = {<nsISupports> = {
_vptr.nsISupports = 0x41445ef0}, <No data fields>}, <nsITextScroll> = {<nsISupports> = {
_vptr.nsISupports = 0x41445f28}, <No data fields>}, <nsIDocCharset> = {<nsISupports> = {
_vptr.nsISupports = 0x41445f44}, <No data fields>}, <nsIContentViewerContainer> = {<nsISupports> = {
_vptr.nsISupports = 0x41445f60}, <No data fields>}, <nsIScriptGlobalObjectOwner> = {<nsISupports> = {
_vptr.nsISupports = 0x41445f7c}, <No data fields>}, <nsIRefreshURI> = {<nsISupports> = {
_vptr.nsISupports = 0x41445f94}, <No data fields>}, <nsIWebProgressListener> = {<nsISupports> = {
_vptr.nsISupports = 0x41445fc0}, <No data fields>}, <nsIEditorDocShell> = {<nsISupports> = {
_vptr.nsISupports = 0x41445fe8}, <No data fields>}, <nsIWebPageDescriptor> = {<nsISupports> = {
_vptr.nsISupports = 0x41446010}, <No data fields>}, <nsIAuthPromptProvider> = {<nsISupports> = {
_vptr.nsISupports = 0x4144602c}, <No data fields>}, <nsIObserver> = {<nsISupports> = {
_vptr.nsISupports = 0x41446044}, <No data fields>}, <nsILoadContext> = {<nsISupports> = {
_vptr.nsISupports = 0x4144605c}, <No data fields>}, <nsIDocShell_MOZILLA_1_9_1> = {<nsISupports> = {
_vptr.nsISupports = 0x41446080}, <No data fields>}, mAllowSubframes = 1 '\001', mAllowPlugins = 1 '\001', mAllowJavascript = 1 '\001',
mAllowMetaRedirects = 1 '\001', mAllowImages = 1 '\001', mFocusDocFirst = 0 '\0', mHasFocus = 0 '\0', mCreatingDocument = 0 '\0',
mUseErrorPages = 1 '\001', mObserveErrorPages = 0 '\0', mAllowAuth = 1 '\001', mAllowKeywordFixup = 0 '\0', mIsOffScreenBrowser = 0 '\0',
mFiredUnloadEvent = 1 '\001', mEODForCurrentDocument = 0 '\0', mURIResultedInDocument = 0 '\0', mIsBeingDestroyed = 1 '\001',
mIsExecutingOnLoadHandler = 0 '\0', mIsPrintingOrPP = 0 '\0', mSavingOldViewer = 0 '\0', mAppType = 0, mChildOffset = 0, mBusyFlags = 0,
mMarginWidth = -1, mMarginHeight = -1, mItemType = 1, mLoadType = 0, mName = {<nsAString_internal> = {mData = 0xb5ea70, mLength = 0,
mFlags = 5}, <No data fields>}, mTitle = {<nsAString_internal> = {mData = 0x413a5b9a, mLength = 0, mFlags = 1}, <No data fields>},
mContentTypeHint = {<nsACString_internal> = {mData = 0x413a5b9a "", mLength = 0, mFlags = 1}, <No data fields>},
mRefreshURIList = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mSavedRefreshURIList = {<nsCOMPtr_base> = {
mRawPtr = 0x0}, <No data fields>}, mContentListener = {mRawPtr = 0x191c6b8}, mBounds = {x = 0, y = 0, width = 800, height = 354},
mContentViewer = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mDocumentCharsetInfo = {<nsCOMPtr_base> = {
mRawPtr = 0x0}, <No data fields>}, mParentWidget = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mPrefs = {<nsCOMPtr_base> = {
mRawPtr = 0x1d2290}, <No data fields>}, mCurrentURI = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>},
mReferrerURI = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mScriptGlobal = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>},
mSessionHistory = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mGlobalHistory = {<nsCOMPtr_base> = {
mRawPtr = 0x3dd5e4}, <No data fields>}, mFind = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mDefaultScrollbarPref = {x = 1, y = 1},
mOSHE = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mLSHE = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>},
mRestorePresentationEvent = {mEvent = 0x0},
mStorages = {<nsBaseHashtable<nsCStringHashKey,nsCOMPtr<nsIDOMStorage>,nsIDOMStorage*>> = {<nsTHashtable<nsBaseHashtableET<nsCStringHashKey, nsCOMPtr<nsIDOMStorage> > >> = {mTable = {ops = 0x4146bfc4, data = 0x0, hashShift = 28, maxAlphaFrac = 192 'À', minAlphaFrac = 64 '@', entrySize = 20,
entryCount = 0, removedCount = 0, generation = 0, entryStore = 0x18d4970 ""}}, <No data fields>}, <No data fields>},
mPreviousTransIndex = -1, mLoadedTransIndex = -1, mEditorData = {mRawPtr = 0x0}, mTransferableHookData = {<nsCOMPtr_base> = {
mRawPtr = 0x0}, <No data fields>}, mSecurityUI = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mClassifier = {mRawPtr = 0x0},
mLoadingURI = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, mTreeOwner = 0x0, mChromeEventHandler = 0x0, static sURIFixup = 0x4caa18}
(gdb) frame 44
#44 0x406db81c in g_mozilla_engine_send_mouse_event (self=0x4c2090, type=3, x=92, y=21, mod=256, button=1, clickcount=1, time=794719)
at ../../src/gmozillaengine.c:1234
1234 ../../src/gmozillaengine.c: No such file or directory.
in ../../src/gmozillaengine.c
Current language: auto; currently c
(gdb) p *self
$23 = {parent = {g_type_instance = {g_class = 0x96e18}, ref_count = 1, qdata = 0x4f5cc0}, engine = 0x43188, global = 0x42e40, doc_index = -1,
x = 86, y = 21, ctx_type = 1, moz_ctx_type = 2, ctx_node = 0xdd9b1c, prev_ctx_node = 0x62edd8, ctx_url = 0x192a280 "", ctx_objurl = 0x192a2d0 "",
ctx_docurl = 0x176edb0 "http://spreadsheets.google.com/ccc?key=pr8dsww6FN5CzseEhlFmcJg&hl=en", ctx = 0x4fd248, gtkIMContext = 0x4fcee0,
im_signal_cb = {238, 239, 242, 241, 240, 0, 0, 0}, extended_im_mode = GDK_EXTENSION_EVENTS_NONE, im_surr_offset = 0, im_surr_num = 0,
im_surr_enable = 0, im_do_manual_commit = 0, im_key_pressed = 0, mChromeMask = 0, isFkbShowed = 0, last_event = 0x1710a18, is_loading = 0,
username = 0x0, password = 0x0, accept = 0, last_location = 0x1457f60 "http://spreadsheets.google.com/ccc?key=pr8dsww6FN5CzseEhlFmcJg&hl=en",
last_net_status = 0, sec_mode = 0, signals_array = 0x2c3930, signals_array_len = 39, current_zoom = 100, optimized_view = 0,
will_open_location = 0x14fce38 "http://docs.google.com/drawings/client?xpc=%7B%22cn%22%3A%22k9fcNaq5sG%22%2C%22tp%22%3Anull%2C%22ppu%22%3A%22http%3A%2F%2Fspreadsheets.google.com%2Fobj%2Fblank.html%22%2C%22lpu%22%3A%22http%3A%2F%2Fdo"..., waiting_connection = 0, user_iteraction_happens = 1,
progress_bar_state = -1, page_size = 8870, scroll_to_node_timer_id = 0, vkb_up_timeout = 0, mouse_down = 0, mouse_scroll = 0, vkb_shown = 0,
key_press_time = {tv_sec = 0, tv_usec = 0}, key_release_time = {tv_sec = 0, tv_usec = 0}, emit_open_uri_signal = 0,
generate_shistory_thumbnails = 1, shistory_thumbnail_manager = 0x523cb8, shistory_thumbnail_width = 464, shistory_thumbnail_height = 280,
notification_vbox = 0x422e8, shmid = 1605649, xshm_rendering_enabled = 1, mLastVisibleArea = {x = 6, y = 0, width = 800, height = 354},
mLastTargetArea = {x = 0, y = 0, width = 1080, height = 624}, mBlockedUpdates = 0x527260, mBlockedUpdatesSource = 2189, mZoomValue = 1,
plug = 0x0, select_node = 0x0, mWindowSize = {x = 6, y = 0, width = 800, height = 354}, prev_eventkey = 0x0, mMinWindowSize = {x = 0, y = 0,
width = 0, height = 0}, is_active = 0, kbd_handler_last_ev_time = 315438, kbd_handler_last_ev_key = 0, kbd_handler_release_timer_id = 0,
kbd_handler_event_info = {self = 0x4c2090, embed = 0x4cea68, event = {type = GDK_KEY_RELEASE, window = 0x431e8, send_event = 1 '\001',
time = 315438, state = 0, keyval = 116, length = 1, string = 0x82ada8 "", hardware_keycode = 28, group = 0 '\0', is_modifier = 0}}}
What steps did you take that led to this crash?
Severity: normal → critical
Component: Layout → Embedding: APIs
Keywords: crash
QA Contact: layout → apis
Summary: Some random crash in nsDocShell::EnsureContentViewer → Some random crash in [@ nsDocShell::EnsureContentViewer]
Comment 2 • 16 years ago
The only way I can see for this to happen is if Embed() somehow ends up with a null viewer at the end of it. I don't see a way this can happen, offhand. I'd love to see an answer to dbaron's question.
Comment 3 (Assignee) • 16 years ago
I was playing with google spreadsheet, but I was using some special way to send events to the page content:
https://garage.maemo.org/svn/browser/mozilla/trunk/microb-eal/src/gecko/gmozillacppwrapper.cpp:1663
Maybe it happens because I was sending events to dispatch in a not very normal way?
But I'm pretty sure that this way is very similar to sending events with DOMWindowUtils Send***Event...
Comment 4 • 16 years ago
Yeah, that shouldn't cause issues like this.
I have no idea how you got into the state that gdb trace shows.
Comment 5 (Assignee) • 16 years ago
I can easily reproduce this crash on mozilla-central 94cb97a93667 without the microb patchset... it is not realistic to reproduce this crash without valgrind on x86, mozilla works too fast, but with valgrind or on device it is possible:
Open some google docs document and quickly close it....
I'm not sure yet, but probably it happens when we are sending events to the half-destroyed dom window... I will check it more properly... it is also possible that we are sending events to a dead domWindow, but not sure...
Comment 6 (Assignee) • 16 years ago
I have added:
NS_ENSURE_TRUE(mContentViewer, NS_ERROR_FAILURE);
after CreateAboutBlankContentViewer, and it seems not to happen anymore...
Comment 7 (Assignee) • 16 years ago
Also I got this crash... it seems I have some pending async click events which are coming after webshell destroy...
==26997==
==26997== Invalid read of size 4
==26997== at 0x46AF570: EmbedProgress::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) (EmbedProgress.cpp:204)
==26997== by 0x7EDFD01: nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned int) (nsDocLoader.cpp:1254)
==26997== by 0x7EE036D: nsDocLoader::doStartDocumentLoad() (nsDocLoader.cpp:815)
==26997== by 0x7EE0450: nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) (nsDocLoader.cpp:531)
==26997== by 0x6D16F89: nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) (nsLoadGroup.cpp:595)
==26997== by 0x6D8E3BA: nsHttpChannel::AsyncOpen(nsIStreamListener*, nsISupports*) (nsHttpChannel.cpp:4144)
==26997== by 0x7EDCAB5: nsURILoader::OpenURI(nsIChannel*, int, nsIInterfaceRequestor*) (nsURILoader.cpp:840)
==26997== by 0x7EC4DD0: nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, int) (nsDocShell.cpp:7814)
==26997== by 0x7ECAE29: nsDocShell::DoURILoad(nsIURI*, nsIURI*, int, nsISupports*, char const*, nsIInputStream*, nsIInputStream*, int, nsIDocShell**, nsIRequest**, int, int) (nsDocShell.cpp:7660)
==26997== by 0x7ECCE44: nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, unsigned short const*, char const*, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, int, nsIDocShell**, nsIRequest**) (nsDocShell.cpp:7348)
==26997== by 0x7ECC527: nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, unsigned short const*, char const*, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, int, nsIDocShell**, nsIRequest**) (nsDocShell.cpp:6993)
==26997== by 0x7ED599B: nsWebShell::OnLinkClickSync(nsIContent*, nsIURI*, unsigned short const*, nsIInputStream*, nsIInputStream*, nsIDocShell**, nsIRequest**) (nsWebShell.cpp:898)
==26997== by 0x7ED6798: OnLinkClickEvent::Run() (nsWebShell.cpp:730)
==26997== by 0x4836424: nsThread::ProcessNextEvent(int, int*) (nsThread.cpp:510)
==26997== by 0x47FA08C: NS_ProcessPendingEvents_P(nsIThread*, unsigned int) (nsThreadUtils.cpp:180)
==26997== by 0xA9EB32E: nsBaseAppShell::NativeEventCallback() (nsBaseAppShell.cpp:121)
==26997== by 0xA9D4F1D: nsAppShell::EventProcessorCallback(_GIOChannel*, GIOCondition, void*) (nsAppShell.cpp:69)
==26997== by 0x4119AD6: g_io_unix_dispatch (giounix.c:162)
==26997== by 0x40E4BAB: g_main_context_dispatch (gmain.c:2142)
==26997== by 0x40E81CE: g_main_context_iterate (gmain.c:2776)
==26997== by 0x40E8537: g_main_loop_run (gmain.c:2984)
==26997== by 0x804E611: start_server (dbus.c:420)
==26997== by 0x804EC55: main (dbus.c:498)
Comment 8 (Assignee) • 16 years ago
nsWebShell::OnLinkClickSync:813, this:0x8f8c4a0, mContentViewer:0xe25e0b0
nsDocShell::nsDocShell()::339, this:0xdd88ae0, mContentViewer:(nil)
nsresult nsDocShell::Init()::364, this:0xdd88ae0, mContentViewer:(nil)
**********
nsDocShell::CreateAboutBlankContentViewer::5360, this:0xdd88ae0, mContentViewer:(nil) - <<<<<<Begin to create content viewer>>>>>>>>>
nsDocShell::DestroyChildren()::413, this:0xdd88ae0, mContentViewer:0x8f6f950
gmozillaengine.c:destroy_cb:3440: self:0x57b5b68, engine:0xdffd430
gtk_moz_embed_destroy::629, gtk:0xdffd430 embedPr:0xbea37d0
EmbedPrivate::Destroy::520, destroy:0xbea37d0
nsDocShell::DestroyChildren()::413, this:0xdd88ae0, mContentViewer:(nil)
~EmbedPrivate::318, destroy:0xbea37d0
nsDocShell::CreateAboutBlankContentViewer::5454, this:0xdd88ae0, mContentViewer:(nil) - <<<<<< End of create content viewer>>>>>>>>>
nsDocShell::EnsureContentViewer()::5340, this:0xdd88ae0, mContentViewer:(nil) - as result we have NULL mContentViewer.
Comment 9 (Assignee) • 16 years ago
Looks like it is possible to destroy the embedding window while CreateAboutBlankContentViewer is working, and it seems docshell does not expect this behavior...
Comment 10 (Assignee) • 16 years ago
Attachment #372385 -
Flags: review?(bzbarsky)
Comment 11 • 16 years ago
Wait. What exactly is destroying the docshell that made the CreateAboutBlankContentViewer call? And why?
Comment 12 (Assignee) • 16 years ago
1) Page opening new window ClickSync
2) EmbedWindow created and initialized as empty window
3) InternalLoad starting to work and loading content in EmbedWindow http://mxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#5448
(with native loop iterations)
4) during CreateAboutBlankContentViewer working user closing EmbedWindow
5) DocShell children destroyed, mContentViewer = null
6) after exiting from CreateAboutBlankContentViewer we have crash.
Comment 13 • 16 years ago
> 4) during CreateAboutBlankContentViewer working user closing EmbedWindow
What's the stack for this, exactly?
Comment 14 (Assignee) • 16 years ago
Here you can find the sequence of windowWatcher/docshell calls..
Also backtrace for this log
Comment 15 • 16 years ago
I meant the stack for the nsDocShell::Destroy call that happens under CreateAboutBlankContentViewer for that same docshell.
Comment 16 (Assignee) • 16 years ago
I have created a global variable and was storing "this" in it at the beginning of the EnsureContentViewer function and "nsnull" at the end.
In DocShell::Destroy() I was checking whether the global variable "EnsureWindow" == this -> abort.
Comment 17 (Assignee) • 16 years ago
(gdb) info threads
* 12 process 11396 0x090d880d in nsDocShell::Destroy (this=0xdf66d10)
at mozilla/docshell/base/nsDocShell.cpp:3765
11 process 11409 0x04c388be in poll () from /lib/libc.so.6
10 process 11428 0x048d42c2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
9 process 11429 0x04c388be in poll () from /lib/libc.so.6
8 process 11430 0x048d42c2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
7 process 11529 0x048d42c2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
6 process 11547 0x048d4051 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
5 process 11557 0x048d4051 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
4 process 11558 0x048d4051 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
3 process 11559 0x048d42c2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
2 process 11560 0x048d42c2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
1 process 11561 0x048d42c2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
Comment 18 (Assignee) • 16 years ago
Btw: UI is in different process, and destroy event is coming from gtk_plug delete_event...
Comment 19 • 16 years ago
I don't understand that stack. It doesn't show EnsureContentViewer on the stack. And the threads output doesn't show it running anywhere either, unless it's one of the polling threads there. Or is it? Docshell's not threadsafe, so if you're touching it on multiple threads at once bad things are pretty much guaranteed.
Comment 20 (Assignee) • 16 years ago
No, it seems it happens in the same thread:
1)nsresult EmbedPrivate::Init(GtkMozEmbed*)::341
2)nsresult EmbedPrivate::Realize(PRBool*)::407
3)MicrobEalObserver.cpp:Observe:337: Func:virtual nsresult MicrobEalObserver::Observe(nsISupports*, const char*, const PRUnichar*)::337, aTopic:domwindowopened, aData:
4)>> Before CreateAboutBlankContentViewer Func:virtual nsresult nsDocShell::EnsureContentViewer()::5349 this:0x7d97570, ensW:0x7d97570, mContentViewer:(nil)
5)>> START CreateAboutBlankContentViewer Func:virtual nsresult nsDocShell::EnsureContentViewer()::5353 this:0x7d97570, mContentViewer:(nil), thr:0x559dac0, typ:0, scp:1
6)void EmbedPrivate::Destroy()::519
7)MicrobEalObserver.cpp:Observe:337: Func:virtual nsresult MicrobEalObserver::Observe(nsISupports*, const char*, const PRUnichar*)::337, aTopic:domwindowclosed, aData:
8)>> We are Callling Destroy AAAA Func:virtual nsresult nsDocShell::Destroy()::3768 this:0x7d97570, ensW:0x7d97570, mContentViewer:0x7c5fb88, thr:0x559dac0, typ:0, scp:1
9)virtual nsresult nsDocShell::Destroy()::3784 this:0x7d97570, mContentViewer:0x7c5fb88
10)EmbedPrivate::~EmbedPrivate()::318
11)EmbedPrivate::~EmbedPrivate()::326
12)>> After CreateAboutBlankContentViewer Func:virtual nsresult nsDocShell::EnsureContentViewer()::5360 this:0x7d97570, ensW:0x7d97570, mContentViewer:(nil)
==28180==
==28180== Invalid read of size 4
==28180== at 0x90D7D9D: nsDocShell::EnsureContentViewer() (nsDocShell.cpp:5366)
Comment 21 (Assignee) • 16 years ago
I will try to check what the last call is in the CreateAboutBlankContentViewer function tree.
Comment 22 (Assignee) • 16 years ago
Ok, seems we are rotating gtk main loop in location change signal.
> START CreateAboutBlankContentViewer Func:virtual nsresult nsDocShell::EnsureContentViewer()::5368 this:0x7e2e150, mContentViewer:(nil), thr:0x559dac0, typ:0, scp:1
>>>Func:SetCurrentURI::1324
>>Func:void nsDocLoader::FireOnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*)::1298
>>Func:virtual nsresult EmbedProgress::OnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*)::295
microb-eal:location_changed_cb:2183 - here we are sending location changed signal to UI process and rotating gmain loop
>>>>>>Func:void EmbedPrivate::Destroy()::519
>>> Destroy mContentViewer >>>Func:Destroy::3856
location_changed_cb:2199: - exit from signal emitting
>>>>>>Func:virtual nsresult EmbedProgress::OnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*)::325 - exit
>>>>>>Func:void nsDocLoader::FireOnLocationChange(nsIWebProgress*, nsIRequest*, nsIURI*)::1303 - exit
>>>>>>Func:SetCurrentURI::1326 -exit
>>>>>>Func:CreateAboutBlankContentViewer::5479 - exit
>>>>>> After CreateAboutBlankContentViewer Func:virtual nsresult nsDocShell::EnsureContentViewer()::5375 this:0x7e2e150, ensW:0x7e2e150, mContentViewer:(nil)
Comment 23 (Assignee) • 16 years ago
I don't know why gtk is not showing the full stack for gmain loop iterations... maybe debug symbols, maybe a debugger problem...
Comment 24 (Assignee) • 16 years ago
Comment 25 • 16 years ago
so bug 462728 comment 5 comes to mind, but there's also a bug /somewhere/ where I showed that gtkmozembed has always been this broken. I can't find it at the moment.
Comment 26 • 16 years ago
Ah, right. Good catch there. I forgot that CreateAboutBlankContentViewer fired onLocationChange.
I think the right thing to do for now is to check for destruction right after the SetCurrentURI call in CreateAboutBlankContentViewer, and if destroyed return error.
Comment 27 (Assignee) • 16 years ago
What about nsDocShell::CreateContentViewer? It is also sending location change.. should we check for destroy there as well?
I don't know exactly the other places where it needs to be done, or maybe we can create some general solution.
Comment 28 • 16 years ago
I'd have to look at codepaths calling CreateContentViewer to say for sure...
You could test with an onLocationChange listener that closes the window, if you want. Or only closes it for a particular new location if you want to be able to bring the window up first.
I can't think of a general solution offhand other than reworking the way onLocationChange notifications happen to make them sane.
Comment 29 (Assignee) • 16 years ago
Attachment #372801 -
Flags: review?(bzbarsky)
Updated • 16 years ago
Attachment #372385 -
Attachment is obsolete: true
Attachment #372385 -
Flags: review?(bzbarsky)
Comment 30 • 16 years ago
Comment on attachment 372801 [details] [diff] [review]
Can we do it like this?
Make that NS_ERROR_NOT_AVAILABLE and looks good.
Attachment #372801 -
Flags: review?(bzbarsky) → review+
Comment 31 (Assignee) • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Crash Signature: [@ nsDocShell::EnsureContentViewer]
Updated • 6 years ago
Product: Core → Core Graveyard
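The re-entrancy diagnosed in comments 22 and 26, reduced to a self-contained C++ model: a location-change listener tears the shell down while the blank viewer is still being created, and the state is re-checked right after the notification returns. This is an added example, not the patch attached to this bug and not Gecko code; `MiniShell`, `Viewer`, `Status`, `Outcome` and `run` are hypothetical names.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// Hypothetical stand-ins for the docshell pieces discussed in the thread.
enum class Status { Ok, NotAvailable };

struct Viewer { std::string uri; };

class MiniShell {
public:
    // Plays the role of the embedder's onLocationChange listener, which in the
    // thread ends up spinning the main loop and delivering a window close.
    std::function<void(MiniShell&)> onLocationChange;

    void Destroy() {
        destroyed_ = true;
        viewer_.reset();   // matches the log: viewer is non-null, then nil
    }

    // Creates the blank viewer, then announces the new location.
    // recheckAfterNotify=false models the code before the fix,
    // recheckAfterNotify=true models the check suggested in comment 26.
    Status CreateBlankViewer(bool recheckAfterNotify) {
        viewer_.reset(new Viewer{"about:blank"});
        SetCurrentURI("about:blank");  // listener may re-enter Destroy() here
        if (recheckAfterNotify && (destroyed_ || !viewer_))
            return Status::NotAvailable;
        return Status::Ok;             // unchecked path: "success", viewer may be null
    }

    Status EnsureViewer(bool recheckAfterNotify) {
        if (viewer_) return Status::Ok;
        if (destroyed_) return Status::NotAvailable;
        return CreateBlankViewer(recheckAfterNotify);
    }

    const Viewer* viewer() const { return viewer_.get(); }

private:
    void SetCurrentURI(const std::string& uri) {
        currentURI_ = uri;
        if (onLocationChange) onLocationChange(*this);
    }

    std::unique_ptr<Viewer> viewer_;
    std::string currentURI_;
    bool destroyed_ = false;
};

struct Outcome { Status status; bool hasViewer; };

// Runs one EnsureViewer call, optionally with a listener that closes the
// window during the location-change notification.
Outcome run(bool recheckAfterNotify, bool closeDuringNotify) {
    MiniShell shell;
    if (closeDuringNotify)
        shell.onLocationChange = [](MiniShell& s) { s.Destroy(); };
    Status st = shell.EnsureViewer(recheckAfterNotify);
    return Outcome{st, shell.viewer() != nullptr};
}

int main() {
    Outcome before = run(false, true);
    Outcome after = run(true, true);
    // Before: status Ok but no viewer, so a caller that trusts the status
    // dereferences null. After: the caller gets an error instead.
    std::printf("unchecked: ok=%d hasViewer=%d\n",
                before.status == Status::Ok, before.hasViewer);
    std::printf("checked:   ok=%d hasViewer=%d\n",
                after.status == Status::Ok, after.hasViewer);
    return 0;
}
```

A listener that closes the window from the notification, as in `run(..., true)`, is also the test setup comment 28 suggests for finding other call sites that need the same check.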