Closed Bug 492325 Opened 15 years ago Closed 15 years ago

crash while installing addon CSSParserImpl::`scalar deleting destructor' under ScopedXPCOMStartup::~ScopedXPCOMStartup

Categories

(Firefox for Android Graveyard :: General, defect)

All
Windows Mobile 6 Professional
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: blassey, Unassigned)

Details

Data Abort: Thread=88ad9880 Proc=80458840 'fennec.exe'
AKY=00400001 PC=79177014(mozce_shunt.dll+0x00007014) RA=7917b790(mozce_shunt.dll+0x0000b790) BVA=68200408 FSR=00000007
Unhandled exception at 0x79177014 in fennec.exe: 0xC0000005: Access violation reading location 0x68200408.


stack:
>	mozce_shunt.dll!arena_avail_tree_remove(arena_avail_tree_t* tree = 0x64a000f0, arena_chunk_map_s* node = 0x64a000f0) Line: 3062, Byte Offsets: 0x2c	C
 	mozce_shunt.dll!arena_run_dalloc(arena_s* arena = 0x64a000f0, arena_run_s* run = 0x64a000f0, unsigned char dirty = 255 'ÿ') Line: 3673, Byte Offsets: 0x260	C
 	mozce_shunt.dll!arena_dalloc_large(arena_s* arena = 0x64a000f0, arena_chunk_s* chunk = 0x64a000f0, void* ptr = 0x00000fff) Line: 4527, Byte Offsets: 0x90	C
 	mozce_shunt.dll!arena_dalloc(arena_s* arena = 0x64a000f0, arena_chunk_s* chunk = 0x64a000f0, void* ptr = 0x00000fff) Line: 4553, Byte Offsets: 0x268	C
 	mozce_shunt.dll!idalloc(void* ptr = 0x64a000f0) Line: 4567, Byte Offsets: 0x7c	C
 	mozce_shunt.dll!free(void* ptr = 0x64a000f0) Line: 6389, Byte Offsets: 0x74	C
 	xul.dll!CSSParserImpl::`scalar deleting destructor'(void) Line: 0, Byte Offsets: 0xffffffff	C++
 	xul.dll!CSSParserImpl::Release(void) Line: 704, Byte Offsets: 0xb0	C++
 	xul.dll!nsCanvasRenderingContext2D::~nsCanvasRenderingContext2D(void) Line: 688, Byte Offsets: 0xbc	C++
 	xul.dll!nsCanvasRenderingContext2D::`scalar deleting destructor'(void) Line: 0, Byte Offsets: 0xffffffff	C++
 	xul.dll!nsCanvasRenderingContext2D::Release(void) Line: 654, Byte Offsets: 0xb4	C++
 	xul.dll!nsHTMLCanvasElement::~nsHTMLCanvasElement(void) Line: 157, Byte Offsets: 0x14c	C++
 	xul.dll!nsHTMLCanvasElement::`scalar deleting destructor'(void) Line: 0, Byte Offsets: 0xffffffff	C++
 	xul.dll!nsNodeUtils::LastRelease(nsINode* aNode = 0x64a000f0) Line: 247, Byte Offsets: 0x460	C++
 	xul.dll!nsGenericElement::Release(void) Line: 4147, Byte Offsets: 0xb8	C++
 	xul.dll!nsHTMLCanvasElement::Release(void) Line: 160, Byte Offsets: 0x0c	C++
 	xul.dll!nsXPCOMCycleCollectionParticipant::Unroot(void* p = 0x64a000f0) Line: 75, Byte Offsets: 0x14	C++
 	xul.dll!nsCycleCollector::CollectWhite(void) Line: 1728, Byte Offsets: 0xf4	C++
 	xul.dll!nsCycleCollector::FinishCollection(void) Line: 2555, Byte Offsets: 0x0c	C++
 	xul.dll!XPCCycleCollectGCCallback(JSContext* cx = 0x64a000f0, JSGCStatus status = 1688207600) Line: 403, Byte Offsets: 0xd0	C++
 	js3250.dll!js_GC(JSContext* cx = 0x64a000f0, JSGCInvocationKind gckind = 1688207600) Line: 3780, Byte Offsets: 0xaa8	C++
 	xul.dll!nsXPConnect::Collect(void) Line: 478, Byte Offsets: 0xe0	C++
 	xul.dll!nsCycleCollector::Collect(unsigned int aTryCollections = 1688207600) Line: 2369, Byte Offsets: 0xc0	C++
 	xul.dll!nsJSContext::CC(void) Line: 3430, Byte Offsets: 0x3c	C++
 	xul.dll!nsJSContext::MaybeCC(int aHigherProbability = 1688207600) Line: 3499, Byte Offsets: 0x134	C++
 	xul.dll!GCTimerFired(nsITimer* aTimer = 0x64a000f0, void* aClosure = 0x64a000f0) Line: 3543, Byte Offsets: 0x60	C++
 	xul.dll!nsTimerImpl::Fire(void) Line: 428, Byte Offsets: 0x338	C++
 	xul.dll!nsTimerEvent::Run(void) Line: 521, Byte Offsets: 0xd4	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait = 1688207600, int* result = 0x00000fff) Line: 511, Byte Offsets: 0x24c	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread* thread = 0x64a000f0, int mayWait = 1688207600) Line: 230, Byte Offsets: 0x64	C++
 	xul.dll!nsThread::Shutdown(void) Line: 465, Byte Offsets: 0x1d0	C++
 	xul.dll!nsSocketTransportService::Shutdown(void) Line: 459, Byte Offsets: 0x110	C++
 	xul.dll!nsIOService::SetOffline(int offline = 1688207600) Line: 662, Byte Offsets: 0x194	C++
 	xul.dll!nsIOService::Observe(nsISupports* subject = 0x64a000f0, const char* topic = 0x00000fff, const wchar_t* data = 0x011301f0) Line: 830, Byte Offsets: 0xec	C++
 	xul.dll!nsObserverList::NotifyObservers(nsISupports* aSubject = 0x64a000f0, const char* aTopic = 0x00000fff, const wchar_t* someData = 0x011301f0) Line: 128, Byte Offsets: 0xa8	C++
 	xul.dll!nsObserverService::NotifyObservers(nsISupports* aSubject = 0x64a000f0, const char* aTopic = 0x00000fff, const wchar_t* someData = 0x011301f0) Line: 184, Byte Offsets: 0x10c	C++
 	xul.dll!nsXREDirProvider::DoShutdown(void) Line: 862, Byte Offsets: 0xe8	C++
 	xul.dll!ScopedXPCOMStartup::~ScopedXPCOMStartup(void) Line: 993, Byte Offsets: 0x48	C++
 	xul.dll!XRE_main(int argc = 1688207600, char** argv = 0x64a000f0, nsXREAppData* aAppData = 0x00000fff) Line: 3407, Byte Offsets: 0x2604	C++
 	0x00012220	
 	0x00012404	
 	0x0001295c	
 	0x03f67274
Is this after you attempt to "restart"?
This is before the restart, but I had been stepping through the code so the expected timing of things may have been way off.
I faced this crash, but in my case it is in arena_avail_tree_insert instead of arena_avail_tree_remove. And I can reproduce this crash without add-ons installation. The steps to reproduce are:

1. Run fennec
2. Open add-ons preference
3. Kill fennec from task manager
4. Bomb!

But the crash does not always happen.

Anyway, I guess this is an issue of tracemonkey.

    mozce_shunt.dll!arena_avail_tree_insert(arena_avail_tree_t* tree = 0x510000f0, arena_chunk_map_s* node
    mozce_shunt.dll!arena_run_dalloc(arena_s* arena = 0x51000040, arena_run_s* run = 0x518f8000, unsigned
    mozce_shunt.dll!arena_dalloc_large(arena_s* arena = 0x51000040, arena_chunk_s* chunk = 0x51800000, voi
    mozce_shunt.dll!arena_dalloc(arena_s* arena = 0x51000040, arena_chunk_s* chunk = 0x51800000, void* ptr
    mozce_shunt.dll!idalloc(void* ptr = 0x518f8000) Line: 4565, Byte Offsets: 0xb4  C
    mozce_shunt.dll!free(void* ptr = 0x518f8000) Line: 6389, Byte Offsets: 0x90 C
    mozce_shunt.dll!operator delete(void* ptr = 0x518f8000) Line: 52, Byte Offsets: 0x14    C++
    xul.dll!CSSParserImpl::`scalar deleting destructor'(void) Line: 0, Byte Offsets: 0xffffffff C++
    xul.dll!CSSParserImpl::Release(void) Line: 704, Byte Offsets: 0x12c C++
    xul.dll!nsCOMPtr<nsICSSParser>::~nsCOMPtr<nsICSSParser>(void) Line: 511, Byte Offsets: 0x60 C++
    xul.dll!nsCanvasRenderingContext2D::~nsCanvasRenderingContext2D(void) Line: 688, Byte Offsets: 0x60 C+
    xul.dll!nsCanvasRenderingContext2D::`scalar deleting destructor'(void) Line: 0, Byte Offsets: 0xffffff
    xul.dll!nsCanvasRenderingContext2D::Release(void) Line: 654, Byte Offsets: 0x134    C++
    xul.dll!nsCOMPtr<nsICanvasRenderingContextInternal>::~nsCOMPtr<nsICanvasRenderingContextInternal>(void
    xul.dll!nsHTMLCanvasElement::~nsHTMLCanvasElement(void) Line: 157, Byte Offsets: 0xe0   C++
    xul.dll!nsHTMLCanvasElement::`scalar deleting destructor'(void) Line: 0, Byte Offsets: 0xffffffff   C+
    xul.dll!nsNodeUtils::LastRelease(nsINode* aNode = 0x513f3700) Line: 246, Byte Offsets: 0x3b4    C++
    xul.dll!nsGenericElement::Release(void) Line: 4147, Byte Offsets: 0x104 C++
    xul.dll!nsHTMLCanvasElement::Release(void) Line: 160, Byte Offsets: 0x18    C++
    xul.dll!nsXPCOMCycleCollectionParticipant::Unroot(void* p = 0x513f3700) Line: 74, Byte Offsets: 0x34
    xul.dll!nsCycleCollector::CollectWhite(void) Line: 1727, Byte Offsets: 0x154    C++
    xul.dll!nsCycleCollector::FinishCollection(void) Line: 2555, Byte Offsets: 0x18 C++
    xul.dll!nsCycleCollector_finishCollection(void) Line: 3070, Byte Offsets: 0x24  C++
    xul.dll!XPCCycleCollectGCCallback(JSContext* cx = 0x512a8000, JSGCStatus status = 1) Line: 403, Byte O
    js3250.dll!js_GC(JSContext* cx = 0x512a8000, JSGCInvocationKind gckind = 0) Line: 3785, Byte Offsets:
    js3250.dll!JS_GC(JSContext* cx = 0x512a8000) Line: 2463, Byte Offsets: 0x70 C++
    xul.dll!nsXPConnect::Collect(void) Line: 478, Byte Offsets: 0x12c   C++
    xul.dll!nsCycleCollector::Collect(unsigned int aTryCollections = 1) Line: 2369, Byte Offsets: 0x1b4 C+
    xul.dll!nsCycleCollector_collect(void) Line: 3052, Byte Offsets: 0x28   C++
    xul.dll!nsJSContext::CC(void) Line: 3445, Byte Offsets: 0x68    C++
    xul.dll!nsJSContext::CCIfUserInactive(void) Line: 3534, Byte Offsets: 0x24  C++
    xul.dll!GCTimerFired(nsITimer* aTimer = 0x513e8c40, void* aClosure = 0x00000000) Line: 3554, Byte Offs
    xul.dll!nsTimerImpl::Fire(void) Line: 428, Byte Offsets: 0x4e0  C++
    xul.dll!nsTimerEvent::Run(void) Line: 521, Byte Offsets: 0x11c  C++
    xul.dll!nsThread::ProcessNextEvent(int mayWait = 0, int* result = 0x1bbae970) Line: 511, Byte Offsets:
    xul.dll!NS_ProcessPendingEvents_P(nsIThread* thread = 0x5122b0b0, unsigned int timeout = 4294967295) L
    xul.dll!NS_ShutdownXPCOM_P(nsIServiceManager* servMgr = 0x51245104) Line: 775, Byte Offsets: 0x1e4  C+
    xul.dll!ScopedXPCOMStartup::~ScopedXPCOMStartup(void) Line: 996, Byte Offsets: 0xb0 C++
    xul.dll!XRE_main(int argc = 1, char** argv = 0x51204060, nsXREAppData* aAppData = 0x5122a040) Line: 33
    0x0001224c
    0x0001137c
    0x0001348c
    0x03f67274
I have not been able to get valid stack traces for a few days, but I still sometimes face the crash.

Stack trace at this time:

    0x7a092fd0
    0x7820c108
    0x78205308
    0x78209b54
    0x03f6732c

Unfortunately, there are no symbols, since these addresses (at least the top four addresses) seem to be functions in xul.dll, but xul.dll is already unloaded.

The last log is:

    Unload module: xpcom.dll
    Unload module: softokn3.dll
    nsStringStats
     => mAllocCount:          13354
     => mReallocCount:         2151
     => mFreeCount:           12264  --  LEAKED 1090 !!!
     => mShareCount:          14363
     => mAdoptCount:           1150
     => mAdoptFreeCount:       1148  --  LEAKED 2 !!!
    Unload module: xul.dll
    Unload module: sqlite3.dll
    Unload module: js3250.dll
    Unload module: smime3.dll
    Unload module: ssl3.dll
    Prefetch Abort: Thread=9fc01000 Proc=80096ec0 'fennec.exe'
    Unload module: nss3.dll
    AKY=00001001 PC=7a092fd0(???+0x7a092fd0) RA=7820c108(nspr4.dll+0x0003c108) BVA=7a092fd0 FSR=00000407
    Unload module: nssutil3.dll
    Unload module: plc4.dll
    Unhandled exception at 0x7a092fd0 in fennec.exe: 0xC0000005: Access violation reading location 0x7a092fd0.
~
(In reply to comment #4)
> I have not been able to get valid stack traces for a few days, but I still
> sometimes face the crash.
> 
> Stack trace at this time:
> 
>     0x7a092fd0
>     0x7820c108
>     0x78205308
>     0x78209b54
>     0x03f6732c

The first address (0x7a092fd0) seems to be this line.

http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/xpcjsruntime.cpp#807
ok, that's a different crash.

specifically what it means is that someone managed to unload xul.dll before the watchdogthread noticed it was dead and quit.
(In reply to comment #6)
> ok, that's a different crash.

Yes. I can not reproduce the original crash any more.
Brad, can you still reproduce this crash?
hiroyuki: we don't keep using a bug every time the general description matches. if we did, we'd only need 5 bugs ("make it fast", "something crashed", "it looks wrong", "do something cool", "it hurts my eyes"). please file a new bug.

For bugs involving module unloading, please get stack traces to where the module is unloaded.
Summary: crash while installing addon → crash while installing addon CSSParserImpl::`scalar deleting destructor' under ScopedXPCOMStartup::~ScopedXPCOMStartup
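An added example (not part of the original bug comments or of Mozilla's code): it parses the two Windows CE abort records quoted in this thread and tells the crashes apart, flagging the case where a Prefetch Abort faults at PC itself and PC resolves to no loaded module, and listing the modules unloaded before the abort. The function name `triage` and the keys of the findings are assumptions of this example.

```python
import re

# Both excerpts are copied from the logs quoted on this page.
FIRST_CRASH = """\
Data Abort: Thread=88ad9880 Proc=80458840 'fennec.exe'
AKY=00400001 PC=79177014(mozce_shunt.dll+0x00007014) RA=7917b790(mozce_shunt.dll+0x0000b790) BVA=68200408 FSR=00000007
"""
SECOND_CRASH = """\
Unload module: xul.dll
Unload module: sqlite3.dll
Unload module: js3250.dll
Unload module: smime3.dll
Unload module: ssl3.dll
Prefetch Abort: Thread=9fc01000 Proc=80096ec0 'fennec.exe'
Unload module: nss3.dll
AKY=00001001 PC=7a092fd0(???+0x7a092fd0) RA=7820c108(nspr4.dll+0x0003c108) BVA=7a092fd0 FSR=00000407
"""

ABORT = re.compile(r"^(Data|Prefetch) Abort: Thread=\w+ Proc=\w+ '([^']+)'")
REGS = re.compile(r"PC=(\w+)\(([^+]+)\+0x\w+\) RA=(\w+)\(([^+]+)\+0x(\w+)\) BVA=(\w+)")

def triage(log):
    """Return one finding (dict) per abort record in a Windows CE debug log."""
    unloaded, findings, pending = [], [], None
    for line in log.splitlines():
        if line.startswith("Unload module: "):
            unloaded.append(line.split(": ", 1)[1])
        elif (m := ABORT.match(line)):
            # Snapshot now: only modules unloaded before the abort are suspects.
            pending = {"kind": m.group(1), "process": m.group(2),
                       "unloaded_before": list(unloaded)}
        elif pending and (m := REGS.search(line)):
            pc, pc_mod, ra, ra_mod, ra_off, bva = m.groups()
            pending.update(pc_module=pc_mod, ra_module=ra_mod,
                           # Load base of the caller's module = RA - offset.
                           ra_module_base=int(ra, 16) - int(ra_off, 16))
            # Instruction fetch faulted at PC itself and the debugger could not
            # map PC to any loaded module: execution entered unmapped code.
            pending["pc_in_unmapped_code"] = (
                pending["kind"] == "Prefetch" and pc_mod == "???"
                and int(pc, 16) == int(bva, 16))
            findings.append(pending)
            pending = None
    return findings

if __name__ == "__main__":
    for name, log in (("first", FIRST_CRASH), ("second", SECOND_CRASH)):
        for f in triage(log):
            print(name, f["kind"], hex(f["ra_module_base"]),
                  f["pc_in_unmapped_code"], f["unloaded_before"])
```

The abort record and the `Unload module:` lines interleave in the debugger output, so the parser snapshots the unload list at the abort header rather than at the register line.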
(In reply to comment #7)
> Brad, can you still reproduce this crash?

I haven't seen this crash since I reported it, but I haven't been exercising this code path since then either.
I thought this crash could be reproduced once the crash (bug 494721) I mentioned in comment #4 was fixed, because the fix for that crash must make GC work again. I confirmed that ScopedXPCOMStartup::~ScopedXPCOMStartup was never called at exit of Fennec while I faced bug 494721. Now bug 494721 is fixed by the patch for bug 494973, and ScopedXPCOMStartup::~ScopedXPCOMStartup is called again; nevertheless, I can not reproduce this crash.
So if Brad can not confirm this crash again, this bug should be closed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
I was able to install GeoGuide and URL Fixer addons without any issue. Moving to verified via build:

Mozilla/5.0 (Windows; U; WindowsCE 5.2; en-US; rv:1.9.3a1pre) Gecko/20090826 Fennec/1.0a3pre
Status: RESOLVED → VERIFIED
Component: Windows Mobile → General
QA Contact: mobile-windows → general
Hardware: ARM → All