Closed Bug 498530 Opened 15 years ago Closed 15 years ago

Firefox crashes [@ memmove | nsTArray_base::ShiftData | nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementsAt] after updating text box triggering update of AJAX based page

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Version:
1.9.1 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: msrollin, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, verified1.9.1)

Crash Data

Attachments

(3 files, 1 obsolete file)

Patch to that effect
1.03 KB, patch
smaug
: review-
smaug
: superreview-
Details | Diff | Splinter Review
correct zipped up testcase2
701 bytes, application/zip
Details
compiles
912 bytes, patch
smaug
: review+
smaug
: superreview+
beltzner
: approval1.9.1.1+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.9) Gecko/2009050519 Iceweasel/3.0.6 (Debian-3.0.6-1)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99 (.NET CLR 3.5.30729)

Firefox crashes after adding attendee by name (not smtp address) in Scalix Web Access (SWA) in Scalix 11.4.4 installation.

Reproducible: Always

Steps to Reproduce:
1.Log into http://mail.bamail.net/webmail with username: firefox and password: firefox
2.Type CTRL-SHIFT-A or File->New->Appointment in the popup window that appears
3. Click the scheduling tab
4. Type the name "mozilla" (without quotes) into the text box where it says "Click here to add a name"
5. Hit tab to change the focus from the text box
Actual Results:  
Firefox crashes.

Expected Results:  
The text box should update and the firefox should allow the user to click Save at the top of the page.

Worked in Firefox 3.5b4, crashes in Firefox 3.5b99.
No changes to server, all saved content/cookies etc cleared before reproducing crash.
Flags: blocking-firefox3.5?
Can you try this with the JIT off? Go into about:config and flip the value of javascript.options.jit.content to false.
works for me, OSX, latest branch nightly

Error: setting a property that has only a getter
Source File: http://mail.bamail.net/webmail/wnd_ComposeAppt.jsp?locale=en_US
Line: 1

shows in the error console, fwiw
The issue still occurs in the latest nightly.

With respect to comment 2, the error in the console has been there for some time without causing any noticeable issues with Firefox.

Turning off the JIT compiler does not resolve the issue.

Submitted two crash dumps (one with JIT enabled and one with it disabled) with a note to associate it with this bug.
Can you post the link to the crash reports here? I'm assuming you're using Windows?
I can reproduce this with Gecko/20090616 Shiretoko/3.5pre.

>	00841110()	
 	xul.dll!nsAutoPtr<txTemplateItem>::~nsAutoPtr<txTemplateItem>()  Line 105	C++
 	xul.dll!txLocPathPattern::Step::`scalar deleting destructor'()  + 0x9 bytes	C++
 	xul.dll!nsTArrayElementTraits<txLocPathPattern::Step>::Destruct(txLocPathPattern::Step * e=0x6342d290)  Line 198	C++
 	xul.dll!nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::DestructRange(unsigned int start=0, unsigned int count=1)  Line 763 + 0x6 bytes	C++
 	xul.dll!nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementsAt(unsigned int start=0, unsigned int count=1)  Line 600	C++
 	xul.dll!nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementAt(unsigned int index=0)  Line 606	C++
 	xul.dll!PresShell::FireOrClearDelayedEvents(int aFireEvents=9809920)  + 0x14c9f2 bytes	C++
 	xul.dll!FireOrClearDelayedEvents(nsTArray<nsCOMPtr<nsIDocument> > & aDocuments={...}, int aFireEvents=1)  Line 7492	C++
 	xul.dll!nsDelayedEventDispatcher::Run()  Line 7508 + 0xf bytes	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x002ef578)  Line 511	C++
 	xul.dll!nsBaseAppShell::Run()  Line 169	C++
 	xul.dll!nsAppStartup::Run()  Line 194	C++
 	xul.dll!XRE_main(int argc=, char * * argv=, const nsXREAppData * aAppData=)  Line 3300	C++
 	xul.dll!nsLocalFile::GetParent(nsIFile * * aParent=0x62c0c8cb)  Line 2250 + 0x94 bytes	C++
 	xul.dll!nsCOMPtr_base::~nsCOMPtr_base()  Line 82	C++
 	firefox.exe!wmain(int argc=1, wchar_t * * argv=0x00819100)  Line 110 + 0xe6 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 591 + 0x19 bytes	C
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0x12 bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x27 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes
Looks to maybe be cycle collector related, and windows-only?
Keywords: regressionwindow-wanted
Flags: blocking-firefox3.5?
Product: Firefox → Core
QA Contact: general → general
Flags: blocking1.9.1?
Hi guys !
Maybe the same issue like this one :
https://bugzilla.mozilla.org/show_bug.cgi?id=498305
I haven't tested 3.5pre on any linux boxes.  I'll try later.
I can reproduce this:
http://crash-stats.mozilla.com/report/index/f22fe199-046d-4581-8aba-9d6372090616?p=1
0  	mozcrt19.dll  	memmove  	 MEMCPY.ASM:188
1 	xul.dll 	nsTArray_base::ShiftData 	obj-firefox/xpcom/build/nsTArray.cpp:173
2 	xul.dll 	nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementsAt 	obj-firefox/dist/include/nsTArray.h:664
3 	xul.dll 	nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementAt 	obj-firefox/dist/include/nsTArray.h:669
4 	xul.dll 	xul.dll@0x335743 	
5 	xul.dll 	FireOrClearDelayedEvents 	content/base/src/nsDocument.cpp:7508
6 	xul.dll 	nsDelayedEventDispatcher::Run 	content/base/src/nsDocument.cpp:7525
7 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
8 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
9 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
10 	nspr4.dll 	PR_GetEnv 	
11 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
12 	firefox.exe 	firefox.exe@0x21a7 	
13 	kernel32.dll 	kernel32.dll@0x17076 

I attached zipped up testcase2 in bug 494617 that seems to trigger the same stacktrace as this crash, so it seems likely related to this. I guess the patch in bug 494617 doesn't fix this crash, as I initially thought the 2nd testcase was related to that bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Firefox crashes after updating text box triggering update of AJAX based page → Firefox crashes [@ memmove] after updating text box triggering update of AJAX based page
This is the zipped up testcase2 that I mentioned. It uses enhanced privileges, so you need to download it to your computer and give it the privileges it asks for.
I hit the crash while keeping the tab key pressed on the testcase.
I haven't looked for a regression range yet, I'll look for it later, in a few hours (if someone else does it before me, thanks).
Almost certainly a regression from bug 333198.

This code in PresShell::FireOrClearDelayedEvents looks suspicious to me:

6784     while (mDelayedEvents.Length() && !doc->EventHandlingSuppressed()) {
6785       mDelayedEvents[0]->Dispatch(this);
6786       mDelayedEvents.RemoveElementAt(0);
6787     }

What ensures that the Dispatch() call won't clear mDelayedEvents (e.g. via reentering this function), or even call Destroy() on the presshell?  I think this would be better written as:

  while (!mIsDestroying && mDelayedEvents.Length() &&
         !doc->EventHandlingSuppressed()) {
    nsAutoPtr<nsDelayedEvent> ev = mDelatedEvents[0].forget();
    mDelayedEvents.RemoveElementAt(0);
    ev->Dispatch(this);
  }

or something along those lines.  Olli, thoughts?
Blocks: 333198
(In reply to comment #13)
>   while (!mIsDestroying && mDelayedEvents.Length() &&
>          !doc->EventHandlingSuppressed()) {
>     nsAutoPtr<nsDelayedEvent> ev = mDelatedEvents[0].forget();
>     mDelayedEvents.RemoveElementAt(0);
>     ev->Dispatch(this);
>   }
> 
> or something along those lines.  Olli, thoughts?
Makes sense.

        Attachment #383498 -
        Flags: superreview?(Olli.Pettay)

        Attachment #383498 -
        Flags: review?(Olli.Pettay)

        Attachment #383498 -
        Flags: superreview?(Olli.Pettay)

        Attachment #383498 -
        Flags: superreview+

        Attachment #383498 -
        Flags: review?(Olli.Pettay)

        Attachment #383498 -
        Flags: review+

    
    

    
  


  
Sorry, I uploaded a wrong zipped up testcase, this one does crash.
Not that it doesn't seem to crash in the latest trunk build, presumably, because of the check-in of the new focus manager patch, but it doesn at least crash in a 2009-06-06 build.

        Attachment #383481 -
        Attachment is obsolete: true

        Attachment #383498 -
        Flags: superreview-

        Attachment #383498 -
        Flags: superreview+

        Attachment #383498 -
        Flags: review-

        Attachment #383498 -
        Flags: review+

    
    

    
  
Comment on attachment 383498 [details] [diff] [review]
Patch to that effect

Doesn't compile on OSX

    
    

    
  

      
      
      
      

        Attached patch
          
          
        compilesSplinter Review
      

    


  
Fixes the latest testcase

    
    

    
  
Comment on attachment 383507 [details] [diff] [review]
compiles

This is bz's patch + a small compilation fix.

        Attachment #383507 -
        Flags: superreview+

        Attachment #383507 -
        Flags: review+

    
    

    
  
Pushed http://hg.mozilla.org/mozilla-central/rev/341423c8e1f6
Assignee: nobody → bzbarsky
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted1.9.1.x?
Flags: in-testsuite?
Keywords: regressionwindow-wanted
Resolution: --- → FIXED

    
  

        Attachment #383507 -
        Flags: approval1.9.1?

    
    

    
  
I uploaded the patch to tryserver (using 1.9.1 hg repo).
If anyone who can reproduce the original crash could test the build.
It will appear here https://build.mozilla.org/tryserver-builds/?C=M;O=D suppression_crash in its name.

    
    

    
  
Verified the issue has been resolved with the suppression_crash build.
No crash and behavior is the same as Firefox 3.5b4.
Status: RESOLVED → VERIFIED

    
    

    
  
bz: should we block 3.5 release on this? Not sure how common a pattern it is. This is our first report.

    
    

    
  
I don't know how common this is... but the fact that we're basically running afoul of touching memory we shouldn't worries me.  It's a very safe patch, so I think we should take in on branch if we're going to take anything else, at the very least.
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1

    
    

    
  
Well, not sure if this plays a role for your decision-making process, but it is basically a red flag for 3.5 for our AJAX-based Email and calendaring solution.

We have 10000s of users using Scalix Web Access on Firefox for their desktop mail and calendar and a very basic usecase is affected, i.e. adding an attendee to an appointment, see https://bugzilla.scalix.com/show_bug.cgi?id=20116 for details. 

I am not sure if we could drop-in a code-level workaround, but if that cannot be done in a simple and safe and sensical way, we have to publicly declare FF3.5 unsupported and unuseable for it.

Furthermore, given the JS around the area where the problem occurs is far away from being extremely complex, I must assume that other AJAX-based apps will be affected as well.

So at least in my world, all-in-all, it would qualify as a blocker for a release.

(This bug was filed by Michael as a followup of our QA regression testing of the product on upcoming browser versions)

    
    

    
  
This was pushed to 1.9.1 (see keyword 'verified1.9.1') and will be included in 3.5 RC2.

    
    

    
  
Verified fix on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5

Testcase from comment 0 and comment 16 pass on rc2build2.
Keywords: fixed1.9.1verified1.9.1

    
    

    
  
Verification on Linux would be fine too since it happens on all platforms.
Keywords: crash
OS: Windows XP → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
Version: unspecified → 1.9.1 Branch

    
    

    
  
Also verified on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5
Flags: wanted1.9.1.x?
Flags: wanted1.9.1.x+
Flags: blocking1.9.1.1+
Blocks: 503560

    
  
Summary: Firefox crashes [@ memmove] after updating text box triggering update of AJAX based page → Firefox crashes [@ memmove | nsTArray_base::ShiftData | nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementsAt] after updating text box triggering update of AJAX based page

    
    

    
  
This doesn't need to block 1.9.1.1 since, uh, it's already fixed. :) Please renom if I missed something.
Flags: wanted1.9.1.x+
Flags: blocking1.9.1.1+

        Attachment #383507 -
        Flags: approval1.9.1? → approval1.9.1.1+
Crash Signature: [@ memmove | nsTArray_base::ShiftData | nsTArray<nsAutoPtr<PresShell::nsDelayedEvent> >::RemoveElementsAt]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: