498639 - Crash [@ nsXULDocument::GetElementById] with observes, DOMAttrModified and overflow event handler

Status: RESOLVED WORKSFORME

(Core :: XUL, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which usually crashes within 1 minute or so.
It doesn't seem to crash in Firefox3.0.x, but it does crash in Firefox3.5.
I'm not sure if it would be able to make a testcase that crashes in Firefox3.0.x, I suspect it would be possible. That this testcase doesn't crash in Firefox3.0.x might very well be because of unrelated code changes on trunk/Firefox 3.5. 

http://crash-stats.mozilla.com/report/index/2dc92dbe-573b-4a6c-9a6f-8ff402090615?p=1
0  	ntdll.dll  	ntdll.dll@0xe514  	
1 	xul.dll 	google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:562
2 	xul.dll 	google_breakpad::ExceptionHandler::HandlePureVirtualCall 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:506
3 	mozcrt19.dll 	_purecall 	obj-firefox/memory/jemalloc/crtsrc/purevirt.c:47
4 	xul.dll 	nsXULDocument::GetElementById 	content/xul/document/src/nsXULDocument.cpp:1666
5 	xul.dll 	xul.dll@0x8e70ef 

Firefox3.5 crash report:
http://crash-stats.mozilla.com/report/index/65b7723c-9b2b-4f82-8449-9f3b92090616?p=1
0  	ntdll.dll  	ntdll.dll@0xe514  	
1 	kernel32.dll 	kernel32.dll@0x2541 	
2 	xul.dll 	google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:562
3 	xul.dll 	google_breakpad::ExceptionHandler::HandlePureVirtualCall 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:506
4 	mozcrt19.dll 	_purecall 	obj-firefox/memory/jemalloc/src/purevirt.c:47
5 	xul.dll 	nsXULDocument::GetElementById 	content/xul/document/src/nsXULDocument.cpp:1666
6 	xul.dll 	nsXULElement::QueryInterface 	content/xul/content/src/nsXULElement.cpp:378
7 	xul.dll 	nsXULDocument::FindBroadcaster 	content/xul/document/src/nsXULDocument.cpp:4327
8 	xul.dll 	nsXULDocument::RemoveSubtreeFromDocument 	content/xul/document/src/nsXULDocument.cpp:1837
9 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/src/jemalloc.c:4565
10 	xul.dll 	xptiInterfaceInfo::Release 	xpcom/reflect/xptinfo/src/xptiInterfaceInfo.cpp:786
11 	xul.dll 	nsDependentString::~nsDependentString 	
12 	xul.dll 	nsWindowSH::GlobalResolve 	dom/src/base/nsDOMClassInfo.cpp:5812
13 	xul.dll 	nsWindowSH::NewResolve 	dom/src/base/nsDOMClassInfo.cpp:6213
14 	xul.dll 	nsBindingManager::GetBindingImplementation 	content/xbl/src/nsBindingManager.cpp:1249
15 	xul.dll 	nsBindingManager::GetNestedInsertionPoint 	content/xbl/src/nsBindingManager.cpp:1371

Comment 1

[Martijn Wargers (dead)]

It doesn't seem to crash online. In that case, test it locally, or test 'offline'.
Multiple tabs open with the testcase may also speed up the occurrence of the crash.

Comment 2

[Martijn Wargers (dead)]

I suspect this is related to bug 497448.

Comment 3

[Brandon Sterne (:bsterne)]

Martijn, when was the last time you reproduced this crash?  I could not get a crash on any Windows build from 1.9.0 thru 1.9.2, and I did test locally.

Comment 4

[Brandon Sterne (:bsterne)]

I'm uncomfortable marking this WFM as I'm unable to reproduce the crash, even using Firefox 3.5.  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

I'm wondering if I'm not running the test the same way you originally did when you filed the bug.  I did save the testcase locally and load it from there.  Any other tips on getting this to reproduce?