Crash [@ nsGenericElement::cycleCollection::Traverse] with focus() method, popup, menulist, treecols

RESOLVED FIXED in mozilla1.9.2a1

Status

Core
XPConnect
--
critical
RESOLVED FIXED
9 years ago
7 years ago

People

(Reporter: Martijn Wargers (zombie), Assigned: peterv)

Tracking

({crash, regression, testcase})

Trunk
mozilla1.9.2a1
x86
All
crash, regression, testcase
Points:
---
Bug Flags:
blocking1.9.2 +
in-testsuite ?

Firefox Tracking Flags

(status1.9.2 beta1-fixed)

Details

(Whiteboard: [ss:b2], crash signature)

Attachments

(3 attachments)

509 bytes, application/vnd.mozilla.xul+xml
v1: 2.40 KB, patch (jst: review+, mrbkap: superreview+)
721 bytes, application/vnd.mozilla.xul+xml
(Reporter)

Description

9 years ago
Created attachment 388517 [details]
testcase

See testcase, which crashes current trunk builds within 20 seconds or so.
This seems to have regressed between 2009-07-05 and 2009-07-06:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-07-05+05%3A00%3A00&enddate=2009-07-06+06%3A00%3A00
I guess a regression from bug 482788.

http://crash-stats.mozilla.com/report/index/b1d9c9ec-3c94-419c-b9b5-26f712090713
0  	XUL  	nsGenericElement::cycleCollection::Traverse  	 nsISupportsImpl.h:229
1 	XUL 	nsXULElement::cycleCollection::Traverse 	content/xul/content/src/nsXULElement.cpp:362
2 	XUL 	nsCycleCollector::MarkRoots 	xpcom/base/nsCycleCollector.cpp:1372
3 	XUL 	nsCycleCollector::BeginCollection 	xpcom/base/nsCycleCollector.cpp:2527
4 	XUL 	nsCycleCollector_beginCollection 	xpcom/base/nsCycleCollector.cpp:3109
5 	XUL 	XPCCycleCollectGCCallback 	js/src/xpconnect/src/nsXPConnect.cpp:390
6 	libmozjs.dylib 	js_GC 	js/src/jsgc.cpp:3505
7 	libmozjs.dylib 	libmozjs.dylib@0x5f07 	
8 	XUL 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:477
9 	XUL 	nsCycleCollector::Collect 	xpcom/base/nsCycleCollector.cpp:2407
10 	XUL 	nsCycleCollector_collect 	xpcom/base/nsCycleCollector.cpp:3097
11 	XUL 	GCTimerFired 	dom/base/nsJSEnvironment.cpp:3517
12 	XUL 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
13 	XUL 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:519
14 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
15 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
16 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
17 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:413
18 	CoreFoundation 	CFRunLoopRunSpecific
(Assignee)

Updated

9 years ago
Assignee: nobody → peterv
Target Milestone: --- → mozilla1.9.2a1
(Assignee)

Comment 1

9 years ago
Created attachment 388716 [details] [diff] [review]
v1

We end up creating two wrappers (during the call to the PreCreate hook). The fix is to detect that and return. Note that I return after checking for NS_SUCCESS_ALLOW_SLIM_WRAPPERS and checking the scopes. If the PreCreate hook returns NS_SUCCESS_ALLOW_SLIM_WRAPPERS or we're crossing scopes we'll return false to NativeInterface2JSObject, which tries to reget the cached wrapper and then does it cross-scope wrapping (after morphing if the cached wrapper is a slim wrapper).
Not sure what to do about the testcase. Martijn, does it crash quickly if you add calls to CC (I think you can do that through nsWindowUtils)?
Attachment #388716 - Flags: superreview?(mrbkap)
Attachment #388716 - Flags: review?(jst)
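
A toy C++ model of the re-entrancy described in comment 1, added here as an illustration and not taken from the attached patch or from XPConnect. `WrapperCache`, `preCreate`, `GetOrCreate` and `WrappersBuilt` are hypothetical names, and the slim-wrapper and scope checks mentioned in the comment are left out.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <vector>

// Toy model only: every type and function name here is hypothetical.
struct Native { int id; };
struct Wrapper { const Native* native; };

class WrapperCache {
public:
    // Hook run before a wrapper is built; it may re-enter GetOrCreate().
    std::function<void(const Native&)> preCreate;

    // recheck=false models the bug, recheck=true models the fix.
    Wrapper* GetOrCreate(const Native& n, bool recheck) {
        if (Wrapper* w = Lookup(n)) return w;
        if (preCreate) preCreate(n);  // may already build a wrapper for n
        if (recheck) {
            // The hook created the wrapper for us: detect that and return it.
            if (Wrapper* w = Lookup(n)) return w;
        }
        // Without the re-check, a second wrapper is built for the same native.
        all_.push_back(std::make_unique<Wrapper>(Wrapper{&n}));
        cache_[&n] = all_.back().get();
        return all_.back().get();
    }
    Wrapper* Lookup(const Native& n) const {
        auto it = cache_.find(&n);
        return it == cache_.end() ? nullptr : it->second;
    }
    int Built() const { return static_cast<int>(all_.size()); }
private:
    std::vector<std::unique_ptr<Wrapper>> all_;   // every wrapper ever built
    std::map<const Native*, Wrapper*> cache_;     // native -> cached wrapper
};

// Number of wrappers built for one native when the hook re-enters once.
int WrappersBuilt(bool recheck) {
    Native n{1};
    WrapperCache cache;
    bool inHook = false;
    cache.preCreate = [&](const Native& x) {
        if (inHook) return;  // re-enter only once
        inHook = true;
        cache.GetOrCreate(x, recheck);
    };
    cache.GetOrCreate(n, recheck);
    return cache.Built();
}

int main() { return WrappersBuilt(true) == 1 ? 0 : 1; }
```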
(Reporter)

Comment 2

9 years ago
Created attachment 388720 [details]
testcase2

Yeah, indeed, after using that and a location.reload(), it crashes reliably.

Updated

9 years ago
Attachment #388716 - Flags: superreview?(mrbkap) → superreview+

Updated

9 years ago
Attachment #388716 - Flags: review?(jst) → review+
Flags: blocking1.9.2?
Whiteboard: [ss:b2]
(Assignee)

Comment 3

9 years ago
http://hg.mozilla.org/mozilla-central/rev/f2c08c358c87

Working on the testcase. Had this ready to run as a crashtest, but they don't have the privileges needed to run CC. I'll probably do it as a mochitest.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED

Updated

9 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
status1.9.2: --- → beta1-fixed
Keywords: fixed1.9.2
Crash Signature: [@ nsGenericElement::cycleCollection::Traverse]