Closed Bug 50990 Opened 24 years ago Closed 24 years ago

crash in GlobalWindowImpl::InsertTimeoutIntoList

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 2000
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: sean, Assigned: jst)

Details

(Keywords: crash, helpwanted, Whiteboard: [nsbeta3-])

Attachments

(4 files)

win2k callstack
739 bytes, text/plain
Details
proposed fix
1.03 KB, patch
Details | Diff | Splinter Review
another patch
3.72 KB, patch
Details | Diff | Splinter Review
patch 'o the hour
2.02 KB, patch
Details | Diff | Splinter Review 
will attach stack trace.

GlobalWindowImpl::InsertTimeoutIntoList takes an argument: nsTimeoutImpl
**aList.  aList is null and a crash occurs in this line in nsGlobalWindow.cpp:
  while ((to = *aList) != nsnull) {

GlobalWindowImpl::InsertTimeoutIntoList is called by
GlobalWindowImpl::RunTimeout and passes mTimeoutInsertionPoint as the aList
argument.

built from the tip 8/30.
Attached file win2k callstack 

    
    

    
  
adding crash keyword

I'm working out a way to get some Beatnik content available that demonstrates
the problem.  This content should also demonstrate the problem with bug 50705 (I
found this bug while getting a testcase together for 50705).

Blocks: 50705
Keywords: crash

    
    

    
  
adding brendan since I see his hand in those lines recently. brendan, if this is
not yours just ignore. sean, when can you have a testcase?

    
    

    
  
I just unhorked all the crappy three-space "Fibonacci" indentation that Travis
inflicted on this file.  I didn't change anything substantive, as cvs diff -w
will confirm (I used GNU indent).

This must be a jst bug, by default -- although he's surely not to blame, he's
just the flak catcher.  Johnny, if you need help, holler.

/be
Assignee: asa → jst

    
    

    
  
Hopefully I'll have the testcase situation sorted out tomorrow.

    
    

    
  
changing dependencies.  There's a pretty good testcase for bug 50705.  Trying 
to build one for this bug, but 50705 is making it difficult.

No longer blocks: 50705

    
    

    
  
Marking nsbeta3+ and setting priority to P2...
Keywords: nsbeta3
Priority: P3 → P2
Whiteboard: [nsbeta3+]

    
    

    
  
This is definitely timing related.  I had a testcase that demonstrated the 
crash about 70% of the time.  However, it only demonstrated the crash on 1 of 3 
servers I tried it from.  The one server it happened from is internal.  And now 
that one case doesn't crash with today's pull but the original content that I 
experienced this with still crashes.

The testcase that used to work can be found at 
http://www.mindspring.com/~sean_/mozilla/timerlist/ (one of the servers that I 
couldn't repro from).

I can set you up with the original content but it requires signing an 
evaluation agreement for an alpha version of our free xpcom plugin (don't get 
me started...).  The plugin is only required because the content won't start if 
it is not installed.


    
    

    
  
The eval form is also required for the content itself.  From the form:
The "Evaluation Technology" shall mean: A modified version of an already 
publicly available currently released eMix... 

adding beatnik keyword


Keywords: beatnik

    
    

    
  
Marking nsbeta3- (ekrock, nisheeth).  Sean, can you try and fix this, please.  
We can't reproduce this in house.
Keywords: helpwanted
Whiteboard: [nsbeta3+] → [nsbeta3-]

    
    

    
  
Well it's easy enough to add:

NS_ASSERTION(aList, "GlobalWindowImpl::InsertTimeoutIntoList null timeoutList");
if (aList == nsnull)
  return;

to the top of GlobalWindowImpl::InsertTimeoutIntoList() to prevent this 
particular crash.

But, the next time GlobalWindowImpl::RunTimeout() is called, there's a crash 
because 'this' has been deleted.  Looks like a timeout is firing on a non-
existent window.

nsGlobalWindow_RunTimeout() does the following:

timeout->window->RunTimeout(timeout)

where window is garbage (0xfeeefeee).


    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed fixSplinter Review
      

    


  

    
    

    
  
I've attached a proposed fix.  I looked around in nsGlobalWindow.cpp and saw 
this being used:

        insertion_point = (mTimeoutInsertionPoint == NULL)
                          ? &mTimeouts : mTimeoutInsertionPoint;

So I modified the call that was passing in a null pointer so that it doesn't 
blindly pass in mTimeoutInsertionPoint.

This patch addresses the crash and the followup crash I mentioned in my last 
post.  Now I'm only seeing bug 50705 in regards to timeout/intervals.

Johnny or Brendan, care to review?


Keywords: review

    
    

    
  
You know, I always wondered why null was a valid state for the insertion point. 
Typically you can avoid that special case, which seems to cause the insertion
point to be reset to &mTimeouts, simply by initializing mTimeoutInsertionPoint
to &mTimeouts and resetting it directly to that address.

Sean, care to try that state reduction?  Or am I missing something else that a
null value means?

/be

    
    

    
  

      
      
      
      

        Attached patch
          
          
        another patchSplinter Review
      

    


  

    
    

    
  
added another patch that clears up the crash.  I didn't limit changes to only 
the initialization of mTimeoutInsertionPoint since it gets modified in several 
places (and was explicitly set to nsnull in one more place than the class ctor).

    
    

    
  
I'm confused, why did you make changes of this sort:

-  mTimeoutInsertionPoint = last_insertion_point;
+  if (last_insertion_point)
+    mTimeoutInsertionPoint = last_insertion_point;
+  else
+    mTimeoutInsertionPoint = &mTimeouts;

last_insertion_point is never set to null, it is only set (once) to
mTimeoutInsertionPoint.  So there is no need for these changes to its uses.

/be

    
    

    
  


  

    
    

    
  
My fault - missed that initialization of last insertion point.


    
    

    
  
Looks good to me -- jst, can you give an r=?  If so, a=brendan@mozilla.org.

/be

    
    

    
  
Looks good to me. Sean, I assume you've given this a fair ammount of testing
with timeouts in JS, right? If so, then r=jst, thanks for fixing this!

    
    

    
  
thanks guys - checked in.

Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED

    
    

    
  
Works for Me
Platform: PC
OS: Windows 98
Mozilla Version: 2000100508

Marking as Verified

Status: RESOLVED → VERIFIED

    
  
Keywords: beatnik

    
  
Component: Browser-General → DOM Level 0
QA Contact: doron → desale

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: