Closed Bug 516113 Opened 15 years ago Closed 15 years ago

Startup crash [@ PL_DHashTableOperate | free | nsEventListenerManager::AddEventListenerByType(nsIDOMEventListener*, nsAString_internal const&, int, nsIDOMEventGroup*)]

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Version:
1.9.1 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta4-fixed

People

(Reporter: morac, Assigned: smaug)

References

Details

(Keywords: crash, dev-doc-needed, topcrash, Whiteboard: [crashkill])

Crash Data

Attachments

(3 files)

guess fix
991 bytes, patch
sicking
: review+
Details | Diff | Splinter Review
"xpcom-will-shutdown"
5.08 KB, patch
benjamin
: review+
Details | Diff | Splinter Review
Same thing for 1.9.2
3.63 KB, patch
Details | Diff | Splinter Review 
I installed a program which opened a locally stored .htm file.  This launched Firefox which promptly crashed.  The .htm file opened fine when I restarted from the Crash Reporter so it's not reproducible.  This is the first time I've seen it.  The only changes to my system made lately were upgrading to Firefox 3.5.3 and also upgrading from Norton Internet Security 2009 to 2010.

http://crash-stats.mozilla.com/report/index/4e0cefed-bd97-4e5f-9c6d-95f212090911
Summary: [@PL_DHashTableOperate ] crash on browser start up → [@PL_DHashTableOperate | free | nsEventListenerManager::AddEventListenerByType] crash on browser start up
Summary: [@PL_DHashTableOperate | free | nsEventListenerManager::AddEventListenerByType] crash on browser start up → Startup crash [@ nsEventListenerManager::AddEventListenerByType(nsIDOMEventListener*,nsAString_internal const&,int,nsIDOMEventGroup*)]
Summary: Startup crash [@ nsEventListenerManager::AddEventListenerByType(nsIDOMEventListener*,nsAString_internal const&,int,nsIDOMEventGroup*)] → Startup crash [@ PL_DHashTableOperate | free | nsEventListenerManager::AddEventListenerByType(nsIDOMEventListener*, nsAString_internal const&, int, nsIDOMEventGroup*)]
Olli, can you have a look at this topcrash? It appears to be happening on startup, and is possibly simply a nullpointer deref.
Assignee: nobody → Olli.Pettay
Keywords: topcrash
The stack traces like http://crash-stats.mozilla.com/report/index/3a829991-c85d-42cf-8d3b-2eb892091019 have something strange in #10/#11.
Attached patch guess fixSplinter Review 
Though, I'm not sure how this could be happening.
Does something in #11 shutdown gklayout?
Comment on attachment 407239 [details] [diff] [review]
guess fix

jst can hook you up with minidumps which should help you tell is sEventTable is null.

Would be good to verify that that is in fact the case.

r=me on this in any event.
Attachment #407239 - Flags: review+
The stack traces are a bit strange, so it is also possible that
the hashtable isn't initialized. Though, in that case sEventTable
really must be null too, if I read nsContentUtils correctly.
Whiteboard: [crashkill]
(In reply to comment #4)
> (From update of attachment 407239 [details] [diff] [review])
> jst can hook you up with minidumps which should help you tell is sEventTable is
> null.
Minidumps do show that the table is null when PL_DHashTableOperate is called.

But I still don't understand why. Is the gklayout not yet initialized properly?
Ah, hmm, the stack something strange.

...
xul!nsAppShellService::CreateTopLevelWindow+0x46
xul!nsAppStartup::CreateChromeWindow2+0x75
xul!nsWindowWatcher::OpenWindowJSInternal+0x404
xul!nsWindowWatcher::OpenWindow+0x150
xul!NS_InvokeByIndex_P+0x27
xul!XPCWrappedNative::CallMethod+0x4c0
mozcrt19!arena_malloc_small+0x125
js3250!js_DefineNativeProperty+0x19c

Why on earth do we have the js part there, and what is malloc doing?
Group: core-security
Looks like  Bug 524256 is needed.
Depends on: 524256
Any progress here?
This is blocked by bug 524256. So when some new release with that fixed
gives reasonable minidumps, I can re-try.
Currently I can't see this in 3.5.6pre or 3.6.b2pre crash list.

Jst, could you check if there are 3.5.6pre or 3.6b2pre minidumps for this?
Bug 524256 is fixed now (for 1.9.2 and trunk), but I'm not sure that helps.
For the record, I found one (and only one) minidump for smaug for the requested version(s).
The stack doesn't still go all the way up.

...
nsWindowWatcher::OpenWindow
NS_InvokeByIndex_P
XPCWrappedNative::CallMethod
js_DefineNativeProperty


Ted, do we have stack size limit or something like that for crash dumps?
I would expect main() to be somewhere in the stack, but that is not what I
get from minidumps in this case.

What is really needed here is to understand who calls the method OpenWindow
Somehow OpenWindow is called either before gklayout is initialized, or after
it has been shutdown.

Or, is it possible that js_DefineNativeProperty does something wrong :/
We just call MinidumpWriteDump from Microsoft's dbghelp.dll on Windows. I don't know what that method does internally, but I would expect that it simply dumps the raw contents of stack memory. (this is what Breakpad's implementation on Mac and Linux does)

Is the dump you're using from a 3.5.x release? bug 524256 only landed on trunk and 1.9.2 so far (I just requested approval for 1.9.1.7). You can probably manually reconstruct the stack, there's a MSDN article on how to do that with WinDBG:
http://msdn.microsoft.com/en-us/library/cc267826.aspx
(In reply to comment #14)
> Is the dump you're using from a 3.5.x release? bug 524256 only landed on trunk
> and 1.9.2 so far (I just requested approval for 1.9.1.7).
Oh, I thought it landed to 1.9.1 too, since there is the comment
"Pushed changeset e3756eea61f0 to releases/mozilla-1.9.1"
That is confusing, I'll ask Neil what happened there.
So here's a manually unwound stack part of the way. I'll see if I can get the stuff that comes after XPC_WN_CallMethod

Thread 0 (crashed)
FUNC 56030 2f3 4 PL_DHashTableOperate
 0  xul.dll + 0x56039
    eip = 0x10056039   esp = 0x0012e64c   ebp = 0x0012e738   ebx = 0x00000000
    esi = 0x0093ba00   edi = 0x00000000   eax = 0x01ba119c   ecx = 0x00000000
    edx = 0x01ba119c   efl = 0x00010206
    Found by: given as instruction pointer in context

FUNC 158016 e1 0 nsWindowRoot::nsWindowRoot(nsIDOMWindow *)
1  xul.dll + 0x1580a4
    eip = 0x101580a5   esp = 0x0012e740   ebp = 0x0012e76c
    Found by: previous frame's frame pointer

FUNC 1b8569 3f 8 NS_NewWindowRoot(nsIDOMWindow *,nsPIDOMEventTarget * *)
 2  xul.dll + 0x1b8580
    eip = 0x101b8581   esp = 0x0012e774   ebp = 0x0012e79c
    Found by: previous frame's frame pointer

FUNC 14be0 166 4 nsDocShell::EnsureScriptEnvironment()
 3  xul.dll + 0x14cef
    eip = 0x10014cf0   esp = 0x0012e7a4   ebp = 0x0012e7d4
    Found by: previous frame's frame pointer

FUNC 16e60 4af c nsDocShell::GetInterface(nsID const &,void * *)
 4  xul.dll + 0x16ff8
    eip = 0x10016ff9   esp = 0x0012e7dc   ebp = 0x0012e830
    Found by: previous frame's frame pointer

FUNC 51a00 30 4 nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const &,nsID const &)
 5  xul.dll + 0x51a16
    eip = 0x10051a17   esp = 0x0012e838   ebp = 0x0012e874
    Found by: previous frame's frame pointer

FUNC 1bf350 68 20 nsAppShellService::CreateTopLevelWindow(nsIXULWindow *,nsIURI *,unsigned int,int,int,nsIAppShell *,nsIXULWindow * *)
 6  xul.dll + 0x1bf395
    eip = 0x101bf396   esp = 0x0012e87c   ebp = 0x0012e894
    Found by: previous frame's frame pointer

 7  xul.dll + 0x1a0f1f
    eip = 0x101a0f20   esp = 0x0012e89c   ebp = 0x0012e8d4
    Found by: previous frame's frame pointer

FUNC 114494 918 1c nsWindowWatcher::OpenWindowJSInternal(nsIDOMWindow *,char const *,char const *,char const *,int,nsIArray *,int,nsIDOMWindow * *)
 8  xul.dll + 0x114886
    eip = 0x10114887   esp = 0x0012e8dc   ebp = 0x0012eb24
    Found by: previous frame's frame pointer

FUNC 167346 161 1c nsWindowWatcher::OpenWindow(nsIDOMWindow *,char const *,char const *,char const *,nsISupports *,nsIDOMWindow * *)
 9  xul.dll + 0x167484
    eip = 0x10167485   esp = 0x0012eb2c   ebp = 0x0012eb8c
    Found by: previous frame's frame pointer

FUNC 21134a 2b 10 NS_InvokeByIndex_P
10  xul.dll + 0x211370
    eip = 0x10211371   esp = 0x0012eb94   ebp = 0x0012ebc8
    Found by: previous frame's frame pointer

FUNC 58e00 1a78 8 XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode)
11  xul.dll + 0x592d7
    eip = 0x100592d8   esp = 0x0012ebd0   ebp = 0x0012eda8
    Found by: previous frame's frame pointer

FUNC 5c970 1c6 14 XPC_WN_CallMethod(JSContext *,JSObject *,unsigned int,int *,int *)
12  xul.dll + 0x5ca86
    eip = 0x1005ca87   esp = 0x0012edb0   ebp = 0x00000000
    Found by: previous frame's frame pointer

13  xul.dll + 0x8b78df
    eip = 0x108b78e0   esp = 0x0012edd4   ebp = 0x00000000
    Found by: stack scanning
Here's some stuff that comes after that:

1005c970
FUNC 5c970 1c6 14 XPC_WN_CallMethod(JSContext *,JSObject *,unsigned int,int *,int *)

1008bd16
FUNC 8bbd0 14e 8 nsXPCWrappedJS::nsXPCWrappedJS(XPCCallContext &,JSObject *,nsXPCWrappedJSClass *,nsXPCWrappedJS *,nsISupports *)

FUNC 5f150 109b 2c XPCConvert::NativeInterface2JSObject(XPCCallContext &,int *,nsIXPConnectJSObjectHolder * *,nsISupports *,nsID const *,XPCNativeInt
1005f3ef

FUNC 5f150 109b 2c XPCConvert::NativeInterface2JSObject(XPCCallContext &,int *,nsIXPConnectJSObjectHolder * *,nsISupports *,nsID const *,XPCNativeInt
1005f4f2

FUNC 5f150 109b 2c XPCConvert::NativeInterface2JSObject(XPCCallContext &,int *,n
1005f494

FUNC 5d920 12a2 14 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *)
1005df64

FUNC bcb20 53 c nsLocalFile::Equals(nsIHashable *,int *)
100bcb6c

1005694e

FUNC 2b830 48c c mozJSComponentLoader::LoadModule(nsILocalFile *,nsIModule * *)
1002bc8d

FUNC 2114d6 138 10 PrepareAndDispatch
102115bd

1003bb9e

FUNC 28f102 19 c Substring(nsACString_internal const &,unsigned int,unsigned int)
1028f116


More to come...
Here's the rest. Note: these stacks can be pretty inaccurate but should still be useful.

1003bb9e

FUNC 28f102 19 c Substring(nsACString_internal const &,unsigned int,unsigned int)
1028f116

FUNC 72bc0 3b 10 nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *)
10072bf8

FUNC 2114d6 138 10 PrepareAndDispatch
102115bd

FUNC 6e7a0 22e 4 nsXPCWrappedJS::Release()
1006e7e7

FUNC 52760 557 10 nsComponentManagerImpl::GetServiceByContractID(char const *,nsID const &,void * *)
10052c03

FUNC 21160e 26 0 SharedStub
10211624

FUNC 1e02bc f c EnumValidate
101e02ca

FUNC 132bb2 20d c nsCommandLine::EnumerateHandlers(unsigned int (*)(nsICommandLineHandler *,nsICommandLine *,void *),voi
d *)
10132d39

FUNC 1e02bc f c EnumValidate
101e02bc

FUNC 1c27f5 3d 4 nsCommandLine::Run()
101c2821

FUNC 1e02bc f c EnumValidate
101e02bc

FUNC 6ccea2 24a c nsNativeAppSupportWin::HandleCommandLine(char const *,nsIFile *,unsigned int)
106cd0ce

FUNC 4861bb 8e c nsNativeAppSupportWin::ParseDDEArg(unsigned short const *,int,nsString &)
1048620c

FUNC 4861bb 8e c nsNativeAppSupportWin::ParseDDEArg(unsigned short const *,int,nsString &)
10486232

FUNC 4861bb 8e c nsNativeAppSupportWin::ParseDDEArg(unsigned short const *,int,nsString &)
10486245

FUNC 3eaaa3 19 c nsAString_internal::Replace(unsigned int,unsigned int,nsAString_internal const &)
103eaab9

FUNC 73e403 5bd 20 nsNativeAppSupportWin::HandleDDENotification(unsigned int,unsigned int,HCONV__ *,HSZ__ *,HSZ__ *,HDDEDATA__ *,unsigned long,unsign
1073e97e

FUNC 73e403 5bd 20 nsNativeAppSupportWin::HandleDDENotification(unsigned int,unsigned int,HCONV__ *,HSZ__ *,HSZ__ *,HDDEDATA__ *,unsigned long,unsign
1073e403

FUNC a04c0 c5 4 nsAppShell::ProcessNextNativeEvent(int)
100a056e

FUNC 88850 2cc 10 nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal *,int,unsigned int)
100888ea

FUNC 872f0 45e c nsThread::ProcessNextEvent(int,int *)
10087475

FUNC f1a4c 33 8 NS_ProcessNextEvent_P(nsIThread *,int)
100f1a6c

FUNC f1a7f d0 4 nsThread::Shutdown()
100f1b47

FUNC 1a02d4 ea 4 nsSocketTransportService::Shutdown()
101a035a

FUNC 178440 d3 8 nsIOService::SetOffline(int)
101784ea

FUNC 1ad38b 63 0 nsIOService::TrackNetworkLinkStatusForOffline()
101ad335

FUNC a5180 a0 4 nsTimerImpl::Release()
100a51d8

FUNC 17a640 ae 0 mozJSComponentLoader::CloseFastLoad()
1017a6ec

FUNC 1afc1e 56 10 mozJSComponentLoader::Observe(nsISupports *,char const *,unsigned short const *)
101afc4c

FUNC 28420 fb 10 nsObserverService::NotifyObservers(nsISupports *,char const *,unsigned short const *)
10028509

FUNC 172904 223 4 NS_ShutdownXPCOM_P
10172995

FUNC 1be3c0 44 0 ScopedXPCOMStartup::~ScopedXPCOMStartup()
101be3f5

FUNC 10f988 f88 c XRE_main
10110814

FUNC 51250 61f 8 nsLocalFile::GetParent(nsIFile * *)
100517a9

FUNC 54680 d9 4 nsLocalFile::Release()
10054693

FUNC 56940 f 0 nsCOMPtr_base::~nsCOMPtr_base()
1005694e

FUNC 1b3e4b bf 8 XRE_CreateAppData
101b3f04
To me this looks like we're processing DDE/commandline handlers *after*
shutting down gklayout. And that is bad.

Benjamin, perhaps you know the reason for that, or
is that just a bug?
The same reason might cause Bug 525575.
And Jeff, thanks!
Could you please write down somewhere how to get that data out of
minidumps.
I think that's just a bug. There is a nsINativeAppSupport::Quit API, but we don't appear to be using it any more. I'm going to have to troll through history a bit and figure out if/when it got removed.
Assignee: Olli.Pettay → benjamin
(In reply to comment #22)
> And Jeff, thanks!
> Could you please write down somewhere how to get that data out of
> minidumps.

I've added some instructions to https://developer.mozilla.org/en/Debugging_a_minidump Hopefully they make sense.
nsNativeAppSupportWin::Quit is called by a quit-application observer. We don't always fire quit-application observers, though, especially when we're in the initial restart sequence.

It's also really strange that we have this nsINativeAppSupport::Stop and ::Quit API which we hardly ever use.
It's certainly possible to imagine that we posted a "process a remote command line" event, then started the shutdown sequence that led to this crash, and I'm not sure there's a lot we can do about that from the startup sequence.
Assignee: benjamin → Olli.Pettay
(In reply to comment #25)
> nsNativeAppSupportWin::Quit is called by a quit-application observer. We don't
> always fire quit-application observers, though, especially when we're in the
> initial restart sequence.
Well, then nsNativeAppSupportWin needs to observe some other notification.
Something like this could work.
Benjamin, is this even close to something that you could accept?
yes
Comment on attachment 413093 [details] [diff] [review]
"xpcom-will-shutdown"

I tried this manually.
Without the patch trying to open a new window in an xpcom-shutdown observer leads to a crash (not necessarily in nsEventListenerManager::AddEventListenerByType).
The patch fixes the crash.
Attachment #413093 - Flags: review?(benjamin)
Comment on attachment 413093 [details] [diff] [review]
"xpcom-will-shutdown"

Please update https://wiki.mozilla.org/XPCOM_Shutdown when this lands.
Attachment #413093 - Flags: review?(benjamin) → review+
We should fix this for 3.6 even if we haven't seen this crash there yet. I'd bet we will. I also think this will fix bug 525575.
Blocks: 525575
Flags: blocking1.9.2+
Fixed on trunk and 1.9.2.

http://hg.mozilla.org/mozilla-central/rev/239c5a22fdaf
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/5a515e5b7c6a
Status: NEW → RESOLVED
Closed: 15 years ago
status1.9.2: --- → final-fixed
Resolution: --- → FIXED
Jst, seems like you added a printf to 1.9.2. I'll remove that.
Oh, duh! Yeah, that was never meant to be checked in, that was just me verifying that my merged patch still worked. Thanks for fixing!
Crash Signature: [@ PL_DHashTableOperate | free | nsEventListenerManager::AddEventListenerByType(nsIDOMEventListener*, nsAString_internal const&, int, nsIDOMEventGroup*)]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: