Closed Bug 531665 Opened 16 years ago Closed 12 years ago

New Firefox 3.6b4 Crash [@ nsTextControlFrame::EditorInitializer::`scalar deleting destructor''(unsigned int) ] with Java Quick Starter present

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: chofmann, Unassigned)

Details

(Keywords: crash)

Crash Data

There is a new crash seen in early 3.6b4 data that has never been seen in prior 3.5.x or 3.6b relaeases. could be a recent or dormant regression from changes much earlier, or a morfed signature. http://crash-stats.mozilla.com/report/index/44f307cb-00f1-42e5-bcb6-9644e2091127 stack looks like Frame Module Signature [Expand] Source 0 xul.dll nsTextControlFrame::EditorInitializer::`scalar deleting destructor' 1 xul.dll nsRunnable::Release obj-firefox/xpcom/build/nsThreadUtils.cpp:55 2 xul.dll nsCOMPtr<nsILocale>::~nsCOMPtr<nsILocale> 3 xul.dll nsContentUtils::RemoveScriptBlocker content/base/src/nsContentUtils.cpp:4489 4 xul.dll PresShell::InitialReflow layout/base/nsPresShell.cpp:2651 5 xul.dll nsXULDocument::StartLayout content/xul/document/src/nsXULDocument.cpp:2072 6 xul.dll nsXULDocument::DoneWalking content/xul/document/src/nsXULDocument.cpp:3217 7 xul.dll xul.dll@0x3f0566 8 xul.dll CSSLoaderImpl::ParseSheet layout/style/nsCSSLoader.cpp:1560 9 xul.dll SheetLoadData::OnStreamComplete layout/style/nsCSSLoader.cpp:861 10 xul.dll nsUnicharStreamLoader::OnStopRequest netwerk/base/src/nsUnicharStreamLoader.cpp:162 more reports at http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.6b4&query_search=signature&query_type=exact&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsTextControlFrame%3A%3AEditorInitializer%3A%3A%60scalar%20deleting%20destructor%27%27%28unsigned%20int%29 not much to go on to start the investigation. all the crashes so far are on Windows NT 5.1.2600 Service Pack 3 all but one of these crashes reported so far are very close to start up. that is this one http://crash-stats.mozilla.com/report/index/4cff1156-93e8-4b2b-9726-696cb2091127 top of the stack still looks the same. there was some recent activity in source files further down from the top of the stack, but I'm guessing they are probably not connected in this case. http://hg.mozilla.org/releases/mozilla-1.9.2/log/4c488520d1bf/content/base/src/nsContentUtils.cpp de79f09e0ee5 2009-11-19 14:37 -0500 Boris Zbarsky
ccing smaug just because and ehsan because he's at least looked at this code recently. All the crashes are at address 0xffffffffffffffff. I have no idea why the destructor of EditorInitializer would be touching this address, unless the mFrame of the nsWeakFrame is pointing to it or something. Which shouldn't happen. Anything else that could be going on here? The change in bug 467005 wouldn't have affected the XUL-related crashes here. Do we see this crash on m-c at all?
The c-s.m.c startup crashes don't show the full stack. Might be useful to see what is happening higher up in the stack.
These all seem to be reported by a single user, who has the Java Quick Starter extension in addition to others. <http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html> So, the scalar deleting destructor for nsTextControlFrame::EditorInitializer should merely call nsWeakFrame::~nsWeakFrame, and something is going wrong either before or after this call (I think if it was actually something wrong in nsWeakFrame's destructor, that should have been on top of the stack. This looks to me like a memory corruption, and the fact that it has shown up several times at startup after the initial crash could possibly suggest a non-random bug either in our code or in an add-on's code. This code gets triggered at startup every time, and is probably coming from the urlbar or searchbar initialization in browser.xul. I don't have any idea how to debug this unless we can come up with a set of steps to reproduce. Maybe the QA folks can try to reproduce it with the exact set of extensions included in the reports, which are: en-GB@dictionaries.addons.mozilla.org jqs@sun.com {20a82645-c095-46ed-80e3-08825760534b} {635abd67-4fe9-1b23-4f01-e679fa7484c1} {972ce4c6-7e08-4474-a285-3208198ce6fd}
Keywords: crash, qawanted
Summary: New Firefox 3.6b4 Crash [@ nsTextControlFrame::EditorInitializer::`scalar deleting destructor''(unsigned int) ] → New Firefox 3.6b4 Crash [@ nsTextControlFrame::EditorInitializer::`scalar deleting destructor''(unsigned int) ] with Java Quick Starter present
I tried reproducing this on the Win XP machine in the lab using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4 (.NET CLR 3.5.30729) with the exact set of extensions in Comment 4 but I was unable to reproduce the crash yet. 972ce4c6-7e08-4474-a285-3208198ce6fd seems to be a weird extension - a Google search of that ID yields a lot of complaints about crashing in various flavors of Firefox going back to 3.0.x. I installed the Yahoo Toolbar, en-GB dictionary, and Java - I confirmed that Java Quick Start was enabled. Interestingly enough, when you install the Java package (http://javadl.sun.com/webapps/download/AutoDL?BundleId=36668) it does ask if you if you want to install the Yahoo toolbar. I left the box checked thinking that is what most users do but it did not install the Yahoo toolbar (this was actually using 3.5.5 since that was the version on the machine at first launch) - I ended up going to the Yahoo site and installing it from there. So I guess I should probably start again - uninstall Java and reinstall it using B4.
I did the following and was still unable to reproduce - the lab machine is not crufty since we just did a fresh clonezilla restore. 1. Uninstalled Java 2. Launched B4 with a fresh profile 3. Installed Java (this time I did not get the option for the Yahoo toolbar) 4. Installed en-GB dictionary and Yahoo Toolbar 5. Tried several restarts and no crash
Crash Signature: [@ nsTextControlFrame::EditorInitializer::`scalar deleting destructor''(unsigned int) ]
You need to log in before you can comment on or make changes to this bug.