crash [@ nsHTMLAnchorElement::UnbindFromTree(int, int)]

RESOLVED FIXED

Status


Core
DOM: Core & HTML
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: wsmwk, Assigned: timeless)

Tracking

({crash, topcrash})

1.9.1 Branch
x86
All
crash, topcrash

Firefox Tracking Flags

(status1.9.1 .9-fixed)

Details

(crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

747 bytes, patch (timeless: review+)
#2 crash for SM 2.0.2
crash [@ nsHTMLAnchorElement::UnbindFromTree(int, int)]

a few comments include:
editing a simple html file 
Pasting text into Composer
pasting without format 
closing windows, email, main window - then crash
closing the composer using the "X" in the upper right corner after saving a web page I created.

bp-9668ef15-fcb8-42bf-b035-9c55e2091228
closing the composer using the "X" in the upper right corner after saving a web page I created.
0	seamonkey.exe	nsHTMLAnchorElement::UnbindFromTree	 content/html/content/src/nsHTMLAreaElement.cpp:240
1	seamonkey.exe	nsElementDeletionObserver::NodeWillBeDestroyed	editor/libeditor/html/nsHTMLAnonymousUtils.cpp:130
2	seamonkey.exe	nsNodeUtils::LastRelease	content/base/src/nsNodeUtils.cpp:196
3	seamonkey.exe	nsGenericDOMDataNode::Release	content/base/src/nsGenericElement.cpp:4124
4	seamonkey.exe	XPCJSRuntime::GCCallback	js/src/xpconnect/src/xpcjsruntime.cpp:775
5	jsd3250.dll	jsds_GCCallbackProc	js/jsd/jsd_xpc.cpp:531
6	seamonkey.exe	DOMGCCallback	dom/src/base/nsJSEnvironment.cpp:3692
7	seamonkey.exe	XPCCycleCollectGCCallback	js/src/xpconnect/src/nsXPConnect.cpp:411
8	js3250.dll	js_GC	js/src/jsgc.cpp:3792
9	js3250.dll	JS_GC	js/src/jsapi.cpp:2458
10	seamonkey.exe	nsXPConnect::Collect	js/src/xpconnect/src/nsXPConnect.cpp:477
11	xpcom_core.dll	nsCycleCollector::Collect	xpcom/base/nsCycleCollector.cpp:2386
12	xpcom_core.dll	nsCycleCollector_collect	xpcom/base/nsCycleCollector.cpp:3045
13	seamonkey.exe	nsJSContext::CC	dom/src/base/nsJSEnvironment.cpp:3512
14	seamonkey.exe	GCTimerFired	dom/src/base/nsJSEnvironment.cpp:3620
15	xpcom_core.dll	nsTimerImpl::Fire	xpcom/threads/nsTimerImpl.cpp:420
16	xpcom_core.dll	nsTimerEvent::Run	xpcom/threads/nsTimerImpl.cpp:512

Comment 1

7 years ago
nsElementDeletionObserver::NodeWillBeDestroyed always seems to be the caller to nsHTMLAnchorElement::UnbindFromTree there.

This is the #2 topcrash for SeaMonkey 2.0.2, happening cross-platform, and it's also #159 on the Firefox 3.5.7 topcrash list; this very much seems to be core code. Many people seem to report, not surprisingly, as editor/ code is involved, being in an HTML form or editor of some kind when they crash.

bug 533061 sounds similar and is on the Thunderbird 3.0.1 topcrash list.
Component: Composer → Editor
Product: SeaMonkey → Core
QA Contact: composer → editor
Version: SeaMonkey 2.0 Branch → 1.9.1 Branch

Comment 2

7 years ago
Links to lists of reports for this signature:

http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=nsHTMLAnchorElement%3A%3AUnbindFromTree%28int%2C%20int%29&version=SeaMonkey%3A2.0.2
http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=nsHTMLAnchorElement%3A%3AUnbindFromTree%28int%2C%20int%29&version=Firefox%3A3.5.7

Many of those report 0x0 as address, which already sounds fishy to me, even though I don't really know C++ much...
(Assignee)

Comment 3

7 years ago
So, the 0x0 makes sense.

This code doesn't exist on trunk.
Assignee: nobody → timeless
Component: Editor → DOM: Core & HTML
QA Contact: editor → general
(Assignee)

Comment 4

7 years ago
Created attachment 424981
proposal

So, the other parts of this file null check GetCurrentDoc(), and the function naming implies it could return null, so here it presumably did....
Attachment #424981 - Flags: review?(Olli.Pettay)

Comment 5

7 years ago
Comment on attachment 424981
proposal

Yeah, this is unfortunate, but needed.
Attachment #424981 - Flags: review?(Olli.Pettay) → review+
(Assignee)

Comment 6

7 years ago
Created attachment 425017
for 1.9.1 only

So, the patch I posted belongs in bug 533061. The reason they look the same and that I posted that one here is that in 1.9.1 the compiler code folded them so they shared code and thus line numbers, because it was the same code.

But this specific crash only exists in 1.9.1, whereas the other one exists in both places.
Attachment #424981 - Attachment is obsolete: true
Attachment #425017 - Flags: review+
Attachment #425017 - Flags: approval1.9.1.9?
related to bug 480300?
Comment on attachment 425017
for 1.9.1 only

Approved for 1.9.1.9, a=dveditz for release-drivers
Attachment #425017 - Flags: approval1.9.1.9? → approval1.9.1.9+
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/7ff00041328c
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status1.9.1: --- → .9-fixed
Resolution: --- → FIXED
There doesn't seem to be anything for QA to do here for 1.9.1 verification.
Crash Signature: [@ nsHTMLAnchorElement::UnbindFromTree(int, int)]
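
An added illustration of the point in Comment 6 (not code from this bug or from Mozilla's crash tooling): frame 0 of the stack above names nsHTMLAnchorElement::UnbindFromTree but points at nsHTMLAreaElement.cpp, which is how folded identical code shows up in a crash report. The sketch parses the report's frame layout and flags that mismatch; the function names are hypothetical and comparing the class name with the file name is a heuristic assumption.

```python
from pathlib import PurePosixPath

# Constructed sample: the top three frames of the stack in this report, in the
# same tab-separated layout (index, module, function, file:line).
SAMPLE_STACK = (
    "0\tseamonkey.exe\tnsHTMLAnchorElement::UnbindFromTree"
    "\t content/html/content/src/nsHTMLAreaElement.cpp:240\n"
    "1\tseamonkey.exe\tnsElementDeletionObserver::NodeWillBeDestroyed"
    "\teditor/libeditor/html/nsHTMLAnonymousUtils.cpp:130\n"
    "2\tseamonkey.exe\tnsNodeUtils::LastRelease"
    "\tcontent/base/src/nsNodeUtils.cpp:196\n"
)

def parse_frames(text):
    """Turn tab-separated frame lines into dicts; skip lines that do not parse."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        path, sep, lineno = parts[3].rpartition(":")
        if not sep or not lineno.isdigit():
            continue
        frames.append({"index": int(parts[0]), "module": parts[1],
                       "function": parts[2], "file": path, "line": int(lineno)})
    return frames

def folded_top_frame(frames):
    """Return (class_in_symbol, file_stem) when frame 0's class and source file
    disagree, else None. Only frame 0 is checked because it names the crash
    signature; deeper frames often live in differently named files anyway."""
    top = next((f for f in frames if f["index"] == 0), None)
    if top is None or "::" not in top["function"]:
        return None
    cls = top["function"].rsplit("::", 1)[0]
    stem = PurePosixPath(top["file"]).stem
    return None if cls.lower() == stem.lower() else (cls, stem)

def triage(text):
    """Summarise what a triager checks first: folding hint and frame 0's caller."""
    frames = parse_frames(text)
    caller = frames[1]["function"] if len(frames) > 1 else None
    return {"mismatch": folded_top_frame(frames), "caller": caller}

if __name__ == "__main__":
    print(triage(SAMPLE_STACK))
```

A mismatch on frame 0 is a prompt to look for the sibling signature (here the one tracked in bug 533061) before treating two crash buckets as unrelated.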