Closed Bug 588643 Opened 14 years ago Closed 14 years ago

Crash in [@ nsDocShell::SetHistoryEntry ], [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ], [@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] when operating in Gmail

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: marcia, Assigned: smaug)

References

(Depends on 1 open bug)

Details

(4 keywords)

Crash Data

Attachments

(1 file, 3 obsolete files)

er, this one.
932 bytes, patch
Details | Diff | Splinter Review
Hit this today while running Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0b5pre) Gecko/20100818 Minefield/4.0b5pre, and so have others in crash-stats data: http://tinyurl.com/294hdoy since the three comments all mention doing something in Gmail when they crashed. 7 Mac crashes so far, and 1 Linux - no Win data showing yet. STR: 1. Load Gmail. I was composing an email and went to click a tab and then I crashed. http://crash-stats.mozilla.com/report/index/bp-92ea6d7d-b865-4e70-8c9b-d7b832100818 is my report. Frame Module Signature [Expand] Source 0 @0xc6890000 1 XUL nsDocShell::SetHistoryEntry docshell/base/nsDocShell.cpp:10148 2 XUL nsDocShell::OnStateChange docshell/base/nsDocShell.cpp:5764 3 XUL nsDocLoader::FireOnStateChange uriloader/base/nsDocLoader.cpp:1334 4 XUL nsDocLoader::OnStartRequest uriloader/base/nsDocLoader.cpp:870 5 XUL nsLoadGroup::AddRequest netwerk/base/src/nsLoadGroup.cpp:595 6 XUL nsHTMLDocument::CreateAndAddWyciwygChannel content/html/document/src/nsHTMLDocument.cpp:2880 7 XUL nsHTMLDocument::OpenCommon content/html/document/src/nsHTMLDocument.cpp:2024 8 XUL nsHTMLDocument::Open content/html/document/src/nsHTMLDocument.cpp:2042 9 XUL nsHTMLDocumentSH::DocumentOpen dom/base/nsDOMClassInfo.cpp:8765 10 XUL js::InvokeCommon<JSBool > js/src/jscntxtinlines.h:554 11 XUL js::Invoke js/src/jsinterp.cpp:694 12 XUL js::Interpret js/src/jsinterp.cpp:4710 13 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 14 XUL js::Invoke js/src/jsinterp.cpp:694 15 XUL js_fun_call js/src/jsfun.cpp:2027 16 XUL js::Interpret js/src/jsinterp.cpp:4699 17 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 18 XUL js::Invoke js/src/jsinterp.cpp:694 19 XUL js_fun_call js/src/jsfun.cpp:2027 20 XUL js::Interpret js/src/jsinterp.cpp:4699 21 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 22 XUL js::Invoke js/src/jsinterp.cpp:694 23 XUL js_fun_call js/src/jsfun.cpp:2027 24 XUL js::Interpret js/src/jsinterp.cpp:4699 25 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 26 XUL js::Invoke js/src/jsinterp.cpp:694 27 XUL js_fun_call js/src/jsfun.cpp:2027 28 XUL js::Interpret js/src/jsinterp.cpp:4699 29 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 30 XUL js::Invoke js/src/jsinterp.cpp:694 31 XUL js_fun_apply js/src/jsfun.cpp:2139 32 XUL js::Interpret js/src/jsinterp.cpp:4699 33 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 34 XUL js::Invoke js/src/jsinterp.cpp:694 35 XUL js_fun_call js/src/jsfun.cpp:2027 36 XUL js::Interpret js/src/jsinterp.cpp:4699 37 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 38 XUL js::Invoke js/src/jsinterp.cpp:694 39 XUL js_fun_apply js/src/jsfun.cpp:2139 40 XUL js::Interpret js/src/jsinterp.cpp:4699 41 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 42 XUL js::Invoke js/src/jsinterp.cpp:694 43 XUL js_fun_apply js/src/jsfun.cpp:2139 44 XUL js::Interpret js/src/jsinterp.cpp:4699 45 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 46 XUL js::Invoke js/src/jsinterp.cpp:694 47 XUL js_fun_call js/src/jsfun.cpp:2027 48 XUL js::Interpret js/src/jsinterp.cpp:4699 49 XUL js::InvokeCommon<JSBool > js/src/jsinterp.cpp:572 50 XUL js::Invoke js/src/jsinterp.cpp:694 51 XUL js::InternalInvoke js/src/jsinterp.cpp:734 52 XUL JS_CallFunctionValue js/src/jsinterp.h:419 53 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1687 54 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:570 55 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93 56 XUL nsXPTCStubBase::Stub3 xptcstubsdef.inc:1 57 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1112 58 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1208 59 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146 60 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628 61 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6749 62 XUL PresShell::HandleEventWithTarget layout/base/nsPresShell.cpp:6606 63 XUL nsEventStateManager::CheckForAndDispatchClick content/events/src/nsEventStateManager.cpp:4048 64 XUL nsEventStateManager::PostHandleEvent content/events/src/nsEventStateManager.cpp:2934 65 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6772 66 XUL PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6591 67 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6444 68 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6228 69 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1092 70 XUL HandleEvent view/src/nsView.cpp:160 71 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1726 72 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1736 73 XUL -[ChildView mouseUp:] widget/src/cocoa/nsChildView.mm:3176 74 AppKit -[NSWindow sendEvent:] 75 XUL -[ToolbarWindow sendEvent:] widget/src/cocoa/nsCocoaWindow.mm:2307 76 AppKit -[NSApplication sendEvent:] 77 AppKit -[NSApplication run] 78 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:747 79 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:191 80 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3659 81 firefox-bin main browser/app/nsBrowserApp.cpp:158 82 firefox-bin firefox-bin@0xbf5 83 @0x1
If someone could move this into the right component, that would be great.
Here are the three comments: Firefox crash when it loads gmail Crashed while on Gmail. This one was new session. Logged in to Gmail, got mail, boom! Going back to FF4 (Beta 3)
Summary: Crash in [@ nsDocShell::SetHistoryEntry ] when operating in Gmail → Crash in [@ nsDocShell::SetHistoryEntry ], [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] when operating in Gmail
Clicking on compose and then rich formatting crashes for me. Have a different stack for one of the crashes. 8873bbbd-819c-4407-9760-631a92100819 @ nsACString_internal::ReplacePrep(unsigned int, unsigned int, unsigned int)
I crash every time using my steps in comment 4, got a second nsACString stack adding it to the summary. http://crash-stats.mozilla.com/report/index/8873bbbd-819c-4407-9760-631a92100819 Working on a regression range.
Summary: Crash in [@ nsDocShell::SetHistoryEntry ], [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] when operating in Gmail → Crash in [@ nsDocShell::SetHistoryEntry ], [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ], [@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] when operating in Gmail
Changing to all since this is showing up using Windows as well. Nominating since this has moved into the top spot on trunk crashes - ( [@ PR_AtomicIncrement ] leads the pack and all comments mention Gmail) but as Kevin notes I think there may be a bunch of different stacks associated with this crash.
Keywords: regressionwindow-wanted
OS: Mac OS X → All
blocking2.0: --- → ?
I think nsDocShell is Core:Document Navigation.
Component: General → Document Navigation
QA Contact: general → docshell
Assignee: nobody → Olli.Pettay
I assume this is a regression from Bug 462076, but I haven't verified that yet.
Crashes every time for me when I simply hit "Reply" in Gmail. bp-0e2363b4-d0f5-4956-bd46-c3b192100820 The signature is somewhat different for me though, it's: [@ nsACString_internal::ReplacePrep(unsigned int, unsigned int, unsigned int) ] The title of this bug is too long already to add that signature, should I file a separate bug?
Keywords: top50
Yes yes, I'm working on this. Sorry about the crashes.
Just to confirm the guess, Bug 462076 broke this. Built http://hg.mozilla.org/mozilla-central/rev/f43f9b764efb and it does not crash. Built http://hg.mozilla.org/mozilla-central/rev/353da09ea0dd and it crashes when loading the rich text editor.
Blocks: 462076
Same problem. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b5pre) Gecko/20100819 Minefield/4.0b5pre Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b5pre) Gecko/20100819 Minefield/4.0b5pre bp-09fa87da-9db2-4bd3-9d78-140922100819 bp-456cd8fa-e568-4492-8380-e43e02100819 bp-ec2a3475-4864-4327-b69f-a39e52100819 bp-ebcb3483-31c8-4570-a6b6-870a72100819 bp-40a1166c-ab5a-4599-9bb7-2aad12100819 bp-96550cdf-4c60-4447-bba4-d706a2100819 bp-c9b0f2ad-61ab-4e6e-8c03-df4742100819 Reproducible: Always Steps to Reproduce: 1. Login to gmail with Minefield 4.0b5pre 2. Try to write an email General usage of gmail didn't seem awkward. Might have been a bit sluggish, but I hadn't really noticed. I'll try using plain text.
Attached patch patch (obsolete) — Splinter Review
Attachment #467857 - Flags: review?(bent.mozilla)
Attachment #467857 - Flags: approval2.0?
I'll file a followup to fix nsCOMArray
Comment on attachment 467857 [details] [diff] [review] patch Looks great, thanks!
Attachment #467857 - Flags: review?(bent.mozilla) → review+
(In reply to comment #21) > I'll file a followup to fix nsCOMArray Bug 589276
blocking2.0: ? → betaN+
Comment on attachment 467857 [details] [diff] [review] patch >+ // InsertObjectAt allows only appending one object. >+ // If aOffset is larger than Count(), we must first manually >+ // set the capacity. >+ if (aOffset > mChildren.Count()) { >+ mChildren.SetCapacity(aOffset + 1); >+ } This looks wrong. Did you mean mChildren.SetCount(aOffset); ?
Attached patch +Neil's comment (obsolete) — Splinter Review
Attachment #467857 - Attachment is obsolete: true
Attached patch hg export patch (obsolete) — Splinter Review
Attachment #467896 - Attachment is obsolete: true
Attached patch er, this one.Splinter Review
Attachment #467899 - Attachment is obsolete: true
So http://hg.mozilla.org/mozilla-central/rev/cbf6e0a17783 landed Sat Aug 21 00:26:52 2010 +0300 Marking this fixed, since at least I can't reproduce the crash anymore. For any other session history problems, please file a new bug an CC me.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Still crashing here. Same problems. bp-A3D3BB9E-C0F7-4354-9102-7C28684F334F bp-bf81d7d4-2bb4-40bd-8f2a-75ab62100821 bp-cee946f0-e060-4318-a844-450b12100821
Not that it matters but that first line should be: bp-aef772aa-fbf0-4639-bcf7-dda162100821 Cheers
Adrian, your build ID is 20100820064128, so that is certainly before Sat Aug 21 00:26:52. You need get a new nightly (if there is already one).
Just add mine, when logged in one of my gmail account, i can see the progression pie first finished loading the page, then for some reason, it start to indicate page loading again, and then gmail crashes. It doesn't crash on my other gmail account, very strange.
What build are you using? I'm not getting any crashing using the build from the 21st using the str from comment 4.
Olli, thanks for the tip, quite right too. Got build 20100821031035 from today (21-Aug-2010 05:48) and problem seems to be solved. Cheers.
Verified fixed using Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100823 Minefield/4.0b5pre, as well as the latest Mac nightly. I no longer am seeing the crashes I was seeing previously following the STR in Comment 4.
Status: RESOLVED → VERIFIED
Depends on: 624177
Depends on: 624917
Depends on: 609396
Depends on: 632835
Depends on: 640486
Depends on: 642741
Depends on: 647237
Crash Signature: [@ nsDocShell::SetHistoryEntry ] [@ @0x0 | nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ] [@ nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry>*, nsISHEntry*) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: