Closed Bug 590512 Opened 13 years ago Closed 13 years ago

Firefox 4.0b Crash [@ PL_DHashTableOperate | nsPrefBranch::GetBoolPref(char const*, int*) ]

Categories

(Core :: Preferences: Backend, defect)

Product:
Core
Component:
Preferences: Backend
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: chofmann, Assigned: dwitte)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file, 1 obsolete file)

v2
10.95 KB, patch
dougt
: review+
Details | Diff | Splinter Review 
A start up crash rising in volume in beta4.  looks like its mostly windows7.

checking --- PL_DHashTableOperate...nsPrefBranch::GetBoolP 20100824-crashdata.csv
found in: 4.0b4 4.0b3
release total-crashes
              PL_DHashTableOperate...nsPrefBranch::GetBoolP crashes
                         pct.
all     283844  38      0.000133876
4.0b4   2929    24      0.00819392
4.0b3   17067   14      0.000820296

os breakdown
PL_DHashTableOperate...nsPrefBranch::GetBoolPTotal 38
Win5.1  0.11
Win6.0  0.03
Win6.1  0.87


Its possible this is associated with the inability to restart and results in repeated crashes.

user comments:

multiplied appearance of "mozilla crash reporters"

won't let me restart. 

several comments about gmail notifier.

Installed the gmail notifier, using the compatibility check addons. After the restart, I get this crash every time.

I just installed Greasemeonkey and Minefield crashed. Go figure.

Stack looks like

http://crash-stats.mozilla.com/report/index/ceb76946-636b-4dc7-8128-e7deb2100825

Frame  	Module  	Signature [Expand]  	Source
0 	xul.dll 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.c:615
1 	xul.dll 	nsPrefBranch::GetBoolPref 	modules/libpref/src/nsPrefBranch.cpp:194
2 	xul.dll 	nsPrefService::GetBoolPref 	modules/libpref/src/nsPrefService.h:60
3 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
4 	xul.dll 	js::InvokeCommon<int > 	js/src/jsinterp.cpp:561
5 	xul.dll 	js::Invoke 	js/src/jsinterp.cpp:694
6 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:4710
7 	xul.dll 	js::Execute 	js/src/jsinterp.cpp:886
8 	xul.dll 	JS_ExecuteScript 	js/src/jsapi.cpp:4754
9 	xul.dll 	nsJSContext::ExecuteScript 	dom/base/nsJSEnvironment.cpp:1975
10 	xul.dll 	nsXULDocument::ExecuteScript 	content/xul/document/src/nsXULDocument.cpp:3620
11 	xul.dll 	nsXULDocument::ExecuteScript 	content/xul/document/src/nsXULDocument.cpp:3643
12 	xul.dll 	nsXULDocument::OnStreamComplete 	content/xul/document/src/nsXULDocument.cpp:3511
13 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
14 	xul.dll 	nsJARChannel::OnStopRequest 	modules/libjar/nsJARChannel.cpp:874
15 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
16 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
17 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
19 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:142
20 	xul.dll 	xul.dll@0xb7a45b 	
21 	xul.dll 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
22 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
23 	xul.dll 	_SEH_epilog4 	
24 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
25 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:175
26 	xul.dll 	nsAppShell::Run 	widget/src/windows/nsAppShell.cpp:243
27 		@0x77b5ffff 	
28 	xul.dll 	nsCaret::GetCaretRect 	layout/base/nsCaret.h:151
29 	advapi32.dll 	PcwCollectData 	
30 	xul.dll 	nsHTMLOptionElement::QueryInterface 	
31 		@0x7595ffff

more reports at

http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=PL_DHashTableOperate%20|%20nsPrefBranch%3A%3AGetBoolPref%28char%20const*%2C%20int*%29

also possible that addon compat is mostly turned off 

addons_checked
   2 checked
  36 [unknown]
blocking2.0: --- → ?
Keywords: crash, regression
OS: Mac OS X → Windows 7
Blocking based on regression, we can unblock if this magically goes away.
Assignee: nobody → dwitte
blocking2.0: ? → final+
maybe something to do with migration.  we saw the orginal spike after beta 4 was released, then decline, then smaller another spike after beta 5 was released.

date     tl crashes at
         PL_DHashTableOperate...nsPrefBranch::GetBoolPref.char.const...int..
            count version, count version,...

20100821 16  4.0b3,
20100822 14  4.0b3,
20100823 56  ,31 4.0b3,15 4.0b4,9 4.0b5pre,1 4.0b2,

 -- beta 4 released

20100824 38  ,24 4.0b4,14 4.0b3,
20100825 100 ,89 4.0b4,8 4.0b5pre,2 4.0b3,1 4.0b4pre,
20100826 83  ,81 4.0b4,2 4.0b2,
20100827 40  4.0b4,
20100828 9   ,5 4.0b3,4 4.0b4,
20100829 44  ,33 4.0b4,11 4.0b3,
20100830 35  ,32 4.0b4,3 4.0b5pre,
20100831 25  ,21 4.0b4,4 4.0b5pre,
20100901 10  ,5 4.0b4,3 4.0b5pre,2 4.0b5,
20100902 17  ,15 4.0b4,2 4.0b6pre,
20100903 36  ,34 4.0b4,1 4.0b5pre,1 4.0b2,
20100904 16  ,10 4.0b4,4 4.0b6pre,2 4.0b2,
20100905 28  4.0b4
20100906 6   ,3 4.0b4,2 4.0b6pre,1 4.0b2,

  -- beta 5 released

20100907 45  ,22 4.0b5,21 4.0b4,1 4.0b6pre,1 4.0b5pre,
20100908 59  ,57 4.0b5,2 4.0b4,
20100909 26  ,21 4.0b5,4 4.0b6pre,1 4.0b2,
20100910 29  ,14 4.0b5,9 4.0b6pre,6 4.0b3,
20100911 1   4.0b5
20100912 8   4.0b5
20100913 24  4.0b5
20100914 4   ,2 4.0b7pre,1 4.0b5,1 4.0b4,
20100915 16  ,15 4.0b6,1 4.0b7pre,
on day of the last spike...

checking --- PL_DHashTableOperate...nsPrefBranch::GetBoolPref.char.const...int.. 20100908-crashdata.csv
found in: 4.0b5 4.0b4
release total-crashes
              PL_DHashTableOperate...nsPrefBranch::GetBoolPref.char.const...int.. crashes
                         pct.
all     312235  59      0.00018896
4.0b5   18501   57      0.00308091
4.0b4   20322   2       9.84155e-05

Correlation to startup or time of session
59 total crashes for PL_DHashTableOperate...nsPrefBranch::GetBoolPref.char.const...int.. on 20100908-crashdata.csv
44 startup crashes inside 2 sec.
57 startup crashes inside 30 sec.
59 startup crashes inside 3 min.

os breakdown
PL_DHashTableOperate...nsPrefBranch::GetBoolPref.char.const...int..Total 59
Win5.1  0.31
Win6.0  0.07
Win6.1  0.63
This isn't going away, we've got crashes every day from now back to 9/2. All with the same stack (i.e. from JS). Gmail Notifier is frequent among the reports, but not common to all. Based on the comments it's likely to be related.I recall seeing a posting in the newsgroups within the last week -- someone seeing NS_ERROR_OUT_OF_MEMORY being returned by a call to getBoolPref from script. One of the very few ways this can happen is if gHashTable.ops is NULL. Something's probably up with gHashTable.ops here too, so they could be related. I'll email the guy and try to get more details.
Severity: normal → critical
OK, newsgroup posting was a red herring. Going to look into what Gmail Notifier is up to...
the trend in commment 2 continued in beta6. as we see a decline in the growth of the beta population there seems to be a decline in the crash volume.

20100914 4

-- beta 6 released

20100915 16   33k adus
20100916 33  218k adus
20100917 7   337k adus
20100918 18  353k adus
20100919 18  408k adus
20100920 12  524k adus
20100921 8   557k adus
20100922 1   572k adus
Attached patch fix (obsolete) — Splinter Review 
Apparently xpconnect is fine with converting 'undefined' to a null char* string; which kinda asplodes. (When we rejiggered prefbranch to remove security checks, a nullcheck got lost.)

This also removes a couple unnecessary checks on outparam pointers -- the only risk on those is C++ callers, which means they generally always come from the stack.

This patch fixes the crash for me, though Gmail Notifier is still broken somewhere else. But it doesn't crash. :)
Attachment #478391 - Flags: review?(doug.turner)
This is on top of the patch in bug 589905, btw.
using NS_ENSURE_ARG_POINTER will throw back to js a invalid pointer error.  maybe it is better to use NS_ERROR_INVALID_ARG instead for null pref names.

I do not understand why we want to remove the check for a non-null _retval in PrefHasUserValue?
Sure, I can switch to NS_ERROR_INVALID_ARG.

About _retval -- see comment 7.
right, i read 7.  still don't know why we want to review the code.
Because the way you'd typically call it is:

  PRBool ret;
  pb->PrefHasUserValue("blah", &ret);

which makes it impossible to have a null outparam pointer. And from JS, xpconnect will make it impossible.
Comment on attachment 478391 [details] [diff] [review]
fix


I understand that, what I don't have a grasp of is any other callers that might be passing around a bool* that gets nulled.

It just seems like removing something that has been around for a long time without data that proves that the above case never happens in our code or in any code that is built above preference is risky.

Also, tests?
Attached patch v2Splinter Review 
Now with better errors and more tests.
Attachment #478391 - Attachment is obsolete: true
Attachment #478471 - Flags: review?(doug.turner)
Attachment #478391 - Flags: review?(doug.turner)
Attachment #478471 - Flags: review?(doug.turner) → review+
http://hg.mozilla.org/mozilla-central/rev/dc689419476d

Going to leave this open for a bit to see if the crashes disappear.
Er, wrong bug. This is definitely fixed. ;)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ PL_DHashTableOperate | nsPrefBranch::GetBoolPref(char const*, int*) ]
You need to log in before you can comment on or make changes to this bug.