Closed Bug 606414 Opened 15 years ago Closed 14 years ago

crash [@ nsPlaintextEditor::Release() ]

Categories

(Core :: Layout: Form Controls, defect)

x86
All
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Assigned: ehsan.akhgari)

Details

(Keywords: crash, Whiteboard: Worksforme?)

Crash Data

It is a residual crash signature that exists in 3.5, 3.6 and trunk builds. It is the #300 top crasher in 4.0b8pre for the last week.

Signature nsPlaintextEditor::Release()
UUID 0e921c6e-6ea8-43fd-b32d-9d75c2101021
Time 2010-10-21 17:55:34.449275
Uptime 51
Last Crash 53 seconds before submission
Install Age 36267 seconds (10.1 hours) since version was first installed.
Product Firefox
Version 4.0b8pre
Build ID 20101021042123
Branch 2.0
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address 0x0
App Notes AdapterVendorID: 8086, AdapterDeviceID: 29c2

Frame Module Signature Source
0 xul.dll nsPlaintextEditor::Release editor/libeditor/text/nsPlaintextEditor.cpp:140
1 xul.dll nsCOMPtr_base::~nsCOMPtr_base obj-firefox/dist/include/nsAutoPtr.h:969
2 xul.dll nsTextControlFrame::GetRootNodeAndInitializeEditor layout/forms/nsTextControlFrame.cpp:872
3 xul.dll nsTextControlFrame::DOMPointToOffset layout/forms/nsTextControlFrame.cpp:1011
4 xul.dll nsTextControlFrame::GetSelectionRange layout/forms/nsTextControlFrame.cpp:1157
5 xul.dll nsHTMLTextAreaElement::GetSelectionRange content/html/content/src/nsHTMLTextAreaElement.cpp:861
6 xul.dll nsHTMLInputElement::GetSelectionEnd content/html/content/src/nsHTMLInputElement.cpp:2882
7 xul.dll nsIDOMHTMLInputElement_GetSelectionEnd obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:18454
8 mozjs.dll js::Shape::get js/src/jsscopeinlines.h:256
9 mozjs.dll js_NativeGet js/src/jsobj.cpp:4959
10 mozjs.dll InlineGetProp js/src/methodjit/StubCalls.cpp:2052
11 mozjs.dll js::mjit::stubs::GetProp js/src/methodjit/PolyIC.cpp:2297
12 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:742
13 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:767
14 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:784
15 mozjs.dll js::RunScript js/src/jsinterp.cpp:634
16 mozjs.dll js::Invoke js/src/jsinterp.cpp:740
17 mozjs.dll js_fun_call js/src/jsfun.cpp:2248
18 @0xb806ba0
19 mozjs.dll js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:742
20 mozjs.dll CheckStackAndEnterMethodJIT js/src/methodjit/MethodJIT.cpp:767
21 mozjs.dll js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:784
22 mozjs.dll js::RunScript js/src/jsinterp.cpp:634
23 mozjs.dll js::Invoke js/src/jsinterp.cpp:740
24 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:855
25 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:4960
26 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2157
27 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:8916
28 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:9261
29 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:425
30 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:517
31 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:547
32 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
33 xul.dll xul.dll@0xb011b3
34 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
35 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4178
36 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176
37 xul.dll xul.dll@0x372c19
38 firefox.exe firefox.exe@0x1bd7
39 ntdll.dll WinSqmSetIfMaxDWORD
40 ntdll.dll _RtlUserThreadStart
41 firefox.exe firefox.exe@0x188f
42 firefox.exe firefox.exe@0x188f

More reports at: http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsPlaintextEditor%3A%3ARelease%28%29
Assignee: nobody → ehsan
Blocks: 534785
OS: Windows 7 → All
There is something very wrong about this stack: nsHTMLInputElement::GetSelectionEnd is calling nsHTMLTextAreaElement::GetSelectionRange. This speaks out memory corruption, but I'm not sure how to track it down without a test case. There are other types of stacks as well, though...
Keywords: testcase-wanted
Could there be a few frames missing? That's reasonably common, given optimization.
(In reply to comment #2)
> Could there be a few frames missing? That's reasonably common, given
> optimization.

Presumably yes, but nsHTMLInputElement's implementation is entirely separate from nsHTMLTextAreaElement, so the former can't call into the latter unless there's an indirect call going on somewhere in between (for example, removing a script blocker running a textarea init function...). And the frames here look an awful lot more like a real bug to me than an unlucky exclusion of a few frames in between...
nsHTMLInputElement::GetSelectionRange and nsHTMLTextAreaElement::GetSelectionRange look exactly the same, though, so the compiler may well have merged them.
(In reply to comment #4)
> nsHTMLInputElement::GetSelectionRange and
> nsHTMLTextAreaElement::GetSelectionRange look exactly the same, though, so the
> compiler may well have merged them.

I didn't know that the compiler would make such an optimization, but yes, both methods are identical, so what you said makes perfect sense...
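The folding explanation from comments 4 and 5, as an added triage example that is not part of the bug report or of Mozilla's tooling: when identical functions are merged, a symbolicated frame can carry either name, so a frame whose class does not match its caller is checked against the other names at the same address. The symbol listing is constructed in nm style with made-up addresses and assumes the symbol table keeps both names; `folded_groups`, `class_of` and `annotate` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed nm-style listing ("address type name"); the addresses are made up.
# Assumption: folded functions keep both names in the table at a single address.
SYMBOLS = """\
10a4f2c0 T nsHTMLInputElement::GetSelectionEnd
10a4f310 T nsHTMLInputElement::GetSelectionRange
10a4f310 T nsHTMLTextAreaElement::GetSelectionRange
10b81a40 T nsTextControlFrame::GetSelectionRange
"""

# Frames 4-7 of the reported stack, innermost first.
FRAMES = [
    "nsTextControlFrame::GetSelectionRange",
    "nsHTMLTextAreaElement::GetSelectionRange",
    "nsHTMLInputElement::GetSelectionEnd",
    "nsIDOMHTMLInputElement_GetSelectionEnd",
]

def folded_groups(nm_text):
    """Map each code symbol to the other symbols that share its address."""
    by_addr = defaultdict(set)
    for line in nm_text.splitlines():
        m = re.match(r"([0-9a-fA-F]+)\s+[TtWw]\s+(\S.*)$", line)
        if m:
            by_addr[int(m.group(1), 16)].add(m.group(2).strip())
    return {n: sorted(names - {n})
            for names in by_addr.values() if len(names) > 1 for n in names}

def class_of(symbol):
    """Class part of 'Class::Method', or None for a free function."""
    return symbol.rsplit("::", 1)[0] if "::" in symbol else None

def annotate(frames, aliases):
    """Pair each frame with the folded alias that fits its caller, if any."""
    out = []
    for i, name in enumerate(frames):
        caller = frames[i + 1] if i + 1 < len(frames) else None
        likely = None
        if caller and name in aliases and class_of(name) != class_of(caller):
            # Prefer the alias that lives in the calling frame's class.
            fits = [a for a in aliases[name] if class_of(a) == class_of(caller)]
            likely = fits[0] if fits else None
        out.append((name, likely))
    return out

if __name__ == "__main__":
    for name, likely in annotate(FRAMES, folded_groups(SYMBOLS)):
        print(name, "(folded; caller suggests %s)" % likely if likely else "")
```

A frame that is flagged this way is explained by folding; a cross-class frame with no alias at its address is the one that still needs the "missing frames or corruption" question answered.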
This is not a regression from bug 534785.
No longer blocks: 534785
Crash Signature: [@ nsPlaintextEditor::Release() ]
There are only 11 reported incidents for nsPlaintextEditor::Release in the past 4 weeks - all on 3.5/3.6. Worksforme?
Whiteboard: Worksforme?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME