Closed Bug 606453 Opened 15 years ago Closed 15 years ago

crash [@ nsRefPtr<nsDOMEventListenerWrapper>::~nsRefPtr<nsDOMEventListenerWrapper>() | nsTArray<nsRefPtr<nsAccessible> >::RemoveElementAt(unsigned int) ]

Categories

(Core :: Disability Access APIs, defect)

Product:
Core
Component:
Disability Access APIs
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: scoobidiver, Assigned: surkov)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file, 2 obsolete files)

patch3
916 bytes, patch
ginnchen+exoracle
: review+
Details | Diff | Splinter Review
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101021 Firefox/4.0b8pre It is a new crash signature. Crashes first appeared in b8pre/20101021 build. It is #26 top crasher in this build. Signature nsRefPtr<nsDOMEventListenerWrapper>::~nsRefPtr<nsDOMEventListenerWrapper>() | nsTArray<nsRefPtr<nsAccessible> >::RemoveElementAt(unsigned int) UUID 28ba8de8-c3d2-40d7-a20d-614ff2101021 Time 2010-10-21 23:23:12.122777 Uptime 2059 Last Crash 22311 seconds (6.2 hours) before submission Install Age 35605 seconds (9.9 hours) since version was first installed. Product Firefox Version 4.0b8pre Build ID 20101021042123 Branch 2.0 OS Windows NT OS Version 6.1.7600 CPU x86 CPU Info GenuineIntel family 6 model 26 stepping 5 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x8 App Notes AdapterVendorID: 10de, AdapterDeviceID: 05e6 Frame Module Signature [Expand] Source 0 xul.dll nsRefPtr<nsDOMEventListenerWrapper>::~nsRefPtr<nsDOMEventListenerWrapper> 1 xul.dll nsTArray<nsRefPtr<nsAccessible> >::RemoveElementAt obj-firefox/dist/include/nsTArray.h:724 2 xul.dll nsAccessible::RemoveChild accessible/src/base/nsAccessible.cpp:2772 3 xul.dll nsAccessible::Shutdown accessible/src/base/nsAccessible.cpp:2646 4 xul.dll nsAccDocManager::ClearDocCacheEntry accessible/src/base/nsAccCache.h:59 5 xul.dll nsBaseHashtable<nsURIHashKey,nsCOMPtr<nsIObserver>,nsIObserver*>::s_EnumStub obj-firefox/dist/include/nsBaseHashtable.h:364 6 xul.dll PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.c:754 7 xul.dll nsBaseHashtable<nsPtrHashKey<void const >,nsRefPtr<nsAccessible>,nsAccessible*>::Enumerate obj-firefox/dist/include/nsBaseHashtable.h:239 8 xul.dll ClearCache<nsAccessible> accessible/src/base/nsAccCache.h:71 9 xul.dll nsAccDocManager::ShutdownDocAccessible accessible/src/base/nsAccDocManager.cpp:146 10 xul.dll nsAccDocManager::ShutdownDocAccessiblesInTree accessible/src/base/nsAccDocManager.cpp:529 The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7aa9763e9d41&tochange=4788083ce564 More reports at: http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsRefPtr%3CnsDOMEventListenerWrapper%3E%3A%3A~nsRefPtr%3CnsDOMEventListenerWrapper%3E%28%29%20|%20nsTArray%3CnsRefPtr%3CnsAccessible%3E%20%3E%3A%3ARemoveElementAt%28unsigned%20int%29
it appears it's regression from bug 570275.
Assignee: nobody → surkov.alexander
Blocks: 570275
It sounds like parent accessible was before the child accessible in the cache and was shutdown already. The child accessible wasn't in children of parent accessible (otherwise parent reference should be cleared on parent shutdown) but has a pointer to the parent (no idea how this can happen). The fix would be check if child->mIndexInParent is valid index in parent children array. Not sure I can keep in mind better approach while I don't have testcase. Ginn, what do you think?
Attached patch patch (obsolete) — Splinter Review
Attachment #485305 - Flags: review?(ginn.chen)
Why not check (aChild->mIndexInParent >= mChildren.Length()) || (mChildren[aChild->mIndexInParent] != aChild)?
(In reply to comment #4) > Why not check > (aChild->mIndexInParent >= mChildren.Length()) || > (mChildren[aChild->mIndexInParent] != aChild)? That's really weird case, I hope it never happens but I'm fine to add protection for it.
Attached patch patch2 (obsolete) — Splinter Review
Attachment #485305 - Attachment is obsolete: true
Attachment #485701 - Flags: review?(ginn.chen)
Attachment #485305 - Flags: review?(ginn.chen)
Comment on attachment 485701 [details] [diff] [review] patch2 hm, this makes us crash with stack from bug 597963 when closing a window (I tried DOMi) - the passed DOM document is null. xul.dll!nsIDocument::GetContainer() Line 799 + 0xb bytes C++ xul.dll!nsAccDocManager::ShutdownDocAccessiblesInTree(nsIDocument * aDocument) Line 97 + 0xc bytes C++ > xul.dll!nsOuterDocAccessible::Shutdown() Line 175 C++ xul.dll!ClearCacheEntry<nsAccessible>(const void * aKey, nsRefPtr<nsAccessible> & aAccessible, void * aUserArg) Line 61 C++ xul.dll!nsBaseHashtable<nsPtrHashKey<void const >,nsRefPtr<nsAccessible>,nsAccessible *>::s_EnumStub(PLDHashTable * table, PLDHashEntryHdr * hdr, unsigned int number, void * arg) Line 364 + 0x1e bytes C++ xul.dll!PL_DHashTableEnumerate(PLDHashTable * table, PLDHashOperator (PLDHashTable *, PLDHashEntryHdr *, unsigned int, void *)* etor, void * arg) Line 754 + 0x19 bytes C xul.dll!nsBaseHashtable<nsPtrHashKey<void const >,nsRefPtr<nsAccessible>,nsAccessible *>::Enumerate(PLDHashOperator (const void *, nsRefPtr<nsAccessible> &, void *)* enumFunc, void * userArg) Line 239 + 0x12 bytes C++ xul.dll!ClearCache<nsAccessible>(nsRefPtrHashtable<nsPtrHashKey<void const >,nsAccessible> & aCache) Line 72 C++ xul.dll!nsDocAccessible::Shutdown() Line 683 + 0xf bytes C++ xul.dll!nsDocAccessibleWrap::Shutdown() Line 291 C++ xul.dll!nsRootAccessible::Shutdown() Line 770 C++ xul.dll!nsAccDocManager::ShutdownDocAccessible(nsIDocument * aDocument) Line 147 C++ xul.dll!nsAccDocManager::ShutdownDocAccessiblesInTree(nsIDocShellTreeItem * aTreeItem, nsIDocument * aDocument) Line 530 C++ xul.dll!nsAccDocManager::ShutdownDocAccessiblesInTree(nsIDocument * aDocument) Line 100 C++ xul.dll!nsAccDocManager::HandleEvent(nsIDOMEvent * aEvent) Line 320 C++
Attachment #485701 - Flags: review?(ginn.chen)
I don't know how these bugs are connected. Maybe we can add more assertions in InsertChildAt and RemoveChild to find out.
I'll debug this one and try to understand what's going wrong here.
Attached patch patch3Splinter Review
that was wrong patch
Attachment #485701 - Attachment is obsolete: true
Attachment #485708 - Flags: review?(ginn.chen)
Attachment #485708 - Flags: review?(ginn.chen) → review+
landed on 2.0 - http://hg.mozilla.org/mozilla-central/rev/851422104158
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsRefPtr<nsDOMEventListenerWrapper>::~nsRefPtr<nsDOMEventListenerWrapper>() | nsTArray<nsRefPtr<nsAccessible> >::RemoveElementAt(unsigned int) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: