Closed Bug 612887 Opened 9 years ago Closed 9 years ago

crash [@ nsSHistory::RemoveEntries(nsTArray<unsigned __int64, nsTArrayDefaultAllocator>&, int) ]

Categories

(Core :: DOM: Navigation, defect, critical)

x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: scoobidiver, Assigned: smaug)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This is a new crash signature that was introduced in 4.0b8pre/20101115 build.
It is #21 top crasher in 4.0b8pre/20101116 build.

Signature	nsSHistory::RemoveEntries(nsTArray<unsigned __int64, nsTArrayDefaultAllocator>&, int)
UUID	572cb174-74d6-4b2a-b8b7-7162b2101117
Time 	2010-11-17 07:19:40.796508
Uptime	110
Last Crash	112 seconds before submission
Install Age	19527 seconds (5.4 hours) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101116042306
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	AuthenticAMD family 16 model 4 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_EXEC
Crash Address	0x6a3aae0
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0393

Frame 	Module 	Signature [Expand] 	Source
0 		@0x6a3aae0 	
1 	xul.dll 	nsSHistory::RemoveEntries 	docshell/shistory/src/nsSHistory.cpp:1235
2 	xul.dll 	nsDocShell::RemoveFromSessionHistory 	docshell/base/nsDocShell.cpp:3472
3 	xul.dll 	nsFrameLoader::Destroy 	
4 	xul.dll 	nsGenericHTMLFrameElement::UnbindFromTree 	content/html/content/src/nsGenericHTMLElement.cpp:3169
5 	xul.dll 	nsINode::doRemoveChildAt 	content/base/src/nsGenericElement.cpp:3695
6 	xul.dll 	nsGenericElement::RemoveChildAt 	content/base/src/nsGenericElement.cpp:3637
7 	xul.dll 	nsINode::ReplaceOrInsertBefore 	
8 	xul.dll 	nsIDOMNode_AppendChild 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5463
9 	xul.dll 	nsIDOMNode_AppendChild 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5468
10 	mozjs.dll 	JS_DHashClearEntryStub 	js/src/jsdhash.cpp:175
11 	mozjs.dll 	js_StopResolving 	js/src/jscntxt.cpp:1307
12 	mozjs.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:5068
13 	mozjs.dll 	InlineGetProp 	js/src/methodjit/StubCalls.cpp:1985
14 		@0x508997f 	
15 	mozjs.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:147
16 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:739
17 	mozjs.dll 	CheckStackAndEnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:764
18 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:781
19 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:662
20 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:768
21 	mozjs.dll 	js::ExternalInvoke 	js/src/jsinterp.cpp:881
22 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4908
23 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1694
24 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:577
25 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
26 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
27 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1114

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=674f2ed15cea&tochange=edf41ff32f08

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsSHistory%3A%3ARemoveEntries%28nsTArray%3Cunsigned%20__int64%2C%20nsTArrayDefaultAllocator%3E%26%2C%20int%29
blocking2.0: --- → ?
Olli, can you investigate this?
Assignee: nobody → Olli.Pettay
blocking2.0: ? → betaN+
I wish c-s.m.c stack traces would be a bit more useful...
This is truly a guess fix, but IMO should be done anyway.
The stack traces don't give enough information about the crash :/
Attachment #491499 - Flags: review?(jst)
Comment on attachment 491499 [details] [diff] [review]
guess fix [checked in]

Sounds good to me.
Attachment #491499 - Flags: review?(jst) → review+
I pushed http://hg.mozilla.org/mozilla-central/rev/7e22b1719901
but won't mark this fixed, since it is not sure that the patch fixes the problem.
Will look at c-s.m.c.
Depends on: 614499
Attachment #491499 - Attachment description: guess fix → guess fix [checked in]
Marking this fixed since I don't see the crashes anymore in c-s.m.c.
Though, I think the fix was bug 612887.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Er, bug 614499
Crash Signature: [@ nsSHistory::RemoveEntries(nsTArray<unsigned __int64, nsTArrayDefaultAllocator>&, int) ]
You need to log in before you can comment on or make changes to this bug.