Closed
Bug 615958
Opened 14 years ago
Closed 4 years ago
crash [@ nsTreeBodyFrame::PrefillPropertyArray]
Categories
(Core :: XUL, defect, P5)
Tracking
()
RESOLVED
INCOMPLETE
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | affected |
People
(Reporter: wsmwk, Assigned: timeless)
Details
(Keywords: crash, Whiteboard: [tbird crash][rare])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
16.89 KB,
patch
|
beltzner
:
approval2.0-
|
Details | Diff | Splinter Review |
|
29.77 KB,
patch
|
Details | Diff | Splinter Review |
crash [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)]
bp-02f4c420-91a3-4e5e-8f34-c0fea2101109 (arnold9) Printer hp pssc 2410xi photosmart all-in-one wont print
EXCEPTION_ACCESS_VIOLATION_READ
0x0
0 thunderbird.exe nsTreeBodyFrame::PrefillPropertyArray layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:1991
1 thunderbird.exe nsTreeBodyFrame::GetItemWithinCellAt layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:1532
2 thunderbird.exe nsTreeBodyFrame::GetCellAt layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:1708
3 thunderbird.exe nsTreeBodyFrame::GetCursor layout/xul/base/src/tree/src/nsTreeBodyFrame.cpp:2554
4 thunderbird.exe nsEventStateManager::UpdateCursor content/events/src/nsEventStateManager.cpp:3379
5 thunderbird.exe nsEventStateManager::PreHandleEvent content/events/src/nsEventStateManager.cpp:1131
6 thunderbird.exe PresShell::HandleEventInternal layout/base/nsPresShell.cpp:6508
7 thunderbird.exe PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6364
8 thunderbird.exe PresShell::HandleEvent layout/base/nsPresShell.cpp:6228
9 thunderbird.exe nsViewManager::HandleEvent view/src/nsViewManager.cpp:1224
10 thunderbird.exe nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1203
11 thunderbird.exe HandleEvent view/src/nsView.cpp:167
|
Reporter | |
Updated•14 years ago
|
Component: General → Layout
Product: Thunderbird → Core
QA Contact: general → layout
mView is null, and it's often null and usually null checked...
Component: Layout → XP Toolkit/Widgets: XUL
QA Contact: layout → xptoolkit.xul
1967 nsTreeBodyFrame::PrefillPropertyArray(PRInt32 aRowIndex, nsTreeColumn* aCol)
1968 {
1969 NS_PRECONDITION(!aCol || aCol->GetFrame(this), "invalid column passed");
we should crash here if mScratchArray is null:
1970 mScratchArray->Clear();
1971
1972 // focus
1973 if (mFocused)
1974 mScratchArray->AppendElement(nsGkAtoms::focus);
1975
1976 // sort
1977 PRBool sorted = PR_FALSE;
we should crash here if mView is null:
1978 mView->IsSorted(&sorted);
isSorted() can be js, at which point all assumptions we've made to this point cease to be valid.
1979 if (sorted)
1980 mScratchArray->AppendElement(nsGkAtoms::sorted);
1981
1982 // drag session
1983 if (mSlots && mSlots->mDragSession)
1984 mScratchArray->AppendElement(nsGkAtoms::dragSession);
1985
1986 if (aRowIndex != -1) {
we crashed somewhere after this line:
1987 if (aRowIndex == mMouseOverRow)
1988 mScratchArray->AppendElement(nsGkAtoms::hover);
1989
1990 nsCOMPtr<nsITreeSelection> selection;
1991 mView->GetSelection(getter_AddRefs(selection));
and not later than this line.
But we've already crashed earlier for both.
I think that we probably need to recheck mView and friends after 1978.
|
||
Comment 3•14 years ago
|
||
BTW, the JavaScript debugger often causes this crash.
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #495350 -
Flags: review?(neil)
Attachment #495350 -
Flags: approval2.0?
|
||
Comment 5•14 years ago
|
||
Comment on attachment 495350 [details] [diff] [review]
patch
The only way that mScratchArray can disappear is if we are destroyed in which case testing for mScratchArray is the least of our worries.
|
|
||
Comment 6•14 years ago
|
||
Comment on attachment 495350 [details] [diff] [review]
patch
All the consumers of PrefillPropertyArray immediately hit mView so this will just move the crash.
Attachment #495350 -
Flags: review?(neil) → review-
Attachment #495350 -
Attachment is obsolete: true
Attachment #495383 -
Flags: review?(neil)
Attachment #495383 -
Flags: approval2.0?
Attachment #495350 -
Flags: approval2.0?
|
|
||
Updated•14 years ago
|
Attachment #495383 -
Flags: feedback?(enndeakin)
|
|
||
Comment 8•14 years ago
|
||
(In reply to comment #3)
> BTW, the JavaScript debugger often causes this crash.
Actually, it doesn't. It crashes at a different location. I may file a new bug later.
|
||
Comment 9•14 years ago
|
||
Comment on attachment 495383 [details] [diff] [review]
mView guards
>@@ -1056,8 +1060,10 @@ nsresult
> nsTreeBodyFrame::GetCellAt(PRInt32 aX, PRInt32 aY, PRInt32* aRow, nsITreeColumn** aCol,
> nsACString& aChildElt)
> {
>- if (!mView)
>+ if (!mView) {
>+ *aRow = -1;
> return NS_OK;
Set the other out parameters as well?
For much of the rest of the checks, it would seem clearer to check mView for null before using it, rather than after it
|
||
Comment 10•14 years ago
|
||
Comment on attachment 495383 [details] [diff] [review]
mView guards
r+ before a?, please
Attachment #495383 -
Flags: approval2.0? → approval2.0-
|
|
||
Updated•14 years ago
|
Attachment #495383 -
Flags: feedback?(enndeakin)
|
||
Updated•14 years ago
|
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)]
|
|
Reporter | |
Comment 11•13 years ago
|
||
different thunderbird users report trying to access/use addons
bp-56ee7f0a-afff-4d9e-85f1-c92682120416
bp-cebcef33-8261-49e5-bf69-b573e2120410
bp-54c3bca6-03fb-435b-8bdf-555d92120319
bp-1e49ddba-d095-4f2d-aa0e-aa0652120127
bp-5e98773f-ff5b-4837-98d5-98fb32120120
but it's still la small percentage of crashes that mentions addons
And there are way more Thunderbird crashes than FFirefox
Whiteboard: [tbird crash] → [tbird topcrash]
|
|
Reporter | |
Comment 12•13 years ago
|
||
highest percentage of comments cites using calendar tabs.
|
||
Comment 13•13 years ago
|
||
Neil Ping review
|
||
Comment 14•12 years ago
|
||
It's #204 top crasher in TB 17.0.
Whiteboard: [tbird topcrash] → [tbird crash]
|
||
Comment 15•12 years ago
|
||
Saving this here. Just rebased to apply to current. No other changes.
|
||
Updated•9 years ago
|
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)] → [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)]
[@ nsTreeBodyFrame::PrefillPropertyArray]
|
|
Reporter | |
Comment 16•9 years ago
|
||
Timothy,
Thanks for the rebased patch.
Had you seen this crash?
Do you have an opionion regarding viability of the patch?
Flags: needinfo?(tnikkel)
|
|
||
Comment 17•9 years ago
|
||
I don't remember what prompted me to rebase the patch. I don't think I saw the crash. Maybe I was trying to fix some intermittent failures in automation or something I found in crash-stats.
Patch might be a little overkill. If we could add the null checks where we actually need them only that would be better.
crash-stats has a bunch of low volume crashes in various nsTreeBodyFrame functions
https://crash-stats.mozilla.com/search/?signature=~nsTreeBodyFrame&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Do you want to create a patch adding a null check for each signature?
Flags: needinfo?(tnikkel) → needinfo?(vseerror)
|
|
Reporter | |
Comment 18•9 years ago
|
||
Sorry, I'm not knowledgable to make a patch. Just trying to move the bug forward.
Looking at your query, many Thunderbird crash stacks are a mess.
Flags: needinfo?(vseerror)
|
||
Comment 19•7 years ago
|
||
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL
|
|
Reporter | |
Comment 20•7 years ago
|
||
Let's ask m_kato about comment 17. recent crash for reference bp-bfc79cc9-7cb3-4dc5-a786-14e1b0180615 and bp-8984bd5f-7ef7-4736-ad11-85c3c0180520, which are still a mess, as first mentioned in comment 18. Perhaps add-on related? https://crash-stats.mozilla.com/report/index/8984bd5f-7ef7-4736-ad11-85c3c0180520#tab-extensions has 76 add-ons! (seriously)
A different signature isn't quite such a mess nsTreeBodyFrame::GetSelectionRegion bp-f1672e22-2b76-4827-8b4c-e03a70180529
Flags: needinfo?(m_kato)
|
||
Comment 21•7 years ago
|
||
(In reply to Wayne Mery (:wsmwk) from comment #20)
> Let's ask m_kato about comment 17. recent crash for reference
> bp-bfc79cc9-7cb3-4dc5-a786-14e1b0180615 and
> bp-8984bd5f-7ef7-4736-ad11-85c3c0180520, which are still a mess, as first
> mentioned in comment 18. Perhaps add-on related?
> https://crash-stats.mozilla.com/report/index/8984bd5f-7ef7-4736-ad11-
> 85c3c0180520#tab-extensions has 76 add-ons! (seriously)
I guess that this is timing issue after frame (tree view) is destroyed. But If addon uses XUL's tree view, it is related. Maybe, Firefox doesn't use it now (and we are removing XUL code), so this is only on Thunderbird (and Seamonkey?).
> A different signature isn't quite such a mess
> nsTreeBodyFrame::GetSelectionRegion bp-f1672e22-2b76-4827-8b4c-e03a70180529
Same issue. mView is null.
Flags: needinfo?(m_kato)
|
|
Reporter | |
Comment 22•7 years ago
|
||
(In reply to Makoto Kato [:m_kato] from comment #21)
> (In reply to Wayne Mery (:wsmwk) from comment #20)
> > ...
> > A different signature isn't quite such a mess
> > nsTreeBodyFrame::GetSelectionRegion bp-f1672e22-2b76-4827-8b4c-e03a70180529
>
> Same issue. mView is null.
If you are willing to submit a patch that hits a couple locations [1] as mentioned in comment 17 would be great. But if you are not (and I wouldn't hold it against you) then we should just close this, because I don't foresee anyone else doing it from being virtually Thunderbird only, low crash rate and xul going away - well, some day.
[1] https://crash-stats.mozilla.com/search/?signature=~nsTreeBodyFrame&date=%3E%3D2018-04-08T19%3A22%3A18.000Z&date=%3C2018-07-08T19%3A22%3A18.000Z&_sort=-email&_sort=-user_comments&_sort=-date&_facets=signature&_facets=platform_version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=user_comments#crash-reports
Flags: needinfo?(m_kato)
|
|
||
Comment 23•7 years ago
|
||
Since this crash rate is low volume, I don't think this has to be fixed soon. And we going away from XUL, so this is low priority now at least.
Flags: needinfo?(m_kato)
|
||
Comment 24•6 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
|
|
||
Comment 25•6 years ago
|
||
Closing because no crashes reported for 12 weeks.
|
||
Comment 26•6 years ago
|
||
There are still some crashes so reopen it.
|
|
Reporter | |
Comment 27•6 years ago
|
||
Historically, and still today, the vast majority of crashes are Thunderbird. But most of those crashes are old versions [1]. In the past month there are only 5 crashes with current versions and one of those has bitdefender, which is known to cause issues. With such a low crash rate, I suggest this bug is no longer interesting nor actionable.
[1] https://crash-stats.mozilla.com/signature/?product=Thunderbird&signature=nsTreeBodyFrame%3A%3APrefillPropertyArray&date=%3E%3D2018-10-07T08%3A19%3A58.000Z&date=%3C2019-01-07T07%3A19%3A58.000Z#graphs
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)]
[@ nsTreeBodyFrame::PrefillPropertyArray] → [@ nsTreeBodyFrame::PrefillPropertyArray]
Flags: needinfo?(enndeakin)
Summary: crash [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)] → crash [@ nsTreeBodyFrame::PrefillPropertyArray]
|
|
||
Updated•6 years ago
|
Severity: critical → normal
Flags: needinfo?(enndeakin)
Priority: -- → P5
|
|
Reporter | |
Comment 28•5 years ago
|
||
Most of the old crashes referred to in comment 27 were probably version 52. The crash volume of version 68 is also much reduced compared to the prior version 60
Whiteboard: [tbird crash] → [tbird crash][rare]
|
|
Reporter | |
Comment 29•4 years ago
|
||
Only a couple crashes per month for version 78, and even fewer user. Probably not actionable.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 4 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•