Closed Bug 616899 Opened 14 years ago Closed 9 years ago

crash [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)] when using the JavaScript debugger

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: yuhongbao_386, Unassigned, NeedInfo)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file, 1 obsolete file)

The correct minidumps
296.02 KB, application/zip
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 This is about a crash that has been reported to Mozilla using crash ID bp-1eee2c5f-9f1a-45aa-a474-9f2a82101126 and several other crash IDs by me. Note that this is not a duplicate of bug 615958, as the crash is at a different location. Probably a use after free bug, as I have checked using a debugger and mSlots is not null but was pointing at an invalid address. Marking as critical as it really makes using the debugger frustrating at times. Reproducible: Always Steps to Reproduce: 1. Keep stepping using the JavaScript debugger. 2. When it freezes, close all Firefox windows. Actual Results: Crash. Expected Results: Should not freeze at all.
Version: unspecified → 3.6 Branch
OS: Windows Vista → All
Hardware: x86 → All
Hardware: All → x86
assuming mView goes to null when this happens, bug 615958's current patch should fix this. but i'm not sure if that assumption is valid.
Hey guys, Where should this bug go? Core->XP Toolkit/Widgets:XUL? Or wherever the JSD bugs live (jsengine?)
(In reply to comment #1) > assuming mView goes to null when this happens, bug 615958's current patch > should fix this. but i'm not sure if that assumption is valid. Indeed, I just confirmed with a debugger that it is not. In fact, the memory for the this object is filled with 0xf0de7fff
Attached file A crashdump of one crash (obsolete) —
Attached file The correct minidumps
Sorry, last one uploaded was wrong.
Attachment #495429 - Attachment is obsolete: true
xul trees are broken, it's a bug in xul trees. venkman/jsd are not doing anything wrong.
Component: Developer Tools → XP Toolkit/Widgets: XUL
Keywords: crash
Product: Firefox → Core
QA Contact: developer.tools → xptoolkit.xul
Version: 3.6 Branch → 1.9.2 Branch
Version: 1.9.2 Branch → Trunk
Status: UNCONFIRMED → NEW
Depends on: 615958
Ever confirmed: true
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)]
also cf. bug 666277
Crash Signature: [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)] → [@ nsTreeBodyFrame::PrefillPropertyArray(int, nsTreeColumn*)] [@ nsTreeBodyFrame::PrefillPropertyArray]
removing bug 615958 from blocking per comment 3
No longer depends on: 615958
@Jesse: AFAIK the address 0xF0DE7FFF is used to "poison" memory, so this may be a security issue. However, I don't remember where I got that information: do you know what part of the code uses 0xF0DE7FFF to poison memory? I ask because I am seeing crashes at this address during my own fuzzing. Finally, I understand the JavaScript debugger is deprecated - is this still an issue?
Flags: needinfo?(jruderman)
> Finally, I understand the JavaScript debugger is deprecated - is this still > an issue? The JSD v1 API doesn't work any more and the Venkman Javascript debugger is dead. The current remote debugger JSD2 API can be accessed from Firefox Developer Tools. I guess this is a WONTFIX or OBSOLETE
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: