633123 - Occasional crash [@ nsNodeUtils::LastRelease(nsINode*)]

Status: RESOLVED DUPLICATE of bug 635420

(Core :: DOM: Core & HTML, defect)

Description

[neil@parkwaycc.co.uk]

I've only had this crash twice, presumably it's pretty intermittent.

Stack backtrace:
nsNodeUtils::LastRelease [nsnodeutils.cpp @ 252]
nsDocument::Release [nsdocument.cpp @ 1743]
nsHTMLDocument::Release [nshtmldocument.cpp @ 310]
XPCWrappedNative::~XPCWrappedNative [xpcwrappednative.cpp @ 958]
XPCWrappedNative::`scalar deleting destructor'
XPCWrappedNative::Release [xpcwrappednative.cpp @ 1253]
XPCWrappedNative::FlatJSObjectFinalized [xpcwrappednative.cpp @ 1398]
XPC_WN_NoHelper_Finalize [xpcwrappednativejsops.cpp @ 675]
JSObject::finalize [jsobjinlines.h @ 135]
FinalizeArenaList<JSObject_Slots2> [jsgc.cpp @ 1954]
JSCompartment::finalizeObjectArenaLists [jsgc.cpp @ 2014]
MarkAndSweep [jsgc.cpp @ 2463]
GCUntilDone [jsgc.cpp @ 2728]
js_GC [jsgc.cpp @ 2799]
JS_GC [jsapi.cpp @ 2565]
nsXPConnect::Collect [nsxpconnect.cpp @ 407]
nsXPConnect::GarbageCollect [nsxpconnect.cpp @ 416]
nsJSContext::CC [nsjsenvironment.cpp @ 3408]
nsJSContext::IntervalCC [nsjsenvironment.cpp @ 3496]
nsJSContext::MaybeCC [nsjsenvironment.cpp @ 3465]
nsJSContext::CCIfUserInactive [nsjsenvironment.cpp @ 3475]
nsJSContext::LoadEnd [nsjsenvironment.cpp @ 3554]
DocumentViewerImpl::LoadComplete [nsdocumentviewer.cpp @ 1099]
nsDocShell::EndPageLoad [nsdocshell.cpp @ 6075]
nsDocShell::OnStateChange [nsdocshell.cpp @ 5929]
nsDocLoader::FireOnStateChange [nsdocloader.cpp @ 1335]
nsDocLoader::doStopDocumentLoad [nsdocloader.cpp @ 953]
nsDocLoader::DocLoaderIsEmpty [nsdocloader.cpp @ 820]
nsDocLoader::OnStopRequest [nsdocloader.cpp @ 705]
nsLoadGroup::RemoveRequest [nsloadgroup.cpp @ 680]
imgRequestProxy::RemoveFromLoadGroup [imgrequestproxy.cpp @ 231]
imgRequestProxy::OnStopRequest [imgrequestproxy.cpp @ 729]
imgStatusTracker::SendStopRequest [imgstatustracker.cpp @ 524]
imgRequest::OnStopRequest [imgrequest.cpp @ 957]
ProxyListener::OnStopRequest [imgloader.cpp @ 2009]
imgCacheValidator::OnStopRequest [imgloader.cpp @ 2165]
nsStreamListenerTee::OnStopRequest [nsstreamlistenertee.cpp @ 71]
nsHttpChannel::OnStopRequest [nshttpchannel.cpp @ 4033]
nsInputStreamPump::OnStateStop [nsinputstreampump.cpp @ 579]
nsInputStreamPump::OnInputStreamReady [nsinputstreampump.cpp @ 403]
nsInputStreamReadyEvent::Run [nsstreamutils.cpp @ 113]
nsThread::ProcessNextEvent [nsthread.cpp @ 633]
NS_ProcessNextEvent_P [nsthreadutils.cpp @ 250]
nsBaseAppShell::Run [nsbaseappshell.cpp @ 195]
nsAppShell::Run [nsappshell.cpp @ 258]
nsAppStartup::Run [nsappstartup.cpp @ 220]
XRE_main [cpp @ 3762]
NS_internal_main [nssuiteapp.cpp @ 103]
wmain [nswindowswmain.cpp @ 128]
__tmainCRTStartup
wmainCRTStartup

Code at crash:
NS_OBSERVER_ARRAY_NOTIFY_OBSERVERS(slots->mMutationObservers,
                                   nsIMutationObserver,
                                   NodeWillBeDestroyed, (aNode));
(NS_OBSERVER_ARRAY_NOTIFIY_OBSERVERS expands to)
nsTObserverArray<obstype_ *>::ForwardIterator iter_(array_);
obstype_* obs_;
while (iter_.HasMore()) {
  obs_ = iter_.GetNext();
  obs_ -> func_ params_ ; // crashes here
}

Local variables:
iter_.mPosition = 2
slots->mMutationObservers.mArray.mHdr->Length = 2
obs_ = 0xCDCDCDCD

Oops!

Note that if I change the instruction pointer to the start of the while loop then HasMore() returns false.

Comment 1

[neil@parkwaycc.co.uk]

I don't know whether it's the same crash that I'm still having, but during testing for bug 635420 I noticed that with changeset 64fdcad8cb11 I get a crash soon after opening and closing the editor window.

(In reply to comment #0)
> Note that if I change the instruction pointer to the start of the while loop
> then HasMore() returns false.
That's unsurprising, since GetNext() advanced the index. But debugging my new crash shows the second observer pointing into deleted memory. (I don't know whether the first observer deleted the second observer or not.)