Closed Bug 635952 Opened 9 years ago Closed 9 years ago

crash [@ NotificationController::IsTreeConstructed] on shutdown

Categories: Core :: Disability Access APIs, defect, critical
Platform: x86, Linux
Status: RESOLVED FIXED (mozilla5)
Tracking Status: blocking2.0 --- .x+
People: Reporter: fherrera, Assigned: tbsaunde
References: Blocks 1 open bug
Keywords: crash
Attachments: 3 files

#0  0x00167416 in __kernel_vsyscall ()
#1  0x05c92086 in nanosleep () from /lib/libc.so.6
#2  0x05c91ea4 in sleep () from /lib/libc.so.6
#3  0x00674c61 in ah_crap_handler (signum=11) at /home/fer/code/mozilla/toolkit/xre/nsSigHandlers.cpp:132
#4  0x00677a50 in nsProfileLock::FatalSignalHandler (signo=11, info=0xbf95eabc, context=0xbf95eb3c) at nsProfileLock.cpp:226
#5  <signal handler called>
#6  0x05855dc0 in NotificationController::IsTreeConstructed (this=0x0) at /home/fer/code/mozilla/accessible/src/base/NotificationController.h:135
#7  0x058505a1 in nsDocAccessible::GetStateInternal (this=0xac55a200, aState=0xbf95f08c, aExtraState=0x0) at /home/fer/code/mozilla/accessible/src/base/nsDocAccessible.cpp:326
#8  0x0588270b in nsRootAccessible::GetStateInternal (this=0xac55a200, aState=0xbf95f08c, aExtraState=0x0) at /home/fer/code/mozilla/accessible/src/base/nsRootAccessible.cpp:190
#9  0x058754d1 in nsAccessible::GetState (this=0xac55a200, aState=0xbf95f08c, aExtraState=0x0) at /home/fer/code/mozilla/accessible/src/base/nsAccessible.cpp:1524
#10 0x0583b85b in nsAccUtils::State (aAcc=0xac55a214) at /home/fer/code/mozilla/accessible/src/base/nsAccUtils.h:305
#11 0x058848f7 in nsRootAccessible::GetContentDocShell (this=0xac55a200, aStart=0xa7b2149c) at /home/fer/code/mozilla/accessible/src/base/nsRootAccessible.cpp:811
#12 0x05884abd in nsRootAccessible::GetContentDocShell (this=0xac55a200, aStart=0xad402c9c) at /home/fer/code/mozilla/accessible/src/base/nsRootAccessible.cpp:831
#13 0x05884c8f in nsRootAccessible::GetRelationByType (this=0xac55a200, aRelationType=10, aRelation=0xbf95f230) at /home/fer/code/mozilla/accessible/src/base/nsRootAccessible.cpp:855
#14 0x058b427b in refRelationSetCB (aAtkObj=0xac8b88e0 [MaiAtkType201]) at /home/fer/code/mozilla/accessible/src/atk/nsAccessibleWrap.cpp:989
#15 0x00c7eff6 in atk_object_ref_relation_set () from /usr/lib/libatk-1.0.so.0
#16 0x07ab0110 in impl_accessibility_accessible_get_relation_set (servant=0xa452d324, ev=0xbf95f560) at accessible.c:361
#17 0x07aacd37 in _ORBIT_skel_small_Accessibility_Accessible_getRelationSet (_o_servant=0xa452d324, _o_retval=0xbf95f418, _o_args=0x0, _o_ctx=0xbf95f3fc, _o_ev=0xbf95f560, _impl_getRelationSet=0x7ab00e0 <impl_accessibility_accessible_get_relation_set>) at Accessibility-common.c:128
#18 0x07bacd58 in ORBit_POAObject_invoke (pobj=0xa452d400, ret=0xbf95f418, args=0x0, ctx=0xbf95f3fc, data=0xbf95f48c, ev=0xbf95f560) at poa.c:1148
#19 0x07bb3b96 in ORBit_OAObject_invoke (adaptor_obj=0xa452d400, ret=0xbf95f418, args=0x0, ctx=0xbf95f3fc, data=0xbf95f48c, ev=0xbf95f560) at orbit-adaptor.c:340
#20 0x07b9f2d4 in ORBit_small_invoke_adaptor (adaptor_obj=0xa452d400, recv_buffer=0xa316e940, m_data=0x7acf320, data=0xbf95f48c, ev=0xbf95f560) at orbit-small.c:846
#21 0x07baee6a in ORBit_POAObject_handle_request (pobj=0xa452d400, opname=0xa316e9ec "getRelationSet", ret=0x0, args=0x0, ctx=0x0, recv_buffer=0xa316e940, ev=0xbf95f560) at poa.c:1357
#22 0x07baf557 in ORBit_POAObject_invoke_incoming_request (pobj=0xa452d400, recv_buffer=0xa316e940, opt_ev=0xbf95f560) at poa.c:1427
#23 0x07baf6f5 in ORBit_POA_handle_request (poa=0xb7617600, recv_buffer=0xa316e940, objkey=0xa316e958) at poa.c:1649
#24 0x07bb3a51 in ORBit_handle_request (orb=0xb76b7fc0, recv_buffer=0xa316e940) at orbit-adaptor.c:300
#25 0x07b9ba45 in giop_connection_handle_input (lcnx=0xa313a1f0 [GIOPConnection]) at giop-recv-buffer.c:1312
#26 0x07bbab0a in link_connection_io_handler (gioc=0x0, condition=G_IO_IN, data=0xa313a1f0) at linc-connection.c:1475
#27 0x07bbd9f7 in link_source_dispatch (source=0xa313a380, callback=0x7bba9f0 <link_connection_io_handler>, user_data=0xa313a1f0) at linc-source.c:164
#28 0x00d8f192 in g_main_dispatch (context=0xb7617380) at gmain.c:2149
#29 g_main_context_dispatch (context=0xb7617380) at gmain.c:2702
#30 0x00d8f978 in g_main_context_iterate (context=0xb7617380, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2780
#31 0x00d8fc35 in g_main_context_iteration (context=0xb7617380, may_block=1) at gmain.c:2843
#32 0x07bb8d68 in link_main_iteration (block_for_reply=1) at linc.c:285
#33 0x07b9afb4 in giop_recv_buffer_get (ent=0xbf95f8d0, timeout=0xbf95f8e8) at giop-recv-buffer.c:727
#34 0x07b9efaf in ORBit_small_invoke_stub (obj=0xafee8160, m_data=0x7acfb20, ret=0x0, args=0xbf95f9dc, ctx=0x0, ev=0xc1dd80) at orbit-small.c:660
#35 0x07b9f1d6 in ORBit_small_invoke_stub_n (object=0xafee8160, methods=0x7acfc64, index=0, ret=0x0, args=0xbf95f9dc, ctx=0x0, ev=0xc1dd80) at orbit-small.c:577
#36 0x07bb2215 in ORBit_c_stub_invoke (obj=0xafee8160, methods=0x7acfc64, method_index=0, ret=0x0, args=0xbf95f9dc, ctx=0x0, ev=0xc1dd80, class_id=0, method_offset=4, skel_impl=0x7aad210 <_ORBIT_skel_small_Accessibility_EventListener_notifyEvent>) at poa.c:2650
#37 0x07a96795 in Accessibility_EventListener_notifyEvent (_obj=0xafee8160, e=0xbf95fa14, ev=0xc1dd80) at Accessibility-stubs.c:422
#38 0x00c1a65c in spi_atk_emit_eventv (gobject=0xafec3dc0 [MaiAtkObject], detail1=1, detail2=0, any=0xbf95fab0, format=0xc1c077 "object:%s:%s") at bridge.c:805
#39 0x00c1b64a in spi_atk_bridge_signal_listener (signal_hint=0xbf95fb70, n_param_values=3, param_values=0xa33f7dc0, data=0xafebd2e0) at bridge.c:1233
#40 0x005b39e3 in signal_emit_unlocked_R (node=0xafec3b20, detail=521, instance=0xafec3dc0, emission_return=0x0, instance_and_params=0xa33f7dc0) at gsignal.c:3218
#41 0x005bd24e in g_signal_emit_valist (instance=0xafec3dc0, signal_id=200, detail=521, var_args=0xbf95fdc0 "") at gsignal.c:2983
#42 0x005bd585 in g_signal_emit_by_name (instance=0xafec3dc0, detailed_signal=0x5922640 "children_changed::remove") at gsignal.c:3077
#43 0x058b85dc in nsApplicationAccessibleWrap::RemoveChild (this=0xafe4a380, aChild=0xac55a200) at /home/fer/code/mozilla/accessible/src/atk/nsApplicationAccessibleWrap.cpp:691
#44 0x0585191f in nsDocAccessible::Shutdown (this=0xac55a200) at /home/fer/code/mozilla/accessible/src/base/nsDocAccessible.cpp:658
#45 0x05884846 in nsRootAccessible::Shutdown (this=0xac55a200) at /home/fer/code/mozilla/accessible/src/base/nsRootAccessible.cpp:785
#46 0x058420f4 in nsAccDocManager::HandleEvent (this=0xad4099c0, aEvent=0xa33f7d40) at /home/fer/code/mozilla/accessible/src/base/nsAccDocManager.cpp:306
#47 0xb5dc5c42 in nsEventListenerManager::HandleEventSubType (this=0xafea16a0, aListenerStruct=0xa7ba27d0, aListener=0xad4099c4, aDOMEvent=0xa33f7d40, aCurrentTarget=0xb148e0dc, aPhaseFlags=4, aPusher=0xbf960228) at /home/fer/code/mozilla/content/events/src/nsEventListenerManager.cpp:1127
#48 0xb5dc6025 in nsEventListenerManager::HandleEventInternal (this=0xafea16a0, aPresContext=0x0, aEvent=0xa312e370, aDOMEvent=0xbf960240, aCurrentTarget=0xb148e0dc, aFlags=4, aEventStatus=0xbf960244, aPusher=0xbf960228) at /home/fer/code/mozilla/content/events/src/nsEventListenerManager.cpp:1222
#49 0xb5df04bc in nsEventListenerManager::HandleEvent (this=0xafea16a0, aPresContext=0x0, aEvent=0xa312e370, aDOMEvent=0xbf960240, aCurrentTarget=0xb148e0dc, aFlags=4, aEventStatus=0xbf960244, aPusher=0xbf960228) at /home/fer/code/mozilla/content/events/src/nsEventListenerManager.h:146
#50 0xb5df097e in nsEventTargetChainItem::HandleEvent (this=0xb2cd4060, aVisitor=..., aFlags=4, aMayHaveNewListenerManagers=0, aPusher=0xbf960228) at /home/fer/code/mozilla/content/events/src/nsEventDispatcher.cpp:212
#51 0xb5dee55e in nsEventTargetChainItem::HandleEventTargetChain (this=0xb2cd4060, aVisitor=..., aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=0, aPusher=0xbf960228) at /home/fer/code/mozilla/content/events/src/nsEventDispatcher.cpp:311
#52 0xb5def307 in nsEventDispatcher::Dispatch (aTarget=0xb6962f74, aPresContext=0x0, aEvent=0xa312e370, aDOMEvent=0xa33f7d40, aEventStatus=0x0, aCallback=0x0, aTargets=0x0) at /home/fer/code/mozilla/content/events/src/nsEventDispatcher.cpp:628
#53 0xb5def6ba in nsEventDispatcher::DispatchDOMEvent (aTarget=0xb6962f74, aEvent=0x0, aDOMEvent=0xa33f7d40, aPresContext=0x0, aEventStatus=0x0) at /home/fer/code/mozilla/content/events/src/nsEventDispatcher.cpp:691
#54 0xb5cc09a1 in nsDocument::DispatchPageTransition (this=0xafe7fc00, aDispatchTarget=0xb6962f74, aType=..., aPersisted=0) at /home/fer/code/mozilla/content/base/src/nsDocument.cpp:7358
#55 0xb5cc0f0c in nsDocument::OnPageHide (this=0xafe7fc00, aPersisted=0, aDispatchStartTarget=0x0) at /home/fer/code/mozilla/content/base/src/nsDocument.cpp:7469
#56 0xb5996fba in DocumentViewerImpl::PageHide (this=0xaca2ce20, aIsUnload=1) at /home/fer/code/mozilla/layout/base/nsDocumentViewer.cpp:1282
#57 0x08f33b16 in nsDocShell::FirePageHideNotification (this=0xad402c00, aIsUnload=1) at /home/fer/code/mozilla/docshell/base/nsDocShell.cpp:1520
#58 0x08f3f179 in nsDocShell::Destroy (this=0xad402c00) at /home/fer/code/mozilla/docshell/base/nsDocShell.cpp:4524
#59 0x025511a2 in nsXULWindow::Destroy (this=0xafebca60) at /home/fer/code/mozilla/xpfe/appshell/src/nsXULWindow.cpp:528
#60 0x02564396 in nsWebShellWindow::Destroy (this=0xafebca60) at /home/fer/code/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp:832
#61 0x02562e24 in nsWebShellWindow::HandleEvent (aEvent=0xbf9607c8) at /home/fer/code/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp:416
#62 0x0113f1a8 in nsWindow::DispatchEvent (this=0xad436320, aEvent=0xbf9607c8, aStatus=@0xbf9607fc) at /home/fer/code/mozilla/widget/src/gtk2/nsWindow.cpp:563
#63 0x0114373e in nsWindow::OnDeleteEvent (this=0xad436320, aWidget=0xb2c87b30 [GtkWindow], aEvent=0xa33742e0) at /home/fer/code/mozilla/widget/src/gtk2/nsWindow.cpp:2399
#64 0x0114b6c4 in delete_event_cb (widget=0xb2c87b30 [GtkWindow], event=0xa33742e0) at /home/fer/code/mozilla/widget/src/gtk2/nsWindow.cpp:5553
#65 0x07364718 in _gtk_marshal_BOOLEAN__BOXED (closure=0xb1ec4be0, return_value=0xbf960994, n_param_values=2, param_values=0xa313dbe0, invocation_hint=0xbf960980, marshal_data=0x114b667) at gtkmarshalers.c:86
#66 0x005a1be3 in g_closure_invoke (closure=0xb1ec4be0, return_value=0xbf960994, n_param_values=2, param_values=0xa313dbe0, invocation_hint=0xbf960980) at gclosure.c:766
#67 0x005b40f0 in signal_emit_unlocked_R (node=0xb7695790, detail=0, instance=0xb2c87b30, emission_return=0xbf960acc, instance_and_params=0xa313dbe0) at gsignal.c:3252
#68 0x005bcfcd in g_signal_emit_valist (instance=0xb2c87b30, signal_id=39, detail=0, var_args=0xbf960b40 "l\v\226\277") at gsignal.c:2993
#69 0x005bd403 in g_signal_emit (instance=0xb2c87b30, signal_id=39, detail=0) at gsignal.c:3040
#70 0x074b4b1e in gtk_widget_event_internal (widget=0xb2c87b30 [GtkWindow], event=0xa33742e0) at gtkwidget.c:4992
#71 0x07362ae0 in IA__gtk_main_do_event (event=0xa33742e0) at gtkmain.c:1567
#72 0x00cf138b in gdk_event_dispatch (source=0xb7638d00, callback=0, user_data=0x0) at gdkevents-x11.c:2377
#73 0x00d8f192 in g_main_dispatch (context=0xb7616600) at gmain.c:2149
#74 g_main_context_dispatch (context=0xb7616600) at gmain.c:2702
#75 0x00d8f978 in g_main_context_iterate (context=0xb7616600, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2780
#76 0x00d8fc35 in g_main_context_iteration (context=0xb7616600, may_block=1) at gmain.c:2843
#77 0x01155c61 in nsAppShell::ProcessNextNativeEvent (this=0xb4ead1f0, mayWait=1) at /home/fer/code/mozilla/widget/src/gtk2/nsAppShell.cpp:144
#78 0x0118216f in nsBaseAppShell::DoProcessNextNativeEvent (this=0xb4ead1f0, mayWait=1) at /home/fer/code/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:173
#79 0x0118259b in nsBaseAppShell::OnProcessNextEvent (this=0xb4ead1f0, thr=0xb76d6160, mayWait=1, recursionDepth=0) at /home/fer/code/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:333
#80 0x0025ee61 in nsThread::ProcessNextEvent (this=0xb76d6160, mayWait=1, result=0xbf960e7c) at /home/fer/code/mozilla/xpcom/threads/nsThread.cpp:597
#81 0x001dd2c7 in NS_ProcessNextEvent_P (thread=0xb76d6160, mayWait=1) at nsThreadUtils.cpp:250
#82 0x01182210 in nsBaseAppShell::Run (this=0xb4ead1f0) at /home/fer/code/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:195
#83 0x0189f597 in nsAppStartup::Run (this=0xb4e90490) at /home/fer/code/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:220
#84 0x00667a0f in XRE_main (argc=2, argv=0xbf9614b4, aAppData=0xb760e380) at /home/fer/code/mozilla/toolkit/xre/nsAppRunner.cpp:3766
#85 0x08049694 in main (argc=2, argv=0xbf9614b4) at /home/fer/code/mozilla/browser/app/nsBrowserApp.cpp:158
So while we are at nsDocAccessible::Shutdown, we have removed mNotificationController, call nsApplicationAccessibleWrap::RemoveChild which causes an ATK signal emission that iterates over the main loop and we get an incoming refRelationSet call.
Attachment #514252 - Flags: review?(surkov.alexander)
It's quite bad they call into us in the middle of shutdown while the document isn't marked as shut down. The fix should be a prevention of this. Either 1. we should mark early (btw, mWeakShell = nsnull & !!mWeakShell is not the right check since it isn't in sync with IsDefunct) or 2. we should remove the document from the tree before we shut down the document. I'd prefer 1. if ATK is fine with that, i.e. it doesn't care if it doesn't get correct information (because even if we follow 2. we can't guarantee we return correct information either way).

Btw, until we reenter nsDocAccessible::AttributeChanged when the document is getting shut down or is shut down already, we don't need your second check. If we do then I'd like to see a stack, perhaps there's a better solution.
Assignee: nobody → fherrera
Severity: normal → critical
Keywords: crash
Summary: crash at NotificationController::IsTreeConstructed on shutdown → crash [@ NotificationController::IsTreeConstructed] on shutdown
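A minimal model of the re-entrancy discussed in the comments above, comparing the crashing order (controller cleared, then the removal signal emitted) with option 1 (mark the document defunct before notifying). This is an added example, not Mozilla code and not the patch that landed; the class, enum and member names are simplified stand-ins, and the null case is reported as a value rather than dereferenced.

```cpp
// Constructed model of the shutdown re-entrancy; not Mozilla source.
#include <functional>
#include <memory>

enum State { kReady, kBusy, kDefunct, kNullController };

struct NotificationController {
  bool IsTreeConstructed() const { return true; }
};

enum class Order { ClearThenNotify, MarkDefunctFirst };

class DocAccessible {
 public:
  // Stands in for the ATK "children_changed::remove" emission, which can
  // run the main loop and deliver an incoming query such as refRelationSet.
  std::function<void()> onChildRemoved;

  State GetState() const {
    if (mDefunct) return kDefunct;  // defunct objects answer without touching members
    // The crashing code called mController->IsTreeConstructed() here with
    // this=0x0; the model reports that case instead of dereferencing null.
    if (!mController) return kNullController;
    return mController->IsTreeConstructed() ? kReady : kBusy;
  }

  void Shutdown(Order order) {
    if (order == Order::MarkDefunctFirst) mDefunct = true;  // option 1: mark early
    mController.reset();                   // controller is gone from here on
    if (onChildRemoved) onChildRemoved();  // re-entrancy window
    mDefunct = true;                       // too late for the first ordering
  }

 private:
  std::unique_ptr<NotificationController> mController =
      std::make_unique<NotificationController>();
  bool mDefunct = false;
};

// Returns the state a caller observes when it re-enters during Shutdown().
State StateSeenDuringShutdown(Order order) {
  DocAccessible doc;
  State seen = kReady;
  doc.onChildRemoved = [&] { seen = doc.GetState(); };
  doc.Shutdown(order);
  return seen;
}

int main() {
  bool ok = StateSeenDuringShutdown(Order::ClearThenNotify) == kNullController &&
            StateSeenDuringShutdown(Order::MarkDefunctFirst) == kDefunct;
  return ok ? 0 : 1;
}
```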
Comment on attachment 514252
patch checking for mNotificationController before using it

cancelling review until questions are addressed.
Attachment #514252 - Flags: review?(surkov.alexander)
This just showed up again see bp-ceb8c154-59ec-45b1-995a-01b732110305
I can only find a crash at crash-stats.m.o:

https://crash-stats.mozilla.com/report/index/ceb8c154-59ec-45b1-995a-01b732110305

however, it is happening a lot to me (maybe it is spotted more on debug builds?)
Attachment #517220 - Flags: review?(surkov.alexander) → review+
If we have another rc then it's worth taking this crash fix, otherwise fx5. I don't expect possible regressions, though it touches an important piece of code and therefore I can't say it's zero risk. Does blocking 2.x look good for this?
blocking2.0: --- → ?
Yep .x+
blocking2.0: ? → .x+
Whiteboard: [has reviewed patch]
Assignee: fherrera → trev.saunders
The patch delivers different kinds of cycle collector crashes like:

>	xul.dll!nsCOMPtr<nsIDocumentObserver>::assign_with_AddRef(nsISupports * rawPtr)  Line 1203 + 0x9 bytes	C++
 	xul.dll!nsCOMPtr<nsIDocumentObserver>::operator=(nsIDocumentObserver * rhs)  Line 664	C++
 	xul.dll!nsDocument::BeginUpdate(unsigned int aUpdateType)  Line 3993 + 0x39 bytes	C++
 	xul.dll!nsStyleLinkElement::DoUpdateStyleSheet(nsIDocument * aOldDocument, nsICSSLoaderObserver * aObserver, int * aWillNotify, int * aIsAlternate, int aForceUpdate)  Line 227	C++
 	xul.dll!nsStyleLinkElement::UpdateStyleSheetInternal(nsIDocument * aOldDocument, int aForceUpdate)  Line 210	C++
 	xul.dll!nsHTMLStyleElement::UnbindFromTree(int aDeep, int aNullParent)  Line 261	C++
 	xul.dll!nsGenericElement::cycleCollection::Unlink(void * p)  Line 4330	C++
 	xul.dll!nsCycleCollector::CollectWhite()  Line 1912 + 0x1a bytes	C++
 	xul.dll!nsCycleCollector::FinishCollection()  Line 2720 + 0x8 bytes	C++
 	xul.dll!nsCycleCollectorRunner::Collect(nsICycleCollectorListener * aListener)  Line 3364 + 0xe bytes	C++
 	xul.dll!nsCycleCollector_collect(nsICycleCollectorListener * aListener)  Line 3430 + 0x14 bytes	C++
 	xul.dll!nsJSContext::CycleCollectNow(nsICycleCollectorListener * aListener)  Line 3290 + 0x9 bytes	C++
 	xul.dll!CCTimerFired(nsITimer * aTimer, void * aClosure)  Line 3330 + 0x7 bytes	C++
Attached patch: patch
Attachment #520894 - Flags: feedback?(fherrera)
Attachment #520894 - Attachment is patch: true
Attachment #520894 - Attachment mime type: application/octet-stream → text/plain
Whiteboard: [has reviewed patch] → [fx4-rc-ridealong][has reviewed patch]
Fernando, ping. It's our priority.
Whiteboard: [fx4-rc-ridealong][has reviewed patch] → [fx4-rc-ridealong][not ready]
Comment on attachment 520894
patch

I have been running ff4 with the patch for the last two days and I have not gotten any crash on shutdown (before it, it usually happened 2/3 times a day).

However I cannot be 100% sure as this is not this kind of null pointer crash that you prevent using an assertion and can check for that assertion output in the debug output to check that you are hitting that code path and not crashing. Anyway, it looks ok.
Attachment #520894 - Flags: feedback?(fherrera) → feedback+
landed - http://hg.mozilla.org/mozilla-central/rev/02cf1c240705
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [fx4-rc-ridealong][not ready]
Target Milestone: --- → mozilla2.2
Crash Signature: [@ NotificationController::IsTreeConstructed]