Closed
Bug 673472
Opened 13 years ago
Closed 13 years ago
Segfault when using acceleration event handler that calls console.log
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla8
People
(Reporter: jdm, Assigned: jdm)
References
Details
(Whiteboard: [inbound])
Crash Data
Attachments
(2 files, 2 obsolete files)
|
161 bytes,
text/html
|
Details | |
|
5.45 KB,
patch
|
Details | Diff | Splinter Review |
With the attached testcase, I am able to frequently trigger a segfault. It has something to do with an nsIDOMWindow element in mWindowListeners going missing, and it always happens when I switch to a different application. GDB confirms that the nsGlobalWindow elements of mWindowListeners are fine, but the DOM window pointer is corrupt.
https://crash-stats.mozilla.com/report/index/bp-db853315-1ba0-4408-ac0a-672cc2110722
http://hg.mozilla.org/mozilla-central/annotate/6df31af4cca6/dom/system/nsDeviceMotion.cpp#l229
|
Assignee | |
Comment 1•13 years ago
|
||
To make this crash, I open the testcase, open a blank tab, close the testcase, then reopen the closed tab, repeating this until it crashes (usually a couple iterations).
Attachment #547746 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 2•13 years ago
|
||
(gdb) fr 1
#1 0x0000000101adc540 in nsDeviceMotion::DeviceMotionChanged (this=0x10694c010, type=0, x=-0.019999999552965164, y=0.012000000104308128, z=1.0479999780654907) at /Users/jdm/src/mozilla-central/dom/system/nsDeviceMotion.cpp:229
229 mWindowListeners[i]->GetDocument(getter_AddRefs(domdoc));
(gdb) ptarray mWindowListeners
elem[0]: $1 = (class nsIDOMWindow *) 0x100181a10
elem[1]: $2 = (class nsIDOMWindow *) 0x125718040
elem[2]: $3 = (nsGlobalWindow *) 0x11cc204f0
elem[3]: $4 = (nsGlobalWindow *) 0x11cc204f0
nsTArray length = 4
nsTArray capacity = 8
Element Cannot access memory at address 0x0
(gdb) p i
$5 = 1
(gdb) p $1
$6 = (class nsIDOMWindow *) 0x100181a10
(gdb) p $2
$7 = (class nsIDOMWindow *) 0x125718040
(gdb) p *$2
$8 = {
<nsISupports> = {
_vptr$nsISupports = 0x125710262
}, <No data fields>}
(gdb) p *$1
$9 = {
<nsISupports> = {
_vptr$nsISupports = 0x10019bc03
}, <No data fields>}
(gdb)
|
|
Assignee | |
Comment 3•13 years ago
|
||
Attachment #547765 -
Flags: review?(doug.turner)
|
||
Comment 4•13 years ago
|
||
Comment on attachment 547765 [details] [diff] [review]
Avoid adding multiple copies of device motion listeners.
should NoIndex also be static?
Want to add a test?
otherwise looks fine.
Attachment #547765 -
Flags: review?(doug.turner) → review+
|
|
||
Updated•13 years ago
|
Assignee: nobody → josh
|
|
Assignee | |
Comment 5•13 years ago
|
||
|
|
Assignee | |
Updated•13 years ago
|
Attachment #547765 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 6•13 years ago
|
||
Whiteboard: [inbound]
|
||
Comment 7•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
||
Updated•13 years ago
|
Target Milestone: --- → mozilla8
|
|
||
Comment 8•13 years ago
|
||
Also see bug 675126 for fixups
|
||
Comment 9•13 years ago
|
||
FYI, there are still crashes coming in for this signature, on the same
line as in comment 1. The latest one has Build ID: 20110802030845
bp-db8e07ca-7f1c-4bc2-9217-518ce2110802
|
||
Comment 10•13 years ago
|
||
I hit this on Mac OSX Desktop Nightly: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a1) Gecko/20110731 Firefox/8.0a1
STR (not 100% reproducible):
1) Visit github
2) click on account settings > Account overview
3) went into Email Addresses, and removed an existing address
4) Hit add
5) Crash
Is it the same bug? If so, i'll reopen. if not, i'll file new.
https://crash-stats.mozilla.com/report/index/bp-78ea9f31-03d3-4240-8ffd-2a6032110809
Frame Module Signature [Expand] Source
0 XUL nsDeviceMotion::DeviceMotionChanged dom/system/nsDeviceMotion.cpp:236
1 XUL nsDeviceMotionSystem::UpdateHandler dom/system/cocoa/nsDeviceMotionSystem.mm:146
2 XUL nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
3 XUL nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
4 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631
5 XUL NS_ProcessNextEvent_P obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:245
6 XUL nsXULWindow::CreateNewContentWindow xpfe/appshell/src/nsXULWindow.cpp:1808
7 XUL nsAppStartup::CreateChromeWindow2 toolkit/components/startup/nsAppStartup.cpp:497
8 XUL nsWindowWatcher::OpenWindowJSInternal embedding/components/windowwatcher/src/nsWindowWatcher.cpp:721
9 XUL nsWindowWatcher::OpenWindowJS embedding/components/windowwatcher/src/nsWindowWatcher.cpp:480
10 XUL nsGlobalWindow::OpenInternal dom/base/nsGlobalWindow.cpp:8668
11 XUL nsGlobalWindow::OpenInternal dom/base/nsGlobalWindow.cpp:8563
12 XUL nsGlobalWindow::OpenJS dom/base/nsGlobalWindow.cpp:5781
13 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
14 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:3119
15 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1595
16 XUL js::Invoke js/src/jscntxtinlines.h:281
17 XUL js::Interpret js/src/jsinterp.cpp:4008
18 XUL js::mjit::stubs::UncachedCallHelper js/src/methodjit/InvokeHelpers.cpp:345
19 XUL CallCompiler::update js/src/methodjit/MonoIC.cpp:964
20 XUL js::mjit::ic::Call js/src/methodjit/MonoIC.cpp:1018
21 @0x1592a4f52
22 @0x1ffffffff
23 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:686
24 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:716
25 XUL js::Interpret js/src/jsinterp.cpp:4045
26 XUL js::mjit::stubs::CompileFunction js/src/methodjit/InvokeHelpers.cpp:300
27 @0x1522baed4
28 GeForceGLDriver GeForceGLDriver@0x0
29 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:686
30 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:716
31 XUL js::RunScript js/src/jsinterp.cpp:610
32 XUL js::Invoke js/src/jsinterp.cpp:686
33 XUL js_fun_apply js/src/jsinterp.h:169
34 XUL js::Invoke js/src/jscntxtinlines.h:281
35 XUL js::Interpret js/src/jsinterp.cpp:4008
36 XUL js::mjit::stubs::UncachedCallHelper js/src/methodjit/InvokeHelpers.cpp:345
37 XUL CallCompiler::update js/src/methodjit/MonoIC.cpp:964
38 XUL js::mjit::ic::Call js/src/methodjit/MonoIC.cpp:1018
39 @0x15284806f
40 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:686
41 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:716
42 XUL js::RunScript js/src/jsinterp.cpp:610
43 XUL js::Invoke js/src/jsinterp.cpp:686
44 XUL js::ExternalInvoke js/src/jsinterp.h:169
45 XUL JS_CallFunctionValue js/src/jsapi.cpp:5085
46 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1657
47 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:585
48 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
49 XUL XUL@0xe81b0a
50 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1080
51 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1177
52 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:155
53 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:672
54 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:7069
55 XUL PresShell::HandleEventWithTarget layout/base/nsPresShell.cpp:6917
56 XUL nsEventStateManager::CheckForAndDispatchClick content/events/src/nsEventStateManager.cpp:4229
57 XUL nsEventStateManager::PostHandleEvent content/events/src/nsEventStateManager.cpp:3171
58 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:7092
59 XUL PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6902
60 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6734
61 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1029
62 XUL HandleEvent view/src/nsView.cpp:159
63 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1493
64 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1503
65 XUL -[ChildView mouseUp:] widget/src/cocoa/nsChildView.mm:3149
66 AppKit AppKit@0x13d7ec
67 CoreFoundation CoreFoundation@0x21eca
68 CoreFoundation CoreFoundation@0x100cb
69 libSystem.B.dylib libSystem.B.dylib@0x65d3
70 CoreFoundation CoreFoundation@0x6191
71 CoreFoundation CoreFoundation@0xf876
72 CoreFoundation CoreFoundation@0x100cb
73 CoreFoundation CoreFoundation@0xf876
74 CoreFoundation CoreFoundation@0xf6ce
75 libSystem.B.dylib libSystem.B.dylib@0x6b19
76 Foundation Foundation@0x5ff3
77 libobjc.A.dylib libobjc.A.dylib@0x619f
78 XUL -[ToolbarWindow sendEvent:] widget/src/cocoa/nsCocoaWindow.mm:2363
79 AppKit AppKit@0x72ee1
80 CoreFoundation CoreFoundation@0x24228
81 AppKit AppKit@0x71904
82 AppKit AppKit@0x749ff7
83 AppKit AppKit@0x749ff7
84 AppKit AppKit@0x43f09
|
|
||
Comment 11•13 years ago
|
||
I hit this on Mac OSX Desktop Nightly: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a1) Gecko/20110731 Firefox/8.0a1
STR (not 100% reproducible):
1) Visit github
2) click on account settings > Account overview
3) went into Email Addresses, and removed an existing address
4) Hit add
5) Crash!
Is it the same bug? If so, i'll reopen. if not, i'll file new.
https://crash-stats.mozilla.com/report/index/bp-78ea9f31-03d3-4240-8ffd-2a6032110809
Frame Module Signature [Expand] Source
0 XUL nsDeviceMotion::DeviceMotionChanged dom/system/nsDeviceMotion.cpp:236
1 XUL nsDeviceMotionSystem::UpdateHandler dom/system/cocoa/nsDeviceMotionSystem.mm:146
2 XUL nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
3 XUL nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
4 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631
5 XUL NS_ProcessNextEvent_P obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:245
6 XUL nsXULWindow::CreateNewContentWindow xpfe/appshell/src/nsXULWindow.cpp:1808
7 XUL nsAppStartup::CreateChromeWindow2 toolkit/components/startup/nsAppStartup.cpp:497
8 XUL nsWindowWatcher::OpenWindowJSInternal embedding/components/windowwatcher/src/nsWindowWatcher.cpp:721
9 XUL nsWindowWatcher::OpenWindowJS embedding/components/windowwatcher/src/nsWindowWatcher.cpp:480
10 XUL nsGlobalWindow::OpenInternal dom/base/nsGlobalWindow.cpp:8668
11 XUL nsGlobalWindow::OpenInternal dom/base/nsGlobalWindow.cpp:8563
12 XUL nsGlobalWindow::OpenJS dom/base/nsGlobalWindow.cpp:5781
13 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
14 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:3119
15 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1595
16 XUL js::Invoke js/src/jscntxtinlines.h:281
17 XUL js::Interpret js/src/jsinterp.cpp:4008
18 XUL js::mjit::stubs::UncachedCallHelper js/src/methodjit/InvokeHelpers.cpp:345
19 XUL CallCompiler::update js/src/methodjit/MonoIC.cpp:964
20 XUL js::mjit::ic::Call js/src/methodjit/MonoIC.cpp:1018
21 @0x1592a4f52
22 @0x1ffffffff
23 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:686
24 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:716
25 XUL js::Interpret js/src/jsinterp.cpp:4045
26 XUL js::mjit::stubs::CompileFunction js/src/methodjit/InvokeHelpers.cpp:300
27 @0x1522baed4
28 GeForceGLDriver GeForceGLDriver@0x0
29 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:686
30 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:716
31 XUL js::RunScript js/src/jsinterp.cpp:610
32 XUL js::Invoke js/src/jsinterp.cpp:686
33 XUL js_fun_apply js/src/jsinterp.h:169
34 XUL js::Invoke js/src/jscntxtinlines.h:281
35 XUL js::Interpret js/src/jsinterp.cpp:4008
36 XUL js::mjit::stubs::UncachedCallHelper js/src/methodjit/InvokeHelpers.cpp:345
37 XUL CallCompiler::update js/src/methodjit/MonoIC.cpp:964
38 XUL js::mjit::ic::Call js/src/methodjit/MonoIC.cpp:1018
39 @0x15284806f
40 XUL js::mjit::EnterMethodJIT js/src/methodjit/MethodJIT.cpp:686
41 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:716
42 XUL js::RunScript js/src/jsinterp.cpp:610
43 XUL js::Invoke js/src/jsinterp.cpp:686
44 XUL js::ExternalInvoke js/src/jsinterp.h:169
45 XUL JS_CallFunctionValue js/src/jsapi.cpp:5085
46 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1657
47 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:585
48 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
49 XUL XUL@0xe81b0a
50 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1080
51 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1177
52 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:155
53 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:672
54 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:7069
55 XUL PresShell::HandleEventWithTarget layout/base/nsPresShell.cpp:6917
56 XUL nsEventStateManager::CheckForAndDispatchClick content/events/src/nsEventStateManager.cpp:4229
57 XUL nsEventStateManager::PostHandleEvent content/events/src/nsEventStateManager.cpp:3171
58 XUL PresShell::HandleEventInternal layout/base/nsPresShell.cpp:7092
59 XUL PresShell::HandlePositionedEvent layout/base/nsPresShell.cpp:6902
60 XUL PresShell::HandleEvent layout/base/nsPresShell.cpp:6734
61 XUL nsViewManager::DispatchEvent view/src/nsViewManager.cpp:1029
62 XUL HandleEvent view/src/nsView.cpp:159
63 XUL nsChildView::DispatchEvent widget/src/cocoa/nsChildView.mm:1493
64 XUL nsChildView::DispatchWindowEvent widget/src/cocoa/nsChildView.mm:1503
65 XUL -[ChildView mouseUp:] widget/src/cocoa/nsChildView.mm:3149
66 AppKit AppKit@0x13d7ec
67 CoreFoundation CoreFoundation@0x21eca
68 CoreFoundation CoreFoundation@0x100cb
69 libSystem.B.dylib libSystem.B.dylib@0x65d3
70 CoreFoundation CoreFoundation@0x6191
71 CoreFoundation CoreFoundation@0xf876
72 CoreFoundation CoreFoundation@0x100cb
73 CoreFoundation CoreFoundation@0xf876
74 CoreFoundation CoreFoundation@0xf6ce
75 libSystem.B.dylib libSystem.B.dylib@0x6b19
76 Foundation Foundation@0x5ff3
77 libobjc.A.dylib libobjc.A.dylib@0x619f
78 XUL -[ToolbarWindow sendEvent:] widget/src/cocoa/nsCocoaWindow.mm:2363
79 AppKit AppKit@0x72ee1
80 CoreFoundation CoreFoundation@0x24228
81 AppKit AppKit@0x71904
82 AppKit AppKit@0x749ff7
83 AppKit AppKit@0x749ff7
84 AppKit AppKit@0x43f09
|
|
||
Comment 12•13 years ago
|
||
And here's another crash immediately following, after clicking Save Changes in this bug comment.
https://crash-stats.mozilla.com/report/index/bp-9c309c0f-e8ca-46ba-84e0-465712110809
Signature @0x0 | nsDeviceMotion::DeviceMotionChanged
|
|
||
Updated•13 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 13•13 years ago
|
||
jdm - if we have multiple callers to AddWindowListener with the same window, the call to RemoveWindowListener will just return the first one. This is probably the cause to this crash. do you agree?
|
|
||
Comment 14•13 years ago
|
||
nevermind ^^.
mxr is like a week out of sync with the tip.
|
|
Assignee | |
Comment 15•13 years ago
|
||
I'm pretty sure any further crashes should be filed as new ones.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Resolution: FIXED → DUPLICATE
|
|
Assignee | |
Comment 18•13 years ago
|
||
This is its own bug, not a duplicate.
Resolution: DUPLICATE → FIXED
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•