Closed Bug 674032 Opened 13 years ago Closed 6 years ago

ShowModalDialog Crash

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: vulnerable.zappa, Unassigned)

References

Details

(Keywords: crash, reproducible)

Crash Data

Attachments

(3 files, 1 obsolete file)

repro (html source)
2.64 KB, text/plain
Details
WinDbg Log
195.01 KB, text/plain
Details
repro file (direct load)
2.64 KB, text/html
Details
Attached file repro (html source) 
all is in the attachments
Attached file call_stack (obsolete) — 

    
    

    
  
Does it matter what's in the wttt.html file?

    
    

    
  
it doesn't matter

    
    

    
  
The call stack attached here isn't useful.

Can you reproduce this in a official Mozilla build, and if so does the Crash Reporter dialog come up? A crashID from a submitted report (via about:crashes) would be most helpful.

    
    

    
  

      
      
      
      

        Attached file
          
        WinDbg Log
      

    


  
Attached a proper Stacktrace using WinDbg, since the Breakpad ID (https://crash-stats.mozilla.com/report/index/bp-8fefc4f6-24a6-42ff-8ace-3fa662110728) doesn't seem to load properly.

Against http://hg.mozilla.org/mozilla-central/rev/e4c8a1e7b373.

        Attachment #548269 -
        Attachment is obsolete: true
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: Firefox 5.1 ShowModalDialog Crash → ShowModalDialog Crash
Version: 5 Branch → Trunk

    
    

    
  
//@Comment 4
//Oh no it isn't useless !
//Its litlle bit more abstractive ;>

    
    

    
  
I have sending error when i try to submit report via crash error 
Do you can't cause crash at all ?
Try set brakepoint at nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int capacity = 0, unsigned int elemSize = 0)
,run repro and watch EAX 
My last value was 509650312  * 4 B i thing this is incorrect
I try later send crash report (when i fix my problem witch internet connection)

    
    

    
  
I have "sending error" when i trying submit bug via crash report
Do you can't cause crash at all ?
Try set conditional brakepoint (ex EAX > 4000D or something like that)
at nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int capacity = 0, unsigned int elemSize = 0)
,run repro and watch EAX
My last value was 509650312  * 4 B i thing this is incorrect
I try later send crash report (when i fix my problem witch internet connection)

Sorry for spam if someone can please delete Comment 7 thx
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int, unsigned int) | _MD_CURRENT_THREAD ]
Ever confirmed: true
Keywords: reproducible

    
    

    
  
echo, what is your system? Is this Win XP only as set in the platform?

    
    

    
  
Win32 XP home SP 3 PL

    
    

    
  
While I could reproduce your bug 672797, I can't this one even on XP. What am I missing? For me, the ShowModalDialog opens just a standard Firefox window with the URL (wttt.html) file. Is that correct? Then I should right-click on the location bar and it should crash? Doesn't happen for me. But it seems XtC4UaLL has already confirmed it.

You think the amount of memory is relevant? That seems reasonable, it crashes in mozalloc_handle_oom, which seems to be a handler for out of memory condition.
Is your swap device full when it happens?

    
    

    
  
Your crash log is quite shorter :) However, the trace from 	nsAutoCompleteController::SetInput upward is the same.
Component: General → Autocomplete
Product: Core → Toolkit
QA Contact: general → autocomplete

    
    

    
  
@Comment 11 aceman 2011-08-04 06:46:34 PDT 

1.About amount of memory
yes i thing the crash is  depit seend on amount of memory 
I watch firefox 4 source code and it seems in some cases
when allocation fail (at least in ff4) allocator call static function touchBadMemory 
this function crash browser by dereferencing null
in this bug sytuation is similar 
except that in our case debuger place before "null dereferencing" instruction
int3 instruction

2.About swap file (??)
In moment of last crash only 1 part of 3(1/3) of swap file  is used
System works  fine
So nothing special happen

    
    

    
  
but i thing the reason of firefox trying  allocate so much memory 
is more Important  and Complicated than "crash"

    
    

    
  
Can you tell how much memory it is using? If you have swap free it should still be able to allocate new memory. Maybe it needs some special kind of memory that is no longer available, like in some internal memory arena. But that is probably a bug.

    
    

    
  
My notebook has only 512 MB RAM and 768 MB swap file 
in crash moment 2XX MB of  swap file was used    
and firefox try allocate  5xx xxx xxx Bytes or more 

One more thing i have pop-up blocker totaly disabled 

@Comment 11 aceman 2011-08-04 06:46:34 PDT
If you click at url of first modalDialog and nothing happen
close him and wait for another
then click one more time
Not always click at first modalDialog leads to crash
They are opened in loop so dont  give up ;p

    
    

    
  
I should close the window? For how long? I can't see any other window opening again. Yes I disabled pop-up blocker and also "open new windows in a tab".
So Firefox takes around 500MB on your 512MB machine, not very good :)

    
    

    
  
@aceman 2011-08-05 12:49:30 PDT 
In my system modalDialog is automaticly re-open after close
(to close browser or tab or window in most cases i must use taskmgr and kill
firefox process)
============================================================================= 

So you have windows xp,firefox 5.0.1 , popup-blocker=disabled
You run repro , correct modalDialog is opening,you click at url and nothing 
happen then you close modalDialog and this is end ?
Nothing more happen ?
Truly saying I dont have any idea why this repro doesn't work as it should in your system

Generally i thing is "desing error" and this error leads to many other bugs
include 
https://bugzilla.mozilla.org/show_bug.cgi?id=672797
https://bugzilla.mozilla.org/show_bug.cgi?id=674032
and potential "regression" of this
 https://bugzilla.mozilla.org/show_bug.cgi?id=616659

    
    

    
  


  

    
  

        Attachment #548267 -
        Attachment description: repro → repro (html source)

    
    

    
  
Oh, I now got it! This is ugly :)
I was getting the exact state as you describe in comment 19, because I was always loading the testcase from a local file. Now I attached it here and opened it as a webpage and then it works as you reported:
I get a normal FF window but also another one.
The other one was first a mini-one (50x20px) then it started to be big but really strange - 2 titlebars, firefox menu button (but shouldn't as I have normal menu).
And it reopened repeatedly as you say and also crashed:
https://crash-stats.mozilla.com/report/index/bp-00375b78-d89a-4703-b71c-b4e8c2110806

But once it didn't crash, it just hung. This time I hit the mouse on the wrong spot, not on the URL bar, but above it, I got the menu with "tabs on top" and then it hung. Was looping at 100% CPU and using RAM from 100MB to 200MB, looping between these limits. I had to kill is from task manager.

    
    

    
  
Wonder why the stacktrace in comment 5 is so different from ours...

    
    

    
  
I don't think this has anything to do with memory shortage. On my 1GB RAM machine, FF was taking 78MB (in Windows Task Manager) when it crashed. It is really some internal problem. The dialog window is really broken, it changes design each time it is spawned (sometimes with the FF button, sometimes without it). It doesn't know how it should draw so maybe the context menu then triggers some uninitialized variable. Wonder which component this could fall into.
Component: Autocomplete → XUL
Product: Toolkit → Core
QA Contact: autocomplete → xptoolkit.widgets

    
    

    
  
Forgot to mention: after closing the modaldialog for about 10 times, it no longer appeared. Instead, the original page (with wttt.html error) contained the popup-blocker bar stating it prevented to open 200 popup-windows. But the popup blocker is disabled in Options...

    
    

    
  
@aceman 2011-08-07 03:58:54 PDT 
if allocators function automaticly try reserve additional memory 
when for example:
heap is in fragmented state or there is no free block 
witch required size or required size is biger 
than whole heap size then you can have right
(but in that case it must be internal error in some
of the firefox memory managment function 
because probably there is no other way to call 
mozalloc_abort,mozalloc_handle_oom etc [i thing])
But if its not then size of RAM and swap file doesn't matter (because heap has limited size)

    
    

    
  
So the issue here, presumably, is that if we end up trying to open a browser window while the JS stack is very deep some random part of window init will fail due to running out of JS stack space and then things just get weird...

    
    

    
  
Something like that. I couldn't check what FF is trying to do that fails, because
the link obj-firefox/dist/include/nsTArray.h:925 is not working in the crashlog. I have not yet downloaded the source to see manually. Only the mozalloc_oom.cpp and above works. Is that crashlog website working correctly?

    
    

    
  
bz, I have found more reports of the bad window rendering I describe in comment 21 (double titlebar, bottom one with Firefox button). They are in bug 685507 and bug 694508. The first one is currently closed, but the real problem was not really identified. Do you know any Firebug people that could look into that?

    
  
Depends on: 716345

    
  
Crash Signature: [@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int, unsigned int) | _MD_CURRENT_THREAD ] → [@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int unsigned int) | _MD_CURRENT_THREAD ]
[@ mozalloc_abort(char const* const) | mozalloc_handle_oom() | nsTArray_base<nsTArray…

    
  
Crash Signature: , unsigned int) | nsTArray_base<nsTArrayDefaultAllocator>::InsertSlotsAt(unsigned int, unsigned int, unsigned int) | nsTArra... ] → , unsigned int) | nsTArray_base<nsTArrayDefaultAllocator>::InsertSlotsAt(unsigned int, unsigned int, unsigned int) | nsTArra... ]
[@ mozalloc_abort | mozalloc_handle_oom | nsTArray_base<T>::EnsureCapacity | _MD_CURRENT_THREAD ]

    
    

    
  
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: