crash [@ nsAString_internal::Assign ]

RESOLVED DUPLICATE of bug 822398

Status

--
critical
7 years ago
6 years ago

People

(Reporter: nhirata, Unassigned)

Tracking

({crash})

10 Branch
B2G C3 (12dec-1jan)
ARM
Android
crash
Points:
---

Firefox Tracking Flags

(blocking-basecamp:+)

Details

(Whiteboard: [mobile-crash][b2g-crash], crash signature)

This bug was filed from the Socorro interface and is report bp-df14b60d-877c-4372-8a75-669892111101.
============================================================= 
Crashing Thread
Frame 	Module 	Signature 	Source
0 	libc.so 	libc.so@0xd130 	
1 	libxul.so 	nsAString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:419
2 	libxul.so 	nsEventListenerManager::RemoveEventListenerByType 	nsTSubstring.h:576
3 	libxul.so 	nsXBLBinding::UnhookEventHandlers 	content/xbl/src/nsXBLBinding.cpp:1004
4 	libxul.so 	nsXBLBinding::ChangeDocument 	content/xbl/src/nsXBLBinding.cpp:1141
5 	libxul.so 	nsXBLBinding::ChangeDocument 	content/xbl/src/nsXBLBinding.cpp:1150
6 	libxul.so 	nsBindingManager::RemovedFromDocumentInternal 	content/xbl/src/nsBindingManager.cpp:683
7 	libxul.so 	nsGenericElement::UnbindFromTree 	nsBindingManager.h:98
8 	libxul.so 	nsStyledElementNotElementCSSInlineStyle::UnbindFromTree 	content/base/src/nsStyledElement.cpp:249
9 	libxul.so 	nsXULElement::UnbindFromTree 	content/xul/content/src/nsXULElement.cpp:923
10 	libxul.so 	AnonymousContentDestroyer::Run 	content/base/src/nsContentUtils.cpp:3892
11 	libxul.so 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4426
12 	libxul.so 	DocumentViewerImpl::DestroyPresShell 	nsContentUtils.h:1997
13 	libxul.so 	DocumentViewerImpl::Destroy 	layout/base/nsDocumentViewer.cpp:1665
14 	libxul.so 	DocumentViewerImpl::Show 	layout/base/nsDocumentViewer.cpp:1941
15 	libxul.so 	nsPresContext::EnsureVisible 	layout/base/nsPresContext.cpp:1742
16 	libxul.so 	PresShell::UnsuppressAndInvalidate 	layout/base/nsPresShell.cpp:3768
17 	libxul.so 	PresShell::UnsuppressPainting 	layout/base/nsPresShell.cpp:3818
18 	libxul.so 	PresShell::sPaintSuppressionCallback 	layout/base/nsPresShell.cpp:2064
19 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
20 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
21 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
22 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
23 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
24 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:229
25 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
26 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
27 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
28 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:685
29 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:215
30 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
31 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
32 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:524
33 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:703
34 	libplugin-container.so 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:68
35 	libc.so 	libc.so@0x15523

Comment 1

7 years ago
Not an XPCOM bug: probably XBL, but that's just a guess from the immediate stack caller.
Component: XPCOM → General
QA Contact: xpcom → general
Looks like a null deref.

The XBL code is:

  manager->RemoveEventListenerByType(handler,
                                     nsDependentAtomString(eventAtom),
                                     flags);

according to that stack.  This should be just fine.

Sadly, the stack doesn't actually show where in RemoveEventListenerByType the Assign is being called, so I have no idea which string is being the problem.
Oh, and chances are this is an OOM crash...

Comment 4

6 years ago
This is also seen on B2G, e.g. bp-1989ed30-b153-4908-9bc1-e3bed2121219
Whiteboard: [mobile-crash] → [mobile-crash][b2g-crash]
(seen regularly during b2g stability test, noming for bc+)
Blocks: 808607
blocking-basecamp: --- → ?
basecamp+ as per comment 5 about this being a regularly occurring crash during stability testing.
blocking-basecamp: ? → +
Target Milestone: --- → B2G C3 (12dec-1jan)

Comment 7

6 years ago
Hi, though the reproduction steps for this issue are not clear, I'm seeing almost the same call stack as in comment 4. Could bug 823474 be a solution to this crash?
(this bug occurred again in today's b2g stability testing multiple times)
This may or may not be bug 822398, but the symptoms seem similar, so unsetting to get better resolution if it reproduces again.
No longer blocks: 808607
-> bb? until we see this pop up after bug 822398.
blocking-basecamp: + → ?
Let's give this a few more days on the nom list with bug 822398 being in builds.
There haven't been new comments here since bug 822398 landed so let's dupe this.
Status: NEW → RESOLVED
blocking-basecamp: ? → +
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 822398