Closed Bug 724374 Opened 12 years ago Closed 3 years ago

Crash @ nsNodeUtils::LastRelease

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: imphil, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files)

backtrace
14.33 KB, text/plain
Details
backtrace for revision b993e9c8edbe (Gecko 2.0b2+)
4.80 KB, text/plain
Details
reduced XForms testcase
1.25 KB, application/xhtml+xml
Details
run the testcase and call CC afterwards
1.18 KB, application/xhtml+xml
Details
Attached file backtrace 
With the XForms extension I get a crash at nsNodeUtils::LastRelease when closing a page using XForms. Backtrace is attached.
STR

In your tree:

cd extensions
hg clone http://hg.mozilla.org/xforms
cd .hg
hg clone http://philipp.wagner.name/hg/patches-xforms patches
cd ..
hg qpush # until domnodelist-newmethod.patch is on top

cd ../
hg clone http://hg.mozilla.org/schema-validation
cd .hg
hg clone http://philipp.wagner.name/hg/patches-schema-validation patches
cd ..
hg qpush -a

and there are two mozilla-central patches ....
http://philipp.wagner.name/hg/patches-mozilla-central/raw-file/7f9aa44422d7/nsixpathevaluatorexternal-string.patch
and 
http://philipp.wagner.name/hg/patches-mozilla-central/raw-file/7f9aa44422d7/bug718201-getnodeat.patch


build with 
ac_add_options --enable-extensions="default,xforms"
To make it easier, I also uploaded the xforms.xpi to http://philipp.wagner.name/temp/xforms-mc.xpi It's built from yesterday's mozilla-central with debug symbols for Linux x86_64. If you need another build just tell me. If it's easier for you I could also upload a patched source tree somewhere.
Severity: normal → critical
Crash Signature: [@ nsNodeUtils::LastRelease(nsINode*)] [@ nsNodeUtils::LastRelease]
Keywords: crash
I haven't yet build xforms addon, but one guess is that it uses
nsINode "properties" and does something unexpected to a property when an element is being removed.
What's better than doing a long bisect on a cold day to keep the CPU and your room warm?
The result is this regression range (I know, this is rather old; no idea why I didn't catch it earlier):

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cf5f013caa80&tochange=b993e9c8edbe

This would lead to bug 566466 as cause for this. Olli, any idea? I will attach a updated backtrace for the first failing changeset (b993e9c8edbe), which is a bit different than the current one but similar enough I'd say.

If you need the XForms code that builds with this revision please tell me, also the steps above to get a current XForms build have changed in the meantime. Just ping me if you need something to make your life easier with this.

    
    

    
  


  
I attached the reduced XForms test case and a small html page that runs the test case and calls the CC afterwards. In more recent builds just clicking "Minimize memory usage" in about:memory does the same trick.
To work, popup blocker must be disabled and a debug build must be used.

    
    

    
  
Oh... is there something wrong with XTF element creation.

    
  
Keywords: testcase

    
    

    
  
I still wonder if some xforms node has properties, and then releasing the property causes other
badness.
Assignee: alex → nobody
Component: XTF → XSLT
QA Contact: xtf → xslt

    
    

    
  
XForms uses properties at some places, yes, but from my debugging I don't see anything that would hint that properties are the cause for this.

I finally managed to get a backtrace from where the nsXTFElementWrapper object is coming from, that causes the crash when it is destroyed: http://hg.mozilla.org/xforms/file/8fd9a06f667d/nsXFormsItemSetElement.cpp#l359, that is (adapted to current mozilla-central):
  templateNode->CloneNode(true, 1, getter_AddRefs(cloneNode));

The full backtrace looks like this: http://pastebin.mozilla.org/1498672

    
    

    
  
Hey Phillipp,

Does this issue still reproduce on your side or should we close it?


Flags: needinfo?(imphil)

    
    

    
  
I don't think I was ever able to sort this out, but it's been 10 years now and neither XForms nor my use of the XForms extension exist any more. I think we can safely close this (even though it's an interesting trip down the memory lane).


Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(imphil)
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: