Closed Bug 749182 Opened 13 years ago Closed 13 years ago

crash in nsSessionStorageEntry::~nsSessionStorageEntry

Categories

(Core :: DOM: Core & HTML, defect)

15 Branch
All
Windows 7
defect
Not set
critical

RESOLVED FIXED
mozilla15

People

(Reporter: scoobidiver, Assigned: mayhemer)

Details

(Keywords: crash, regression, topcrash)

Attachments

(1 file)

It first appeared in 15.0a1/20120426 and happens only with 64-bit builds. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=75c7378c87b6&tochange=cc5254f9825f
It's likely a regression from bug 746272.

Signature nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsCOMPtr_base::~nsCOMPtr_base() | nsSessionStorageEntry::~nsSessionStorageEntry() More Reports Search
UUID 043b7217-d42d-4796-853f-1ff4e2120426
Date Processed 2012-04-26 13:59:38
Uptime 109
Last Crash 1.9 minutes before submission
Install Age 48.9 minutes since version was first installed.
Install Time 2012-04-26 13:10:31
Product Firefox
Version 15.0a1
Build ID 20120426030504
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture amd64
Build Architecture Info family 6 model 23 stepping 10
Crash Reason EXCEPTION_ACCESS_VIOLATION_EXEC
Crash Address 0x400010001
App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x0a22, AdapterSubsysID: 1141174b, AdapterDriverVersion: 8.17.12.9573
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility False
Total Virtual Memory 8796092891136
Available Virtual Memory 8795386687488
System Memory Use Percentage 41
Available Page File 6224048128
Available Physical Memory 2502184960

Frame Module Signature Source
0 @0x400010001
1 xul.dll nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLe obj-firefox/dist/include/nsAutoPtr.h:908
2 xul.dll nsCOMPtr_base::~nsCOMPtr_base obj-firefox/dist/include/nsAutoPtr.h:908
3 xul.dll nsSessionStorageEntry::~nsSessionStorageEntry dom/src/storage/nsDOMStorage.cpp:250
4 xul.dll nsDOMStoragePersistentDB::RemoveKey dom/src/storage/nsDOMStoragePersistentDB.cpp:633
5 xul.dll nsSessionStorageEntry::`scalar deleting destructor'
6 xul.dll JS_DHashTableRawRemove js/src/jsdhash.cpp:714
7 xul.dll DOMStorageImpl::RemoveValue dom/src/storage/nsDOMStorage.cpp:1269
8 xul.dll JS_FrameIterator js/src/jsdbgapi.cpp:507
9 xul.dll nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96
10 xul.dll nsScriptSecurityManager::GetSubjectPrincipal caps/src/nsScriptSecurityManager.cpp:1917
11 xul.dll nsCOMPtr_base::~nsCOMPtr_base obj-firefox/dist/include/nsAutoPtr.h:908
12 xul.dll nsScriptSecurityManager::GetSubjectPrincipal caps/src/nsScriptSecurityManager.cpp:1917
13 xul.dll IsCallerSecure dom/src/storage/nsDOMStorage.cpp:169
14 xul.dll nsDOMStorage::RemoveItem dom/src/storage/nsDOMStorage.cpp:1636
15 xul.dll castNative js/xpconnect/src/XPCQuickStubs.cpp:767
16 xul.dll js::GetPropertyHelper js/src/jsobj.cpp:5124
17 xul.dll xpc_qsUnwrapThis<nsIDOMStorage> js/xpconnect/src/XPCQuickStubs.h:492
18 xul.dll xpc_qsDOMString::xpc_qsDOMString js/xpconnect/src/XPCQuickStubs.cpp:605
19 xul.dll nsDOMStorage2::RemoveItem dom/src/storage/nsDOMStorage.cpp:1961
20 xul.dll nsIDOMStorage_RemoveItem obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:18996
21 xul.dll js::InvokeKernel js/src/jsinterp.cpp:519
22 xul.dll js::Interpret js/src/jsinterp.cpp:2757
23 xul.dll nsDisplayList::HitTest layout/base/nsDisplayList.cpp:802
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRefPtr%3Cmozilla%3A%3ADOMSVGAnimatedLengthList%3E%3A%3A~nsRefPtr%3Cmozilla%3A%3ADOMSVGAnimatedLengthList%3E%28%29+|+nsCOMPtr_base%3A%3A~nsCOMPtr_base%28%29+|+nsSessionStorageEntry%3A%3A~nsSessionStorageEntry%28%29
I added the 32-bit signature. It's now #1 top crasher over the last day with 60 crashes per hour!
Crash Signature: [@ nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsCOMPtr_base::~nsCOMPtr_base() | nsSessionStorageEntry::~nsSessionStorageEntry()] → [@ nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsCOMPtr_base::~nsCOMPtr_base() | nsSessionStorageEntry::~nsSessionStorageEntry()] [@ nsRefPtr<nsMemoryReporter>::~nsRefPtr<nsMemoryReporter>() | nsSessionSt…
Keywords: topcrash
Hardware: x86_64 → All
Crash Signature: [@ nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsCOMPtr_base::~nsCOMPtr_base() | nsSessionStorageEntry::~nsSessionStorageEntry()] [@ nsRefPtr<nsMemoryReporter>::~nsRefPtr<nsMemoryReporter>() | nsSessionSt… → [@ nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsCOMPtr_base::~nsCOMPtr_base() | nsSessionStorageEntry::~nsSessionStorageEntry()] [@ nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGA…
Crash Signature: nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsSessionStorageEntry::~nsSessionStorageEntry()] [@ @0x0 | nsSessionStorageEntry::~nsSessionStorageEntry] [@ nsSessionStorageEntry::~nsSessionStorageEntry] → nsRefPtr<mozilla::DOMSVGAnimatedLengthList>::~nsRefPtr<mozilla::DOMSVGAnimatedLengthList>() | nsSessionStorageEntry::~nsSessionStorageEntry()] [@ @0x0 | nsSessionStorageEntry::~nsSessionStorageEntry] [@ nsSessionStorageEntry::~nsSessionStorageEntry] [@…
Attached patch v1
Potential fix. To explain:

  nsString oldValue;
  nsSessionStorageEntry *entry = mItems.GetEntry(aKey); <<<<< here we store address of an entry in the hashtable

  if (entry && entry->mItem->IsSecure() && !aCallerSecure) {
    return NS_ERROR_DOM_SECURITY_ERR;
  }

  if (UseDB()) {
    nsresult rv = InitDB();
    NS_ENSURE_SUCCESS(rv, rv);

    CacheKeysFromDB();
    entry = mItems.GetEntry(aKey); <<<<< here we release all entries from the hashtable
                                   <<<<< (entry is no longer valid)

    nsAutoString value;
    bool secureItem;
    rv = GetDBValue(aKey, value, &secureItem);
    NS_ENSURE_SUCCESS(rv, rv);

    if (!aCallerSecure && secureItem)
      return NS_ERROR_DOM_SECURITY_ERR;

    oldValue = value;

    rv = gStorageDB->RemoveKey(this, aKey, !IsOfflineAllowed(mDomain),
                               aKey.Length() + value.Length());
    NS_ENSURE_SUCCESS(rv, rv);
  }
  else if (entry) {
    // clear string as StorageItems may be referencing this item
    oldValue = entry->mItem->GetValueInternal();
    entry->mItem->ClearValue();
  }

  if (entry) {
    mItems.RawRemoveEntry(entry); <<<<< here we delete it again (double delete)
  }
  aOldValue = oldValue;
  return NS_OK;

It's hard to locally reproduce, since often the entry is just created at the same address again, so no harm done, just by accident.

https://tbpl.mozilla.org/?tree=Try&rev=2d475a844444
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Attachment #618770 - Flags: review?(bzbarsky)
Attachment #618770 - Flags: review?(bzbarsky) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Component: DOM → DOM: Core & HTML
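
The stale-entry pattern described in the patch comment above (an entry address taken from the hashtable, the table's entries released, the old address then used for removal), shown as an added example that is not Gecko code and not the attached patch. Cache, Handle, Refresh and IsStale are hypothetical names; the generation counter is one way to detect a handle that predates a rebuild so the entry is looked up again instead of being reused.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_map>

// Constructed model, not Gecko code: a table whose entries are all destroyed
// and recreated on refresh, like mItems across CacheKeysFromDB() above.
struct Entry { std::string value; };

class Cache {
public:
    // A handle records the table generation it was taken from.
    struct Handle { Entry* ptr; std::uint64_t gen; };

    void Put(const std::string& k, const std::string& v) {
        items_[k].reset(new Entry{v});
    }
    Handle Get(const std::string& k) const {
        auto it = items_.find(k);
        return Handle{it == items_.end() ? nullptr : it->second.get(), gen_};
    }
    // Frees every Entry and builds new ones: earlier Entry* now dangle.
    void Refresh() {
        Table fresh;
        for (const auto& kv : items_)
            fresh[kv.first].reset(new Entry(*kv.second));
        items_.swap(fresh);
        ++gen_;
    }
    bool IsStale(const Handle& h) const { return h.gen != gen_; }
    bool Erase(const std::string& k) { return items_.erase(k) == 1; }
    std::size_t Size() const { return items_.size(); }
private:
    typedef std::unordered_map<std::string, std::unique_ptr<Entry>> Table;
    Table items_;
    std::uint64_t gen_ = 0;
};

// Hardened removal: a handle taken before Refresh() is never dereferenced;
// the entry is looked up again and removed by key, exactly once.
bool RemoveValue(Cache& c, const std::string& key, std::string& oldValue) {
    Cache::Handle h = c.Get(key);      // address of an entry in the table
    c.Refresh();                       // all entries released and rebuilt
    if (c.IsStale(h)) h = c.Get(key);  // re-fetch instead of reusing h.ptr
    if (!h.ptr) return false;
    oldValue = h.ptr->value;
    return c.Erase(key);
}
```
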