[PP] core dump/crash on exit

VERIFIED INVALID

Status

Core Graveyard
Tracking
P1
critical
19 years ago
2 years ago

People

(Reporter: sujay, Assigned: Scott Furman)

Details

(Whiteboard: No Talkback for Linux yet.)

(Reporter)

Description

19 years ago
using 6/3 build of linux apprunner

1) launch apprunner
2) File | Exit

crash

Setting Back menuitem to enabled
Document file:////u/sujay/LINUX/package/res/samples/test8.html loaded
successfully
Exiting
Segmentation fault (core dumped)

I'll work on getting a stack trace..

Updated

19 years ago
QA Contact: leger → sujay

Updated

19 years ago
Assignee: don → sujay

Comment 1

19 years ago
Got a stack trace yet?  I can't reproduce this and I can't do much about it
without some more data ...

Comment 2

19 years ago
I sporadically see crashes on exiting apprunner, maybe once out of 5-10 runs.
If I see another one soon I'll append the trace to this bug report.  Sujay, are
you seeing this consistently?

Comment 3

19 years ago
Ironically, the very next time I ran apprunner -editor, did a couple minor
things then exited, I got one.  Here it is.  It looks pretty much the same as
all the previous crash-on-exit bugs I've seen.

#2  0x40021407 in nsAppShellService::Shutdown (this=0x8090238)
    at nsAppShellService.cpp:413
#3  0x40a6b997 in nsEditorAppCore::Exit (this=0x8152ff8)
    at nsEditorAppCore.cpp:933
#4  0x40a7af98 in EditorAppCoreExit (cx=0x80f2038, obj=0x8197208, argc=0,
    argv=0x81b4b80, rval=0xbfffe2c8) at nsJSEditorAppCore.cpp:1103
#5  0x4044a6f7 in js_Invoke (cx=0x80f2038, argc=0, constructing=0)
    at jsinterp.c:650

Updated

19 years ago
Whiteboard: No Talkback for Linux yet.
(Reporter)

Updated

19 years ago
Assignee: sujay → don
(Reporter)

Comment 4

19 years ago
Akkana has a stack trace below...also I can't reproduce the
problem all the time...it's a random problem..

Updated

19 years ago
Assignee: don → law
Priority: P3 → P1
Target Milestone: M7

Comment 5

19 years ago
Bill, is this our bug?  Could this be related to bug #5164 and bug #7149?

Comment 6

19 years ago
I'm seeing this crash pretty often (maybe two runs out of three) in Monday's
build.

Updated

19 years ago
Whiteboard: No Talkback for Linux yet. → [PP]No Talkback for Linux yet.

Updated

19 years ago
Summary: core dump/crash on exit → [PP]core dump/crash on exit
Whiteboard: [PP]No Talkback for Linux yet. → No Talkback for Linux yet.

Comment 7

19 years ago
I'm seeing a crash after launching apprunner, then Editor, then closing
Editor window, then closing Apprunner (no interaction with editor).
Here's a stack:
gc_root_marker(JSHashEntry * 0x03099de0, int 12, void * 0x017060e8) line 587 + 3
bytes
JS_HashTableEnumerateEntries(JSHashTable * 0x01367f70, int (JSHashEntry *, int,
void *)* 0x003a1f70 gc_root_marker(JSHashEntry *, int, void *), void *
0x017060e8) line 347 + 15 bytes
js_GC(JSContext * 0x01602a90) line 724 + 21 bytes
js_ForceGC(JSContext * 0x01602a90) line 618 + 9 bytes
js_DestroyContext(JSContext * 0x01602a90) line 130 + 9 bytes
JS_DestroyContext(JSContext * 0x01602a90) line 690 + 9 bytes
nsJSContext::~nsJSContext() line 116 + 13 bytes
nsJSContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsJSContext::Release(nsJSContext * const 0x01602a50) line 120 + 96 bytes
nsWebShell::~nsWebShell() line 582 + 27 bytes
nsWebShell::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsWebShell::Release(nsWebShell * const 0x015ff120) line 646 + 95 bytes
nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame() line 465 + 18 bytes
nsHTMLFrameInnerFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::DeleteFrame(nsFrame * const 0x015fe520, nsIPresContext & {...}) line
390 + 34 bytes
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x015fbba0,
nsIPresContext & {...}) line 82
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x01727fc8,
nsIPresContext & {...}) line 82
nsLineBox::DeleteLineList(nsIPresContext & {...}, nsLineBox * 0x015fcaf0) line
158
nsBlockFrame::DeleteFrame(nsBlockFrame * const 0x015f7f20, nsIPresContext &
{...}) line 806 + 16 bytes
nsAreaFrame::DeleteFrame(nsAreaFrame * const 0x015f7f20, nsIPresContext & {...})
line 106
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x015f6d80,
nsIPresContext & {...}) line 82
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x015f6b90,
nsIPresContext & {...}) line 82
ViewportFrame::DeleteFrame(ViewportFrame * const 0x015f6b90, nsIPresContext &
{...}) line 116
PresShell::~PresShell() line 549
PresShell::`scalar deleting destructor'(unsigned int 1) + 15 bytes
PresShell::Release(PresShell * const 0x015d9890) line 485 + 34 bytes
nsCOMPtr_base::~nsCOMPtr_base() line 26
nsCOMPtr<nsIPresShell>::~nsCOMPtr<nsIPresShell>() + 15 bytes
DocumentViewerImpl::~DocumentViewerImpl() line 242 + 22 bytes
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x01598f50) line 184 + 99
bytes
nsWebShell::Destroy(nsWebShell * const 0x015b2af0) line 962 + 27 bytes
nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame() line 465
nsHTMLFrameInnerFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::DeleteFrame(nsFrame * const 0x015b2900, nsIPresContext & {...}) line
390 + 34 bytes
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x01572a60,
nsIPresContext & {...}) line 82
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x01779f08,
nsIPresContext & {...}) line 82
nsLineBox::DeleteLineList(nsIPresContext & {...}, nsLineBox * 0x015974f0) line
158
nsBlockFrame::DeleteFrame(nsBlockFrame * const 0x014f5ef0, nsIPresContext &
{...}) line 806 + 16 bytes
nsAreaFrame::DeleteFrame(nsAreaFrame * const 0x014f5ef0, nsIPresContext & {...})
line 106
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x0146c120,
nsIPresContext & {...}) line 82
nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29
nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x014fd120,
nsIPresContext & {...}) line 82
ViewportFrame::DeleteFrame(ViewportFrame * const 0x014fd120, nsIPresContext &
{...}) line 116
PresShell::~PresShell() line 549
PresShell::`scalar deleting destructor'(unsigned int 1) + 15 bytes
PresShell::Release(PresShell * const 0x013bea40) line 485 + 34 bytes
nsCOMPtr_base::~nsCOMPtr_base() line 26
nsCOMPtr<nsIPresShell>::~nsCOMPtr<nsIPresShell>() + 15 bytes
DocumentViewerImpl::~DocumentViewerImpl() line 242 + 22 bytes
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x01364a50) line 184 + 99
bytes
nsWebShell::Destroy(nsWebShell * const 0x01300aa0) line 962 + 27 bytes
[more... this should be enough!]

Comment 8

19 years ago
I have been seeing crashes in JavaScript GC code when closing windows, too.  I'd
really like to assign this to somebody capable of diagnosing why this happens.
My suspicion is that this would be a JavaScript guru.  If it turns out to be due
to some abuse of JavaScript by somebody higher up the food-chain, then it can be
assigned back to the xptoolkit or xpapps team.

I'll be looking to find somebody better suited to deal with this and will
reassign it when I find them.  Of course, volunteers are welcome to take it.

Updated

19 years ago
Summary: [PP]core dump/crash on exit → [PP] core dump/crash on exit

Updated

19 years ago
Assignee: law → clayton
Severity: normal → critical
OS: Linux → All
Hardware: Other → All
Target Milestone: M7

Comment 9

19 years ago
Clayton,

Can someone on your team help us figure out what is causing this to die in the
Javascript garbage collector?  We just don't have the expertise to debug this
properly.  If you can figure out what is happening upstream before the crash
occurs, then we can take it from there.  Thanks.

Updated

19 years ago
Assignee: clayton → fur

Comment 10

19 years ago
Scott, would you help on this one?
(Assignee)

Comment 11

19 years ago
If someone would volunteer their Linux build and provide a semi-reliable test
case, I'm happy to help.

Comment 12

19 years ago
For the last few days, I see it just about every time I exit ... come on over
(give me a few minutes warning).

Comment 13

19 years ago
I think this may have something to do with the registry.  I moved my ~/.mozilla
aside, went through the irritating profile wizard again, and then found that I
couldn't get the crash on exit any more (which I'd been seeing every single run
all day before I removed the registry).  I continued not to see any crashes on
exit, until I updated a few files and rebuilt a library, then on the next run, I
started getting exit crashes every time again.

Adding dp to cc list -- dp, any ideas?

Comment 14

19 years ago
Incidentally, I just filed a bug on JS Engine with the same stack trace. Maybe
it already made it fur's way.

So I have been seeing this too. It is interesting what Akkana reports. Dll
change causes this. mmh! Let me try it out. So the sequence is:

- Remove reg
- run (all fine)
- Change dll
- run: crash (every time)

I will try it. I doubt it is that easy. Any clue on what that dll is?

Comment 15

19 years ago
*** Bug 7861 has been marked as a duplicate of this bug. ***

Comment 16

19 years ago
Actually we have two bugs here -- the one I'm seeing regularly on Linux, which
comes and goes depending on how up to date the registry is (when I don't see the
bug, I can usually make it come back by making a significant change to a library
and recompiling, then running without removing the registry first), which has
the stack trace I gave, and the one in the JS GC code, which happens on Windows.
Not clear whether these are the same crash or not.  There's no GC in the stack
traces I'm seeing, just app core, non-GC JS code, and RDF.

The stack trace I posted before was abbreviated: here's the full trace:

#0  0x40958fac in ?? ()
#1  0x4067cac7 in gdk_exit ()
#2  0x400217df in nsAppShellService::Shutdown (this=0x807bc08)
    at nsAppShellService.cpp:413
#3  0x40a6139f in nsEditorAppCore::Exit (this=0x80f54d8)
    at nsEditorAppCore.cpp:957
#4  0x40a71204 in EditorAppCoreExit (cx=0x80f44a0, obj=0x825ae98, argc=0,
    argv=0x81c7bc0, rval=0xbfffe188) at nsJSEditorAppCore.cpp:1103
#5  0x40445c83 in js_Invoke (cx=0x80f44a0, argc=0, constructing=0)
    at jsinterp.c:650
#6  0x40456456 in js_Interpret (cx=0x80f44a0, result=0xbfffe590)
    at jsinterp.c:2199
#7  0x40445ce1 in js_Invoke (cx=0x80f44a0, argc=0, constructing=0)
    at jsinterp.c:666
#8  0x40456456 in js_Interpret (cx=0x80f44a0, result=0xbfffe9c4)
    at jsinterp.c:2199
#9  0x40445ce1 in js_Invoke (cx=0x80f44a0, argc=1, constructing=0)
    at jsinterp.c:666
#10 0x40445f98 in js_CallFunctionValue (cx=0x80f44a0, obj=0x8152118,
    fval=135602464, argc=1, argv=0xbfffeb48, rval=0xbfffeb4c) at jsinterp.c:735
#11 0x4041fd95 in JS_CallFunctionValue (cx=0x80f44a0, obj=0x8152118,
    fval=135602464, argc=1, argv=0xbfffeb48, rval=0xbfffeb4c) at jsapi.c:2554
#12 0x4039f831 in nsJSEventListener::HandleEvent (this=0x829c370,
    aEvent=0x82c2bb0) at nsJSEventListener.cpp:97
#13 0x40d4a296 in nsEventListenerManager::HandleEvent (this=0x829c038,
    aPresContext=@0x80d4da0, aEvent=0xbfffecc0, aDOMEvent=0xbfffec38,
    aFlags=3, aEventStatus=@0xbfffecfc) at nsEventListenerManager.cpp:569
#14 0x40b0fd62 in RDFElementImpl::HandleDOMEvent (this=0x829bae0,
    aPresContext=@0x80d4da0, aEvent=0xbfffecc0, aDOMEvent=0xbfffec38,
    aFlags=1, aEventStatus=@0xbfffecfc) at nsRDFElement.cpp:2278
#15 0x400ea22e in nsMenuItem::DoCommand (this=0x82e78d8) at nsMenuItem.cpp:404
#16 0x400e9d3d in nsMenuItem::MenuItemSelected (this=0x82e78d8,
    aMenuEvent=@0xbfffed40) at nsMenuItem.cpp:300
#17 0x400eb2e2 in menu_item_activate_handler (w=0x82e5728, p=0x82e78d8)
    at nsGtkEventHandler.cpp:505
#18 0x4064e4ad in gtk_marshal_NONE__NONE ()
#19 0xab15 in ?? ()
(Assignee)

Comment 17

19 years ago
This bug is getting confusing since, as Akkana has noted, it's really two
separate bugs, and IMHO it's extremely unlikely that they are related.

I'm going to split this into two new bugs and mark this one INVALID.
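
The split described in Comments 16 and 17 can be checked mechanically by comparing function names only, since addresses and source line numbers differ between builds. The following is an added example, not part of the original bug thread: `frames` and `same_crash` are hypothetical helper names, and the samples are the top frames copied from Comments 3, 7 and 16.

```python
import re

# Top frames copied from the traces in Comments 3 and 16 (gdb) and 7 (MSVC).
COMMENT_3 = """\
#2  0x40021407 in nsAppShellService::Shutdown (this=0x8090238)
    at nsAppShellService.cpp:413
#3  0x40a6b997 in nsEditorAppCore::Exit (this=0x8152ff8)
    at nsEditorAppCore.cpp:933
"""
COMMENT_16 = """\
#0  0x40958fac in ?? ()
#1  0x4067cac7 in gdk_exit ()
#2  0x400217df in nsAppShellService::Shutdown (this=0x807bc08)
    at nsAppShellService.cpp:413
#3  0x40a6139f in nsEditorAppCore::Exit (this=0x80f54d8)
    at nsEditorAppCore.cpp:957
"""
COMMENT_7 = """\
gc_root_marker(JSHashEntry * 0x03099de0, int 12, void * 0x017060e8) line 587 + 3
bytes
JS_HashTableEnumerateEntries(JSHashTable * 0x01367f70, int (JSHashEntry *, int,
void *)* 0x003a1f70 gc_root_marker(JSHashEntry *, int, void *), void *
0x017060e8) line 347 + 15 bytes
js_GC(JSContext * 0x01602a90) line 724 + 21 bytes
"""

GDB_FRAME = re.compile(r"#\d+ (?:0x[0-9a-f]+ in )?(\S+) \(")
MSVC_END = re.compile(r"\bline \d+(?: \+ \d+ bytes)?|\+ \d+ bytes")

def frames(trace):
    """Function names, innermost first; addresses, args and line numbers dropped."""
    text = " ".join(trace.split())      # undo the line wrapping of the pasted trace
    if text.startswith("#"):            # gdb: '#N 0xADDR in func (args) at file:line'
        names = GDB_FRAME.findall(text)
    else:                               # MSVC: 'func(args) line N + M bytes'
        names = [chunk.split("(", 1)[0].strip() for chunk in MSVC_END.split(text)]
    return [n for n in names if n and n != "??"]    # skip unresolved frames

def same_crash(a, b):
    """True if the shorter trace is a contiguous run of frames inside the longer one."""
    short, long_ = sorted((frames(a), frames(b)), key=len)
    n = len(short)
    # Require at least two frames so one shared helper frame is not a match.
    return n >= 2 and any(long_[i:i + n] == short for i in range(len(long_) - n + 1))

if __name__ == "__main__":
    print(frames(COMMENT_16))
    print(same_crash(COMMENT_3, COMMENT_16), same_crash(COMMENT_7, COMMENT_16))
```

The abbreviated trace from Comment 3 matches the full Linux trace from Comment 16 even though it starts at frame #2, while the Windows GC trace from Comment 7 shares no run of frames with either.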
(Assignee)

Updated

19 years ago
Status: NEW → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → INVALID
(Assignee)

Comment 18

19 years ago
This bug was split into bugs 7940 and 7938.

Updated

19 years ago
Status: RESOLVED → VERIFIED

Comment 19

19 years ago
Moving all Apprunner bugs past and present to Other component temporarily whilst
don and I set correct component.  Apprunner component will be deleted/retired
shortly.
Product: Core → Core Graveyard