Closed Bug 76226 Opened 24 years ago Closed 24 years ago

crash [@ free] [@ nsAllocatorManager.cp]

Categories

(SeaMonkey :: Passwords & Permissions, defect, P3)

Product:
SeaMonkey
Component:
Passwords & Permissions
Platform:
PowerPC
Mac System 9.x
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: greer, Assigned: morse)

Details

(Keywords: crash, topcrash, Whiteboard: Proposed for 0.9)

Crash Data

This is the number two top crash on Mac OS 9 in the M081 build. User comments point to crashing in conjunction with Instant Messenger/mail. (29023154) Comments: crashes on Instant messenger (28988586) Comments: Crash dismissing browser with two Im windows up (28918604) Comments: Crash invoking IM setup dialog (29032515) Comments: trying to get imap mail free() [nsAllocatorManager.cp] PR_Free() [prmem.c line 66] nsMemoryImpl::Free() [nsMemoryImpl.cpp line 326] nsMemory::Free() [nsMemoryImpl.cpp line 559] nsStr::Free() [nsStr.cpp line 694] nsStr::Destroy() [nsStr.cpp line 87] nsString::~nsString() [nsString2.cpp line 126] nsAutoString::~nsAutoString() [nsString2.cpp line 1891] si_RemoveUser() [singsign.cpp line 796] SI_RemoveAllSignonData() [singsign.cpp line 1177] SI_ClearUserData() [singsign.cpp line 1211] nsWalletlibService::~nsWalletlibService() [nsWalletService.cpp line 66] nsWalletlibService::Release() [nsWalletService.cpp line 74] DeleteEntry() [nsServiceManager.cpp line 258] _hashEnumerateRemove() [nsHashtable.cpp line 367] PL_HashTableEnumerateEntries() [plhash.c line 413] nsHashtable::Reset() [nsHashtable.cpp line 383] nsObjectHashtable::Reset() [nsHashtable.cpp line 626] nsObjectHashtable::~nsObjectHashtable() [nsHashtable.cpp line 592] nsServiceManagerImpl::~nsServiceManagerImpl() [nsServiceManager.cpp line 283] nsServiceManagerImpl::Release() [nsServiceManager.cpp line 292] nsServiceManager::ShutdownGlobalServiceManager() [nsServiceManager.cpp line 544] NS_ShutdownXPCOM() [nsXPComInit.cpp line 473]
Adding crash, topcrash and qawanted keywords
Keywords: crash, qawanted, topcrash
wallet on the stack, over to morse.
Assignee: sspitzer → morse
Does anyone have a reproducible test case on this? Does this occur only on the mac?
Status: NEW → ASSIGNED
Keywords: nsbeta1
Target Milestone: --- → mozilla0.9
Whiteboard: Proposed for 0.9
Here's what I think is happening. Without a reproducible test case, I can't be sure but this explanation seems plausible. In singsign.cpp there are three calls to si_PutData. (Actually there are four but the fourth is under "ifdef APPLE_KEYCHAIN" that is no longer used.) These calls pass in an array of si_SignonDataStruct (second parameter). The elements of si_SignonDataStruct are nsAutoStrings which eventually get released when SI_RemoveAllSignonData is called. Following the first call to si_PutData (in si_LoadSignonData) is code that explicitly deletes the si_SignonDataStruct which means that the nsAutoStings will get released. So at the end when SI_RemoveAllSignonData is called, same nsAutoStrings are released a second time which is probably the cause of the crash observed here (the stack trace indicates that the crash is occuring at exactly this point). Note that the other two calls do not delete the si_SignonDataStruct. So my feeling is that either we remove the delete code following the first call, or we add it after all the calls and somehow make explicit copies of the nsAutoStrings in the si_PutData routine. I'll need to investigate this a little further to figure out what the correct patch is.
Changing component to password-manager.
Status: ASSIGNED → NEW
Component: Mail Window Front End → Password Manager
Product: MailNews → Browser
QA Contact: esther → tpreston
converting nsbeta1 nomination to nsbeta1+ as this is a crasher. Ccing pchen and todd to inform.
Keywords: nsbeta1nsbeta1+
<Hixie> Since this has had no traction and it's now past the 0.9 tree closure, this topcrasher should probably be moved on to another milestone. (Top crashers that are targetted at 0.9 are appearing on the "potential 0.9 fixes" list.)
any updates on this? we want to get it in 0.9 if possible
Here are two stack traces that showed up from the 4-17 Mac build: free() [nsAllocatorManager.cp] PR_Free() [prmem.c, line 66] nsJSID::~nsJSID() [xpcjsid.cpp, line 73] nsJSCID::~nsJSCID() [xpcjsid.cpp, line 893] nsJSCID::Release() [xpcjsid.cpp, line 873] CIDGetService::~CIDGetService() [xpcjsid.cpp, line 750] CIDGetService::Release() [xpcjsid.cpp, line 738] nsXPCWrappedNative::~nsXPCWrappedNative() [xpcwrappednative.cpp, line 398] nsXPCWrappedNative::Release() [xpcwrappednative.cpp, line 71] nsXPCWrappedNative::JSObjectFinalized() [xpcwrappednative.cpp, line 94] WrappedNative_Finalize() [xpcwrappednativejsops.cpp, line 893] js_FinalizeObject() [jsobj.c, line 1741] js_GC() [jsgc.c, line 1216] js_ForceGC() [jsgc.c, line 942] JS_GC() [jsapi.c, line 1633] nsJSContext::GC() [nsJSEnvironment.cpp, line 1324] GlobalWindowImpl::SetNewDocument() [nsGlobalWindow.cpp, line 382] CONTENT_DLL + 0x1bb654 (0x16b6eb74) ------------ Incident ID 29241860 free() [nsAllocatorManager.cp] PR_Free() [prmem.c, line 66] PR_DestroyLock() [prulock.c, line 209] nsFileTransport::~nsFileTransport() [nsFileTransport.cpp, line 289] nsFileTransport::Release() [nsFileTransport.cpp, line 304] nsCOMPtr_base::~nsCOMPtr_base() [nsCOMPtr.cpp, line 49] nsOnStopRequestEvent::~nsOnStopRequestEvent() [nsRequestObserverProxy.cpp, line 138] nsARequestObserverEvent::DestroyPLEvent() [nsRequestObserverProxy.cpp, line 71] PL_DestroyEvent() [plevent.c, line 625] PL_HandleEvent() [plevent.c, line 599] PL_ProcessPendingEvents() [plevent.c, line 518] nsEventQueueImpl::ProcessPendingEvents() [nsEventQueue.cpp, line 361] nsMacNSPREventQueueHandler::ProcessPLEventQueue() [nsToolkit.cpp, line 135] nsMacNSPREventQueueHandler::RepeatAction() [nsToolkit.cpp, line 100] Repeater::DoRepeaters() [nsRepeater.cpp, line 119] nsMacMessagePump::DispatchEvent() [nsMacMessagePump.cpp, line 430] nsMacMessagePump::DoMessagePump() [nsMacMessagePump.cpp, line 253] nsAppShell::Run() [nsAppShell.cpp, line 110] nsAppShellService::Run() [nsAppShellService.cpp, line 406] Netscape 6 + 0x45fc (0x1742b0dc)
> chofmann: any updates on this? we want to get it in 0.9 if possible I'm actively working on it as you can see by my comments of yesterday. The new stack traces presented by greer are entirely different from the original stack trace appearing in this bug report and have nothing to do with password manager. Sounds like they are an entirely different bug.
I know this is marked a topcrash, but it looks like the majority of crashes being reported by Talkback under the "free" stack signature are related to the IM crash (most of the stack traces look like the first one greer posted on 4/18).
Let me clarify the comment that I made above. This bug report has to do with the original stack posted by greer on 4-16. It has nothing at all to do with the next two stack traces he posted on 4-18 -- they are separate bugs and I recommend that they be posted in a separate report.
My comments of 2001-04-17 17:30 implied that there might be a problem with explicit delete after one of the calls to si_PutData. Now that I've done a more careful analysis and instrumentation of the code, I can conclude that that is not the problem. It seems that the assignment in si_PutData does an implicit copy of the string so it is fine to do the delete after the si_PutData call. If anything, there may be a leakage problem because such deletes are not being done after the other two calls to si_PutData, but that's not related in any way to the crash reported here. So I have now taken this as far as I can without a reproducible test case. There is nothing at all obvious that I can glean from the stack trace to help determine the cause of the crash. Reluctantly I am removing the 0.9 target milestone because there is no way we are going to come up with a fix for this in that timeframe. In fact, there is no way I can assign any target mileston to it until we have a reproducible test case.
Target Milestone: mozilla0.9 → ---
moving the milestone and priority.
Priority: -- → P3
Target Milestone: --- → mozilla0.9.2
Removing the milestone. As I mentioned above, there is no way we can assign a milestone to this unless we have a reproducible test case.
Status: NEW → ASSIGNED
Target Milestone: mozilla0.9.2 → ---
tom/jpatel, can you have a relook at this for some addtional test cases or comments?
29032515) Comments: trying to get imap mail I have had this problem trying to get imap mail after installing a new build of Netscape (4-20 full install) or Mozilla 81-tb. Then it hangs at the watch checking imap mail and I have to force quit the application. It doesn't trigger talkback on restart.
Today's report doesn't have much helpful info, but here it is: free 17 76226 ASSI First BBID :29174136 Last BBID :29512005 Min Runtime :10 Max Runtime :11853 First Appearance Date : 2001-04-16 Last Appearance Date : 2001-04-23 First BuildID : 2001041604 Last BuildID : 2001042308 Stack Trace: free() [nsAllocatorManager.cp] PR_Free() [prmem.c line 66] nsJSID::~nsJSID() [xpcjsid.cpp line 73] nsJSCID::~nsJSCID() [xpcjsid.cpp line 893] nsJSCID::Release() [xpcjsid.cpp line 873] CIDGetService::~CIDGetService() [xpcjsid.cpp line 750] CIDGetService::Release() [xpcjsid.cpp line 738] nsXPCWrappedNative::~nsXPCWrappedNative() [xpcwrappednative.cpp line 398] nsXPCWrappedNative::Release() [xpcwrappednative.cpp line 71] nsXPCWrappedNative::JSObjectFinalized() [xpcwrappednative.cpp line 94] WrappedNative_Finalize() [xpcwrappednativejsops.cpp line 893] js_FinalizeObject() [jsobj.c line 1741] js_GC() [jsgc.c line 1216] js_ForceGC() [jsgc.c line 942] JS_GC() [jsapi.c line 1633] nsJSContext::GC() [nsJSEnvironment.cpp line 1324] GlobalWindowImpl::SetNewDocument() [nsGlobalWindow.cpp line 383] CONTENT_DLL + 0x1bb368 (0x15c6a958) Source File : nsAllocatorManager.cp line : (29396881) Comments: Crash exiting browser (didn not setup im ) (29344265) Comments: failure occurs when opening AB (29331771) Comments: still crashes on Im setup selecting use an existing screen name (29304013) Comments: tried to launch Instant messanger (Mac Build 20010417) and it crashed out
jpatel, you are attaching the stack trace for a different bug. This bug involves several si_ routines (single signon) whereas the trace you just posted doesn't. Please open a separate bug report for that stack trace.
morse, sorry about that, i forgot that we had a couple of different crashes under the free - nsAllocatorManager.cp stack signatures.
Are we still getting reports with the stacktrace containing si_ routines?
Not seeing any si_ routines in crashes listed on the reports from 5/7/01.
Closing this out as wfm per the above comment. Please reopen if you see this stacktrace in a future crash report.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Moving all the Works For Me bugs to talkback user account for future reference.
Assignee: morse → talkback
Status: RESOLVED → NEW
We are gathering all the Resolved and WFM bugs which are happened to be topcrash bugs and assigning it to talkback. I am marking all of them as RESOLVED WFM.
Status: NEW → RESOLVED
Closed: 24 years ago24 years ago
Per commments above, marking verified
Status: RESOLVED → VERIFIED
Keywords: qawanted
Reopening as a topcrash on N620 Mac for the stack signature free. There are 44 crashes for this stack signature in todays topcrash report. Count Offset Real Signature [ 4 free() a640495d - free() ] [ 2 free() faeaf814 - free() ] Crash date range: 2001-11-01 to 2001-11-07 Min/Max Seconds since last crash: 86 - 52970 Min/Max Runtime: 1542 - 82817 Keyword List : Count Platform List 2 MacOS version 9.2.1 2 MacOS version 8.6 1 MacOS version 9.2 1 MacOS version 9.0 Count Build Id List 6 2001102217 No of Unique Users 6 Stack trace(Frame) free() [nsAllocatorManager.cp] PR_Free() [prmem.c line 82] nsMemoryImpl::Free() [nsMemoryImpl.cpp line 326] nsMemory::Free() [nsMemoryImpl.cpp line 559] nsStr::Free() [nsStr.cpp line 694] nsStr::Destroy() [nsStr.cpp line 87] nsCString::~nsCString() [nsString.cpp line 139] nsCacheMetaData::FreeElement() [nsCacheMetaData.cpp line 319] PL_DHashTableEnumerate() [pldhash.c line 543] nsCacheMetaData::Finalize() [nsCacheMetaData.cpp line 264] PL_DHashTableFinish() [pldhash.c line 239] nsCacheMetaData::~nsCacheMetaData() [nsCacheMetaData.cpp line 55] nsCacheEntry::~nsCacheEntry() [nsCacheEntry.cpp line 63] nsDiskCacheDevice::DeactivateEntry() [nsDiskCacheDevice.cpp line 443] nsCacheService::DeactivateEntry() [nsCacheService.cpp line 1285] nsCacheService::CloseDescriptor() [nsCacheService.cpp line 1245] nsCacheEntryDescriptor::Close() [nsCacheEntryDescriptor.cpp line 339] nsCacheEntryDescriptor::~nsCacheEntryDescriptor() [nsCacheEntryDescriptor.cpp line 48] nsCacheEntryDescriptor::Release() [nsCacheEntryDescriptor.cpp line 32] nsCOMPtr_base::assign_with_AddRef() [nsCOMPtr.cpp line 58] nsHttpChannel::CloseCacheEntry() [nsHttpChannel.cpp line 886] nsHttpChannel::OnStopRequest() [nsHttpChannel.cpp line 2196] nsOnStopRequestEvent::HandleEvent() [nsRequestObserverProxy.cpp line 161] nsARequestObserverEvent::HandlePLEvent() [nsRequestObserverProxy.cpp line 64] PL_HandleEvent() [plevent.c line 590] PL_ProcessPendingEvents() [plevent.c line 520] nsEventQueueImpl::ProcessPendingEvents() [nsEventQueue.cpp line 374] nsEventQueueImpl::ProcessPendingEvents() [nsEventQueue.cpp line 380] COMMENTS/URLs: (37749498) Comments: restart (37654594) URL: infotrac.galegroup.com Here are other offsets and their comments: 3 free() d51f4131 (37596734) Comments: opening new page=http://www.meuhedet.co.il 2 free() 61f7c0f2 (37596734) Comments: opening new page=http://www.meuhedet.co.il 2 free() 61f7c0f2 (37539899) URL: WWW.USGA.ORG (37539899) Comments: SWITCHING FROM WWW.AZGOLF.ORG TO WWW.USGA.ORG (37459987) Comments: I was browsing on the net 1 free() f16522f5 (37585829) Comments: I was down loading a web page and trying to scroll down when the program quit 1 free() eb58bed2 (37743072) Comments: Reading Mail 1 free() eb068180 1 free() d1139cc7 1 free() cbfeb7a9 1 free() c723c171
Status: VERIFIED → REOPENED
Resolution: WORKSFORME → ---
reassigning to original owner...but looking at the recent stack from N620, it looks like a different crash than what was originally reported. not sure what to do about this one.
Assignee: talkback → morse
Status: REOPENED → NEW
remarking this bug worksforme, since the latest stack doesn't have any si_ routines, which is what morse was orginally looking into. jan: look a little deeper into the stack traces for this crash and log another bug on them if necessary.
Status: NEW → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → WORKSFORME
Product: Browser → Seamonkey
Crash Signature: [@ free] [@ nsAllocatorManager.cp]
You need to log in before you can comment on or make changes to this bug.