Tbird crash in XPCWrappedNative::cycleCollection::TraverseImpl with QuickText addon

RESOLVED WORKSFORME

Status

()

Core
XPConnect
--
critical
RESOLVED WORKSFORME
6 years ago
3 years ago

People

(Reporter: wsmwk, Assigned: standard8)

Tracking

({crash, regression, reproducible})

Trunk
x86
Windows 7
crash, regression, reproducible
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox17-, firefox18-)

Details

(Whiteboard: [Update Quicktext to 0.9.11.5 if you see this crash][startupcrash][tbird crash][addon][gs], crash signature, URL)

(Reporter)

Description

6 years ago
#1 crash for thunderbird trunk. 
startup crash
according to crash-stats, crash started on 2012-08-09

This bug was filed from the Socorro interface and is 
report bp-0e01f759-49ce-4974-8204-60b702120809 .
============================================================= 
0		@0x103d4a50	
1	xul.dll	XPCWrappedNative::cycleCollection::TraverseImpl	js/xpconnect/src/XPCWrappedNative.cpp:97
2	xul.dll	GCGraphBuilder::Traverse	xpcom/base/nsCycleCollector.cpp:1759
3	xul.dll	nsCycleCollector::MarkRoots	xpcom/base/nsCycleCollector.cpp:2082
4	xul.dll	nsCycleCollectorRunner::Run	xpcom/base/nsCycleCollector.cpp:3083
5	xul.dll	nsThread::ProcessNextEvent	xpcom/threads/nsThread.cpp:624 

only *one* firefox crash in one month, and it is not startup
bp-bc56bfab-7377-4e9d-b3a0-fa6982120815 Fx16.0a2
Component: General → XPCOM
Product: Thunderbird → Core

Comment 1

6 years ago
https://crash-stats.mozilla.com/report/index/bp-64b098b9-37ee-4f2f-80aa-a00c22120903
Appears after you click send. The window for writing and in 15-20 seconds crashes. If you disable the add error disappears.
This is currently the top crasher for Thunderbird 17 - Benjamin any idea what could be going on here ?
(Reporter)

Comment 3

6 years ago
(In reply to adminnu from comment #1)
> If you disable the add error disappears.

It looks like QuickText Version 0.9.11.1 stops working in TB17
bp-12d653d4-d556-431e-97d1-9d5d22121013 nails the cause at QuickText addon.
And all the crashes I examined have QuickText installed.
Whiteboard: [startupcrash] → [startupcrash][tbird topcrash][addon]

Comment 4

6 years ago
This bug has also been reported on Geckozone. Has anyone contacted QuickText's author?

Comment 5

6 years ago
The quicktext addon does not appear to use any binary components, and a pure-JS really shouldn't be able to make the cycle collector crash. mccr8, want to take a look?
That's odd.  The line in question that is crashing for both of those is:
  cb.NoteXPCOMChild(tmp->GetIdentityObject());

GetIdentityObject just grabs a field, and cb and tmp have been touched before this, so I'm not sure what could be wrong.
Assignee: nobody → continuation
(Reporter)

Comment 7

6 years ago
http://extensions.hesslow.se/forum/thread/622/0.9.11.3+crashes+18.x+Thunderbird+in+nightly+build/ reports crashes using TB18 but no comments from the author yet
(Assignee)

Comment 8

6 years ago
Can anyone reproduce with QuickText installed? A straw poll of the crashes indicates QuickText on the majority of them.

Updated

6 years ago
Whiteboard: [startupcrash][tbird topcrash][addon] → [startupcrash][tbird topcrash][addon][gs]
Steps to reproduce:
1. Launch Thunderbird 17 Beta
2. Install QuickText 0.9.11.3
3. Reply to an email.
4. Wait a few seconds until Thunderbird crashes.
Component: XPCOM → XPConnect
Summary: crash in XPCWrappedNative::cycleCollection::TraverseImpl → Tbird crash in XPCWrappedNative::cycleCollection::TraverseImpl with QuickText addon
(Reporter)

Comment 11

6 years ago
no sign yet of a new version, so I've posted more info at hesslow.se
(Reporter)

Comment 12

6 years ago
(In reply to Andrew McCreight [:mccr8] from comment #6)
> That's odd.  The line in question that is crashing for both of those is:
>   cb.NoteXPCOMChild(tmp->GetIdentityObject());
> 
> GetIdentityObject just grabs a field, and cb and tmp have been touched
> before this, so I'm not sure what could be wrong.

Given that this is #1 TB17 crash, this could use some immediate attention.


bp-ac826979-82f9-428a-8098-438832121109 @ hang | XPCWrappedNative::cycleCollection::TraverseImpl(XPCWrappedNative::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
Keywords: regressionwindow-wanted, reproducible, topcrash+
Somebody who knows Thunderbird needs to figure out where this corrupted XPCWrappedNative is coming from. Probably the most useful thing to do is to get the tmp->GetScriptableInfo()->GetJSClass()->name of the native, if any.

I'll try poking around the addon code and see if anything jumps out at me.
Assignee: continuation → nobody
While it's an important TB topcrash, it's not a Firefox topcrasher or release-blocking priority, so we won't track this - especially for 17 which is about to ship.
tracking-firefox17: ? → -
tracking-firefox18: ? → -
(Reporter)

Comment 15

6 years ago
TB17 officially released and this is #1 crash - 2k crashes in 4 hours.

The original support topic is a month old, so I'm not going to be pointing users to it and invite flames.  The canonical support topic will be a more recent https://getsatisfaction.com/mozilla_messaging/topics/upgrade_to_ver17_results_in_crashes_on_new_email_creation_including_replies
Has somebody contacted QuickText's author? Can we get a reduced test case?
(Reporter)

Comment 17

6 years ago
(In reply to Andrew McCreight [:mccr8] from comment #16)
> Has somebody contacted QuickText's author? Can we get a reduced test case?

comment 7 - not a peep from the author. I'm not a user of quicktext, so I have no vested interest in hounding the author, etc. 

Do we really need a reduced testcase?  My impression is it crashes outright when making a reply.

Comment 18

6 years ago
I was using QuickText 0.9.11.3 all the time, and now with Thunderbird 17 it causes a crash as soon as I open a mail. Disabling QuickText fixes the problem, re-enabling it brings back the crashes. The problem is new for Thunderbird 17.

Updated

6 years ago
Duplicate of this bug: 813793
(Assignee)

Comment 20

6 years ago
(In reply to Andrew McCreight [:mccr8] from comment #13)
> Somebody who knows Thunderbird needs to figure out where this corrupted
> XPCWrappedNative is coming from. Probably the most useful thing to do is to
> get the tmp->GetScriptableInfo()->GetJSClass()->name of the native, if any.

tmp->GetScriptableInfo() returns 0x0, so we can't get the name.

tmp->mRefCnt.get() is 1, tmp->IsValid() is also 1.

I couldn't really see any other way to determine what the bad wrapper might be.
(Reporter)

Updated

6 years ago
Blocks: 813899
(Assignee)

Updated

6 years ago
Depends on: 813954
Duplicate of this bug: 813958
So, IsValid() is true, so mFlatJSObject should be non-null. You can try mFlatJSObject->dump() and hopefully that will print out some useful information about the reflector, which should give us some idea of what the XPCWN is.
(Assignee)

Comment 23

6 years ago
Ok, here's what I get:

object 0x149023610
class 0x106b0cdd0 XPCWrappedNative_NoHelper
flags:
proto <XPC_WN_NoHelper_Proto_JSClass object at 0x1490270a0>
parent <BackstagePass object at 0x149022060>
private 0x12007c320
reserved slots:
   0 (reserved) = null
properties:
    ((Shape *) 0x149021290) enumerate readonly permanent setterOp=0x102cf13f0 JSString* (0x14902c2c0) = jschar * (0x14902c2d0) = "getCardFromAttribute"
: slot 1 = <function getCardFromAttribute at 0x149038e20>

There's two calls to nsIAddrDatabase::getCardFromAttribute in the extension, so that would probably be right.

Comment 24

6 years ago
I have not had time to look at this. And if you guys are not able to figure out why Thunderbird is crashing because of my Javascript I'm not sure if I would be able to. And my extension is in Javascript so this should be a bug in Thunderbird and not my extension. If you are able to figure out a work around I can update the extension.

But I will not have time to look at this for at least 2 more weeks.

Comment 25

6 years ago
if you add a "return;" just at the beginning of the function "wzQuicktextVar()" in the file "wzQuicktextVar.js"  then the addon works again, but it seems that the variables (TO, FROM etc) don't work anymore.
Can I upload the addon somewhere, so others can check the problem is indeed there?

Comment 26

6 years ago
I have been testing,comment out the line "this.mDatabases.push(dir.database);"in the function "wzQuicktextVar()" in the file "wzQuicktextVar.js",it works well!
Hope it helps

Comment 27

6 years ago
That helps.

Today I use getCardFromAttribute to get a nsIAbCard from an email address. Is there any better way of doing that?

Comment 28

6 years ago
Is cardForEmailAddress on nsIAbCollection a better way of doing this?

Comment 29

6 years ago
Found http://lxr.mozilla.org/comm-central/source/mailnews/db/gloda/modules/utils.js#91 and that doesn't crash so I'm just going to use that.

Comment 30

6 years ago
There is now a beta version up on http://extensions.hesslow.se/extension/4/Quicktext/ (there is a Beta section under the Download button in the upper right corner). I will email the hundred of people that have emailed me today and ask them to test it. And if they don't find any problems I will update it on AMO tomorrow.

And people here please test it and send me feedback

Comment 31

6 years ago
Put 0.9.11.4, falls far from happening. I will continue to test.

Comment 32

6 years ago
(In reply to Emil Hesslow from comment #30)
> There is now a beta version up on
> http://extensions.hesslow.se/extension/4/Quicktext/
> And people here please test it and send me feedback

Your 0.9.11.4 beta works perfect for me. Thanks for quick reaction although you only got limited time. Your Users will appreciate it.
Duplicate of this bug: 813704
(Assignee)

Updated

6 years ago
Crash Signature: [@ XPCWrappedNative::cycleCollection::TraverseImpl(XPCWrappedNative::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)] → [@ XPCWrappedNative::cycleCollection::TraverseImpl(XPCWrappedNative::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)] [@ ToParticipant ]
(Assignee)

Updated

6 years ago
Crash Signature: [@ XPCWrappedNative::cycleCollection::TraverseImpl(XPCWrappedNative::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)] [@ ToParticipant ] → [@ XPCWrappedNative::cycleCollection::TraverseImpl(XPCWrappedNative::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)] [@ ToParticipant ] [@ CallQueryInterface<nsISupports, nsXPCOMCycleCollectionParticipant> ]

Comment 34

6 years ago
Quicktext 0.9.11.4 works for me in Thunderbird 17, but it repeatedly crashed Firefox when I tried to download it at http://extensions.hesslow.se/extension/4/Quicktext/ in the new Firefox 17 by clicking on it.    I only resolved this when I right-clicked and used "save link as".

Comment 35

6 years ago
0.9.11.5 is now live on AMO which fixes the crash
(Assignee)

Comment 36

6 years ago
Thanks Emil.

I'm going to leave this bug open for now, as I'd to see if I can track down if there is an issue with the interfaces the previous version of the extension was using.
Assignee: nobody → mbanner
Whiteboard: [startupcrash][tbird topcrash][addon][gs] → [Update Quicktext to 0.9.11.5 if you see this crash][startupcrash][tbird topcrash][addon][gs]
Duplicate of this bug: 814760

Updated

6 years ago
Duplicate of this bug: 813768

Comment 39

6 years ago
(In reply to Emil Hesslow from comment #35)
> 0.9.11.5 is now live on AMO which fixes the crash
It seems so based on correlations:
  XPCWrappedNative::cycleCollection::TraverseImpl(XPCWrappedNative::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)|EXCEPTION_ACCESS_VIOLATION_EXEC (266 crashes)
     85% (225/266) vs.   2% (311/14500) {8845e3b3-e8fb-40e2-95e9-ec40294818c4}
         58% (153/266) vs.   1% (182/14500) 0.9.11.2
         27% (72/266) vs.   1% (89/14500) 0.9.11.3
          0% (0/266) vs.   0% (40/14500) 0.9.11.5
Keywords: topcrash+ → topcrash
OS: Windows NT → Windows 7
(Reporter)

Updated

6 years ago
Duplicate of this bug: 818031
(Reporter)

Updated

5 years ago
Duplicate of this bug: 829722

Comment 42

5 years ago
It's #30 top crasher in TB 17.0.2 so not a top crasher according to https://wiki.mozilla.org/CrashKill/Topcrash
Keywords: topcrash
Whiteboard: [Update Quicktext to 0.9.11.5 if you see this crash][startupcrash][tbird topcrash][addon][gs] → [Update Quicktext to 0.9.11.5 if you see this crash][startupcrash][tbird crash][addon][gs]
(Assignee)

Comment 43

4 years ago
This seems to have gone away from the topcrash list. So I'm going to close it. If there's still same around with the same signature, they need investigating to check it is with the latest version of the add-on etc.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME
Keywords: regressionwindow-wanted
You need to log in before you can comment on or make changes to this bug.