Closed Bug 809458 Opened 12 years ago Closed 12 years ago

crash in nsWindow::GetToplevelWidget

Categories: Core :: Widget: Gtk, defect

Version: 19 Branch
Hardware: All
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla19

People

(Reporter: tonymec, Unassigned)

Details

(Keywords: crash, regression, reproducible)

This bug was filed from the Socorro interface and is report bp-c730cfc7-6683-444b-99e9-48cb12121107.
============================================================= 
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/19.0 Firefox/19.0 SeaMonkey/2.16a1 ID:20121106230402 c-c:73850fe23239 m-c:70c55e9a3ef6

Reproducible: Always

Steps to Reproduce:
1. Start SeaMonkey with ChatZilla enabled.

Actual result:
Crash after opening all tabs and joining most (but not all) channels

Expected result:
No crash

Additional information:
This crash did not happen yesterday, and yet ChatZilla was not reinstalled (in particular, no SeaMonkey version number change and no recheck of extensions' maxVersion settings)

This is an hourly build (today's linux-x86_64 had "exception" status) so Socorro doesn't know its symbols; I'll fetch them manually from the crashreporter-symbols.zip

Startup with -browser: no crash
Restart (cZ enabled): bp-c299bfbf-9261-4d64-b68d-b27212121107
Normal startup (cZ, browser & Mail): bp-f9396d91-3b49-4f55-9e3f-039bb2121107
Startup with -mail: no crash
Startup with -chat: bp-c730cfc7-6683-444b-99e9-48cb12121107

All three at libxul.so@0x12c2031. Here is the stack from the "cZ-only" startup:

0: libxul.so@0x12c2031 in nsWindow::GetToplevelWidget()
1: libxul.so@0x12c2534 in nsWindow::GetAttention(int)
2: libxul.so@0x2196d97 in ???
3: libxul.so@0xe3b796 in nsGlobalChromeWindow::GetAttentionWithCycleCount(int)
4: libxul.so@0x1731b87 in NS_InvokeByIndex_P
5: libxul.so@0x10cf525 in XPCWrappedNative::FindTearOff(XPCCallContext&, XPCNativeInterface*, int, tag_nsresult*)
6: libxul.so@0x3095277 in ???
7: libxul.so@0xf4b865 in nsScriptSecurityManager::CheckPropertyAccessImpl(unsigned int, nsAXPCNativeCallContext*, JSContext*, JSObject*, nsISupports*, nsIClassInfo*, char const*, long, void**)
8: ld-2.14.1.so@0x10efc
9: libxul.so@0x10d27d0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)
10: libxul.so@0x1cf5c64 in JSObject::addPropertyInternal(JSContext*, long, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>), int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, unsigned int, int, js::Shape**, bool)
11: libxul.so@0x1ce7f41 in js::PropertyTree::getChild(JSContext*, js::Shape*, unsigned int, js::StackShape const&)
12: libxul.so@0x1cb831b in JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, js::Shape*)
13: libxul.so@0x1cf3792 in JSObject::getChildProperty(JSContext*, js::Shape*, js::StackShape&)
14: libxul.so@0x1cb7d34 in JSObject::growSlots(JSContext*, JS::Handle<JSObject*>, unsigned int, unsigned int)
15: libxul.so@0x1cf5c64 in JSObject::addPropertyInternal(JSContext*, long, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>), int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, unsigned int, int, js::Shape**, bool)
16: libxul.so@0x1cb81ca in JSObject::updateSlotsForSpan(JSContext*, JS::Handle<JSObject*>, unsigned long, unsigned long)
17: libxul.so@0x1ce72ff in js::detail::HashTable<js::Shape* const, js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup(js::StackShape const&, unsigned int, unsigned int) const
18: libxul.so@0xe1b0fc in js::IsProxy(JSObject*)
19: libxul.so@0xe1b117 in js::GetProxyHandler(JSObject*)
20: libxul.so@0xe1b244 in js::IsWrapper(JSObject*)
21: libxul.so@0x1d3c996 in js::UnwrapObject(JSObject*, bool, unsigned int*)
22: libxul.so@0xe1b117 in js::GetProxyHandler(JSObject*)
23: libxul.so@0xe1b0fc in js::IsProxy(JSObject*)
24: libxul.so@0xe1b234 in js::IsWrapper(JSObject*)
25: libxul.so@0x1d3c94f in js::UnwrapObject(JSObject*, bool, unsigned int*)
26: libxul.so@0x10ce8a5 in XPCWrappedNative::GetWrappedNativeOfJSObject(JSContext*, JSObject*, JSObject*, JSObject**, XPCWrappedNativeTearOff**)
27: libxul.so@0xbc676d in xpc_UnmarkGrayObject(JSObject*)
28: libxul.so@0x10a9ffd in XPCCallContext::Init(XPCContext::LangType, int, JSObject*, JSObject*, XPCCallContext::WrapperInitOptions, long, unsigned int, JS::Value*, JS::Value*)
29: libxul.so@0xe1b0fc in js::IsProxy(JSObject*)
30: libxul.so@0xe1b234 in js::IsWrapper(JSObject*)
31: libxul.so@0x1d3c996 in js::UnwrapObject(JSObject*, bool, unsigned int*)
32: libxul.so@0x10d5a52 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)
33: libxul.so@0x113fe57 in nsDocShell::FindChildWithName(unsigned short const*, bool, bool, nsIDocShellTreeItem*, nsIDocShellTreeItem*, nsIDocShellTreeItem**)
34: libxul.so@0x2f8b45f in ???
35: libxul.so@0x1c1fbf2 in JS_EndRequest(JSContext*)
36: libxul.so@0x1e3d9c8 in js::mjit::CallCompiler::generateNativeStub()
37: libxul.so@0x304e5bf in ???
38: libxul.so@0x1cb9538 in js::LookupNameWithGlobalDefault(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>)
39: libxul.so@0x1d5b13d in js::CallObject::createForFunction(JSContext*, js::StackFrame*)
40: libxul.so@0x10ce888 in XPCWrappedNative::GetWrappedNativeOfJSObject(JSContext*, JSObject*, JSObject*, JSObject**, XPCWrappedNativeTearOff**)
41: libxul.so@0xbc676d in xpc_UnmarkGrayObject(JSObject*)
42: libxul.so@0x10a9ffd in XPCCallContext::Init(XPCContext::LangType, int, JSObject*, JSObject*, XPCCallContext::WrapperInitOptions, long, unsigned int, JS::Value*, JS::Value*)
43: libxul.so@0x3095277 in ???
44: ld-2.14.1.so@0x10efc
45: libxul.so@0x10a7595 in nsXPConnect::GetXPConnect()
46: libxul.so@0x10a6472 in nsXPConnect::Release()
47: libxul.so@0x10a76cc in XPCJSRuntime::Get()
48: libxul.so@0x10a9b04 in XPCCallContext::~XPCCallContext
49: libxul.so@0x10d72c1 in XPC_WN_Helper_NewResolve
50: libxul.so@0x2f8b45f in ???
etc.
Crash Signature: [@ nsWindow::GetTopLevelWidget()] → [@ nsWindow::GetToplevelWidget()]
At cZ startup, I connect automatically to the moznet server with the following list of "autoperform" actions (where I use "echo" as the next-best thing for commenting-out a line without actually removing it). j is an alias for join.

disable-plugin joinint
query NickServ
nickserv identify --censored--
j #chatzilla
j #calendar
j #developers
echo 'j #smafa'
j #seamonkey
j #bugday
query firebot
echo 'query firewolfbot'
j #firebot
echo 'j #testday'
j #bugs
j #ateam
echo 'j #extdev'
echo 'j #addons'
echo 'j #maildev'
j #tb-qa
j #tb-bugs
j #thunderbird
echo 'j #qa'
j #build
j #buildduty
echo 'j #xul'
echo 'j #womoz'
echo 'j #mozillazine'
echo 'j #b2g'
query memoserv list
echo 'j #mozillians'
j #Mozilla-eo
query ChanServ
server moznet

My Konversation client (not having /join'ed #build and #buildduty) shows join and ping-timeout messages for tonymec on #thunderbird but not on #Mozilla-eo

Can you recheck in a more recent build? Seems a nullcheck accidentally disappeared from GTK2's nsWindow.cpp implementation ( http://hg.mozilla.org/mozilla-central/filelog/8776d96f0099/widget/gtk2/nsWindow.cpp ). Should be fixed now. Not sure that's it, but might as well give it a shot before going down all the relevant rabbit holes! :-)

(In reply to Gijs Kruitbosch from comment #2)
> Can you recheck in a more recent build? Seems a nullcheck accidentally
> disappeared from GTK2's nsWindow.cpp implementation (
> http://hg.mozilla.org/mozilla-central/filelog/8776d96f0099/widget/gtk2/
> nsWindow.cpp ). Should be fixed now. Not sure that's it, but might as well
> give it a shot before going down all the relevant rabbit holes! :-)

There isn't any yet (according to http://tinderbox.mozilla.org/showbuilds.cgi?tree=SeaMonkey&hours=36 the latest SeaMonkey linux x86_64 successful build was built from the m-c and c-c changesets I mentioned after my User-Agent string near the top of comment #0) but as soon as I notice one, I shall try it.

Gijs: Even though I haven't yet been able to recheck, I bet you've hit the jackpot: see bug 808873 comment #6 where the top two levels of the stack (no others are mentioned) are the same as those I got.

It happens in Firefox and Thunderbird as well.
It first appeared in 19.0a1/20121107. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f9c2c266e7aa&tochange=e587aa26326e
It's likely a regression from bug 808873.

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsWindow%3A%3AGetToplevelWidget%28%29
Blocks: 808873
Component: General → Widget: Gtk
Keywords: reproducible
Product: SeaMonkey → Core
Hardware: x86_64 → All
Summary: crash in libxul at ChatZilla startup → crash in nsWindow::GetToplevelWidget
Version: Trunk → 19 Branch
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/19.0 Firefox/19.0 SeaMonkey/2.16a1 ID:20121109003004 c-c:cc55366365ad m-c:90cea19e27e2

Now that the null check has been added back in bug 808873, this bug does not appear anymore.

I'm setting FIXED rather than WORKSFORME because the fix is in mozilla-central changeset 8671bfc8e9a8.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
No longer blocks: 808873
Depends on: 808873
(In reply to Tony Mechelynck [:tonymec] from comment #6)
[...]
> I'm setting FIXED rather than WORKSFORME because the fix is in
> mozilla-central changeset 8671bfc8e9a8.

oops, 8671bfc8e9a8 is a merge. The actual fix is in mozilla-central changeset 3985e437a262.
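
Added example (not part of the bug thread, and not Socorro's or Bugzilla's own code): the comparison made above, "same crash address" and "same top two levels of the stack", done mechanically on frames in the format pasted in comment 0. The function names are hypothetical, and REPORT_B and REPORT_C are constructed sample input.

```python
import re

# Frame layout used in comment 0: "<n>: <module>@0x<offset> in <symbol>".
# " in <symbol>" is missing for some frames and "???" marks an unresolved one.
FRAME_RE = re.compile(r"^(\d+): (\S+)@0x([0-9a-fA-F]+)(?: in (.+))?$")

def parse_frames(text):
    """Return [(index, module, offset, symbol_or_None), ...] from pasted text."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # prose, blank lines, "etc."
        index, module, offset, symbol = m.groups()
        if symbol == "???":
            symbol = None
        frames.append((int(index), module, int(offset, 16), symbol))
    return frames

def frame_name(frame):
    """Function name without its parameter list, or module@offset if unresolved."""
    _, module, offset, symbol = frame
    if symbol is None:
        return f"{module}@{offset:#x}"
    return symbol.split("(", 1)[0]  # simplification: breaks on operator()

def signature(frames, depth=2):
    """Names of the top `depth` frames, ordered by frame index."""
    return tuple(frame_name(f) for f in sorted(frames, key=lambda f: f[0])[:depth])

def same_crash(text_a, text_b, depth=2):
    """True when both traces parse and share their top `depth` frame names."""
    sig_a = signature(parse_frames(text_a), depth)
    sig_b = signature(parse_frames(text_b), depth)
    return len(sig_a) == depth and sig_a == sig_b

# First four frames as posted in comment 0.
REPORT_A = """0: libxul.so@0x12c2031 in nsWindow::GetToplevelWidget()
1: libxul.so@0x12c2534 in nsWindow::GetAttention(int)
2: libxul.so@0x2196d97 in ???
3: libxul.so@0xe3b796 in nsGlobalChromeWindow::GetAttentionWithCycleCount(int)"""

# Constructed: same top two functions at different offsets (another build).
REPORT_B = """0: libxul.so@0x12d0041 in nsWindow::GetToplevelWidget()
1: libxul.so@0x12d0544 in nsWindow::GetAttention(int)"""

# Constructed: unresolved top frame, so it must not match.
REPORT_C = """0: libexample.so@0x1a2b
1: libxul.so@0x12c2534 in nsWindow::GetAttention(int)"""
```

Comparing by function name rather than by offset is what lets reports from different builds be matched; within a single build the module@offset pair alone is enough.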