Closed Bug 816480 Opened 13 years ago Closed 13 years ago

crash in nsEventListenerManager::RemoveEventListener

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox17 --- wontfix
firefox18 --- fixed
firefox19 --- fixed
firefox20 --- fixed
firefox-esr17 18+ fixed

People

(Reporter: wsmwk, Assigned: smaug)

References

Details

(Keywords: crash, regression, Whiteboard: [tbird topcrash])

Crash Data

Attachments

(1 file)

patch
3.96 KB, patch
jst
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
akeybl
: approval-mozilla-esr17+
Details | Diff | Splinter Review
#28 crash, new in version 17. possibly addon? This bug was filed from the Socorro interface and is report bp-d28a8703-0f92-4158-a3fa-a5a022121128 . ============================================================= 0 msvcr100.dll _VEC_memcpy 1 xul.dll nsTArray_base<nsTArrayInfallibleAllocator>::ShiftData objdir-tb/mozilla/dist/include/nsTArray-inl.h:245 2 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:946 3 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt objdir-tb/mozilla/dist/include/nsTObserverArray.h:210 4 xul.dll nsEventListenerManager::RemoveEventListener content/events/src/nsEventListenerManager.cpp:408 5 xul.dll nsEventListenerManager::RemoveEventListenerByType content/events/src/nsEventListenerManager.cpp:454 6 xul.dll nsWindowRoot::RemoveSystemEventListener dom/base/nsGlobalWindow.cpp:7427 7 xul.dll nsXULTooltipListener::DestroyTooltip layout/xul/base/src/nsXULTooltipListener.cpp:668 8 xul.dll nsXULTooltipListener::HideTooltip layout/xul/base/src/nsXULTooltipListener.cpp:532 9 xul.dll nsXULTooltipListener::~nsXULTooltipListener layout/xul/base/src/nsXULTooltipListener.cpp:67 10 xul.dll nsXULTooltipListener::Release layout/xul/base/src/nsXULTooltipListener.cpp:76 11 xul.dll nsListenerStruct::~nsListenerStruct content/events/src/nsEventListenerManager.h:59 12 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange objdir-tb/mozilla/dist/include/nsTArray.h:1225 13 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:945 14 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt objdir-tb/mozilla/dist/include/nsTObserverArray.h:210 15 xul.dll nsEventListenerManager::RemoveEventListener content/events/src/nsEventListenerManager.cpp:408 16 xul.dll nsEventListenerManager::RemoveEventListenerByType content/events/src/nsEventListenerManager.cpp:454 17 xul.dll nsWindowRoot::RemoveSystemEventListener dom/base/nsGlobalWindow.cpp:7427 18 xul.dll nsXULTooltipListener::DestroyTooltip layout/xul/base/src/nsXULTooltipListener.cpp:667 19 xul.dll nsXULTooltipListener::HideTooltip layout/xul/base/src/nsXULTooltipListener.cpp:532 20 xul.dll nsXULTooltipListener::~nsXULTooltipListener layout/xul/base/src/nsXULTooltipListener.cpp:67 21 xul.dll nsXULTooltipListener::Release layout/xul/base/src/nsXULTooltipListener.cpp:76 22 xul.dll nsListenerStruct::~nsListenerStruct content/events/src/nsEventListenerManager.h:59 23 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange objdir-tb/mozilla/dist/include/nsTArray.h:1225 24 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:945 25 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt objdir-tb/mozilla/dist/include/nsTObserverArray.h:210 26 xul.dll nsEventListenerManager::RemoveEventListener content/events/src/nsEventListenerManager.cpp:408 27 xul.dll nsEventListenerManager::RemoveEventListenerByType content/events/src/nsEventListenerManager.cpp:454 28 xul.dll nsWindowRoot::RemoveSystemEventListener dom/base/nsGlobalWindow.cpp:7427 29 xul.dll nsXULTooltipListener::DestroyTooltip layout/xul/base/src/nsXULTooltipListener.cpp:666 30 xul.dll nsXULTooltipListener::HideTooltip layout/xul/base/src/nsXULTooltipListener.cpp:532 31 xul.dll nsXULTooltipListener::~nsXULTooltipListener layout/xul/base/src/nsXULTooltipListener.cpp:67 32 xul.dll nsXULTooltipListener::Release layout/xul/base/src/nsXULTooltipListener.cpp:76 33 xul.dll nsListenerStruct::~nsListenerStruct content/events/src/nsEventListenerManager.h:59 34 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange objdir-tb/mozilla/dist/include/nsTArray.h:1225 35 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:945 36 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::Clear objdir-tb/mozilla/dist/include/nsTObserverArray.h:234 37 xul.dll nsEventListenerManager::cycleCollection::UnlinkImpl content/events/src/nsEventListenerManager.cpp:161 38 xul.dll nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:2314 39 xul.dll nsCycleCollector::FinishCollection xpcom/base/nsCycleCollector.cpp:2874 40 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2759 41 xul.dll nsCycleCollector::Shutdown xpcom/base/nsCycleCollector.cpp:2924 another example bp-e87f8c02-08ee-417e-b35c-3b78f2121128
Product: Thunderbird → Core
Component: General → DOM: Events
Summary: crash in _VEC_memcpy → crash in nsEventListenerManager::RemoveEventListener
Odd. This is a bit similar to Bug 120863
Keywords: regression, regressionwindow-wanted
Whiteboard: [tbird crash]
Assignee: nobody → bugs
Attached patch patchSplinter Review
I think this is an old problem, which just for some reason hasn't happened earlier. Modifying the listener array while clearing feels bad. I don't have a testcase, but based on the code inspection this should work. Crossing fingers :) https://tbpl.mozilla.org/?tree=Try&rev=c6158be3846e
Attachment #686691 - Flags: review?(jst)
Attachment #686691 - Flags: review?(jst) → review+
https://hg.mozilla.org/mozilla-central/rev/fa79d795218f
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Requesting tracking esr17, as it would be nice to have this fixed in Thunderbird 17.0.1
tracking-firefox-esr17: --- → ?
Ludo, do you have any ideas how to reproduce this? Do you know anyone who is seeing the crash often? Perhaps we could create TB17-try build for such user for testing.
No :(
Please nominate for uplift to Aurora/Beta/ESR17 with a risk evaluation if we'd like this fixed in the next TB17 version.
This is low risk. Ludo, do we need this on branches?
(In reply to Olli Pettay [:smaug] from comment #8) > This is low risk. Ludo, do we need this on branches? We need it on ESR as it's our major release until 24.
Comment on attachment 686691 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): NA User impact if declined: Crashes Testing completed (on m-c, etc.): Landed m-c week ago Risk to taking this patch (and alternatives if risky): Shouldn't be risky String or UUID changes made by this patch: NA
Attachment #686691 - Flags: approval-mozilla-esr17?
Attachment #686691 - Flags: approval-mozilla-beta?
Attachment #686691 - Flags: approval-mozilla-aurora?
Attachment #686691 - Flags: approval-mozilla-esr17?
Attachment #686691 - Flags: approval-mozilla-esr17+
Attachment #686691 - Flags: approval-mozilla-beta?
Attachment #686691 - Flags: approval-mozilla-beta+
Attachment #686691 - Flags: approval-mozilla-aurora?
Attachment #686691 - Flags: approval-mozilla-aurora+
hmm, this is still occurring at a high rate for TB17.0.2. For example bp-3c9e778d-d2f9-47b1-868c-745ba2130128 need new bug report?
Whiteboard: [tbird crash] → [tbird topcrash]
is TB17.0.2 based on ESR?
(In reply to Olli Pettay [:smaug] from comment #13) > is TB17.0.2 based on ESR? yes. I would think we would have picked up the patch in 17.0.2 via status-firefox-esr17: --- → fixed
Specifically, 17.0.2 still comes from comm-release/mozilla-release, but as a pre-merge release branch off the 17.0 release cycle. TB 17.0.3+ should come entirely from comm-esr17/mozilla-esr17 (bug 815302).
Yes, this landed for GECKO1701_2013010313_RELBRANCH on Jan 03 13:59:12 2013, http://hg.mozilla.org/releases/mozilla-release/rev/eb637a9dd482
Crash Signature: unsigned int) | nsAutoTObse...] → unsigned int) | nsAutoTObse... ] [@ _VEC_memcpy | nsTArray_base<nsTArrayDefaultAllocator>::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int, unsigned int) | nsTArray<nsListenerStruct nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned in…
indeed, #8 crash. I haven't done the math, but I suspect the crash rate was not impacted at all by this patch. most comments mention closing. bp-42632b54-5b53-4caf-9610-139522130324 bp-01d876f3-fc34-4fc0-836e-2aea62130320 "I got this message after I closed the Thunderbird. Firefox is giving me the same message, same circumstances. Might be my computer or the complement of programs running in the background." (user has PATROLPRO installed, but doesn't look to be the norm for other crashes) bp-855399b7-9a7d-4486-bc82-8d3712130323
Blocks: 877671
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: