Closed Bug 816480 Opened 8 years ago Closed 8 years ago

crash in nsEventListenerManager::RemoveEventListener

Categories

(Core :: DOM: Events, defect)

x86
Windows NT
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox17 --- wontfix
firefox18 --- fixed
firefox19 --- fixed
firefox20 --- fixed
firefox-esr17 18+ fixed

People

(Reporter: wsmwk, Assigned: smaug)

References

Details

(Keywords: crash, regression, Whiteboard: [tbird topcrash])

Crash Data

Attachments

(1 file)

#28 crash, new in version 17. 
possibly addon?

This bug was filed from the Socorro interface and is 
report bp-d28a8703-0f92-4158-a3fa-a5a022121128 .
============================================================= 
0	msvcr100.dll	_VEC_memcpy	
1	xul.dll	nsTArray_base<nsTArrayInfallibleAllocator>::ShiftData	objdir-tb/mozilla/dist/include/nsTArray-inl.h:245
2	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt	objdir-tb/mozilla/dist/include/nsTArray.h:946
3	xul.dll	nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt	objdir-tb/mozilla/dist/include/nsTObserverArray.h:210
4	xul.dll	nsEventListenerManager::RemoveEventListener	content/events/src/nsEventListenerManager.cpp:408
5	xul.dll	nsEventListenerManager::RemoveEventListenerByType	content/events/src/nsEventListenerManager.cpp:454
6	xul.dll	nsWindowRoot::RemoveSystemEventListener	dom/base/nsGlobalWindow.cpp:7427
7	xul.dll	nsXULTooltipListener::DestroyTooltip	layout/xul/base/src/nsXULTooltipListener.cpp:668
8	xul.dll	nsXULTooltipListener::HideTooltip	layout/xul/base/src/nsXULTooltipListener.cpp:532
9	xul.dll	nsXULTooltipListener::~nsXULTooltipListener	layout/xul/base/src/nsXULTooltipListener.cpp:67
10	xul.dll	nsXULTooltipListener::Release	layout/xul/base/src/nsXULTooltipListener.cpp:76
11	xul.dll	nsListenerStruct::~nsListenerStruct	content/events/src/nsEventListenerManager.h:59
12	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange	objdir-tb/mozilla/dist/include/nsTArray.h:1225
13	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt	objdir-tb/mozilla/dist/include/nsTArray.h:945
14	xul.dll	nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt	objdir-tb/mozilla/dist/include/nsTObserverArray.h:210
15	xul.dll	nsEventListenerManager::RemoveEventListener	content/events/src/nsEventListenerManager.cpp:408
16	xul.dll	nsEventListenerManager::RemoveEventListenerByType	content/events/src/nsEventListenerManager.cpp:454
17	xul.dll	nsWindowRoot::RemoveSystemEventListener	dom/base/nsGlobalWindow.cpp:7427
18	xul.dll	nsXULTooltipListener::DestroyTooltip	layout/xul/base/src/nsXULTooltipListener.cpp:667
19	xul.dll	nsXULTooltipListener::HideTooltip	layout/xul/base/src/nsXULTooltipListener.cpp:532
20	xul.dll	nsXULTooltipListener::~nsXULTooltipListener	layout/xul/base/src/nsXULTooltipListener.cpp:67
21	xul.dll	nsXULTooltipListener::Release	layout/xul/base/src/nsXULTooltipListener.cpp:76
22	xul.dll	nsListenerStruct::~nsListenerStruct	content/events/src/nsEventListenerManager.h:59
23	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange	objdir-tb/mozilla/dist/include/nsTArray.h:1225
24	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt	objdir-tb/mozilla/dist/include/nsTArray.h:945
25	xul.dll	nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt	objdir-tb/mozilla/dist/include/nsTObserverArray.h:210
26	xul.dll	nsEventListenerManager::RemoveEventListener	content/events/src/nsEventListenerManager.cpp:408
27	xul.dll	nsEventListenerManager::RemoveEventListenerByType	content/events/src/nsEventListenerManager.cpp:454
28	xul.dll	nsWindowRoot::RemoveSystemEventListener	dom/base/nsGlobalWindow.cpp:7427
29	xul.dll	nsXULTooltipListener::DestroyTooltip	layout/xul/base/src/nsXULTooltipListener.cpp:666
30	xul.dll	nsXULTooltipListener::HideTooltip	layout/xul/base/src/nsXULTooltipListener.cpp:532
31	xul.dll	nsXULTooltipListener::~nsXULTooltipListener	layout/xul/base/src/nsXULTooltipListener.cpp:67
32	xul.dll	nsXULTooltipListener::Release	layout/xul/base/src/nsXULTooltipListener.cpp:76
33	xul.dll	nsListenerStruct::~nsListenerStruct	content/events/src/nsEventListenerManager.h:59
34	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange	objdir-tb/mozilla/dist/include/nsTArray.h:1225
35	xul.dll	nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt	objdir-tb/mozilla/dist/include/nsTArray.h:945
36	xul.dll	nsAutoTObserverArray<nsListenerStruct,2>::Clear	objdir-tb/mozilla/dist/include/nsTObserverArray.h:234
37	xul.dll	nsEventListenerManager::cycleCollection::UnlinkImpl	content/events/src/nsEventListenerManager.cpp:161
38	xul.dll	nsCycleCollector::CollectWhite	xpcom/base/nsCycleCollector.cpp:2314
39	xul.dll	nsCycleCollector::FinishCollection	xpcom/base/nsCycleCollector.cpp:2874
40	xul.dll	nsCycleCollector::Collect	xpcom/base/nsCycleCollector.cpp:2759
41	xul.dll	nsCycleCollector::Shutdown	xpcom/base/nsCycleCollector.cpp:2924 

another example bp-e87f8c02-08ee-417e-b35c-3b78f2121128
Product: Thunderbird → Core
Component: General → DOM: Events
Summary: crash in _VEC_memcpy → crash in nsEventListenerManager::RemoveEventListener
Odd. This is a bit similar to Bug 120863
Whiteboard: [tbird crash]
Assignee: nobody → bugs
Attached patch patchSplinter Review
I think this is an old problem, which just for some reason hasn't happened
earlier. Modifying the listener array while clearing feels bad.
I don't have a testcase, but based on the code inspection this should work.
Crossing fingers :)

https://tbpl.mozilla.org/?tree=Try&rev=c6158be3846e
Attachment #686691 - Flags: review?(jst)
Attachment #686691 - Flags: review?(jst) → review+
https://hg.mozilla.org/mozilla-central/rev/fa79d795218f
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Requesting tracking esr17, as it would be nice to have this fixed in Thunderbird 17.0.1
Ludo, do you have any ideas how to reproduce this? Do you know anyone who is seeing the crash
often? Perhaps we could create TB17-try build for such user for testing.
Please nominate for uplift to Aurora/Beta/ESR17 with a risk evaluation if we'd like this fixed in the next TB17 version.
This is low risk. Ludo, do we need this on branches?
(In reply to Olli Pettay [:smaug] from comment #8)
> This is low risk. Ludo, do we need this on branches?

We need it on ESR as it's our major release until 24.
Comment on attachment 686691 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): NA
User impact if declined: Crashes
Testing completed (on m-c, etc.): Landed m-c week ago 
Risk to taking this patch (and alternatives if risky): Shouldn't be risky 
String or UUID changes made by this patch: NA
Attachment #686691 - Flags: approval-mozilla-esr17?
Attachment #686691 - Flags: approval-mozilla-beta?
Attachment #686691 - Flags: approval-mozilla-aurora?
Attachment #686691 - Flags: approval-mozilla-esr17?
Attachment #686691 - Flags: approval-mozilla-esr17+
Attachment #686691 - Flags: approval-mozilla-beta?
Attachment #686691 - Flags: approval-mozilla-beta+
Attachment #686691 - Flags: approval-mozilla-aurora?
Attachment #686691 - Flags: approval-mozilla-aurora+
hmm, this is still occurring at a high rate for TB17.0.2.
For example bp-3c9e778d-d2f9-47b1-868c-745ba2130128
need new bug report?
Whiteboard: [tbird crash] → [tbird topcrash]
is TB17.0.2 based on ESR?
(In reply to Olli Pettay [:smaug] from comment #13)
> is TB17.0.2 based on ESR?

yes. I would think we would have picked up the patch in 17.0.2 via status-firefox-esr17: --- → fixed
Specifically, 17.0.2 still comes from comm-release/mozilla-release, but as a pre-merge release branch off the 17.0 release cycle. TB 17.0.3+ should come entirely from comm-esr17/mozilla-esr17 (bug 815302).
Yes, this landed for GECKO1701_2013010313_RELBRANCH on Jan 03 13:59:12 2013, http://hg.mozilla.org/releases/mozilla-release/rev/eb637a9dd482
Crash Signature: unsigned int) | nsAutoTObse...] → unsigned int) | nsAutoTObse... ] [@ _VEC_memcpy | nsTArray_base<nsTArrayDefaultAllocator>::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int, unsigned int) | nsTArray<nsListenerStruct nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned in…
indeed, #8 crash.
I haven't done the math, but I suspect the crash rate was not impacted at all by this patch.

most comments mention closing. 
bp-42632b54-5b53-4caf-9610-139522130324
bp-01d876f3-fc34-4fc0-836e-2aea62130320

"I got this message after I closed the Thunderbird. Firefox is giving me the same message, same circumstances. Might be my computer or the complement of programs running in the background." (user has PATROLPRO installed, but doesn't look to be the norm for other crashes)
bp-855399b7-9a7d-4486-bc82-8d3712130323
Blocks: 877671
You need to log in before you can comment on or make changes to this bug.