Closed
Bug 816480
Opened 11 years ago
Closed 11 years ago
crash in nsEventListenerManager::RemoveEventListener
Categories
(Core :: DOM: Events, defect)
Tracking
()
People
(Reporter: wsmwk, Assigned: smaug)
References
Details
(Keywords: crash, regression, Whiteboard: [tbird topcrash])
Crash Data
Attachments
(1 file)
3.96 KB,
patch
|
jst
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr17+
|
Details | Diff | Splinter Review |
#28 crash, new in version 17. possibly addon? This bug was filed from the Socorro interface and is report bp-d28a8703-0f92-4158-a3fa-a5a022121128 . ============================================================= 0 msvcr100.dll _VEC_memcpy 1 xul.dll nsTArray_base<nsTArrayInfallibleAllocator>::ShiftData objdir-tb/mozilla/dist/include/nsTArray-inl.h:245 2 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:946 3 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt objdir-tb/mozilla/dist/include/nsTObserverArray.h:210 4 xul.dll nsEventListenerManager::RemoveEventListener content/events/src/nsEventListenerManager.cpp:408 5 xul.dll nsEventListenerManager::RemoveEventListenerByType content/events/src/nsEventListenerManager.cpp:454 6 xul.dll nsWindowRoot::RemoveSystemEventListener dom/base/nsGlobalWindow.cpp:7427 7 xul.dll nsXULTooltipListener::DestroyTooltip layout/xul/base/src/nsXULTooltipListener.cpp:668 8 xul.dll nsXULTooltipListener::HideTooltip layout/xul/base/src/nsXULTooltipListener.cpp:532 9 xul.dll nsXULTooltipListener::~nsXULTooltipListener layout/xul/base/src/nsXULTooltipListener.cpp:67 10 xul.dll nsXULTooltipListener::Release layout/xul/base/src/nsXULTooltipListener.cpp:76 11 xul.dll nsListenerStruct::~nsListenerStruct content/events/src/nsEventListenerManager.h:59 12 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange objdir-tb/mozilla/dist/include/nsTArray.h:1225 13 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:945 14 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt objdir-tb/mozilla/dist/include/nsTObserverArray.h:210 15 xul.dll nsEventListenerManager::RemoveEventListener content/events/src/nsEventListenerManager.cpp:408 16 xul.dll nsEventListenerManager::RemoveEventListenerByType content/events/src/nsEventListenerManager.cpp:454 17 xul.dll nsWindowRoot::RemoveSystemEventListener dom/base/nsGlobalWindow.cpp:7427 18 xul.dll nsXULTooltipListener::DestroyTooltip layout/xul/base/src/nsXULTooltipListener.cpp:667 19 xul.dll nsXULTooltipListener::HideTooltip layout/xul/base/src/nsXULTooltipListener.cpp:532 20 xul.dll nsXULTooltipListener::~nsXULTooltipListener layout/xul/base/src/nsXULTooltipListener.cpp:67 21 xul.dll nsXULTooltipListener::Release layout/xul/base/src/nsXULTooltipListener.cpp:76 22 xul.dll nsListenerStruct::~nsListenerStruct content/events/src/nsEventListenerManager.h:59 23 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange objdir-tb/mozilla/dist/include/nsTArray.h:1225 24 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:945 25 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::RemoveElementAt objdir-tb/mozilla/dist/include/nsTObserverArray.h:210 26 xul.dll nsEventListenerManager::RemoveEventListener content/events/src/nsEventListenerManager.cpp:408 27 xul.dll nsEventListenerManager::RemoveEventListenerByType content/events/src/nsEventListenerManager.cpp:454 28 xul.dll nsWindowRoot::RemoveSystemEventListener dom/base/nsGlobalWindow.cpp:7427 29 xul.dll nsXULTooltipListener::DestroyTooltip layout/xul/base/src/nsXULTooltipListener.cpp:666 30 xul.dll nsXULTooltipListener::HideTooltip layout/xul/base/src/nsXULTooltipListener.cpp:532 31 xul.dll nsXULTooltipListener::~nsXULTooltipListener layout/xul/base/src/nsXULTooltipListener.cpp:67 32 xul.dll nsXULTooltipListener::Release layout/xul/base/src/nsXULTooltipListener.cpp:76 33 xul.dll nsListenerStruct::~nsListenerStruct content/events/src/nsEventListenerManager.h:59 34 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::DestructRange objdir-tb/mozilla/dist/include/nsTArray.h:1225 35 xul.dll nsTArray<nsListenerStruct,nsTArrayDefaultAllocator>::RemoveElementsAt objdir-tb/mozilla/dist/include/nsTArray.h:945 36 xul.dll nsAutoTObserverArray<nsListenerStruct,2>::Clear objdir-tb/mozilla/dist/include/nsTObserverArray.h:234 37 xul.dll nsEventListenerManager::cycleCollection::UnlinkImpl content/events/src/nsEventListenerManager.cpp:161 38 xul.dll nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:2314 39 xul.dll nsCycleCollector::FinishCollection xpcom/base/nsCycleCollector.cpp:2874 40 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:2759 41 xul.dll nsCycleCollector::Shutdown xpcom/base/nsCycleCollector.cpp:2924 another example bp-e87f8c02-08ee-417e-b35c-3b78f2121128
Updated•11 years ago
|
Product: Thunderbird → Core
Updated•11 years ago
|
Component: General → DOM: Events
Summary: crash in _VEC_memcpy → crash in nsEventListenerManager::RemoveEventListener
Assignee | ||
Comment 1•11 years ago
|
||
Odd. This is a bit similar to Bug 120863
Reporter | ||
Updated•11 years ago
|
Keywords: regression,
regressionwindow-wanted
Whiteboard: [tbird crash]
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → bugs
Assignee | ||
Comment 2•11 years ago
|
||
I think this is an old problem, which just for some reason hasn't happened earlier. Modifying the listener array while clearing feels bad. I don't have a testcase, but based on the code inspection this should work. Crossing fingers :) https://tbpl.mozilla.org/?tree=Try&rev=c6158be3846e
Attachment #686691 -
Flags: review?(jst)
Updated•11 years ago
|
Attachment #686691 -
Flags: review?(jst) → review+
Assignee | ||
Comment 3•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fa79d795218f
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 4•11 years ago
|
||
Requesting tracking esr17, as it would be nice to have this fixed in Thunderbird 17.0.1
tracking-firefox-esr17:
--- → ?
Assignee | ||
Comment 5•11 years ago
|
||
Ludo, do you have any ideas how to reproduce this? Do you know anyone who is seeing the crash often? Perhaps we could create TB17-try build for such user for testing.
Comment 6•11 years ago
|
||
No :(
Comment 7•11 years ago
|
||
Please nominate for uplift to Aurora/Beta/ESR17 with a risk evaluation if we'd like this fixed in the next TB17 version.
Assignee | ||
Comment 8•11 years ago
|
||
This is low risk. Ludo, do we need this on branches?
Comment 9•11 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #8) > This is low risk. Ludo, do we need this on branches? We need it on ESR as it's our major release until 24.
Assignee | ||
Comment 10•11 years ago
|
||
Comment on attachment 686691 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): NA User impact if declined: Crashes Testing completed (on m-c, etc.): Landed m-c week ago Risk to taking this patch (and alternatives if risky): Shouldn't be risky String or UUID changes made by this patch: NA
Attachment #686691 -
Flags: approval-mozilla-esr17?
Attachment #686691 -
Flags: approval-mozilla-beta?
Attachment #686691 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Attachment #686691 -
Flags: approval-mozilla-esr17?
Attachment #686691 -
Flags: approval-mozilla-esr17+
Attachment #686691 -
Flags: approval-mozilla-beta?
Attachment #686691 -
Flags: approval-mozilla-beta+
Attachment #686691 -
Flags: approval-mozilla-aurora?
Attachment #686691 -
Flags: approval-mozilla-aurora+
Updated•11 years ago
|
Comment 11•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/2995c1d6718e https://hg.mozilla.org/releases/mozilla-beta/rev/d3163e8e655c https://hg.mozilla.org/releases/mozilla-esr17/rev/618ffd249ae7
status-firefox17:
--- → wontfix
status-firefox18:
--- → fixed
status-firefox19:
--- → affected
status-firefox20:
--- → fixed
status-firefox-esr17:
--- → fixed
Updated•11 years ago
|
Reporter | ||
Comment 12•11 years ago
|
||
hmm, this is still occurring at a high rate for TB17.0.2. For example bp-3c9e778d-d2f9-47b1-868c-745ba2130128 need new bug report?
Whiteboard: [tbird crash] → [tbird topcrash]
Assignee | ||
Comment 13•11 years ago
|
||
is TB17.0.2 based on ESR?
Reporter | ||
Comment 14•11 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #13) > is TB17.0.2 based on ESR? yes. I would think we would have picked up the patch in 17.0.2 via status-firefox-esr17: --- → fixed
![]() |
||
Comment 15•11 years ago
|
||
Specifically, 17.0.2 still comes from comm-release/mozilla-release, but as a pre-merge release branch off the 17.0 release cycle. TB 17.0.3+ should come entirely from comm-esr17/mozilla-esr17 (bug 815302).
![]() |
||
Comment 16•11 years ago
|
||
Yes, this landed for GECKO1701_2013010313_RELBRANCH on Jan 03 13:59:12 2013, http://hg.mozilla.org/releases/mozilla-release/rev/eb637a9dd482
Updated•11 years ago
|
Crash Signature: unsigned int) | nsAutoTObse...] → unsigned int) | nsAutoTObse... ]
[@ _VEC_memcpy | nsTArray_base<nsTArrayDefaultAllocator>::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int, unsigned int) | nsTArray<nsListenerStruct nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned in…
Comment 17•10 years ago
|
||
It's still a TB top crasher in 17.0.4. See https://crash-stats.mozilla.com/report/list?signature=_VEC_memcpy+|+nsTArray_base%3CnsTArrayInfallibleAllocator%3E%3A%3AShiftData%28unsigned+int%2C+unsigned+int%2C+unsigned+int%2C+unsigned+int%2C+unsigned+int%29+|+nsTArray%3CnsListenerStruct%2C+nsTArrayDefaultAllocator%3E%3A%3ARemoveElementsAt%28unsigned+int%2C+unsigned+int%29+|+nsAutoTObse...
Reporter | ||
Comment 18•10 years ago
|
||
indeed, #8 crash. I haven't done the math, but I suspect the crash rate was not impacted at all by this patch. most comments mention closing. bp-42632b54-5b53-4caf-9610-139522130324 bp-01d876f3-fc34-4fc0-836e-2aea62130320 "I got this message after I closed the Thunderbird. Firefox is giving me the same message, same circumstances. Might be my computer or the complement of programs running in the background." (user has PATROLPRO installed, but doesn't look to be the norm for other crashes) bp-855399b7-9a7d-4486-bc82-8d3712130323
Updated•8 years ago
|
Keywords: regressionwindow-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•