Closed
Bug 353021
Opened 18 years ago
Closed 18 years ago
crashes [@ PL_DHashTableOperate] removing from nsDOMClassInfo's sExternallyReferencedTable
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: dbaron, Assigned: smaug)
References
()
Details
(Keywords: crash, topcrash, verified1.8.1.2)
Crash Data
Attachments
(4 files)
(deleted),
text/plain; charset=utf-8
|
Details | |
(deleted),
patch
|
dbaron
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
dbaron
:
review+
dbaron
:
superreview+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
jay
:
approval1.8.1.2+
|
Details | Diff | Splinter Review |
Talkback is showing one of the Firefox2 topcrashes is in PL_DHashTableOperate (accounting for most of the PL_DHashTableOperate crashes), operating on nsDOMClassInfo's sExternallyReferencedTable with the stack that is presumably:
PL_DHashTableOperate
nsDOMClassInfo::UnsetExternallyReferenced
nsImageLoadingContent::UnpreserveLoadHandlers
nsHTMLImageElement::~nsHTMLImageElement
Reporter | ||
Comment 1•18 years ago
|
||
This is an example Linux incident, Windows incident, and Mac incident. The Windows incident is typical of many, although some have one more frame worth of information (DOMGCCallback).
Reporter | ||
Updated•18 years ago
|
Assignee | ||
Comment 2•18 years ago
|
||
Currently #10 FF2 crasher.
Could it be a problem that there is a QI and
Addred/Release happening while deleting nsHTMLImageElement?
Assignee | ||
Updated•18 years ago
|
Flags: blocking1.8.1.2?
Comment 3•18 years ago
|
||
Let's try to get some traction on this bug if we want to fix a topcrasher for the next release. Anyone want to take a shot at this one?
Flags: blocking1.8.1.2? → blocking1.8.1.2+
Assignee | ||
Comment 4•18 years ago
|
||
Could we just add an if(.ops) check.
This way if something is keeping an htmlimage alive after
nsDOMClassInfo::ShutDown we don't crash.
Attachment #250154 -
Flags: review?(dbaron)
Reporter | ||
Comment 5•18 years ago
|
||
But nsDOMClassInfo::ShutDown says:
if (sExternallyReferencedTable.ops &&
sExternallyReferencedTable.entryCount == 0) {
Did you see indications in talkback comments that this was a shutdown crash?
Assignee | ||
Comment 6•18 years ago
|
||
(In reply to comment #5)
>
> Did you see indications in talkback comments that this was a shutdown crash?
>
Some of comments are like:
"I closed the browser",
"Restarting Firefox after updating Add-ons."
"exited Firefox and pressed the OK button to clean up cookies, temp files etc."
Assignee | ||
Comment 7•18 years ago
|
||
(In reply to comment #5)
> But nsDOMClassInfo::ShutDown says:
>
> if (sExternallyReferencedTable.ops &&
> sExternallyReferencedTable.entryCount == 0) {
>
Ah, entryCount == 0. Is it possible the htmlimage isn't always
added to sExternallyReferencedTable, so that entryCount is 0, but
somehow there is an htmlimage alive...
Reporter | ||
Comment 8•18 years ago
|
||
Comment on attachment 250154 [details] [diff] [review]
possible patch
There are some known cases where these calls are unbalanced, so let's try this. r+sr=dbaron
But could you add a pair of assertions -- one that ops is non-null, and the second that the entryCount actually decreases across the remove?
Attachment #250154 -
Flags: superreview+
Attachment #250154 -
Flags: review?(dbaron)
Attachment #250154 -
Flags: review+
Assignee | ||
Comment 9•18 years ago
|
||
Assignee | ||
Comment 10•18 years ago
|
||
Checked in to trunk. Waiting few days to see whether this helps and then
asking approval for 1.8.1.2.
Reporter | ||
Comment 11•18 years ago
|
||
Comment on attachment 250187 [details] [diff] [review]
+assertions
>+ NS_ASSERTION(sExternallyReferencedTable.ops,
>+ "Unexpected null sExternallyReferencedTable.ops");
I'd make the text be "unbalanced call".
>+ NS_ASSERTION(count != sExternallyReferencedTable.entryCount,
This could be count == sExternallyReferencedTable.entryCount + 1
>+ "DOMGCParticipant wasn't removed from sExternallyReferencedTable.");
And likewise about the text.
Attachment #250187 -
Flags: superreview+
Attachment #250187 -
Flags: review+
Assignee | ||
Comment 12•18 years ago
|
||
This was checked in to trunk and applies cleanly to 1.8 branch.
Haven't seen any trunk crashes since the landing, but those have been
quite rare anyway, so waiting still few days before asking
approval.
Assignee | ||
Comment 13•18 years ago
|
||
Comment on attachment 250468 [details] [diff] [review]
checked in
hmm, though, perhaps it is better to have testing also on branch.
The patch shouldn't cause any harm in any case, since it is just a null check + assertions.
Attachment #250468 -
Flags: approval1.8.1.2?
Comment 14•18 years ago
|
||
Comment on attachment 250468 [details] [diff] [review]
checked in
Approved for 1.8 branch, a=jay for drivers. Let's get this landed now and keep an eye on crash data for any regressions and to make sure this is fixed.
Attachment #250468 -
Flags: approval1.8.1.2? → approval1.8.1.2+
Assignee | ||
Comment 15•18 years ago
|
||
Checked in to 1.8.
Assignee: dbaron → Olli.Pettay
Keywords: fixed1.8.1.2
Assignee | ||
Comment 16•18 years ago
|
||
Marking fixed, but will look at the crash data and reopen if needed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 17•18 years ago
|
||
v.fixed on Trunk and 1.8 branch based on Talkback data (or lack thereof). I only see one incident from 12/17 branch nightly (tons with 2.0.0.1 from 12/4), and only a few on the Trunk from a while back. None since.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.2 → verified1.8.1.2
Updated•14 years ago
|
Crash Signature: [@ PL_DHashTableOperate]
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•