Closed Bug 557689 Opened 15 years ago Closed 15 years ago

Mochitest-3 (debug) crash after running test_bug366682.html or test_selection_move_commands.xul as a result of bug 542919 [@ nsCOMPtr<nsIMutationObserver>::assign_with_AddRef]

Categories

(Core :: DOM: Core & HTML, defect)

x86
All
defect
Not set
normal

RESOLVED FIXED
mozilla1.9.3a5

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

Details

(Keywords: crash)

Attachments

(2 files)

http://tinderbox.mozilla.org/showlog.cgi?tree=Firefox&errorparser=unittest&logfile=1270592344.1270593951.28811.gz&buildtime=1270592344&buildname=Linux%20mozilla-central%20debug%20test%20mochitests-3%2f5&fulltext=1#err2
Linux mozilla-central debug test mochitests-3/5 on 2010/04/06 15:19:04

This happened a bunch of times today, and I'm pretty sure that I've seen this before. Here is the crash stack:

Thread 0 (crashed)
 0 libxul.so!nsCOMPtr<nsIMutationObserver>::assign_with_AddRef [nsCOMPtr.h : 1180 + 0x8]
    eip = 0x015dad22 esp = 0xbf985e50 ebp = 0xbf985e58 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 eax = 0x00000040 ecx = 0x00000001 edx = 0x0ba8d990 efl = 0x00210212 Found by: given as instruction pointer in context
 1 libxul.so!nsCOMPtr<nsIMutationObserver>::operator= [nsCOMPtr.h : 640 + 0x11]
    eip = 0x015daecc esp = 0xbf985e60 ebp = 0xbf985e68 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 2 libxul.so!nsNodeUtils::LastRelease [nsNodeUtils.cpp:40038cc9f245 : 210 + 0x3d]
    eip = 0x015da02b esp = 0xbf985e70 ebp = 0xbf985ec8 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 3 libxul.so!nsDocument::Release [nsDocument.cpp:40038cc9f245 : 1560 + 0x10a]
    eip = 0x01583c2c esp = 0xbf985ed0 ebp = 0xbf985f08 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 4 libxul.so!nsHTMLDocument::Release [nsHTMLDocument.cpp:40038cc9f245 : 272 + 0xa]
    eip = 0x01731457 esp = 0xbf985f10 ebp = 0xbf985f38 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 5 libxul.so!DoDeferredRelease<nsISupports*> [xpcjsruntime.cpp:40038cc9f245 : 489 + 0x11]
    eip = 0x00f2df9c esp = 0xbf985f40 ebp = 0xbf985f58 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 6 libxul.so!XPCJSRuntime::GCCallback [xpcjsruntime.cpp:40038cc9f245 : 760 + 0xf]
    eip = 0x00f2fb9e esp = 0xbf985f60 ebp = 0xbf986048 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 7 libxul.so!DOMGCCallback [nsJSEnvironment.cpp:40038cc9f245 : 3723 + 0x1e]
    eip = 0x0183cc7c esp = 0xbf986050 ebp = 0xbf986078 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 8 libxul.so!XPCCycleCollectGCCallback [nsXPConnect.cpp:40038cc9f245 : 413 + 0x1e]
    eip = 0x00efe212 esp = 0xbf986080 ebp = 0xbf9860a8 ebx = 0x02a34db0 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
 9 libmozjs.so!js_GC [jsgc.cpp:40038cc9f245 : 3397 + 0x12]
    eip = 0x0034a8b5 esp = 0xbf9860b0 ebp = 0xbf986188 ebx = 0x0050bfd4 esi = 0x08157d78 edi = 0x00000000 Found by: call frame info
10 libmozjs.so!JS_GC [jsapi.cpp:40038cc9f245 : 2313 + 0x12]
    eip = 0x002eb0ef esp = 0xbf986190 ebp = 0xbf9861a8 ebx = 0x0050bfd4 esi = 0x00e3cb74 edi = 0x00000000 Found by: call frame info
11 libxul.so!nsXPConnect::Collect [nsXPConnect.cpp:40038cc9f245 : 479 + 0xa]
    eip = 0x00efd77c esp = 0xbf9861b0 ebp = 0xbf986288 ebx = 0x02a34db0 esi = 0x00e3cb74 edi = 0x00000000 Found by: call frame info
12 libxul.so!nsCycleCollector::Collect [nsCycleCollector.cpp:40038cc9f245 : 2520 + 0x17]
    eip = 0x022ca4e7 esp = 0xbf986290 ebp = 0xbf98a158 ebx = 0x02a34db0 esi = 0x00e3cb74 edi = 0x00000000 Found by: call frame info
13 libxul.so!nsCycleCollector_collect [nsCycleCollector.cpp:40038cc9f245 : 3217 + 0x1f]
    eip = 0x022ca5d2 esp = 0xbf98a160 ebp = 0xbf98a178 ebx = 0x02a34db0 esi = 0x00e3cb74 edi = 0x00000000 Found by: call frame info
14 libxul.so!nsJSContext::CC [nsJSEnvironment.cpp:40038cc9f245 : 3537 + 0x4]
    eip = 0x0183f355 esp = 0xbf98a180 ebp = 0xbf98a198 ebx = 0x02a34db0 esi = 0x00e3cb74 edi = 0x00000000 Found by: call frame info
15 libxul.so!nsJSContext::IntervalCC [nsJSEnvironment.cpp:40038cc9f245 : 3625 + 0x4]
    eip = 0x0183f3eb esp = 0xbf98a1a0 ebp = 0xbf98a1d8 ebx = 0x02a34db0 esi = 0x00e3cb74 edi = 0x00000000 Found by: call frame info
16 libxul.so!nsJSContext::MaybeCC [nsJSEnvironment.cpp:40038cc9f245 : 3603 + 0x4]
    eip = 0x0183f4fa esp = 0xbf98a1e0 ebp = 0xbf98a208 ebx = 0x02a34db0 esi = 0x0000602d edi = 0x0211afbc Found by: call frame info
17 libxul.so!nsJSContext::CCIfUserInactive [nsJSEnvironment.cpp:40038cc9f245 : 3613 + 0xb]
    eip = 0x0183f538 esp = 0xbf98a210 ebp = 0xbf98a218 ebx = 0x02a34db0 esi = 0x0000602d edi = 0x0211afbc Found by: call frame info
18 libxul.so!GCTimerFired [nsJSEnvironment.cpp:40038cc9f245 : 3651 + 0x4]
    eip = 0x0183f751 esp = 0xbf98a220 ebp = 0xbf98a228 ebx = 0x02a34db0 esi = 0x0000602d edi = 0x0211afbc Found by: call frame info
19 libxul.so!nsTimerImpl::Fire [nsTimerImpl.cpp:40038cc9f245 : 427 + 0x14]
    eip = 0x022b7ca8 esp = 0xbf98a230 ebp = 0xbf98a278 ebx = 0x02a34db0 esi = 0x0000602d edi = 0x0211afbc Found by: call frame info
20 libxul.so!nsTimerEvent::Run [nsTimerImpl.cpp:40038cc9f245 : 519 + 0x12]
    eip = 0x022b7ed9 esp = 0xbf98a280 ebp = 0xbf98a2a8 ebx = 0x02a34db0 esi = 0x0000602d edi = 0x0211afbc Found by: call frame info
21 libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:40038cc9f245 : 527 + 0x18]
    eip = 0x022b0957 esp = 0xbf98a2b0 ebp = 0xbf98a318 ebx = 0x02a34db0 esi = 0x088c8fc4 edi = 0x0211afbc Found by: call frame info
22 libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 250 + 0x1f]
    eip = 0x02244180 esp = 0xbf98a320 ebp = 0xbf98a358 ebx = 0x02a34db0 esi = 0x00000001 edi = 0x0211afbc Found by: call frame info
23 libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:40038cc9f245 : 118 + 0x15]
    eip = 0x0218d0ca esp = 0xbf98a360 ebp = 0xbf98a3a8 ebx = 0x02a34db0 esi = 0x00000001 edi = 0x0211afbc Found by: call frame info
24 libxul.so!MessageLoop::RunInternal [message_loop.cc:40038cc9f245 : 216 + 0x22]
    eip = 0x02327df7 esp = 0xbf98a3b0 ebp = 0xbf98a3d8 ebx = 0x02a34db0 esi = 0x08491fa8 edi = 0x0211afbc Found by: call frame info
25 libxul.so!MessageLoop::RunHandler [message_loop.cc:40038cc9f245 : 199 + 0xa]
    eip = 0x02327e1b esp = 0xbf98a3e0 ebp = 0xbf98a3e8 ebx = 0x02a34db0 esi = 0x08491fa8 edi = 0x0211afbc Found by: call frame info
26 libxul.so!MessageLoop::Run [message_loop.cc:40038cc9f245 : 173 + 0xa]
    eip = 0x02327e9f esp = 0xbf98a3f0 ebp = 0xbf98a418 ebx = 0x02a34db0 esi = 0x08491fa8 edi = 0x0211afbc Found by: call frame info
27 libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:40038cc9f245 : 174 + 0xc]
    eip = 0x0203e768 esp = 0xbf98a420 ebp = 0xbf98a458 ebx = 0x02a34db0 esi = 0x08491fa8 edi = 0x0211afbc Found by: call frame info
28 libxul.so!nsAppStartup::Run [nsAppStartup.cpp:40038cc9f245 : 182 + 0x1b]
    eip = 0x01d96ff1 esp = 0xbf98a460 ebp = 0xbf98a498 ebx = 0x02a34db0 esi = 0x08491fa8 edi = 0x0211afbc Found by: call frame info
29 libxul.so!XRE_main [nsAppRunner.cpp:40038cc9f245 : 3545 + 0x1b]
    eip = 0x00ec87f9 esp = 0xbf98a4a0 ebp = 0xbf98aa58 ebx = 0x02a34db0 esi = 0x08491fa8 edi = 0x0211afbc Found by: call frame info
30 firefox-bin!main [nsBrowserApp.cpp:40038cc9f245 : 158 + 0x1d]
    eip = 0x08048e42 esp = 0xbf98aa60 ebp = 0xbf98aac8 ebx = 0x0804bb04 esi = 0x081596f8 edi = 0x0229ab48 Found by: call frame info
31 libc-2.5.so + 0x15deb
    eip = 0x0624ddec esp = 0xbf98aae0 ebp = 0xbf98ab38 ebx = 0x06370ff4 esi = 0x00a88ca0 edi = 0x00000000 Found by: call frame info
32 firefox-bin + 0x9f0
    eip = 0x080489f1 esp = 0xbf98ab40 ebp = 0x00000000 Found by: previous frame's frame pointer
33 firefox-bin!Output [nsBrowserApp.cpp:40038cc9f245 : 77 + 0x5]
    eip = 0x08048b42 esp = 0xbf98ab44 ebp = 0x00000000 Found by: stack scanning
34 ld-2.5.so + 0xe2cf
    eip = 0x00a7d2d0 esp = 0xbf98ab58 ebp = 0x00000000 Found by: stack scanning
35 ld-2.5.so + 0x1688a
    eip = 0x00a8588b esp = 0xbf98ab60 ebp = 0x00000000 Found by: stack scanning

On Windows, it seems that we're trying to read from 0xdddddddd, which is MSVC's signature for free'd memory.

dbaron ran this under valgrind, and here is the log from valgrind:

###!!! ASSERTION: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file /home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresContext.h, line 1252
    nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, int, nsCSSFrameConstructor::RemoveFlags, int*) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsCSSFrameConstructor.cpp:6871)
    PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresShell.cpp:4866)
    nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsNodeUtils.cpp:183)
    nsGenericElement::doRemoveChildAt(unsigned int, int, nsIContent*, nsIContent*, nsIDocument*, nsAttrAndChildArray&, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:3439)
    nsGenericElement::RemoveChildAt(unsigned int, int, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:3367)
    ~nsString (/home/dbaron/builds/mozilla-central/obj/firefox-debugopt/layout/forms/../../dist/include/nsTString.h:55)
    nsCOMPtr<nsIEditor>::operator->() const (/home/dbaron/builds/mozilla-central/obj/firefox-debugopt/layout/forms/../../dist/include/nsCOMPtr.h:796)
    nsTextControlFrame::EnsureEditorInitialized() (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:1343)
    nsTextControlFrame::GetEditor(nsIEditor**) (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:2002)
    NS_InvokeByIndex_P (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:210)
    XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2750)
    XPCWrappedNative::GetAttribute(XPCCallContext&) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcprivate.h:2575)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:836)
    js_InternalInvoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:900)
    js_InternalGetOrSet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:938)
    JSScopeProperty::get(JSContext*, JSObject*, JSObject*, long*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsscope.h:970)
    js_NativeGet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:4923)
    js_GetPropertyHelper (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:5095)
    js_Interpret (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsops.cpp:1502)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:843)
    nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697)
    PrepareAndDispatch (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153)
    SharedStub (xptcstubs_x86_64_linux.cpp:0)
###!!! ASSERTION: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file /home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresContext.h, line 1252
    nsIFrame::GetParent() const (/home/dbaron/builds/mozilla-central/mozilla/layout/base/../generic/nsIFrame.h:758)
    PresShell::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresShell.cpp:4866)
    nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsNodeUtils.cpp:183)
    nsGenericElement::doRemoveChildAt(unsigned int, int, nsIContent*, nsIContent*, nsIDocument*, nsAttrAndChildArray&, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:3439)
    nsGenericElement::RemoveChildAt(unsigned int, int, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:3367)
    ~nsString (/home/dbaron/builds/mozilla-central/obj/firefox-debugopt/layout/forms/../../dist/include/nsTString.h:55)
    nsCOMPtr<nsIEditor>::operator->() const (/home/dbaron/builds/mozilla-central/obj/firefox-debugopt/layout/forms/../../dist/include/nsCOMPtr.h:796)
    nsTextControlFrame::EnsureEditorInitialized() (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:1343)
    nsTextControlFrame::GetEditor(nsIEditor**) (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:2002)
    NS_InvokeByIndex_P (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:210)
    XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2750)
    XPCWrappedNative::GetAttribute(XPCCallContext&) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcprivate.h:2575)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:836)
    js_InternalInvoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:900)
    js_InternalGetOrSet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:938)
    JSScopeProperty::get(JSContext*, JSObject*, JSObject*, long*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsscope.h:970)
    js_NativeGet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:4923)
    js_GetPropertyHelper (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:5095)
    js_Interpret (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsops.cpp:1502)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:843)
    nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697)
    PrepareAndDispatch (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153)
    SharedStub (xptcstubs_x86_64_linux.cpp:0)
###!!! ASSERTION: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file /home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresContext.h, line 1252
    nsCSSFrameConstructor::ContentAppended(nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsCSSFrameConstructor.cpp:6112)
    PresShell::ContentAppended(nsIDocument*, nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresShell.cpp:4806)
    nsNodeUtils::ContentAppended(nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsNodeUtils.cpp:135)
    nsGenericElement::doInsertChildAt(nsIContent*, unsigned int, int, nsIContent*, nsIDocument*, nsAttrAndChildArray&) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:3339)
    nsINode::ReplaceOrInsertBefore(int, nsINode*, nsINode*) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:4007)
    nsINode::ReplaceOrInsertBefore(int, nsIDOMNode*, nsIDOMNode*, nsIDOMNode**) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:583)
    nsCOMPtr<nsIDOMNode>::get() const (/home/dbaron/builds/mozilla-central/obj/firefox-debugopt/editor/libeditor/base/../../../dist/include/nsCOMPtr.h:777)
    nsEditor::DoTransaction(nsITransaction*) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/base/nsEditor.cpp:735)
    nsEditor::InsertNode(nsIDOMNode*, nsIDOMNode*, int) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/base/nsEditor.cpp:1436)
    nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsTextEditRules.cpp:1379)
    nsTextEditRules::Init(nsPlaintextEditor*, unsigned int) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsTextEditRules.cpp:156)
    nsPlaintextEditor::InitRules() (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:330)
    nsPlaintextEditor::EndEditorInit() (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:209)
    ~nsAutoEditInitRulesTrigger (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsTextEditUtils.cpp:134)
    nsPlaintextEditor::Init(nsIDOMDocument*, nsIPresShell*, nsIContent*, nsISelectionController*, unsigned int) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:163)
    nsTextControlFrame::EnsureEditorInitializedInternal() (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:1445)
    nsTextControlFrame::EnsureEditorInitialized() (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:1343)
    nsTextControlFrame::GetEditor(nsIEditor**) (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:2002)
    NS_InvokeByIndex_P (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:210)
    XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2750)
    XPCWrappedNative::GetAttribute(XPCCallContext&) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcprivate.h:2575)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:836)
    js_InternalInvoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:900)
    js_InternalGetOrSet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:938)
    JSScopeProperty::get(JSContext*, JSObject*, JSObject*, long*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsscope.h:970)
    js_NativeGet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:4923)
    js_GetPropertyHelper (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:5095)
    js_Interpret (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsops.cpp:1502)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:843)
    nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697)
    PrepareAndDispatch (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153)
    SharedStub (xptcstubs_x86_64_linux.cpp:0)
###!!! ASSERTION: recurring into frame construction: 'mPresContext->mLayoutPhaseCount[eLayoutPhase_FrameC] == 0', file /home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresContext.h, line 1252
    nsCSSFrameConstructor::ContentAppended(nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsCSSFrameConstructor.cpp:6350)
    PresShell::ContentAppended(nsIDocument*, nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/layout/base/nsPresShell.cpp:4806)
    nsNodeUtils::ContentAppended(nsIContent*, int) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsNodeUtils.cpp:135)
    nsGenericElement::doInsertChildAt(nsIContent*, unsigned int, int, nsIContent*, nsIDocument*, nsAttrAndChildArray&) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:3339)
    nsINode::ReplaceOrInsertBefore(int, nsINode*, nsINode*) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:4007)
    nsINode::ReplaceOrInsertBefore(int, nsIDOMNode*, nsIDOMNode*, nsIDOMNode**) (/home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:583)
    nsCOMPtr<nsIDOMNode>::get() const (/home/dbaron/builds/mozilla-central/obj/firefox-debugopt/editor/libeditor/base/../../../dist/include/nsCOMPtr.h:777)
    nsEditor::DoTransaction(nsITransaction*) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/base/nsEditor.cpp:735)
    nsEditor::InsertNode(nsIDOMNode*, nsIDOMNode*, int) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/base/nsEditor.cpp:1436)
    nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsTextEditRules.cpp:1379)
    nsTextEditRules::Init(nsPlaintextEditor*, unsigned int) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsTextEditRules.cpp:156)
    nsPlaintextEditor::InitRules() (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:330)
    nsPlaintextEditor::EndEditorInit() (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:209)
    ~nsAutoEditInitRulesTrigger (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsTextEditUtils.cpp:134)
    nsPlaintextEditor::Init(nsIDOMDocument*, nsIPresShell*, nsIContent*, nsISelectionController*, unsigned int) (/home/dbaron/builds/mozilla-central/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp:163)
    nsTextControlFrame::EnsureEditorInitializedInternal() (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:1445)
    nsTextControlFrame::EnsureEditorInitialized() (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:1343)
    nsTextControlFrame::GetEditor(nsIEditor**) (/home/dbaron/builds/mozilla-central/mozilla/layout/forms/nsTextControlFrame.cpp:2002)
    NS_InvokeByIndex_P (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:210)
    XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2750)
    XPCWrappedNative::GetAttribute(XPCCallContext&) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcprivate.h:2575)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:836)
    js_InternalInvoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:900)
    js_InternalGetOrSet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:938)
    JSScopeProperty::get(JSContext*, JSObject*, JSObject*, long*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsscope.h:970)
    js_NativeGet (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:4923)
    js_GetPropertyHelper (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:5095)
    js_Interpret (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsops.cpp:1502)
    js_Invoke (/home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:843)
    nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (/home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697)
    PrepareAndDispatch (/home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153)
    SharedStub (xptcstubs_x86_64_linux.cpp:0)
Starting nsCycleCollector_collect
Doing JS GC...
... JS_GC took 1247 milliseconds.
--DOMWINDOW == 13 (0x1453eef8) [serial = 14] [outer = 0x26d0b7c0] [url = about:blank]
--DOMWINDOW == 12 (0x2266d808) [serial = 13] [outer = 0x26d0b7c0] [url = about:blank]
...nsCycleCollector_collect took 1469 milliseconds.
nsDocShell(0x26c00e50)::LoadURI(http://mochi.test:8888/tests/editor/libeditor/base/tests/test_bug514156.html)
++DOMWINDOW == 13 (0x26f28d88) [serial = 16] [outer = 0x26d0b7c0]
nsDocShell(0x26c00e50)::LoadURI(http://mochi.test:8888/tests/editor/libeditor/base/tests/test_selection_move_commands.xul)
++DOMWINDOW == 14 (0x243b1238) [serial = 17] [outer = 0x26d0b7c0]
++DOCSHELL 0x2733d770 == 8
++DOMWINDOW == 15 (0x272599f8) [serial = 18] [outer = (nil)]
nsDocShell(0x2733d770)::LoadURI(about:blank)
++DOMWINDOW == 16 (0x2ba6f318) [serial = 19] [outer = 0x272599a0]
Starting nsCycleCollector_collect
Doing JS GC...
... JS_GC took 1012 milliseconds.
--DOMWINDOW == 15 (0x25d77358) [serial = 15] [outer = 0x26d0b7c0] [url = http://mochi.test:8888/tests/editor/libeditor/base/tests/test_bug502673.html]
==30305== Invalid read of size 8
==30305==    at 0x19271403: nsNodeUtils::LastRelease(nsINode*) (nsCOMPtr.h:1180)
==30305==    by 0x192010EA: nsDocument::Release() (nsDocument.cpp:1560)
==30305==    by 0x193E2245: nsHTMLDocument::Release() (nsHTMLDocument.cpp:272)
==30305==    by 0x156C26E3: XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (xpcjsruntime.cpp:517)
==30305==    by 0x19513452: DOMGCCallback(JSContext*, JSGCStatus) (nsJSEnvironment.cpp:3804)
==30305==    by 0x531A299: js_GC (jsgc.cpp:3416)
==30305==    by 0x15690924: nsXPConnect::Collect() (nsXPConnect.cpp:479)
==30305==    by 0x59B9B52: nsCycleCollector::Collect(unsigned int) (nsCycleCollector.cpp:2521)
==30305==    by 0x59B9D3F: nsCycleCollector_collect() (nsCycleCollector.cpp:3222)
==30305==    by 0x1951373E: nsJSContext::CC() (nsJSEnvironment.cpp:3618)
==30305==    by 0x1951378E: nsJSContext::IntervalCC() (nsJSEnvironment.cpp:3706)
==30305==    by 0x18ED8B2C: DocumentViewerImpl::LoadComplete(unsigned int) (nsDocumentViewer.cpp:1076)
==30305==  Address 0x26dc8c48 is 4 bytes after a block of size 4 alloc'd
==30305==    at 0x4C25153: malloc (vg_replace_malloc.c:195)
==30305==    by 0x1B91C7E3: HashMgr::add_hidden_capitalized_word(char*, int, int, unsigned short*, int, char*, int) (hashmgr.cpp:287)
==30305==    by 0x1B91CC47: HashMgr::load_tables(char const*, char const*) (hashmgr.cpp:527)
==30305==    by 0x1B91CDA1: HashMgr::HashMgr(char const*, char const*, char const*) (hashmgr.cpp:105)
==30305==    by 0x1B9222C9: Hunspell::Hunspell(char const*, char const*, char const*) (hunspell.cpp:87)
==30305==    by 0x1B9044CC: mozHunspell::SetDictionary(unsigned short const*) (mozHunspell.cpp:157)
==30305==    by 0x1B8EDD0D: mozSpellChecker::SetCurrentDictionary(nsAString_internal const&) (mozSpellChecker.cpp:374)
==30305==    by 0x189A3409: nsEditorSpellCheck::SetCurrentDictionary(unsigned short const*) (nsEditorSpellCheck.cpp:454)
==30305==    by 0x189A4C1F: nsEditorSpellCheck::InitSpellChecker(nsIEditor*, int) (nsEditorSpellCheck.cpp:212)
==30305==    by 0x1B8FA3FE: mozInlineSpellChecker::SetEnableRealTimeSpell(int) (mozInlineSpellChecker.cpp:725)
==30305==    by 0x19638E66: nsEditor::SyncRealTimeSpell() (nsEditor.cpp:1369)
==30305==    by 0x193EB8D4: nsHTMLDocument::EditingStateChanged() (nsHTMLDocument.cpp:3368)
==30305==
==30305== Invalid read of size 8
==30305==    at 0x19271406: nsNodeUtils::LastRelease(nsINode*) (nsCOMPtr.h:1180)
==30305==    by 0x192010EA: nsDocument::Release() (nsDocument.cpp:1560)
==30305==    by 0x193E2245: nsHTMLDocument::Release() (nsHTMLDocument.cpp:272)
==30305==    by 0x156C26E3: XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (xpcjsruntime.cpp:517)
==30305==    by 0x19513452: DOMGCCallback(JSContext*, JSGCStatus) (nsJSEnvironment.cpp:3804)
==30305==    by 0x531A299: js_GC (jsgc.cpp:3416)
==30305==    by 0x15690924: nsXPConnect::Collect() (nsXPConnect.cpp:479)
==30305==    by 0x59B9B52: nsCycleCollector::Collect(unsigned int) (nsCycleCollector.cpp:2521)
==30305==    by 0x59B9D3F: nsCycleCollector_collect() (nsCycleCollector.cpp:3222)
==30305==    by 0x1951373E: nsJSContext::CC() (nsJSEnvironment.cpp:3618)
==30305==    by 0x1951378E: nsJSContext::IntervalCC() (nsJSEnvironment.cpp:3706)
==30305==    by 0x18ED8B2C: DocumentViewerImpl::LoadComplete(unsigned int) (nsDocumentViewer.cpp:1076)
==30305==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==30305==
==30305==
==30305== HEAP SUMMARY:
==30305==     in use at exit: 32,752,104 bytes in 286,847 blocks
==30305==   total heap usage: 789,810 allocs, 502,963 frees, 268,308,711 bytes allocated
==30305==
==30305== LEAK SUMMARY:
==30305==    definitely lost: 11,462 bytes in 41 blocks
==30305==    indirectly lost: 39,472 bytes in 1,216 blocks
==30305==      possibly lost: 17,741,366 bytes in 198,132 blocks
==30305==    still reachable: 14,931,916 bytes in 87,139 blocks
==30305==         suppressed: 27,888 bytes in 319 blocks
==30305== Rerun with --leak-check=full to see details of leaked memory
==30305==
==30305== For counts of detected and suppressed errors, rerun with: -v
==30305== Use --track-origins=yes to see where uninitialised values come from
==30305== ERROR SUMMARY: 509 errors from 19 contexts (suppressed: 19 from 7)
TEST-UNEXPECTED-FAIL | automation.py | Exited with code -9 during test run
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1270598239.1270600954.17640.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/04/06 16:57:19
s: win32-slave12
Blocks: 221820
I've backed out the patches for bug 221820 so that we can investigate this issue which seems to have been triggered a lot by that bug offline and fix the problem and reland bug 221820.
Attached file: valgrind warnings at full stack depth (deleted)
It's pretty weird to get a read from a totally random address when valgrind doesn't also report reading from uninitialized memory.
Actually, this had happened before: bug 542919 comment 14. Assigning myself to investigate.
Assignee: nobody → ehsan
Blocks: 542919
No longer blocks: 221820, 438871
Status: NEW → ASSIGNED
Summary: Mochitest-3 (debug) crash after running test_bug366682.html [@ nsCOMPtr<nsIMutationObserver>::assign_with_AddRef] → Mochitest-3 (debug) crash after running test_bug366682.html as a result of bug 542919 [@ nsCOMPtr<nsIMutationObserver>::assign_with_AddRef]
Whiteboard: [orange]
Those FC reentry asserts also look... odd.
It seems like the immediate cause of the crash is a bad pointer in the mutation observers array... most likely one that's been a bad pointer for a *long* time.
Depends on: 558111
I got access to a VM clone of the same Linux box configuration which runs our unit tests, and I tried running the tests several times, and I couldn't reproduce the crash even once. :( I'm not sure how to proceed from this point...
Try relanding, and if it shows up again, debug by adding some relevant printfs to the code?
I landed the patch for bug 542919 again: http://hg.mozilla.org/mozilla-central/rev/3dcfd44195d6 The only theory that I have which may be the cause of this crash is the fact that with that patch, we would attempt to set the value of the editor after it was initialized even when the value was empty. I pushed another patch on top of that one to change this behavior to make it match what we do right now (which is, skipping the editor value set when the initial value is empty.) I'll wait and see if this fixes the crash. The patch I mentioned here is: http://hg.mozilla.org/mozilla-central/rev/3c1ac0bbeb52
Apparently, that patch fixed the problem!
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Gah. Can we file a bug on that? Setting editor to empty shouldn't cause crashes...
(In reply to comment #13)
> Gah. Can we file a bug on that? Setting editor to empty shouldn't cause
> crashes...

Well, I'm not still sure what was happening there. The test which the crash happens on doesn't really use this code. Here is the test: http://mxr.mozilla.org/mozilla-central/source/editor/libeditor/html/tests/test_bug366682.html?force=1 I still don't get why/how the crash happens, and why the lazy editor initialization patch is actually triggering it.
Arghh, the crash has happened again once on Tinderbox so far: http://tinderbox.mozilla.org/showlog.cgi?tree=Firefox&errorparser=unittest&logfile=1271035234.1271036890.29070.gz&buildtime=1271035234&buildname=WINNT%205.2%20mozilla-central%20debug%20test%20mochitests-3%2f5&fulltext=1 The fact that this is intermittent and I have never been able to reproduce it locally (or even on a VM clone that releng configured for me) makes this really hard to debug. I think at this point we need to do what dbaron suggests in comment 10, but I'm still not sure what a useful set of printf debug messages might be...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
And I think backing out the lazy editor init stuff might only make the job of tracking this down harder, so maybe I should just let those patches remain in the tree and try to figure out a good printf debugging strategy?
I landed a number of debug printf's to log the creation and destruction of editor objects, and also when they add or remove a mutation observer on the document. http://hg.mozilla.org/mozilla-central/rev/b501122477cc
Masayuki just starred http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1271043908.1271045564.16501.gz with this bug, and the failure in that log was /tests/editor/libeditor/base/tests/test_selection_move_commands.xul instead of test_bug366682.html; adding test_selection_move_commands.xul to the summary for suggestion purposes.
Summary: Mochitest-3 (debug) crash after running test_bug366682.html as a result of bug 542919 [@ nsCOMPtr<nsIMutationObserver>::assign_with_AddRef] → Mochitest-3 (debug) crash after running test_bug366682.html or test_selection_move_commands.xul as a result of bug 542919 [@ nsCOMPtr<nsIMutationObserver>::assign_with_AddRef]
So, the actual offending test is: http://mxr.mozilla.org/mozilla-central/source/editor/libeditor/base/tests/test_bug502673.html?force=1

What happens here is that the test accesses the editor property of the input element, which leads to the lazy initialization to start, to initialize an editor for the text control. As part of that initialization, the editor registers itself as a mutation observer for the document. Then, the test goes on to remove the input box from the document. This leads to nsTextControlFrame::PreDestroy being called, which first sets mUseEditor to false <http://hg.mozilla.org/mozilla-central/file/9acb882b2890/layout/forms/nsTextControlFrame.cpp#l1020>, and then calls nsEditor::PreDestroy, which tries to notify the document listeners, which runs the js code that the test has registered. That js code again accesses the editor property, which leads to lazy initialization, which creates another editor which overwrites mEditor on the text control frame. The stack looks like this:

#0 0x00bbf875 in nsEditor::nsEditor at nsEditor.cpp:159
#1 0x00ba79f0 in nsPlaintextEditor::nsPlaintextEditor at nsPlaintextEditor.cpp:102
#2 0x0048bb09 in nsPlaintextEditorConstructor at nsLayoutModule.cpp:149
#3 0x014eef2c in nsGenericFactory::CreateInstance at nsGenericFactory.cpp:80
#4 0x0154f77a in nsComponentManagerImpl::CreateInstance at nsComponentManager.cpp:1597
#5 0x014e2185 in CallCreateInstance at nsComponentManagerUtils.cpp:157
#6 0x014e21c7 in nsCreateInstanceByCID::operator() at nsComponentManagerUtils.cpp:199
#7 0x0062567b in nsCOMPtr<nsIEditor>::assign_from_helper at nsCOMPtr.h:1249
#8 0x0062600b in nsCOMPtr<nsIEditor>::operator= at nsCOMPtr.h:707
#9 0x0062031b in nsTextControlFrame::EnsureEditorInitializedInternal at nsTextControlFrame.cpp:1405
#10 0x0061dfb3 in nsTextControlFrame::EnsureEditorInitialized at nsTextControlFrame.cpp:1343
#11 0x00618e8b in nsTextControlFrame::GetEditor at nsTextControlFrame.cpp:2005
#12 0x008ff112 in nsGenericHTMLElement::GetEditorInternal at nsGenericHTMLElement.cpp:3049
#13 0x008ff192 in nsGenericHTMLElement::GetEditor at nsGenericHTMLElement.cpp:3037
#14 0x0093ad26 in nsHTMLInputElement::GetEditor at nsHTMLInputElement.cpp:253
#15 0x01577fa4 in NS_InvokeByIndex_P at xptcinvoke_unixish_x86.cpp:179
#16 0x0019ff5e in XPCWrappedNative::CallMethod at xpcwrappednative.cpp:2750
#17 0x001aed4f in XPCWrappedNative::GetAttribute at xpcprivate.h:2575
#18 0x001a7edf in XPC_WN_GetterSetter at xpcwrappednativejsops.cpp:1814
#19 0x03a20410 in js_Invoke at jsinterp.cpp:835
#20 0x03a20a27 in js_InternalInvoke at jsinterp.cpp:900
#21 0x03a20b40 in js_InternalGetOrSet at jsinterp.cpp:937
#22 0x03a3fcbf in JSScopeProperty::get at jsscope.h:970
#23 0x03a34cbd in js_NativeGet at jsobj.cpp:4923
#24 0x03a352ae in js_GetPropertyHelper at jsobj.cpp:5095
#25 0x03a080a9 in js_Interpret at jsops.cpp:1502
#26 0x03a20459 in js_Invoke at jsinterp.cpp:843
#27 0x00192465 in nsXPCWrappedJSClass::CallMethod at xpcwrappedjsclass.cpp:1696
#28 0x00188ceb in nsXPCWrappedJS::CallMethod at xpcwrappedjs.cpp:570
#29 0x0157d4e4 in PrepareAndDispatch at xptcstubs_unixish_x86.cpp:93
#30 0x01578079 in nsXPTCStubBase::Stub4 at xptcstubsdef.inc:2
#31 0x00bbbcc8 in nsEditor::NotifyDocumentListeners at nsEditor.cpp:2728
#32 0x00bbe82b in nsEditor::PreDestroy at nsEditor.cpp:540
#33 0x006217d8 in nsTextControlFrame::PreDestroy at nsTextControlFrame.cpp:1027

This sequence causes nsEditor::PreDestroy not to be called on the second editor, and therefore it never gets a chance to remove itself from the document's mutation listeners list, and leads to a crash some time in the future. I'm currently working on a fix.
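The re-entrant teardown described in the comment above, as an added example that is not part of the bug thread and is not Gecko code. Document, Editor, Frame and RunTeardown are hypothetical names, the missedPreDestroy counter stands in for the destructor assertion mentioned later in the thread, and the guard flag is an assumed mitigation, not the patch that landed.

```cpp
#include <functional>
#include <memory>
#include <set>
// Hypothetical model, not Gecko code; the guard is an assumption, not the landed patch.
struct Document { std::set<const void*> observers; int missedPreDestroy = 0; };  // raw observer pointers

struct Editor {
    Document& doc;
    bool preDestroyed = false;
    explicit Editor(Document& d) : doc(d) { doc.observers.insert(this); }
    void PreDestroy(const std::function<void()>& notifyListeners) {
        if (notifyListeners) notifyListeners();  // script runs here: re-entrancy point
        doc.observers.erase(this);
        preDestroyed = true;
    }
    ~Editor() { if (!preDestroyed) ++doc.missedPreDestroy; }  // stand-in for an assertion
};

struct Frame {
    Document& doc;
    bool guard;  // assumed mitigation: refuse lazy init once teardown has begun
    bool useEditor = false, destroying = false;
    std::shared_ptr<Editor> editor;
    std::function<void()> listener;
    Editor* GetEditor() {  // lazy initialization
        if (!useEditor && !(guard && destroying)) {
            editor = std::make_shared<Editor>(doc);  // overwrites the previous editor
            useEditor = true;
        }
        return editor.get();
    }
    void PreDestroy() {
        destroying = true;
        useEditor = false;    // cleared before the editor is torn down
        auto first = editor;  // keeps the first editor alive across the callback
        first->PreDestroy(listener);
    }
};

Document RunTeardown(bool guard) {
    Document doc;
    {
        Frame f{doc, guard};
        f.listener = [&f] { f.GetEditor(); };  // listener reads the editor property again
        f.GetEditor();
        f.PreDestroy();
    }  // frame released; any editor it still holds is destroyed here
    return doc;  // observers left behind now point at freed editors
}
```

Without the guard, the returned document still lists one observer whose editor has been destroyed, which is the dangling raw pointer that a later document release walks into.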
Blocks: 221820
No longer blocks: 542919
Attached patch Patch (v1) (deleted) — Splinter Review
I also added an assertion to nsEditor's destructor to make sure that if the editor has been initialized, PreDestroy is called on it before the object is actually destroyed. I also tried a few things in order to write a crash test for this bug, but it's very tricky since in order for this to crash, the document needs to be released, which means that the GC needs to run, but apparently, Components.utils.forceGC does not cause it to be destroyed. What I did was adding a mochitest to run immediately after test_bug502673.html, which called Components.utils.forceGC, but that didn't trigger the crash. A quick review for this is highly appreciated, since it's a very frequent orange on Tinderboxes right now.
Attachment #438424 - Flags: review?(bzbarsky)
Also, I can't help but ask, why do we store plain pointers to nsIMutationObserver's, and not a refcounted nsCOMPtr? Is it for perf reasons?
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1271067435.1271068976.11508.gz WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/04/12 03:17:15 s: win32-slave35
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1271078037.1271079716.24170.gz WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/04/12 06:13:57 s: win32-slave35
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1271089717.1271091402.27794.gz WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/04/12 09:28:37 s: win32-slave35
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1271091175.1271092813.31432.gz WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/04/12 09:52:55 s: win32-slave34
The root cause of this bug is the unnecessary value exchange between the frame and the content node. This is bug 534785, which is on track to get fixed.
Comment on attachment 438424 [details] [diff] [review] Patch (v1)

Ehsan walked Gavin and me through this and it seems like this is the direction we want to go. I think it's probably worth including the number of the bug that's supposed to clean this up in the comment about this problem.
Attachment #438424 - Flags: review?(bzbarsky) → review+
http://hg.mozilla.org/mozilla-central/rev/8526e9e6c9ed

(In reply to comment #31)
> I think it's probably worth including the number of the bug that's supposed to
> clean this up in the comment about this problem.

Done.
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a5
Attachment #438424 - Flags: review?(bzbarsky)
Comment on attachment 438424 [details] [diff] [review] Patch (v1) Setting r?=bz again so that he can take a look at this patch when he's back.
Attachment #438424 - Flags: review?(bzbarsky) → review+
Crash Signature: [@ nsCOMPtr<nsIMutationObserver>::assign_with_AddRef]
Component: DOM → DOM: Core & HTML