Ubuntu
mozilla-thunderbird package

MASTER mozilla-thunderbird crashed [@nsViewManager::UpdateWidgetsForView] [@nsViewManager::ForceUpdate]

Bug #97324 reported by Stéphane Grimal
24
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mozilla Thunderbird
Invalid
Critical
mozilla-thunderbird (Ubuntu)
Fix Released
High
Mozilla Bugs

Bug Description

Binary package hint: mozilla-thunderbird

1) I launch OpenOffice.org 2.2 writer with fast load option ([OpenOffice.org menu : tools -> options -> RAM] to select option at startup of OpenOffice.org).
2) I open a document with open button.
3) I click on the document by email button. (no responding I think)
3) I click file -> send -> send by email under pdf format.
4) I chose protected document by password.
5) The bug report box appear on my screen...

Sorry for menu labels, my OS is in french version.

Good day.

ProblemType: Crash
Architecture: i386
Date: Wed Mar 28 10:43:53 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/lib/mozilla-thunderbird/mozilla-thunderbird-bin
Package: mozilla-thunderbird 1.5.0.10-0ubuntu2
PackageArchitecture: i386
ProcCmdline: /usr/lib/mozilla-thunderbird/mozilla-thunderbird-bin -compose attachment=file:///tmp/sv379.tmp/sv38i.tmp/cong%C3%A9.doc
ProcCwd: /usr/lib/openoffice/program
ProcEnviron:
 LANGUAGE=fr_FR.UTF-8@euro
 PATH=/usr/lib/openoffice/program:/usr/local/qt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
 LANG=fr_FR.UTF-8@euro
 SHELL=/bin/bash
Signal: 11
SourcePackage: mozilla-thunderbird
StacktraceTop:
 __kernel_vsyscall ()
 raise () from /lib/tls/i686/cmov/libpthread.so.0
 ?? ()
 ?? ()
 ?? ()
Uname: Linux stephdevel 2.6.20-13-generic #2 SMP Sun Mar 25 00:21:25 UTC 2007 i686 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin mysql plugdev scanner video

From retraced stacktrace:
...
#3 <signal handler called>
#4 nsViewManager::UpdateWidgetsForView (this=0x8aae230, aView=0x0)
#5 nsViewManager::ForceUpdate (this=0x8aae230) at nsViewManager.cpp:3656
#6 nsViewManager::Composite (this=0x8aae230) at nsViewManager.cpp:1631
#7 nsViewManager::EnableRefresh (this=0x8aae230, aUpdateFlags=2) at nsViewManager.cpp:3438
#8 nsViewManager::EndUpdateViewBatch (this=0x8aae230, aUpdateFlags=2)
#9 nsEditor::EndUpdateViewBatch (this=0x8aad9c0) at nsEditor.cpp:4568
#10 nsHTMLEditor::EndUpdateViewBatch (this=0x8aad9c0) at nsHTMLEditor.cpp:5735
#11 nsEditor::EndPlaceHolderTransaction (this=0x8aad9c0) at nsEditor.cpp:933
#12 nsHTMLEditor::StyleSheetLoaded (this=0x8aad9c0, aSheet=0x8b26490, aNotify=1)
...

See original description
Revision history for this message
In , Adam Guthrie (ispiked) wrote :

The line numbers for where it's crashing don't match up. nsViewManager::UpdateWidgetsForView is on line 3213 of nsViewManager.cpp.

Revision history for this message
In , Bugzilla-quilty (bugzilla-quilty) wrote :

Same thing again with 1.5.0.2: TB19115700X.
There are 50 incidents in the Talkback database with a stack signature "nsViewManager::UpdateWidgetsForView()" citing line 345, for Mac and Linux only, and a further 47 incidents with stack signature "nsViewManager::UpdateWidgetsForView" citing line 3217 for Windows only.

Cross-ref: Bug 293651 filed against the core.

Stack Signature nsViewManager::UpdateWidgetsForView() e772bf97
Product ID Thunderbird15
Build ID 2006030804
Trigger Time 2006-05-25 12:29:49.0
Platform MacOSX
Operating System Darwin 7.9.0
Module thunderbird-bin + (003529ac)
URL visited
User Comments
Since Last Crash 891295 sec
Total Uptime 1575893 sec
Trigger Reason SIGBUS: Bus Error: (signal 10)
Source File, Line No. /builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/view/src/nsViewManager.cpp, line 345
Stack Trace
nsViewManager::UpdateWidgetsForView() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/view/src/nsViewManager.cpp, line 345]
nsViewManager::ForceUpdate() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/view/src/nsViewManager.cpp, line 3658]
nsViewManager::Composite() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/view/src/nsViewManager.cpp, line 444]
nsViewManager::EnableRefresh() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/view/src/nsViewManager.cpp, line 3438]
nsViewManager::EndUpdateViewBatch() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/view/src/nsViewManager.cpp, line 3487]
nsEditor::EndUpdateViewBatch() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/editor/libeditor/base/nsEditor.cpp, line 495]
nsHTMLEditor::EndUpdateViewBatch() nsEditor::EndPlaceHolderTransaction() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/editor/libeditor/base/nsEditor.cpp, line 942]
nsHTMLEditor::StyleSheetLoaded() CSSLoaderImpl::SheetComplete() SheetLoadData::OnStreamComplete() nsUnicharStreamLoader::OnStopRequest() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/netwerk/base/src/nsUnicharStreamLoader.cpp, line 713]
nsJARChannel::OnStopRequest() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/modules/libjar/nsJARChannel.cpp, line 713]
nsInputStreamPump::OnStateStop() nsInputStreamPump::OnInputStreamReady() nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 689]
PL_ProcessPendingEvents() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/xpcom/threads/plevent.c, line 623]
__CFRunLoopDoSources0()
__CFRunLoopRun()
CFRunLoopRunSpecific()
RunCurrentEventLoopInMode()
GetNextEventMatchingMask()
WNEInternal()
WaitNextEvent()
nsMacMessagePump::GetEvent() nsMacMessagePump::DoMessagePump() nsAppShell::Run() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/widget/src/mac/nsAppShell.cpp, line 114]
nsAppStartup::Run() XRE_main() [/builds/tinderbox/Tb-Mozilla1.8.0/Darwin_7.9.0_Depend/mozilla/toolkit/xre/nsAppRunner.cpp, line 2353]
_start() start()

Revision history for this message
In , Bugzilla-quilty (bugzilla-quilty) wrote :

I can reproduce this crash: TB19165889X and TB19166074Q.

Steps to reproduce:
1. Open an IMAP message in a separate window
2. Edit as new (Cmd-E)
3. Close edit window before it has finished opening (Cmd-W)
4. Close original message window (Cmd-W)

N.B. If the edit window in step 3 completes opening then when it is closed it will display a save draft dialog and subsequent closing of the original message window in step 4 won't cause the crash.

Revision history for this message
In , Bugzilla-quilty (bugzilla-quilty) wrote :

I'm able to reproduce this with Thunderbird version 1.5.0.4 (20060530): TB19842254Q and TB19842407Z.

 I can reproduce this with both POP and IMAP messages and have found that the message must be HTML to obtain the crash. The amended steps to reproduce are:

1. Open an HTML message in a separate window
2. Edit as new (Cmd-E)
3. Close edit window before it has finished opening (Cmd-W)
4. Close original message window (Cmd-W)

Revision history for this message
In , Adam Guthrie (ispiked) wrote :

I'm curious as to whether this occurs in the 1.8 branch or trunk.

Revision history for this message
Stéphane Grimal (mirmidon) wrote : [apport] mozilla-thunderbird-bin crashed with SIGSEGV in __kernel_vsyscall()

Binary package hint: mozilla-thunderbird

1) I launch OpenOffice.org 2.2 writer with fast load option ([OpenOffice.org menu : tools -> options -> RAM] to select option at startup of OpenOffice.org).
2) I open a document with open button.
3) I click on the document by email button. (no responding I think)
3) I click file -> send -> send by email under pdf format.
4) I chose protected document by password.
5) The bug report box appear on my screen...

Sorry for menu labels, my OS is in french version.

Good day.

ProblemType: Crash
Architecture: i386
Date: Wed Mar 28 10:43:53 2007
DistroRelease: Ubuntu 7.04
ExecutablePath: /usr/lib/mozilla-thunderbird/mozilla-thunderbird-bin
Package: mozilla-thunderbird 1.5.0.10-0ubuntu2
PackageArchitecture: i386
ProcCmdline: /usr/lib/mozilla-thunderbird/mozilla-thunderbird-bin -compose attachment=file:///tmp/sv379.tmp/sv38i.tmp/cong%C3%A9.doc
ProcCwd: /usr/lib/openoffice/program
ProcEnviron:
 LANGUAGE=fr_FR.UTF-8@euro
 PATH=/usr/lib/openoffice/program:/usr/local/qt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games
 LANG=fr_FR.UTF-8@euro
 SHELL=/bin/bash
Signal: 11
SourcePackage: mozilla-thunderbird
StacktraceTop:
 __kernel_vsyscall ()
 raise () from /lib/tls/i686/cmov/libpthread.so.0
 ?? ()
 ?? ()
 ?? ()
Uname: Linux stephdevel 2.6.20-13-generic #2 SMP Sun Mar 25 00:21:25 UTC 2007 i686 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin mysql plugdev scanner video

Revision history for this message
Stéphane Grimal (mirmidon) wrote :
Alexander Sack (asac)
Changed in mozilla-thunderbird:
assignee: nobody → mozilla-bugs
importance: Undecided → High
status: Unconfirmed → Needs Info
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote : Retraced Stacktrace

Retrace done:
...
#3 <signal handler called>
#4 nsViewManager::UpdateWidgetsForView (this=0x8aae230, aView=0x0)
    at ../../dist/include/view/nsIView.h:345

#5 0xb56a586f in nsViewManager::ForceUpdate (this=0x8aae230) at nsViewManager.cpp:3656

#6 0xb56a5a15 in nsViewManager::Composite (this=0x8aae230) at nsViewManager.cpp:1631

#7 0xb56a9675 in nsViewManager::EnableRefresh (this=0x8aae230, aUpdateFlags=2) at nsViewManager.cpp:3438

#8 0xb56a58e8 in nsViewManager::EndUpdateViewBatch (this=0x8aae230, aUpdateFlags=2)
    at nsViewManager.cpp:3487
 result = <value optimized out>
#9 0xb358a98a in nsEditor::EndUpdateViewBatch (this=0x8aad9c0) at nsEditor.cpp:4568
 updateFlag = 0
 caret = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
...

Tagging as mt-confirm for further processing

Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote : Retraced Thread Stacktrace

Retraced Thread Stacktrace

Hilario J. Montoliu (hjmf) (hmontoliu)
Changed in mozilla-thunderbird:
status: Needs Info → Confirmed
description: updated
Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

See upstream's https://bugzilla.mozilla.org/show_bug.cgi?id=323740 ( TB15 Crash [@ nsViewManager::UpdateWidgetsForView] )for other tests cases to reproduce this issue.

Revision history for this message
Hilario J. Montoliu (hjmf) (hmontoliu) wrote :

Adding tag mt-confirm as upstream's bug is not yet confirmed.

Bug Watch Updater (bug-watch-updater)
Changed in thunderbird:
status: Unknown → Unconfirmed
Revision history for this message
In , Philringnalda (philringnalda) wrote :

*** Bug 388273 has been marked as a duplicate of this bug. ***

Revision history for this message
In , Hskupin (hskupin) wrote :

This is also an issue for Thunderbird 2.0. Updating summary accordingly.

Revision history for this message
Alexander Sack (asac) wrote :

looks more or less on track upstream.

Changed in mozilla-thunderbird:
status: Confirmed → In Progress
Revision history for this message
In , Hskupin (hskupin) wrote :

I got two crashes with version 3.0a1pre (2008011108) on OS X while running the above steps. But Breakpad doesn't come up. Thunderbird silently closes itself. Even running within the debugger doesn't give me any stack. The application quits without any message. No idea if it's exactly this crash.

Tried to search on talkback if it's still a crasher for Thunderbird 2. But the server always gives me a timeout.

Revision history for this message
In , Bugzilla-quilty (bugzilla-quilty) wrote :

 I've also seen silent crashes. Have you checked ~/Library/Logs/CrashReporter for an OS-generated crash report in the thunderbird-bin.crash.log? I've often found what I needed there when Talkback didn't launch.

Revision history for this message
In , Hskupin (hskupin) wrote :

Sadly not, but there are 3 reports for trunk builds on Windows:
http://crash-stats.mozilla.com/report/list?range_unit=months&query_search=signature&query_type=contains&signature=nsViewManager%3A%3AUpdateWidgetsForView%28nsView%2A%29&query=nsViewManager%3A%3AUpdateWidgetsForView&range_value=3

Even Talkback lists hundreds of them. Let's try to find a good test case which is reproducible and provides a meaningful stack or let my debugger catch it.

On trunk it crashes at following line:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/view/src/nsViewManager.cpp&rev=3.459&mark=1682#1682

Updating summary to reflect it's not only happen for Thunderbird.

Revision history for this message
In , Hskupin (hskupin) wrote :

Shouldn't we use NS_ENSURE_ARG_POINTER instead of NS_PRECONDITION here?

void nsViewManager::UpdateWidgetsForView(nsView* aView)
{
  NS_PRECONDITION(aView, "Must have view!");

  if (aView->HasWidget()) {
    aView->GetWidget()->Update();
  }
  ...

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

No, we shouldn't. No one should be passing in a null view here.

In fact, looking at the stacks for the incidents in comment 10, two of the stacks are calls from the line in the loop in UpdateWidgetsForView (where we KNOW the view is non-null). So in those cases we have a garbage pointer. This is, of course, very bad... and adding a null-check wouldn't help one bit.

The third stack is a call on mRootView, where we might want to have a null-check in the caller, since I think that can in fact be null.

Revision history for this message
In , Hskupin (hskupin) wrote :

Created attachment 296853
Possible patch v1 (checked in)

You are right. So is this the solution you thought of?

Revision history for this message
In , Bzbarsky (bzbarsky) wrote :

We should do that, yes. It doesn't fix this bug in general..

Bug Watch Updater (bug-watch-updater)
Changed in thunderbird:
status: New → Confirmed
Revision history for this message
In , Reed Loden (reed) wrote :

Checking in view/src/nsViewManager.cpp;
/cvsroot/mozilla/view/src/nsViewManager.cpp,v <-- nsViewManager.cpp
new revision: 3.467; previous revision: 3.466
done

Leaving this bug open for other fixes?

Revision history for this message
In , Hskupin (hskupin) wrote :

Comment on attachment 296853
Possible patch v1 (checked in)

I think yes. We should try to find a reproducible test case to be able to find the real cause (what bz already said). But it doesn't seems to be easy. Talkback doesn't repond to queries at the moment and with breakpad we don't have a comment field for now. :/

Bug Watch Updater (bug-watch-updater)
Changed in thunderbird:
status: Confirmed → In Progress
Revision history for this message
In , Hskupin (hskupin) wrote :
Download full text (4.1 KiB)

There are also crashes on 1.8 branch. The stack trace looks a bit different:

Stack Signature nsViewManager::UpdateWidgetsForView 4c93acc9
Product ID Firefox2
Build ID 2007112718
Trigger Time 2008-01-24 12:28:39.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (001ec79e)
URL visited American Airlines site (plus 5 other tabs)
User Comments checking my miles
Since Last Crash 579594 sec
Total Uptime 579594 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8-Release/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 3224
Stack Trace
nsViewManager::UpdateWidgetsForView [mozilla/view/src/nsViewManager.cpp, line 3224]
nsScrollPortView::Scroll [mozilla/view/src/nsScrollPortView.cpp, line 595]
nsScrollPortView::ScrollToImpl [mozilla/view/src/nsScrollPortView.cpp, line 700]
nsScrollPortView::ScrollTo [mozilla/view/src/nsScrollPortView.cpp, line 275]
nsGfxScrollFrameInner::ScrollbarChanged [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 2521]
nsScrollbarFrame::AttributeChanged [mozilla/layout/xul/base/src/nsScrollbarFrame.cpp, line 155]
nsCSSFrameConstructor::AttributeChanged [mozilla/layout/base/nsCSSFrameConstructor.cpp, line 10767]
PresShell::AttributeChanged [mozilla/layout/base/nsPresShell.cpp, line 5570]
nsDocument::AttributeChanged [mozilla/content/base/src/nsDocument.cpp, line 2498]
nsHTMLDocument::AttributeChanged [mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1300]
nsXULElement::SetAttrAndNotify [mozilla/content/xul/content/src/nsXULElement.cpp, line 1488]
nsXULElement::SetAttr [mozilla/content/xul/content/src/nsXULElement.cpp, line 1439]
UpdateAttribute [mozilla/layout/xul/base/src/nsSliderFrame.cpp, line 684]
nsSliderFrame::SetCurrentPosition [mozilla/layout/xul/base/src/nsSliderFrame.cpp, line 731]
nsSliderFrame::HandleEvent [mozilla/layout/xul/base/src/nsSliderFrame.cpp, line 551]
PresShell::HandleEventInternal [mozilla/layout/base/nsPresShell.cpp, line 6555]
PresShell::HandleEvent [mozilla/layout/base/nsPresShell.cpp, line 6350]
nsViewManager::HandleEvent [mozilla/view/src/nsViewManager.cpp, line 2566]
nsViewManager::DispatchEvent [mozilla/view/src/nsViewManager.cpp, line 2253]
HandleEvent [mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1319]
nsWindow::DispatchMouseEvent [mozilla/widget/src/windows/nsWindow.cpp, line 6329]
ChildWindow::DispatchMouseEvent [mozilla/widget/src/windows/nsWindow.cpp, line 6576]
nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1507]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run [mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main [mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

or

Stack Signature nsViewManager::UpdateWidgetsForView 55b5752f
Product ID Firefox2
Build ID 2006120418
Trigger Time 2008-01-24 06:47:35.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module fi...

Read more...

Revision history for this message
In , Mats Palmgren (matspal) wrote :

I think the bug here could be that nsViewManager::UpdateWidgetsForView()
calls aView->GetWidget()->Update() which flushes Layout which deletes
arbitrary layout objects such as nsViews.
See the "deleting nsView while in use by UpdateWidgetsForView()"
stack in bug 421839.

Bug Watch Updater (bug-watch-updater)
Changed in thunderbird:
status: In Progress → Confirmed
Revision history for this message
In , Vseerror (vseerror) wrote :

this is no longer a topcrash for latest shipping 3.0 or 3.5

Bug Watch Updater (bug-watch-updater)
Changed in thunderbird:
importance: Unknown → Critical
Revision history for this message
In , Vseerror (vseerror) wrote :

nsViewManager::UpdateWidgetsForView(nsView*)
no crashes in past month for any current version.
nor for substring nsViewManager::UpdateWidgetsForView

Bug Watch Updater (bug-watch-updater)
Changed in thunderbird:
status: Confirmed → Invalid
Thomas Hotz (thotz-deactivatedaccount)
Changed in mozilla-thunderbird (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.