Closed Bug 100935 Opened 24 years ago Closed 24 years ago

click in one of the images in the left will crash mozilla

Product/Component: Core :: XUL
Type: defect
Hardware: x86
OS: All
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla0.9.8
Reporter: deb
Assignee: saari
Keywords: crash, hang
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.9 i686)
BuildID: 2001091311

click in one of the images in the left will crash mozilla

I tried with builds id 0.9.4 2001091311, 0.9.4 2001091905

Reproducible: Always

Steps to Reproduce:
1. load http://perso.wanadoo.fr/sogem.immo/
2. click in one of the images in the left will crash mozilla
confirming with current CVS, linux. There is no indication the images are links: Cursor does not change into a hand. One click spawns the framework for two small popup windows. Crash occurs before anything renders in them. There is java on the page, but I tested this without java installed. Start of backtrace looks like this:

Program received signal SIGILL, Illegal instruction.
[Switching to Thread 1024 (LWP 7009)]
0x082fbdc8 in ?? () at eval.c:41
41 eval.c: No such file or directory.
 in eval.c
(gdb) bt
#0 0x082fbdc8 in ?? () at eval.c:41
#1 0x406cb4f1 in NSGetModule () from libnsappshell.so
#2 0x40c91214 in NSGetModule () from libwidget_gtk.so
Status: UNCONFIRMED → NEW
Ever confirmed: true
testing with 2001092021, linux: Full freeze, 100% CPU, but it "hangs in there" with dead windows.
worksforme on windows 2000
Build 0.9.4 (2001091303) on Windows 2000 (SP2) works for me. I can click on all the images and they pop up another window and fill it with an image. No crashing.
Keywords: crash, hang
->docshell
Assignee: asa → adamlock
Component: Browser-General → Embedding: Docshell
QA Contact: doronr → adamlock
Works for me in today's pull from the trunk though I get a few assertions when I click from one window to another and it reconstructs the popup window. Assertions are:

"ASSERTION: root element not in document: 'doc != nsnull', file d:\m\source\mozilla\content\xul\templates\src\nsXULContentBuilder.cpp, line 1540"

Reassigning to XUL. Stack trace for assertion:

NTDLL! 77f9eea9()
nsDebug::Assertion(const char * 0x0258c978, const char * 0x0258c968, const char * 0x0258c91c, int 0x00000604) line 290 + 13 bytes
nsXULContentBuilder::GetElementsForResource(nsIRDFResource * 0x0503f250, nsISupportsArray * 0x05123240) line 1540 + 44 bytes
nsXULContentBuilder::RemoveMember(nsIContent * 0x050828c8, nsIRDFResource * 0x0503f250, int 0x00000001) line 1094 + 24 bytes
nsXULContentBuilder::ReplaceMatch(nsIRDFResource * 0x0503f250, const nsTemplateMatch * 0x05231ad0, nsTemplateMatch * 0x00000000) line 1858
nsXULTemplateBuilder::Retract(nsIRDFResource * 0x010da748, nsIRDFResource * 0x01108230, nsIRDFNode * 0x0503f250) line 617
nsXULTemplateBuilder::OnUnassert(nsXULTemplateBuilder * const 0x0504108c, nsIRDFDataSource * 0x0500d2e0, nsIRDFResource * 0x010da748, nsIRDFResource * 0x01108230, nsIRDFNode * 0x0503f250) line 651 + 23 bytes
CompositeDataSourceImpl::OnUnassert(CompositeDataSourceImpl * const 0x0500d2e4, nsIRDFDataSource * 0x010ac920, nsIRDFResource * 0x010da748, nsIRDFResource * 0x01108230, nsIRDFNode * 0x0503f250) line 1576
InMemoryDataSource::Unassert(InMemoryDataSource * const 0x010ac920, nsIRDFResource * 0x010da748, nsIRDFResource * 0x01108230, nsIRDFNode * 0x0503f250) line 1296
RDFContainerImpl::RemoveElement(RDFContainerImpl * const 0x05113d50, nsIRDFNode * 0x0503f250, int 0x00000001) line 261 + 38 bytes
nsWindowMediator::UnregisterWindow(nsWindowMediator * const 0x010d4f08, nsWindowInfo * 0x04caa510) line 272
nsWindowMediator::UnregisterWindow(nsWindowMediator * const 0x010d4f08, nsIXULWindow * 0x050aadf8) line 249 + 16 bytes
nsAppShellService::UnregisterTopLevelWindow(nsAppShellService * const 0x010d54e8, nsIXULWindow * 0x050aadf8) line 840
nsXULWindow::Destroy(nsXULWindow * const 0x050aadfc) line 355
nsWebShellWindow::Destroy(nsWebShellWindow * const 0x050aadfc) line 1700 + 9 bytes
nsContentTreeOwner::Destroy(nsContentTreeOwner * const 0x04e6c634) line 450
GlobalWindowImpl::ReallyCloseWindow(GlobalWindowImpl * const 0x051762a4) line 2498
GlobalWindowImpl::CloseWindow(nsISupports * 0x05176294) line 3274
nsJSContext::ScriptEvaluated(nsJSContext * const 0x051763c8, int 0x00000001) line 1407 + 18 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x051763c8, void * 0x04dfd5d8, void * 0x03879770, unsigned int 0x00000001, void * 0x0012de84, int * 0x0012de80, int 0x00000000) line 984
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04e1d1e0, nsIDOMEvent * 0x052776cc) line 155 + 74 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04e0ffa8, nsIDOMEvent * 0x052776cc, nsIDOMEventTarget * 0x051762a0, unsigned int 0x00000004, unsigned int 0x00000002) line 1213 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x045732c0, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, nsIDOMEventTarget * 0x051762a0, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1381 + 36 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x05176290, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 662
nsDocument::HandleDOMEvent(nsDocument * const 0x0507ecb8, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 3033
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0518b638, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1854 + 39 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x049c0540, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1847 + 53 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04ecfa28, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1847 + 53 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x0514a9e0, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1847 + 53 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04fb8760, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1847 + 53 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04ec09f8, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000002, nsEventStatus * 0x0012f674) line 1847 + 53 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x050d9f10, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x0012f24c, unsigned int 0x00000001, nsEventStatus * 0x0012f674) line 1847 + 53 bytes
nsHTMLImageElement::HandleDOMEvent(nsHTMLImageElement * const 0x050d9f10, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f368, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f674) line 582
PresShell::HandleEventInternal(nsEvent * 0x0012f368, nsIView * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f674) line 5708 + 47 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x0518cc90, nsEvent * 0x0012f368, nsIFrame * 0x049c8064, nsIContent * 0x050d9f10, unsigned int 0x00000001, nsEventStatus * 0x0012f674) line 5679 + 22 bytes
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const 0x051946b8, nsIPresContext * 0x0518bf68, nsMouseEvent * 0x0012f780, nsEventStatus * 0x0012f674) line 2502 + 61 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x051946c0, nsIPresContext * 0x0518bf68, nsEvent * 0x0012f780, nsIFrame * 0x049c8064, nsEventStatus * 0x0012f674, nsIView * 0x0526bf60) line 1587 + 28 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f780, nsIView * 0x0526bf60, unsigned int 0x00000001, nsEventStatus * 0x0012f674) line 5728 + 43 bytes
PresShell::HandleEvent(PresShell * const 0x0518cc94, nsIView * 0x0526bf60, nsGUIEvent * 0x0012f780, nsEventStatus * 0x0012f674, int 0x00000001, int & 0x00000001) line 5633 + 25 bytes
nsView::HandleEvent(nsView * const 0x0526bf60, nsGUIEvent * 0x0012f780, unsigned int 0x0000001c, nsEventStatus * 0x0012f674, int 0x00000001, int & 0x00000001) line 377
nsViewManager::DispatchEvent(nsViewManager * const 0x0518c5d8, nsGUIEvent * 0x0012f780, nsEventStatus * 0x0012f674) line 2062
HandleEvent(nsGUIEvent * 0x0012f780) line 68
nsWindow::DispatchEvent(nsWindow * const 0x0526bac4, nsGUIEvent * 0x0012f780, nsEventStatus & nsEventStatus_eIgnore) line 733 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f780) line 754
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) line 4261 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) line 4513
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long 0x0037011a, long * 0x0012fb94) line 3231 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x001204c4, unsigned int 0x00000202, unsigned int 0x00000000, long 0x0037011a) line 1001 + 27 bytes
USER32! 77e148dc()
USER32! 77e14aa7()
USER32! 77e266fd()
nsAppShellService::Run(nsAppShellService * const 0x010d54e8) line 442
main1(int 0x00000001, char * * 0x00357a18, nsISupports * 0x00000000) line 1278 + 32 bytes
main(int 0x00000001, char * * 0x00357a18) line 1606 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e992a6()

A side issue: Looking at the source I see layer manipulation, something Mozilla doesn't support. The sniffer code needs to be fixed.
Assignee: adamlock → hyatt
Component: Embedding: Docshell → XP Toolkit/Widgets: XUL
QA Contact: adamlock → jrgm
--> waterson
Assignee: hyatt → waterson
I've been able to reproduce the crash. I think you might need to have Java installed, as the page has a Java applet as its centerpiece. We're crashing somewhere in nsWebShellWindow::StoreBoundsToXUL(), although gdb is befuddled enough at this point that I'm not exactly sure how or why. It looks like something got clobbered while dispatching focus. Reassigning to saari, cc'ing danm.

#0 0x08b3e9dc in ?? ()
#1 0x409468ec in nsWebShellWindow::StoreBoundsToXUL (this=0x8921208, aPosition=1, aSize=1, aSizeMode=1) at ../../../../mozilla/xpfe/appshell/src/nsWebShellWindow.cpp:1362
#2 0x40944bc8 in nsWebShellWindow::HandleEvent (aEvent=0xbfffedd0) at ../../../../mozilla/xpfe/appshell/src/nsWebShellWindow.cpp:545
#3 0x410d07f9 in nsWidget::DispatchEvent (this=0x8940c18, aEvent=0xbfffedd0, aStatus=@0xbfffed8c) at ../../../../mozilla/widget/src/gtk/nsWidget.cpp:1402
#4 0x410d041a in nsWidget::DispatchWindowEvent (this=0x8940c18, event=0xbfffedd0) at ../../../../mozilla/widget/src/gtk/nsWidget.cpp:1293
#5 0x410d04c2 in nsWidget::DispatchFocus (this=0x8940c18, aEvent=@0xbfffedd0) at ../../../../mozilla/widget/src/gtk/nsWidget.cpp:1315
#6 0x410d7018 in nsWindow::DispatchSetFocusEvent (this=0x8940c18) at ../../../../mozilla/widget/src/gtk/nsWindow.cpp:1325
#7 0x410d7251 in nsWindow::HandleMozAreaFocusIn (this=0x8940c18) at ../../../../mozilla/widget/src/gtk/nsWindow.cpp:1432
#8 0x410dafa7 in handle_mozarea_focus_in (aWidget=0x83f1348, aGdkFocusEvent=0xbffff230, aData=0x8940c18) at ../../../../mozilla/widget/src/gtk/nsWindow.cpp:2904
#9 0x4037cfbc in gtk_marshal_BOOL__POINTER () from /usr/lib/libgtk-1.2.so.0
#10 0x403b0916 in gtk_handlers_run () from /usr/lib/libgtk-1.2.so.0
#11 0x403afc3d in gtk_signal_real_emit () from /usr/lib/libgtk-1.2.so.0
#12 0x403ad9f5 in gtk_signal_emit () from /usr/lib/libgtk-1.2.so.0
#13 0x403e80e9 in gtk_widget_event () from /usr/lib/libgtk-1.2.so.0
#14 0x403f0dac in gtk_window_focus_in_event () from /usr/lib/libgtk-1.2.so.0
#15 0x4037cfbc in gtk_marshal_BOOL__POINTER () from /usr/lib/libgtk-1.2.so.0
#16 0x403afc7d in gtk_signal_real_emit () from /usr/lib/libgtk-1.2.so.0
#17 0x403ad9f5 in gtk_signal_emit () from /usr/lib/libgtk-1.2.so.0
#18 0x403e80e9 in gtk_widget_event () from /usr/lib/libgtk-1.2.so.0
#19 0x4037bfe4 in gtk_main_do_event () from /usr/lib/libgtk-1.2.so.0
#20 0x410c8073 in handle_gdk_event (event=0x83524e8, data=0x0) at ../../../../mozilla/widget/src/gtk/nsGtkEventHandler.cpp:994
#21 0x40433e4f in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#22 0x404667f3 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#23 0x40466dd9 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#24 0x40466f8c in g_main_run () from /usr/lib/libglib-1.2.so.0
#25 0x4037b803 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#26 0x410bf289 in nsAppShell::Run (this=0x8123cc0) at ../../../../mozilla/widget/src/gtk/nsAppShell.cpp:364
#27 0x4093fa91 in nsAppShellService::Run (this=0x8119f10) at ../../../../mozilla/xpfe/appshell/src/nsAppShellService.cpp:456
#28 0x08058a71 in main1 (argc=4, argv=0xbffff9d4, nativeApp=0x0) at ../../../mozilla/xpfe/bootstrap/nsAppRunner.cpp:1293
#29 0x08059753 in main (argc=4, argv=0xbffff9d4) at ../../../mozilla/xpfe/bootstrap/nsAppRunner.cpp:1621
#30 0x405b1177 in ?? () from /lib/i686/libc.so.6
Assignee: waterson → saari
nails macos too, nice
Status: NEW → ASSIGNED
OS: Linux → All
Target Milestone: --- → mozilla0.9.6
Just tried this again on win2k and did not crash. Please retest with a current nightly.
Target Milestone: mozilla0.9.6 → mozilla0.9.7
Testing with an hour old non-debug CVS build AND java I now crashed already when loading the page. Re-started mozilla in gdb and the page loaded, but not the centered java applet. Cursor now turned into a hand when over the images, but clicking one caused a crash.

0x0831d185 in ?? () at eval.c:41
41 eval.c: No such file or directory.
 in eval.c
#0 0x0831d185 in ?? () at eval.c:41
#1 0x407335b1 in NSGetModule () from libnsappshell.so
#2 0x40cb2464 in NSGetModule () from libwidget_gtk.so
#3 0x40cb238c in NSGetModule () from libwidget_gtk.so
#4 0x40cb2407 in NSGetModule () from libwidget_gtk.so
#5 0x40cb6120 in NSGetModule () from libwidget_gtk.so
#6 0x40cb62d1 in NSGetModule () from libwidget_gtk.so
#7 0x40cb876a in NSGetModule () from libwidget_gtk.so
#8 0x40291c21 in gtk_marshal_BOOL__POINTER (object=0x8b78488, func=0x40cb8718 <NSGetModule+16700>, func_data=0x8b31950, args=0xbfffeae0) at gtkmarshal.c:28
#9 0x402c156a in gtk_handlers_run (handlers=0x8b302e0, signal=0xbfffea80, object=0x8b78488, params=0xbfffeae0, after=0) at gtksignal.c:1917
#10 0x402c09bb in gtk_signal_real_emit (object=0x8b78488, signal_id=31, params=0xbfffeae0) at gtksignal.c:1477
#11 0x402bea30 in gtk_signal_emit (object=0x8b78488, signal_id=31) at gtksignal.c:552
#12 0x402f5ee8 in gtk_widget_event (widget=0x8b78488, event=0xbfffedc0) at gtkwidget.c:2864
#13 0x402fe227 in gtk_window_focus_in_event (widget=0x8b78400, event=0x8324f10) at gtkwindow.c:1415
#14 0x40291c21 in gtk_marshal_BOOL__POINTER (object=0x8b78400, func=0x402fe104 <gtk_window_focus_in_event>, func_data=0x0, args=0xbfffee90) at gtkmarshal.c:28
#15 0x402c09fb in gtk_signal_real_emit (object=0x8b78400, signal_id=31, params=0xbfffee90) at gtksignal.c:1492
#16 0x402bea30 in gtk_signal_emit (object=0x8b78400, signal_id=31) at gtksignal.c:552
#17 0x402f5ee8 in gtk_widget_event (widget=0x8b78400, event=0x8324f10) at gtkwidget.c:2864
#18 0x40290df8 in gtk_main_do_event (event=0x8324f10) at gtkmain.c:834
#19 0x40cacfdb in NSGetModule () from libwidget_gtk.so
#20 0x4034b16b in gdk_event_dispatch (source_data=0x0, current_time=0xbffff300, user_data=0x0) at gdkevents.c:2139
#21 0x4037c055 in g_main_dispatch (dispatch_time=0xbffff300) at gmain.c:656
#22 0x4037c659 in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#23 0x4037c7e8 in g_main_run (loop=0x8163ae8) at gmain.c:935
#24 0x4029065b in gtk_main () at gtkmain.c:524
#25 0x40ca6725 in NSGetModule () from libwidget_gtk.so
#26 0x4072ff66 in NSGetModule () from libnsappshell.so
#27 0x080513f4 in NS_CreateNativeAppSupport () at eval.c:41
#28 0x08051d11 in main () at eval.c:41
---Type <return> to continue, or q <return> to quit---
#29 0x404c4627 in __libc_start_main (main=0x8051bd8 <main>, argc=1, ubp_av=0xbffff714, init=0x804be68 <_init>, fini=0x8052b1c <_fini>, rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbffff70c) at ../sysdeps/generic/libc-start.c:129
Okay, looks like clicking on one of the images pops up a window, which almost immediately gets destroyed. We attempt to store the popup window position, but the window is being destroyed and we use some garbage pointers. Not sure if a proper safeguard exists already, or why the window collapses immediately.
Target Milestone: mozilla0.9.7 → mozilla0.9.8
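
The failure mode described in the comment above (a popup destroyed almost immediately while a focus event still tries to store its bounds), as an added example that is neither Mozilla's code nor the fix from bug 107844. `RootElement`, `PopupWindow`, `EventQueue`, `Counts` and `RunScenario` are hypothetical names; the block shows two guards, a teardown check before the write and weak references held by the event queue.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>
// Hypothetical stand-in for the element that persists a window's bounds.
struct RootElement { std::map<std::string, int> attrs; };

class PopupWindow {
public:
    PopupWindow(int x, int y) : mRoot(std::make_unique<RootElement>()), mX(x), mY(y) {}
    // Teardown releases the element that StoreBounds() writes to.
    void Destroy() { mRoot.reset(); }
    // Guard: after Destroy() nothing valid is left to write to, so return false.
    bool StoreBounds() {
        if (!mRoot) return false;
        mRoot->attrs["screenX"] = mX;
        mRoot->attrs["screenY"] = mY;
        return true;
    }
private:
    std::unique_ptr<RootElement> mRoot;
    int mX, mY;
};

struct Counts { int stored = 0, skipped = 0, dropped = 0; };

// Queued focus events hold weak references, never raw window pointers.
class EventQueue {
public:
    void PostFocus(const std::shared_ptr<PopupWindow>& w) { mPending.emplace_back(w); }
    Counts Dispatch() {
        Counts c;
        for (auto& weak : mPending) {
            std::shared_ptr<PopupWindow> w = weak.lock();  // pin during handler
            if (!w) { ++c.dropped; continue; }             // already freed
            if (w->StoreBounds()) ++c.stored; else ++c.skipped;
        }
        mPending.clear();
        return c;
    }
private:
    std::vector<std::weak_ptr<PopupWindow>> mPending;
};

// Constructed scenario: one popup is destroyed and one freed before dispatch.
Counts RunScenario() {
    EventQueue q;
    auto alive = std::make_shared<PopupWindow>(10, 20);
    auto closing = std::make_shared<PopupWindow>(30, 40);
    auto freed = std::make_shared<PopupWindow>(50, 60);
    q.PostFocus(alive); q.PostFocus(closing); q.PostFocus(freed);
    closing->Destroy();  // closed right after opening, still referenced
    freed.reset();       // last owner gone before dispatch
    return q.Dispatch();
}
```
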
I tried clicking on one of the images, however, the window is *not* destroyed like saari suggests. It opens and renders like a charm... Looks like we lost the testcase to this bug. Should we mark WORKSFORME? Can anyone else still reproduce this?
This still crashes with 2001121821 linux. TB710237Z
This should be fixed by my checkin for bug 107844. Please reopen if it is still happening.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets