Closed Bug 133410 Opened 22 years ago Closed 22 years ago

Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode]

Categories

(Core :: Layout, defect, P1)

Tracking

VERIFIED FIXED
mozilla1.0

People

(Reporter: jcarpenter0524, Assigned: attinasi)

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: [adt1][fix in hand][fixed on the trunk 04/11 and branch 04/19] [Needs a=] [ETA 04/19])

Attachments

(4 files)

This stack signature is a topcrasher for M099 on Windows

nsImageBoxListener::OnStopDecode
Build ID range: 2002031106 to 2002031106
Stack Trace: 

	 nsImageBoxListener::OnStopDecode
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 877]
	 imgRequestProxy::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp  line 295]
	 imgRequest::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp  line 337]
	 imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp  line 459]
	 nsTimerImpl::Process
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 342]
	 handleMyEvent
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 381]
	 PL_HandleEvent
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 591]
	 PL_ProcessPendingEvents
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 524]
	 _md_EventReceiverProc
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 1072]
	 USER32.dll + 0x3c076 (0x77d7c076)
	 USER32.dll + 0x3c076 (0x77d7c076)
	 _except_handler3()
	 kernel32.dll + 0x3bb86 (0x77e9bb86)
 
 	Source File :
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsImageBoxFrame.cpp
line : 877


COMMENTS/URLs:

     (4407199)	URL: http://knowhow.cdfreaks.com
     (4407199)	Comments: Pressed back from the "no results page" after an unsuccessful search
     (4328945)	URL: http://my.yahoo.com
     (4328945)	Comments: Using AltaVista to translate a German tech site that I don't
recall the URL to. Ack!
     (4284298)	URL: cnn.com
     (4284298)	Comments: clicked on link to story on Antarctica on CNN.com
     (4250323)	URL: http://www.01net.com
     (4168294)	URL: www.esprinet.it
     (4131762)	URL: www.msnbc.com
     (4119907)	Comments: Testing an update to a JSP page.
     (4078108)	URL: http://www.looksmart.com/
     (4078108)	Comments: Tried to click on the "Computers" link.
     (4046514)	URL:
http://translate.google.com/translate?hl=en&sl=de&u=http://www.teccentral.de/reviews/mainboard/asus/asus_a7m266-d/&prev=/search%3Fq%3D%2522asus%2Ba7m266-d%2522%2Breview%26hl%3Den%26ie%3DISO-8859-1%26oe%3DISO-8859-1
     (4046514)	Comments: this happened just after a google page was translated from german
to english.  i then selected a dropdown menu from the bottom to go to the
"result" of the review.  after choosing this item  netscape crashed.
     (4046436)	URL:
http://translate.google.com/translate?hl=en&sl=de&u=http://www.teccentral.de/reviews/mainboard/asus/asus_a7m266-d/&prev=/search%3Fq%3D%2522asus%2Ba7m266-d%2522%2Breview%26hl%3Den%26ie%3DISO-8859-1%26oe%3DISO-8859-1
     (4046436)	Comments: this is a link from a translated google search.  just browsing. 
had the mail window open with an imap account and a pop account  and a couple of
tabs to other sites.
     (4043228)	URL: http://www.prinz.de
     (4043228)	Comments: Surfing in the Foto-Gallerie from PRinz online DE
     (4027895)	URL: cnn.com
     (4027895)	Comments: it was in the layout engine (gklayout.dll) i just typed something
in the serach box  hit search  page came up  program died.
Keywords: crash, qawanted, topcrash
over to layout
Component: Networking: HTTP → Layout
.
Assignee: darin → attinasi
QA Contact: tever → petersen
Severity: normal → critical
pavlov?
Adding Trunk to summary since there have been quite a few of these crashes on
the Trunk recently.  The most recent crash was with a build from 3/22:

 Incident ID 4412409   
Stack Signature  nsImageBoxListener::OnStopDecode a2b4b3f7
Trigger Time 2002-03-24 07:18:13
Email Address
URL visited
Build ID 2002032211
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
User Comments
Stack Trace
nsImageBoxListener::OnStopDecode
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp, line 877]
imgRequestProxy::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp, line 294]
imgRequest::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp, line 336]
imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 459]
nsTimerImpl::Process [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp,
line 342]
handleMyEvent [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 381]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591]
PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c,
line 524]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line
1072]
KERNEL32.DLL + 0x24407 (0xbff94407)
0x00648c16

It might be possible that this crash is no longer occurring.  Do we know of
anything checked in on 3/22 that might have fixed this?  Either way, we need to
see if we can reproduce this.
Summary: M099 topcrash [@ nsImageBoxListener::OnStopDecode] → Trunk M099 topcrash [@ nsImageBoxListener::OnStopDecode]
Launch Netscape build for 4-1-02.
From the Bugzilla bug application, locate bug # 133410.
There is a link on the bug for "CDFREAK" (http://knowhow.cdfreaks.com), click
that link to launch and let the site load.
After the site completely loads, I simply hit the "back" button to return to bug
#133410.
About 10 seconds elapse, before the Netscape browser crashes with an "Invalid
Page Fault" error message.  I tried this multiple times with the same result,
however there were two different IPF messages, listed below.

NETSCP6 caused an invalid page fault in
module <unknown> at 0000:00000013.
Registers:
EAX=6111d9d8 CS=016f EIP=00000013 EFLGS=00010a86
EBX=00000001 SS=0177 ESP=0068fa90 EBP=0068faa4
ECX=c049db02 DS=0177 ESI=6111d968 FS=6f67
EDX=0068faac ES=0177 EDI=00000000 GS=0000
Bytes at CS:EIP:
00 54 ff 00 f0 40 ae 00 f0 6e af 00 f0 00 00 00 
Stack dump:
03ac0177 611160f0 0580baa0 0068faac 0580b420 0068fad0 60430eca 01db49c0 0580baa0
03ac5a60 0588f290 0068fb2c 0580fc68 61118ec0 03ac5a60 00000000 



NETSCP6 caused an invalid page fault in
module GKLAYOUT.DLL at 016f:60430ebb.
Registers:
EAX=01e2b480 CS=016f EIP=60430ebb EFLGS=00010246
EBX=00000001 SS=0177 ESP=0068fab8 EBP=0068fad0
ECX=0587e070 DS=0177 ESI=05904660 FS=1d3f
EDX=32dd8a5f ES=0177 EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 08 ff 75 08 ff 75 0c 50 ff 91 4c 01 00 00 8d 
Stack dump:
05397c40 0068fb2c 05901e38 61118ec0 0587e070 00000000 0068fb58 605a51b0 0587e070
0537d0f0 0587e070 05397c40 0068fb2c 605a43e2 0537d0f0 05397c40 
Keywords: qawanted
Keywords: testcase
Just tried the steps above on a Win2000 machine using the 2002040210 build and
got no crash.
Instructions in comment 5 crash it for me. Chris offered to help, so over to him
- thanks!
Assignee: attinasi → waterson
Marking it as topcrash+ since we have a reproducible case submitted by TUCSON
Beta testing group. nominating for nsbeta1
Keywords: topcrash → nsbeta1, topcrash+
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.0
I can crash this on Linux. I had to hit `Shift Reload' on the page to crash.
OS: Windows NT → All
Hardware: PC → All
The URL of image that's causing the crash is
<http://ads.cdfreaks.com/adview.php?bannerID=13>.
Attached file test case
This page ought to crash the browser when you Shift+Reload.
Keywords: nsbeta1 → nsbeta1+
Whiteboard: [adt1]
Attached image animated gif
Attached file minimized test case
This test case refers to the animated gif attached above (attachment 77948 [details]).
To reproduce the bug, load the test case (attachment 77949 [details]), and then hit `Shift
Reload'. Wait a second or two, and the browser should crash. This looks like it
may be a problem with table teardown and/or with parser fixup. cc'ing karnaze &
harishd.

The minimized test case is as follows:

<html>
 <head>
  <title>Bug 133410</title>
 </head>

 <body>

  <table>
   <tr>
    <td>
     <form>
      <input type="text">
      <input type="submit" value="Search">
     <!-- note missing form close tag -->
    </td>
   </tr>
  </table>

  <table>
   <span>
    <!-- simple animated gif -->
    <img src="attachment.cgi?id=77948&action=view">
   </span>
  </table>

 </body>
</html>
Here's the content model that gets created once you strip the whitespace out of
the test case:

html@0x81e3cd8 refcount=9<
  head@0x81e3d30 refcount=2<
  >
  body@0x81fdb28 refcount=4<
    table@0x82300f0 refcount=6<
      tbody@0x8230160 refcount=3<
        tr@0x82301b0 refcount=3<
          td@0x8230228 refcount=4<
            form@0x822ff68 refcount=3<
              input@0x8230560 type="text" refcount=48<>
              input@0x82275a8 type="submit" value="Search" refcount=5<>
            >
          >
        >
      >
    >
    table@0x82304e8 refcount=10<
      span@0x82398e8 refcount=3<
        img@0x8239990 src="adview.php.gif" refcount=3<>
      >
    >
  >
>

Note that if I put the </form> tag in, then the <span> is correctly rotated out
from inside the <table> frame. So...looks like an htmlparser or content sink
bug, reassigning to harishd.

Of course, it _is_ unfortunate that this can crash the layout engine:

  <div style="display: table;">
   <span>
    <img src="animated.gif">
   </span>
  </div>

karnaze, should we work on fixing that?
Assignee: waterson → harishd
Status: ASSIGNED → NEW
Component: Layout → Parser
karnaze: FWIW, I take it back -- I can't crash the browser with the above HTML. ;-)
waterson: Are you saying that the missing /FORM is not the problem?
Attached patch patch v1.0
The problem was due to the difference in handling of a FORM in the navdtd and
in the content sink. That is, FORM is never on the navdtd's stack however it
may be on the content sink's stack depending on its ( FORM ) parent. Because of
this difference the insertion point, for a misplaced table content, was
incorrect and hence somehow messed up the layout. With this patch the DTD would
check with the sink, whether a FORM is on the sink's stack or not, before
inserting the misplaced table content.
Status: NEW → ASSIGNED
Whiteboard: [adt1] → [adt1][fix in hand]
Btw, a better way to fix this bug is to treat FORM, in navdtd and in the
content-sink, alike ( Refer to bug 136397 ). However, ever since gecko was
formed the FORM element was always treated as a leaf in CNavDTD and hence
changing this behavior at this stage is asking for trouble. Will try to get to
bug 136397 post 1.0. For now the proposed fix ( in Comment #18 ) is the safest.
Comment on attachment 78281 [details] [diff] [review]
patch v1.0

sr=jst
Attachment #78281 - Flags: superreview+
Fix landed ( 04/11 ) on the trunk.
Whiteboard: [adt1][fix in hand] → [adt1][fix in hand][fixed on the trunk 04/11]
nominating adt1.0.0.  After it's been tested on the trunk, please update the bug
with the results.
Keywords: adt1.0.0
what's the good word from QA? we want this one, but we need to know, this issue
was verified on the trunk, and did not cause any new regressions.

Pls Note: When bugs are fixed on the 1.0 branch, pls replace adt1.0.0+ with
fixed1.0.0 keyword. After QA has verified the fix is in the branch, pls replace
fixed1.0.0, with verified1.0.0.
Checked on OS X trunk (2002-04-15-08) and Windows ME trunk (2002-04-15-03) and
is fixed on both builds. Need to still check on Linux build before I mark verified.
Works under Linux Redhat 6.2 (2002-04-16-09). Marking verified.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified
Status: RESOLVED → VERIFIED
marking adt1.0.0+ on behalf of the adt for approval to checkin on the 1.0
branch.  Please check this in today when you get drivers approval.  When it's
checked in, please add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+
Reopening the bug for now. Will close it after landing the patch on the branch.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Resolving as fixed because it has landed on the trunk. Once it has landed on the
1.0 branch, pls add the fixed1.0.0 keyword.
Status: REOPENED → RESOLVED
Closed: 22 years ago
Keywords: approval
Resolution: --- → FIXED
Whiteboard: [adt1][fix in hand][fixed on the trunk 04/11] → [adt1][fix in hand][fixed on the trunk 04/11] [Needs a=] [ETA 04/19]
Fix landed ( 04/19 ) on the branch.
Keywords: fixed1.0.0
Whiteboard: [adt1][fix in hand][fixed on the trunk 04/11] [Needs a=] [ETA 04/19] → [adt1][fix in hand][fixed on the trunk 04/11 and branch 04/19] [Needs a=] [ETA 04/19]
Status: RESOLVED → VERIFIED
Keywords: verified1.0.0
Verified on branch Win ME (2002-04-23-06) and OS X (2002-04-23-05) builds.
Comment on attachment 78281 [details] [diff] [review]
patch v1.0

after-the-fact a= for 1.0 branch
Attachment #78281 - Flags: approval+
Reopening for more investigation.  It looks like this crash is still around on
the MozillaTrunk...there have been quite a few crashes with similar stacks
reported after the checkin:

Count   Offset    Real Signature
[ 13   nsImageBoxListener::OnStopDecode 9974a836 -
nsImageBoxListener::OnStopDecode ]
[ 9   nsImageBoxListener::OnStopDecode 56f9cda2 - nsImageBoxListener::OnStopDecode ]
[ 3   nsImageBoxListener::OnStopDecode 64e5e08e - nsImageBoxListener::OnStopDecode ]
[ 2   nsImageBoxListener::OnStopDecode f8319efa - nsImageBoxListener::OnStopDecode ]
 
     Crash date range: 2002-04-24 to 2002-04-29
     Min/Max Seconds since last crash: 104 - 149670
     Min/Max Runtime: 200 - 150479
     Keyword List :  
     Count   Platform List 
     13   Windows NT 5.1 build 2600
     11   Windows NT 5.0 build 2195
     3   Windows 98 4.10 build 67766222
 
     Count   Build Id List 
     7   2002042412
     5   2002042703
     5   2002042512
     4   2002042708
     3   2002042410
     3   2002042406
 
     No of Unique Users        23
 
 Stack trace(Frame) 

	 nsImageBoxListener::OnStopDecode
[nsImageBoxFrame.cpp  line 877] 
	 imgRequestProxy::FrameChanged
[imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[imgRequest.cpp  line 336] 
	 imgContainer::Notify
[imgContainer.cpp  line 459] 
	 nsTimerImpl::Fire
[nsTimerImpl.cpp  line 357] 
	 nsTimerManager::FireNextIdleTimer
[nsTimerImpl.cpp  line 591] 
	 nsAppShell::Run
[nsAppShell.cpp  line 134] 
	 nsAppShellService::Run
[nsAppShellService.cpp  line 451] 
	 main1
[nsAppRunner.cpp  line 1447] 
	 main
[nsAppRunner.cpp  line 1782] 
	 WinMain
[nsAppRunner.cpp  line 1800] 
	 WinMainCRTStartup()  
	 kernel32.dll + 0x1eb69 (0x77e7eb69)   
 
     (5728311)	URL: http://www.tucows.com/
     (5720315)	Comments: Browsing E-bay
     (5719910)	Comments: just browsing
     (5683843)	Comments: Had the Mozilla windows open for quite a while  when I started
using them again  they were suddenly considerably slow. I suspect a memory leak
somewhere in this build.
     (5677976)	URL: www.betanews.com
     (5677976)	Comments: Scrolling down the page using the scrollbar.
     (5677467)	Comments: browsing Ebay auctions
     (5672521)	URL: http://www.google.com
     (5643912)	URL: somewhere on forum.sonique.com
     (5643912)	Comments: Clicked the back button  then tried to scroll up using the slider
and the mouse was a text i-bar and mozilla was frozen *alas*.
     (5642825)	URL: www.nytimes.com/auth/login:URL=http://   (missed the rest)
     (5622482)	Comments: Clicked on "Reply" in order to reply to an e-mail message  which
appeared to cause a failure.
     (5600977)	URL: http://www.chl.it/
     (5600977)	Comments: while browsinginformaticacomputer su misurared button
procediprocessorisocket Aduron somethinginserisci nel progetto
     (5577848)	URL: eastbayexpress.com
     (5577848)	Comments: Clicking a link to continue reading an article
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
There have also been a few incidents on the Mozilla1.0 Branch after the checkin
there:

Count   Offset    Real Signature
[ 3   nsImageBoxListener::OnStopDecode 829d1c60 - nsImageBoxListener::OnStopDecode ]
[ 1   nsImageBoxListener::OnStopDecode c3a93772 - nsImageBoxListener::OnStopDecode ]
 
     Crash date range: 2002-04-21 to 2002-04-26
     Min/Max Seconds since last crash: 1108 - 9369
     Min/Max Runtime: 1108 - 9369
     Keyword List :  
     Count   Platform List 
     3   Windows NT 5.0 build 2195
     1   Windows 98 4.10 build 67766446
 
     Count   Build Id List 
     2   2002042308
     1   2002042208
     1   2002042108
 
     No of Unique Users         3
 
 Stack trace(Frame) 

	 nsImageBoxListener::OnStopDecode
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 877] 
	 imgRequestProxy::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp  line 336] 
	 imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp  line 459] 
	 nsTimerImpl::Process
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 342] 
	 handleMyEvent
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 381] 
	 PL_HandleEvent
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 597] 
	 PL_ProcessPendingEvents
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 530] 
	 _md_EventReceiverProc
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 1078] 
	 nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp  line 309] 
	 main1
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1431] 
	 main
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1766] 
	 WinMain
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1784] 
	 WinMainCRTStartup()  
	 KERNEL32.DLL + 0xd326 (0x77e8d326)   
 
     (5454284)	Comments: Crashed doing a search 
Summary: Trunk M099 topcrash [@ nsImageBoxListener::OnStopDecode] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode]
jpatel: Is it reproducible?
Could this be another instance of bug 138292?
With the patch in bug 138292 I am not seeing a crash after 
loading/reloading the url and each test case. I haven't tried it without the 
patch. The minimized test case is similar to the test case in bug 138292. 
I have never been able to reproduce this particular crash, not even with the
latest urls and comments I just posted, but clearly people are still crashing at
nsImageBoxListener::OnStopDecode.  

Maybe this is another instance of bug 138292, but we will only know for sure if
someone is able to reproduce.  I'll keep an eye on Talkback data after that
checkin goes in to see if these crashes go away as well.
The fix for bug 138292 (checked in 4/30) didn't help much with this crash, there
were 3 incidents with 5/1 MozillaTrunk builds.  Here is the most recent incident:

Incident ID 5839470
Stack Signature nsImageBoxListener::OnStopDecode 48adca0f
Email Address
Product ID MozillaTrunk
Build ID 2002050108
Trigger Time 2002-05-01 20:01:31
Platform Win32
Operating System Windows 98 4.10 build 67766446
Module GKLAYOUT.DLL
URL visited
User Comments
Trigger Reason Access violation
Source File Name nsImageBoxFrame.cpp
Trigger Line No. 877
Stack Trace
nsImageBoxListener::OnStopDecode [nsImageBoxFrame.cpp, line 877]
imgRequestProxy::FrameChanged [imgRequestProxy.cpp, line 294]
imgRequest::FrameChanged [imgRequest.cpp, line 336]
imgContainer::Notify [imgContainer.cpp, line 459]
nsTimerImpl::Fire [nsTimerImpl.cpp, line 357]
nsTimerManager::FireNextIdleTimer [nsTimerImpl.cpp, line 591]
nsAppShell::Run [nsAppShell.cpp, line 134]
nsAppShellService::Run [nsAppShellService.cpp, line 451]
main1 [nsAppRunner.cpp, line 1447]
main [nsAppRunner.cpp, line 1783]
WinMain [nsAppRunner.cpp, line 1801]
WinMainCRTStartup()
KERNEL32.DLL + 0x1b6e6 (0xbff8b6e6)
KERNEL32.DLL + 0x1b598 (0xbff8b598)
KERNEL32.DLL + 0x19f5b (0xbff89f5b)
0x1c0e5d1c 
Well, I tried several times but wasn't able to reproduce that crash.

Is there a URL associated with the crash?
Here are some of the most current URLs noted in TB reports:

http://www.gamasutra.com
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2020334056 
ebay.com
http://www.tucows.com/
http://climate.netscape.com/reports/SingleIncidentInfo.cfm?dynamicBBID=5900773
has a slightly different stack (main1 [nsAppRunner.cpp, line 1472] instead of 1447)
I tried loading the urls mentioned in comment #42 several times but wasn't able
to reproduce the crash. Can any one else?
Keywords: qawanted
Observation:
-------------
On Initial Load:
  ImageFrame    - 0x03dcc2f0
  ImageListener - 0x039b6d58
    - mFrame    - 0x03dcc2f0

On Reload:
  ImageFrame    - 0x03ba1300
  ImageListener - 0x03c97de8
    - mFrame    - 0x03ba1300

When crashed:
  ImageFrame    - 0x03dcc2f0  <<<<
  ImageListener - 0x039b6d58  <<<<  IDENTICAL TO INITIAL LOAD!
    - mFrame    - 0x03dcc2f0  <<<<

It looks like the ImageRequestProxy is holding on to an obsolete frame!
Note: To reproduce the crash undo my patch on your local tree. With my patch I
was never able to crash. 

FYI: I smell something fishy in imgContainer but couldn't say where :(

--> pavlov
Assignee: harishd → pavlov
Status: REOPENED → NEW
Objects in C++ can go away and be re-created at the same address that an old
object lived at (i.e. heap memory is reused), so make sure that's not what
you're seeing here...
this hasn't shown up in talkback since 2002050304...
*** Bug 142830 has been marked as a duplicate of this bug. ***
bug 142830 points out a reproducible URL to get this crash (I can get this 
consistently in a win2k trunk build). Try loading http://gamefix.free.fr/ and 
then 'about:blank', and repeating that once or twice.
http://gamefix.free.fr/ worksforme with linux trunk build 20020507.
John's steps crash for me incident #6064562 - build 2002050708. WinNT4. with the
nsImageListener::FrameChanged signature (from duped bug 142830.)
Keywords: qawanted
Summary: Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][nsImageListener::FrameChanged]
Crashes with the nsImageBoxListener::OnStopDecode stack signature are no longer
showing up in Talkback data after 5/3 MozillaTrunk builds.

However, people seem to still be crashing at nsImageListener::FrameChanged with
a similar stack trace.  Should we leave this bug open or log a new bug?  This
bug seems to be cluttered with a lot of adt keywords that might confuse people.
Summary: Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][nsImageListener::FrameChanged] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][@ nsImageListener::FrameChanged]
The nsImageListener::FrameChanged crashes might be related to bug 138292.
Although the nsImageBoxListener::OnStopDecode stack signature isn't showing up
in Talkback reports, it looks like this crash is still happening under the
0x00000000 stack signature:

Count   Offset    Real Signature
[ 3   0x00000000 917e95fa - nsImageBoxListener::OnStopDecode ]
[ 3   0x00000000 5de130aa - nsImageBoxListener::OnStopDecode ]
 
     Crash date range: 2002-04-27 to 2002-05-03
     Min/Max Seconds since last crash: 61 - 87928
     Min/Max Runtime: 2647 - 87928
     Keyword List :  
     Count   Platform List 
     3   Windows NT 5.1 build 2600
     3   Windows NT 5.0 build 2195
 
     Count   Build Id List 
     3   2002050108
     1   2002050208
     1   2002042708
     1   2002042703
 
     No of Unique Users         5
 
 Stack trace(Frame) 

	 0x00000000  
	 nsImageBoxListener::OnStopDecode
[nsImageBoxFrame.cpp  line 877] 
	 imgRequestProxy::FrameChanged
[imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[imgRequest.cpp  line 336] 
	 imgContainer::Notify
[imgContainer.cpp  line 459] 
	 nsTimerImpl::Fire
[nsTimerImpl.cpp  line 357] 
	 nsTimerManager::FireNextIdleTimer
[nsTimerImpl.cpp  line 591] 
	 nsAppShell::Run
[nsAppShell.cpp  line 134] 
	 nsAppShellService::Run
[nsAppShellService.cpp  line 451] 
	 main1
[nsAppRunner.cpp  line 1447] 
	 main
[nsAppRunner.cpp  line 1783] 
	 WinMain
[nsAppRunner.cpp  line 1801] 
	 WinMainCRTStartup()  
	 KERNEL32.DLL + 0xd326 (0x77e8d326)   
 
     (5895034)	Comments: browzing eBay
     (5873107)	URL: www.batshalom.org
     (5873107)	Comments: (or is it www.bat-shalom.org ?)The java console kicked in... some
java applet was taking forever to load (apparently)... I clicked on a link  it
started bringing up another page and Moz simply disapeared. 
     (5702810)	URL: www.antiwar.com   (missed the rest)
     (5702810)	Comments: I usually print through adobe pdf writer because I've discovered
that Moz's (sp?) print preview has stopped being WYSIWYG. Anyway  I looked at
another site (www.ariga.com) and was going through www.antiwar.com when Moz
simply vanished. Instantly.(that
     (5702810)	Comments:  was after printing a few pages here and there)
     (5683982)	URL: www.foodtv.com
The crash with the original url and testcase is no longer happening, so I was
wondering if we should log a new bug for these recent crashes?  

I already closed bug 138292 verified fixed again (the crash with the original
url and testcase in that bug has been fixed).

Pav:  Any thoughts on that?  Should we leave this one open or log a new bug?
harish, I don't understand your comments... the only reason we would crash in
these places is because of memory getting stomped on due to a frame being
recycled in the arena without the destroy method being called on it.  We've seen
this "bug" numerous times and it always points to layout not properly deleting a
frame object.
Assignee: pavlov → harishd
QA Contact: petersen → moied
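Added illustration (not part of the bug thread and not Gecko code): the lifetime problem discussed in the comments above, where a listener keeps a raw pointer to a frame whose arena slot is recycled without the destroy step, next to a teardown that clears the back-pointer first. Frame, Listener and FrameArena are hypothetical stand-ins; both frames have the same type here so the stale access stays well-defined and observable.

```cpp
// Added illustration; Frame, Listener and FrameArena are hypothetical
// stand-ins, not Gecko classes.
#include <cstdio>
#include <new>
#include <vector>

struct Frame;

// Receives image-animation callbacks; holds a raw, non-owning back-pointer.
struct Listener {
    Frame* mFrame = nullptr;
    bool Notify();  // true if some frame was touched
};

struct Frame {
    Listener* mListener = nullptr;
    int mId;
    int mHits = 0;  // notifications delivered to this frame
    explicit Frame(int id) : mId(id) {}
};

bool Listener::Notify() {
    if (!mFrame) return false;  // only effective if teardown cleared the pointer
    ++mFrame->mHits;
    return true;
}

// Single-size arena with a LIFO free list: a freed slot is the next one reused,
// so a new frame can appear at the address of an old one.
class FrameArena {
    alignas(Frame) unsigned char mSlots[4][sizeof(Frame)];
    std::vector<void*> mFree;
public:
    FrameArena() { for (auto& slot : mSlots) mFree.push_back(slot); }
    Frame* Create(int id) {
        void* p = mFree.back();
        mFree.pop_back();
        return new (p) Frame(id);
    }
    // Teardown that skips the destroy step: the listener is never told.
    void RecycleWithoutDestroy(Frame* f) {
        f->~Frame();
        mFree.push_back(f);
    }
    // Teardown that severs the listener's back-pointer before recycling.
    void Destroy(Frame* f) {
        if (f->mListener) f->mListener->mFrame = nullptr;
        f->~Frame();
        mFree.push_back(f);
    }
};

struct Result {
    bool sameAddress;     // new frame landed in the old frame's slot
    bool oldListenerRan;  // late callback from the old listener touched a frame
    int hitsOnNewFrame;   // notifications the new frame received
    int newFrameId;
};

// Models load, teardown, reload, then a late animation-timer callback.
Result Run(bool properDestroy) {
    FrameArena arena;
    Listener oldListener;
    Frame* a = arena.Create(1);
    a->mListener = &oldListener;
    oldListener.mFrame = a;
    const void* oldAddr = a;

    if (properDestroy) arena.Destroy(a);
    else arena.RecycleWithoutDestroy(a);

    Listener newListener;
    Frame* b = arena.Create(2);
    b->mListener = &newListener;
    newListener.mFrame = b;

    bool ran = oldListener.Notify();  // timer fires after the frame went away
    return { oldAddr == static_cast<const void*>(b), ran, b->mHits, b->mId };
}

int main() {
    Result bug = Run(false);
    Result ok = Run(true);
    std::printf("no destroy: same address=%d, old listener ran=%d, hits on frame %d=%d\n",
                bug.sameAddress, bug.oldListenerRan, bug.newFrameId, bug.hitsOnNewFrame);
    std::printf("destroy:    same address=%d, old listener ran=%d, hits on frame %d=%d\n",
                ok.sameAddress, ok.oldListenerRan, ok.newFrameId, ok.hitsOnNewFrame);
    return 0;
}
```

Identical addresses across loads do not by themselves prove a stale object, since the arena reuses slots either way; what differs between the two runs is whether the old listener still reaches a frame.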
I hate to bounce bugs back and forth but this is not a parser problem anymore.
Reassigning to layout for further investigation.
Assignee: harishd → attinasi
Component: Parser → Layout
QA Contact: moied → petersen
      Count   Offset    Real Signature
[ 35   nsImageListener::FrameChanged 1c0e1f8a - nsImageListener::FrameChanged ]
[ 26   nsImageListener::FrameChanged f0971e0e - nsImageListener::FrameChanged ]
[ 21   nsImageListener::FrameChanged 0be4b6aa - nsImageListener::FrameChanged ]
[ 9   nsImageListener::FrameChanged 2a5e057a - nsImageListener::FrameChanged ]
[ 5   nsImageListener::FrameChanged 70ae2a6a - nsImageListener::FrameChanged ]
[ 4   nsImageListener::FrameChanged a88c85df - nsImageListener::FrameChanged ]
[ 4   nsImageListener::FrameChanged 937cff02 - nsImageListener::FrameChanged ]
[ 3   nsImageListener::FrameChanged f4f6126b - nsImageListener::FrameChanged ]

 
     Crash date range: 2002-05-04 to 2002-05-12
     Min/Max Seconds since last crash: 29 - 446127
     Min/Max Runtime: 410 - 484914
     Keyword List : click(4),  
     Count   Platform List 
     51   Windows NT 5.0 build 2195
     49   Windows NT 5.1 build 2600
     7   Windows 98 4.10 build 67766446

 Stack trace(Frame) 

	 nsImageListener::FrameChanged
[nsImageFrame.cpp  line 2383] 
	 imgRequestProxy::FrameChanged
[imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[imgRequest.cpp  line 338] 
	 imgContainer::Notify
[imgContainer.cpp  line 459] 
	 nsTimerImpl::Fire
[nsTimerImpl.cpp  line 357] 
	 nsTimerManager::FireNextIdleTimer
[nsTimerImpl.cpp  line 591] 
	 nsAppShell::Run
[nsAppShell.cpp  line 134] 
	 nsAppShellService::Run
[nsAppShellService.cpp  line 451] 
	 main1
[nsAppRunner.cpp  line 1472] 
	 main
[nsAppRunner.cpp  line 1808] 
	 WinMain
[nsAppRunner.cpp  line 1826] 
	 WinMainCRTStartup()  
	 kernel32.dll + 0x1eb69 (0x77e7eb69)   
 
     (6211424)	URL: http://slashdot.org
     (6159191)	Comments: Click boom bah! Nothing out of the ordinary. Single window.I think
these crashes are intention so you can gather marketroidle demographics
information  like what other programs I'm running at the time. Try tossing some
more code at the screen to see if
     (6159191)	Comments:  it sticks. We don need no steenkin algorithms.
     (6147840)	URL: www.ubid.com
     (6115349)	URL: http://www.ubid.com/actn/opn/getpage.asp?AuctionId=7214002
     (6101905)	URL: groups.yahoo.com
     (6101822)	URL: groups.yahoo.com
     (6067037)	URL: www.paypal.com
     (6067037)	Comments: I was trying to login to their secure site
     (6066401)	Comments: Moving back and forth between eBay & Half.com.  Was doing a "back"
from Half.com to eBay when it errored.
     (6054065)	URL: www.blockbuster.com
     (6041117)	URL: http://www.ubid.com/actn/opn/getpage.asp?AuctionId=7214002
     (6041117)	Comments: Initial click on the page
     (6038291)	Comments: scrolled a bugzilla query result-page before it had fully loaded
     (6033643)	URL: http://gamefix.free.fr
     (6032400)	URL: http://gamefix.free.fr
     (6032355)	URL: http://www.winace.com
     (6012854)	Comments: I was surfing eBay
     (6012843)	Comments: I was surfing eBay
     (6012830)	Comments: when pressing Home button
     (6012671)	URL: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&Item=1535479505
     (6003592)	URL: http://www.football365.com/Homegrounds/Chelsea/News/index.shtml
     (6003592)	Comments: Clicked on  Rangers Hero link
     (5992341)	Comments: clicked on linik regarding 'armored ascii bug' in google search
for 'armored ascii'. Kept going to linuxtoday site and when clicked back would
not go back (link was redirecting me?) . Hit back a couple times then crashed.
     (5967321)	URL: www.neimanmarcus.com
     (5956412)	URL: http://www.wrestlingheadlines.com/index2.html
     (5929043)	Comments: browsing a web site
 
"The crash with the original url and testcase is no longer happening, so I was
wondering if we should log a new bug for these recent crashes?"

jpatel: please file a new bug for the recent crashes. Thanks.
Thanks Kevin...I was waiting for that comment.  Returning this bug to fixed.  I
will open a new bug on the recent nsImageListener::FrameChanged crashes.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified fixed.  As I stated before, the original url and testcase in this bug is
no longer crashing for me (or others based on Talkback data).  

Removing [@ nsImageListener::FrameChanged] from summary, I will be logging a new
bug for that crash soon and will post the bug # here for others that want to
track it.
Status: RESOLVED → VERIFIED
Summary: Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][@ nsImageListener::FrameChanged] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode]
Logged bug 144315 for new nsImageListener::FrameChanged crashes...please go
there with any new info you might have for those crashes.
jpatel: This seems to be the top topcrasher on the branch, with 19 reproductions
on Windows since 6/21 -- or am I doing something wrong?  Should this be reopened?
Kevin, the original nsImageBoxListener::OnStopDecode stack trace is the #1
topcrash on branch, trunk, and M11A, and is the #4 crash on M100.  Why did you
request its closure?
Blake and Jan:  See comment #60.  The original crash reported in this bug was
fixed and for a while we didn't see this stack in Talkback data and couldn't
reproduce it.  Then all of a sudden it reappeared.  Keep this bug closed...here
are a few newer bugs to look at:

nsImageListener::FrameChanged bug 144315 (this bug has been fixed, but only for
one testcase or url)

nsImageListener::FrameChanged bug 153815 (this bug was opened to deal with the
remaining crashes after bug 144315 was fixed)

nsImageBoxListener::OnStopDecode bug 146027 (this bug was to deal with the
remaining crashes after this bug (133410) was fixed, but Alexandru Savulov
thought it might be the same or related to bug 144315...but even after the fix
for bug 144315, I was still seeing crashes, so I just marked it a dup of bug
153815). 

So...now we need to figure out if bug 146027 is really the same as bug 153815. 
If it isn't we should reopen it and deal with just the
nsImageBoxListener::OnStopDecode crashes alone in that bug and leave bug 153815
open to deal with just nsImageListener::FrameChanged crashes.

Wow...that was some ugly writing.  I hope it was clear enough though.
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ nsImageBoxListener::OnStopDecode]