Closed Bug 17932 Opened 25 years ago Closed 25 years ago

[PP] Crash navigating thru Back & Forward button

Categories

(Core :: Networking: Cache, defect, P3)

Product:
Core
Component:
Networking: Cache
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: blee, Assigned: vidur)

References

Details

To repro,
On launching browser, visit several pages in sequence (home.netscape.com/ja,
home.netscape.com/ko, home.netscape.com/de are tried here) and start cliking
Back button toward the first page. If it didn't crash yet, start clicking
Forward button toward the last page loaded. ==> crash.

StackTrace info N/A.

Win32 specific. bld: 11-03-09-M11,
Fine in Mac (11-03-13-M11), Linux (11-03-09-M11)
Component: Browser-General → Cache
Summary: [PP] Crash navigating thru Back & Forward button → [PP] Crash navigating thru Back & Forward button
Assigning to radha.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
resolving as a dupe.


*** This bug has been marked as a duplicate of 17572 ***
Status: RESOLVED → VERIFIED
verified as a dup
Severity: normal → major
Status: VERIFIED → REOPENED
OS: Windows NT → All
Hardware: PC → DEC
trudelle doesn't think that this is a duplicate of the other one, so I'm
re-opening. This crash is very reproducible if you hit the back or forward
button before a large page (such as my.netscape.com) has finished loading.
Marking Platform all as I can reproduce it on Linux.

radha, I know you have a lot on your plate - can you look at this for m11?

Steps to reproduce:

1. Launch apprunner, let default page mozilla.org load
2. Click on MyNetscape, let it load
3. Click on Tinderbox button let it load
4. Click on Back, let my netscape load just a bit, and then click forward
button again while my netscape is in the middle of loading.

Results: You will crash reproducibly
Resolution: DUPLICATE → ---
Here is the dump:

KERNEL32! bff768a4()
nsDebug::Assertion(const char * 0x01833794, const char * 0x01833784, const char
* 0x01833748, int 1569) line 280 + 13 bytes
SinkContext::End() line 1569 + 35 bytes
HTMLContentSink::~HTMLContentSink() line 1887
HTMLContentSink::`scalar deleting destructor'(unsigned int 1) + 15 bytes
HTMLContentSink::Release(HTMLContentSink * const 0x03339330) line 1910 + 134
bytes
CNavDTD::~CNavDTD() line 317 + 27 bytes
CNavDTD::`vector deleting destructor'(unsigned int 1) + 84 bytes
CNavDTD::Release(CNavDTD * const 0x02f06bf0) line 225 + 134 bytes
CParserContext::~CParserContext() line 70 + 27 bytes
CParserContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsParser::~nsParser() line 229 + 31 bytes
nsParser::`vector deleting destructor'(unsigned int 1) + 84 bytes
nsParser::Release(nsParser * const 0x031489b0) line 234 + 134 bytes
nsDocumentBindInfo::OnStopRequest(nsDocumentBindInfo * const 0x033636c0,
nsIChannel * 0x03363460, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1261 + 27 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x03363520,
nsIChannel * 0x03363460, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1379 + 42 bytes
nsHTTPChannel::ResponseCompleted(nsIChannel * 0x0321fcb0, unsigned int
2152398850, const unsigned short * 0x00000000) line 779 + 42 bytes
nsHTTPResponseListener::OnStopRequest(nsHTTPResponseListener * const
0x03364fb0, nsIChannel * 0x0321fcb0, nsISupports * 0x03363460, unsigned int
2152398850, const unsigned short * 0x00000000) line 239
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x030ea040) line
322
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x030edfd0) line 169 + 12 bytes
PL_HandleEvent(PLEvent * 0x030edfd0) line 537 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00c91a40) line 498 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000004a8, unsigned int 53930, unsigned int 0,
long 13179456) line 972 + 9 bytes
KERNEL32! bff7363b()
KERNEL32! bff942e7()
008e8bda()
Severity: major → critical
OS: All → Windows NT
Hardware: DEC → PC
Assignee: radha → rickg
Status: REOPENED → NEW
It looks like this bug is related to interrupting a document that is being
loaded.  I bet that it is a result of my fixing nsLoadgroup::Cancel(...) so that
it *actually* interrupts loading documents.

I believe that the NS_ASSERTION(mStackPos == 1,...) is not correct since it does
not take into account documents that are interrupted.  In the case of a document
that was interrupted during its loading, it is quite possible that stack will be
> 1.

If the assertion is ignored in the debugger, everything seems to work fine...
I'm moving this bug over to rickg so he can have someone familiar with the
HTMLContentSink take a look at the assert...
Target Milestone: M11
Putting on M11 radar for a fix if we could please.
Rick's right - the assertion isn't valid. I removed it in my build a long time
ago (was waiting for M12 to check it in). I'm happy to get rid of it.
*** Bug 10202 has been marked as a duplicate of this bug. ***
Target Milestone: M11 → M12
I see the crash.  seemed to me like you have to go back and
forward quickly to make the crash happen.

we really need to fix this document reloading problem.
rickg, if this is not you please find the right owner...

m12
Fix checked in to the M12 tip. Does it need to go into the M11 branch?
Assignee: rickg → vidur
Target Milestone: M12 → M11
It would be good if we could get this fix on the branch if
-its isolated to a small number of changes
-the fix is low risk
-there aren't a bunch of cross dependencies with other fixes

If it meets this criteria and  can be merged easily to the
SeaMonkey_M11_BRANCH lets do it.

I don't see this bug number called out explictly in the current
trunck checkin to look at it and help make the call.
Which file updates and revisions went into this fix..
Whiteboard: have fix- figuring out if it can be applied to branch
I might have misspoken. The change I made to the tip is just the removal of a
bogus assertion (the one discussed earlier). The change went in with revision
3.269 of layout/html/document/src/nsHTMLContentSink.cpp. The assertion is the
first line of SinkContext::End() in that file. Since I don't have an M11 branch
handy I would *very much* appreciate it if someone else could apply the patch.
Anyone? Anyone? chofmann?
Status: NEW → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
ok, commented out the assert at line 1586...
diff -r3.265.2.1 nsHTMLContentSink.cpp
1586d1585
<  /* NS_ASSERTION(mStackPos == 1, "insufficient close container calls");
<  */

to see if that will help this problem on the m11 branch.
lets shake on the next builds and see if we have enhanced the karma...
How does this differ from 17572?

chofmann, is this supposed to be in the 1999111218 M11 build? If so, it's not; it
crashes on that build checked Mac OS/Linux).
Status: RESOLVED → REOPENED
Target Milestone: M11 → M12
Resolution: FIXED → ---
Yes, my test case above, load my.netscape.com all the way, then load tinderbox
all the way, then hit back to my.netscape.com, then forward as soon as
my.netscape.com starts to lay out, is *still* crashing using M11 candidate
build on win95.

I'm pretty sure there are 2 or 3 crashers related to back and forwards, vidur
must have fixed a different one. I will re-open this bug, but mark M12, it is
too late for M11.
*** Bug 19210 has been marked as a duplicate of this bug. ***
From recent usage of the 19991122 nightly build:

Error loading URL http://apps.freshmeat.net/download/926588842/
           All Files *.*
Going Back
Error loading URL http://bluesnews.com/
Document: Done (0.325 secs)
Going Back
Error: Can't load: http://bluesnews.com/contents.html (804b0002)
Going Forward
Document: Done (2.671 secs)
Error loading URL http://bluesnews.com/
Error: Can't load: http://bluesnews.com/news/news.shtml (804b0002)
commonDialogOnLoad
Move window by 0,20
screen x 0screen y 0
commonDialogOnLoad
Move window by 0,20
screen x 0screen y 0
Document: Done (3.899 secs)
Going Forward
           All Files *.*
Document http://freshmeat.net/ loaded successfully
Document: Done (6.049 secs)
user hit ok
Going Back
Error loading URL http://bluesnews.com/
Document: Done (0.379 secs)
Error: Can't load: http://bluesnews.com/contents.html (804b0002)
Going Forward
Document: Done (2.607 secs)
Error loading URL http://bluesnews.com/
Error: Can't load: http://bluesnews.com/news/news.shtml (804b0002)

Program received signal SIGSEGV, Segmentation fault.
0x400cd38d in nsStr::Truncate () from /home/michael/mozilla/libxpcom.so
(gdb) where
#0  0x400cd38d in nsStr::Truncate () from /home/michael/mozilla/libxpcom.so
#1  0x400d15d4 in nsString::Assign () from /home/michael/mozilla/libxpcom.so
#2  0x40cc5851 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#3  0x40cc5537 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#4  0x40ce298b in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#5  0x40b5c36c in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#6  0x40b5c3d2 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#7  0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#8  0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#9  0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#10 0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#11 0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#12 0x40b5c419 in NSGetModule ()
---Type <return> to continue, or q <return> to quit---
   from /home/michael/mozilla/components/libraptorhtml.so
#13 0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#14 0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#15 0x40b5c419 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#16 0x40b7534b in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#17 0x40cbacef in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#18 0x40bf6e9e in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#19 0x40bf23e7 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#20 0x40bee938 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#21 0x40bef56b in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#22 0x40d8b4c0 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtmlpars.so
#23 0x40d926fe in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtmlpars.so
---Type <return> to continue, or q <return> to quit---
#24 0x40d92dea in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtmlpars.so
#25 0x408935eb in nsDocumentBindInfo::OnDataAvailable ()
   from /home/michael/mozilla/libraptorwebwidget.so
#26 0x40893cfd in nsChannelListener::OnDataAvailable ()
   from /home/michael/mozilla/libraptorwebwidget.so
#27 0x40e7af37 in NSGetModule ()
   from /home/michael/mozilla/components/libnecko_http.so
#28 0x403cdcc3 in NSGetModule ()
   from /home/michael/mozilla/components/libnecko.so
#29 0x403cd740 in NSGetModule ()
   from /home/michael/mozilla/components/libnecko.so
#30 0x40110c17 in PL_HandleEvent () from /home/michael/mozilla/libplds3.so
#31 0x40110b86 in PL_ProcessPendingEvents ()
   from /home/michael/mozilla/libplds3.so
#32 0x400ef694 in nsEventQueueImpl::ProcessPendingEvents ()
   from /home/michael/mozilla/libxpcom.so
#33 0x405421e7 in nsAppShell::SetDispatchListener ()
   from /home/michael/mozilla/libwidget_gtk.so
#34 0x40541dad in _init () from /home/michael/mozilla/libwidget_gtk.so
#35 0x406cd52a in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#36 0x406cebe6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#37 0x406cf1a1 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
---Type <return> to continue, or q <return> to quit---
#38 0x406cf341 in g_main_run () from /usr/lib/libglib-1.2.so.0
#39 0x405f7859 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#40 0x4054781b in nsFileWidget::Show ()
   from /home/michael/mozilla/libwidget_gtk.so
#41 0x40547d2f in nsFileWidget::PutFile ()
   from /home/michael/mozilla/libwidget_gtk.so
#42 0x4055b032 in nsFileSpecWithUIImpl::ChooseOutputFile ()
   from /home/michael/mozilla/libwidget_gtk.so
#43 0x40f79f32 in object.8 ()
   from /home/michael/mozilla/components/libmozxfer.so
#44 0x40f79c31 in object.8 ()
   from /home/michael/mozilla/components/libmozxfer.so
#45 0x40f79d6a in object.8 ()
   from /home/michael/mozilla/components/libmozxfer.so
#46 0x400f94c5 in XPTC_InvokeByIndex () from /home/michael/mozilla/libxpcom.so
#47 0x40e0fc26 in NSGetModule ()
   from /home/michael/mozilla/components/libxpconnect.so
#48 0x40e10d40 in NSGetModule ()
   from /home/michael/mozilla/components/libxpconnect.so
#49 0x4005e791 in js_Invoke () from /home/michael/mozilla/libmozjs.so
#50 0x40064a5a in js_Interpret () from /home/michael/mozilla/libmozjs.so
#51 0x4005e7ed in js_Invoke () from /home/michael/mozilla/libmozjs.so
#52 0x40064a5a in js_Interpret () from /home/michael/mozilla/libmozjs.so
---Type <return> to continue, or q <return> to quit---
#53 0x4005e7ed in js_Invoke () from /home/michael/mozilla/libmozjs.so
#54 0x4005e9b8 in js_InternalCall () from /home/michael/mozilla/libmozjs.so
#55 0x4004720c in JS_CallFunction () from /home/michael/mozilla/libmozjs.so
#56 0x403254a5 in nsJSContext::CallFunction ()
   from /home/michael/mozilla/libjsdom.so
#57 0x4034874e in nsJSEventListener::HandleEvent ()
   from /home/michael/mozilla/libjsdom.so
#58 0x40b43c75 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#59 0x40826740 in NSGetModule ()
   from /home/michael/mozilla/components/librdf.so
#60 0x40b47441 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#61 0x40b4612e in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#62 0x40b75c0d in NSGetModule ()
   from /home/michael/mozilla/components/libraptorhtml.so
#63 0x40e24414 in NSGetModule ()
   from /home/michael/mozilla/components/libraptorview.so
#64 0x40e2d0fa in NSGetModule ()
   from /home/michael/mozilla/components/libraptorview.so
#65 0x40e22f1d in NSGetModule ()
   from /home/michael/mozilla/components/libraptorview.so
---Type <return> to continue, or q <return> to quit---
#66 0x405523fa in nsWidget::DispatchEvent ()
   from /home/michael/mozilla/libwidget_gtk.so
#67 0x40552325 in nsWidget::DispatchWindowEvent ()
   from /home/michael/mozilla/libwidget_gtk.so
#68 0x40552480 in nsWidget::DispatchMouseEvent ()
   from /home/michael/mozilla/libwidget_gtk.so
#69 0x40553091 in nsWidget::OnButtonReleaseSignal ()
   from /home/michael/mozilla/libwidget_gtk.so
#70 0x405522dc in nsWidget::HandleEvent ()
   from /home/michael/mozilla/libwidget_gtk.so
#71 0x405498ea in handle_gdk_event ()
   from /home/michael/mozilla/libwidget_gtk.so
#72 0x406a35cb in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#73 0x406cebe6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#74 0x406cf1a1 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#75 0x406cf341 in g_main_run () from /usr/lib/libglib-1.2.so.0
#76 0x405f7859 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#77 0x40542535 in nsAppShell::Run ()
   from /home/michael/mozilla/libwidget_gtk.so
#78 0x402e9d62 in nsAppShellService::Run ()
   from /home/michael/mozilla/libnsappshell.so
#79 0x804a6c2 in JS_PushArguments ()
#80 0x804a86d in JS_PushArguments ()
---Type <return> to continue, or q <return> to quit---
#81 0x401f5cb3 in __libc_start_main (main=0x804a76c <JS_PushArguments+3980>,
    argc=1, argv=0xbffffae4, init=0x80494c0 <_init>, fini=0x804bf68 <_fini>,
    rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffadc)
    at ../sysdeps/generic/libc-start.c:78
(gdb)
Moving off M12 radar for the time being. One or more might get back once I get a
chance to really look at them.
*** Bug 20024 has been marked as a duplicate of this bug. ***
*** Bug 13795 has been marked as a duplicate of this bug. ***
Whiteboard: have fix- figuring out if it can be applied to branch
In an attempt to get my bug list in order again, marking all the bugs I have
currently as ASSIGNED.
Bulk move of all Cache (to be deleted component) bugs to new Networking: Cache
component.
I don't know if this information helps, but I believe I am seeing this crash on
build 1999121915 for win32 running on Win95. The only really interesting thing
I've noticed is that when performing the repro procedure listed here I always
seem to get an invalid page fault in KERNEL32.DLL.

The interesting part is if I create the crash a little differently, it
consistantly gives an invalid page fault in plds3.dll.  I don't know if that
means anything.  Anyway, the other way I've found to repro the crash is:

Go to bugzilla.mozilla.org
Go to bug# 22023 (prob any will work)
Hit reload then quickly
Just after the header loads but the bug information is not displayed click Back.

I figure that crash, even though it's consitantly in a different DLL is probably
just another shade of this bug.
I believe I fixed the sink interruption problem associated with the stack trace
below. I can't seem to reproduce any of the crashes from the steps listed in the
bug.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
VERIFIED fixed with 2000011408 build. I bet radha's session history changes
helped fix this.
You need to log in before you can comment on or make changes to this bug.