Closed Bug 202895 Opened 23 years ago Closed 23 years ago

[FIXr]Crash when closing several tabs while JPEG images are loading [@ 0x000000f0 - nsPresContext::GetFontPreferences] trunk

Categories: Core :: Graphics: ImageLib, defect, P1
Status: RESOLVED FIXED
Target Milestone: mozilla1.4beta
People: Reporter: wolruf, Assigned: bzbarsky
Keywords: crash, topcrash
Attachments: 2 files

build ID: 2003042112 on Win2k.

Steps to reproduce (100% on this computer):
1. Load URL http://www1.msfc.nasa.gov/NEWSROOM/news/photos/1998/photos98-050.htm
2. Having middle-click to open new tabs in background, quickly click on 4 or 5 'Large' JPG links, an example is http://www1.msfc.nasa.gov/NEWSROOM/news/photos/images/arizona1.jpg
3. While you see the images loading (via tab title), start to close tabs clicking on the 'X', beginning with the tab on the right
4. Close tabs quickly one after another,
5. Mozilla crashes.

Talkback ID: TB19392027Z.
Whiteboard: TB19392027Z
0x000000f0
nsPresContext::GetFontPreferences [c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp, line 285]
nsPresContext::UpdateCharSet [c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp, line 713]
nsPresContext::Observe [c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp, line 746]
nsDocument::SetDocumentCharacterSet [c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp, line 988]
nsMediaDocument::UpdateTitleAndCharset [c:/builds/seamonkey/mozilla/content/html/document/src/nsMediaDocument.cpp, line 262]
nsImageDocument::UpdateTitleAndCharset [c:/builds/seamonkey/mozilla/content/html/document/src/nsImageDocument.cpp, line 613]
ImageListener::OnStopRequest [c:/builds/seamonkey/mozilla/content/html/document/src/nsImageDocument.cpp, line 173]
nsDocumentOpenInfo::OnStopRequest [c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp, line 252]
nsStreamListenerTee::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
nsCOMPtr_base::assign_with_AddRef [c:/builds/seamonkey/mozilla/xpcom/glue/nsCOMPtr.cpp, line 71]
nsHttpChannel::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3111]
nsInputStreamPump::OnStateStop [c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 484]
nsInputStreamPump::OnInputStreamReady [c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 325]
Keywords: stackwanted
Summary: crash when closing several tabs while jpg images are loading → crash when closing several tabs while jpg images are loading [@ nsPresContext::GetFontPreferences ]
Whiteboard: TB19392027Z
cc'ing some people who recently touched nsMediaDocument...
Sounds like we're calling stuff on an already-destroyed prescontext or something... Though the destructor does remove it as the charset observer, I think.. Someone should put a breakpoint in the nsPresContext destructor and see whether mShell is null in there... Actually, looking at the code it looks like nsPresShell::Destroy calls SetShell on the prescontext; when SetShell is called and mShell is not null, the prescontext should remove itself as the charset observer for the relevant document... as it is, we end up with bogus prescontext pointers in the observer list.
Assignee: jdunn → jshin
Reproduced using 2003-04-22-08-trunk, generating TB240986E, though all I had to do was command+click to open the large JPEG in a new window, then close the window. Setting All/All.
OS: Windows 2000 → All
Hardware: PC → All
Summary: crash when closing several tabs while jpg images are loading [@ nsPresContext::GetFontPreferences ] → Crash when closing several tabs while JPEG images are loading [@ nsPresContext::GetFontPreferences]
This is a topcrash on the trunk.

0x000000f0 23
Crash data range: 2003-04-14 to 2003-04-22
Build ID range: 2003041308 to 2003042208

Stack Trace:
0x000000f0
nsPresContext::GetFontPreferences [c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp line 285]
nsPresContext::UpdateCharSet [c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp line 713]
nsPresContext::Observe [c:/builds/seamonkey/mozilla/layout/base/src/nsPresContext.cpp line 746]
nsDocument::SetDocumentCharacterSet [c:/builds/seamonkey/mozilla/content/base/src/nsDocument.cpp line 988]
nsMediaDocument::UpdateTitleAndCharset [c:/builds/seamonkey/mozilla/content/html/document/src/nsMediaDocument.cpp line 263]
nsImageDocument::UpdateTitleAndCharset [c:/builds/seamonkey/mozilla/content/html/document/src/nsImageDocument.cpp line 630]
ImageListener::OnStopRequest [c:/builds/seamonkey/mozilla/content/html/document/src/nsImageDocument.cpp line 178]
nsDocumentOpenInfo::OnStopRequest [c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp line 252]
nsStreamListenerTee::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp line 66]
nsCOMPtr_base::assign_with_AddRef [c:/builds/seamonkey/mozilla/xpcom/glue/nsCOMPtr.cpp line 71]
nsHttpChannel::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp line 3111]
nsInputStreamPump::OnStateStop [c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp line 484]
nsInputStreamPump::OnInputStreamReady [c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp line 325]
nsInputStreamReadyEvent::EventHandler [c:/builds/seamonkey/mozilla/xpcom/io/nsStreamUtils.cpp line 117]
PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c line 660]
PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c line 596]
_md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c line 1396]
nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 479]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1284]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1650]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp line 1672]
WinMainCRTStartup()
KERNEL32.dll + 0x2847c (0x77ea847c)

(19400378) Comments: Closed tab as it was loading
(19400305) Comments: Closed tab as it was loading
(19392027) URL: http://www1.msfc.nasa.gov/NEWSROOM/news/photos/1998/photos98-050.htm
(19392027) Comments: closing tabs while loading jpg images
(19391407) Comments: closing tabs quickly when 14 tabs were open loading bug images
(19365476) URL: www.telugufilmserver.com
(19364272) URL: http://www.alltheweb.com
(19364272) Comments: i was on picture section loading the pictures to big size
(19290685) Comments: opened a new tab by middle clicking
(19283258) URL: http://www.slashdot.org
Keywords: topcrash
Summary: Crash when closing several tabs while JPEG images are loading [@ nsPresContext::GetFontPreferences] → Crash when closing several tabs while JPEG images are loading [@ 0x000000f0 - nsPresContext::GetFontPreferences] trunk
Attached patch: Possible patch
This should fix things, I would think. Someone who can reproduce in a self-build, please test? For 1.4, it may be safer to leave the code in the destructor too, but going forward I think the assert is better...
Sorry I didn't come here earlier. Thanks for the patch and I'll test it as soon as possible. If others can test it now, please go ahead. Actually, I made an almost identical patch based on your diagnosis in comment #3, but I'm still building on a local machine (I changed mozconfig for other bugs). In the meantime, I was trying it on a remote machine, but it's so slow to test it in a remote X11 session.
Comment on attachment 121476 (Possible patch):
Something is wrong with my local tree (now rebuilding). Anyway, I managed to test the patch and it works, i.e. it doesn't crash when the window/tab is closed down in the middle of image loading. Should I check in or ...?
Comment on attachment 121476 (Possible patch):
Need reviews first.... jst, bryner, if you'd rather keep the code in the destructor too, let me know.
Attachment #121476 - Flags: superreview?(jst)
Attachment #121476 - Flags: review?(bryner)
Comment on attachment 121476 (Possible patch):
sr=jst
Attachment #121476 - Flags: superreview?(jst) → superreview+
Comment on attachment 121476 (Possible patch):
Looks good, but... I think I'd prefer if the destructor enforced cleaning this up as well. Maybe change the |mShell = nsnull;| to |SetShell(nsnull);| ?
Attachment #121476 - Flags: review?(bryner) → review+
Comment on attachment 121476 (Possible patch):
Ah, good idea. Will do. Requesting 1.4b approval.
Attachment #121476 - Flags: approval1.4b?
Taking.
Assignee: jshin → bzbarsky
Priority: -- → P1
Summary: Crash when closing several tabs while JPEG images are loading [@ 0x000000f0 - nsPresContext::GetFontPreferences] trunk → [FIXr]Crash when closing several tabs while JPEG images are loading [@ 0x000000f0 - nsPresContext::GetFontPreferences] trunk
Target Milestone: --- → mozilla1.4beta
Comment on attachment 121476 (Possible patch):
a=asa (on behalf of drivers) for checkin to 1.4b.
Attachment #121476 - Flags: approval1.4b? → approval1.4b+
Checked in with the change bryner requested.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
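The lifetime problem diagnosed in this thread and the shape of the fix that was checked in, as an added C++ example (not Mozilla code and not the attached patch). `Observer`, `Document`, `Shell`, `PresContext<Fixed>` and `StaleAfterTeardown` are hypothetical stand-ins, and the model assumes the pre-fix destructor only unregisters while the shell pointer is still set.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Simplified stand-ins for illustration; these are not the Mozilla classes.
struct Observer { virtual void CharsetChanged() = 0; virtual ~Observer() = default; };
struct Document {
    std::vector<Observer*> observers;  // non-owning raw pointers
    void Add(Observer* o) { observers.push_back(o); }
    void Remove(Observer* o) {
        observers.erase(std::remove(observers.begin(), observers.end(), o), observers.end());
    }
    // Notification calls through every stored pointer, live or not.
    void SetCharacterSet() { for (Observer* o : observers) o->CharsetChanged(); }
};
struct Shell { Document* doc; };

template <bool Fixed>
class PresContext : public Observer {
    Shell* mShell = nullptr;
public:
    void SetShell(Shell* shell) {
        // Fixed: leaving a shell also leaves its document's observer list.
        if (Fixed && mShell) mShell->doc->Remove(this);
        mShell = shell;
        if (mShell) mShell->doc->Add(this);
    }
    void CharsetChanged() override {}
    ~PresContext() override {
        if (Fixed) SetShell(nullptr);                // destructor enforces cleanup too
        else if (mShell) mShell->doc->Remove(this);  // skipped once mShell is null
    }
};

// Pointers left in the document after teardown; counted, never dereferenced.
template <bool Fixed>
std::size_t StaleAfterTeardown() {
    Document doc;
    Shell shell{&doc};
    {
        PresContext<Fixed> ctx;
        ctx.SetShell(&shell);   // registers with the document
        doc.SetCharacterSet();  // safe here: ctx is alive
        ctx.SetShell(nullptr);  // shell teardown clears the shell first
    }                           // then the context is destroyed
    return doc.observers.size();
}
int main() {
    std::printf("%zu stale before, %zu after fix\n", StaleAfterTeardown<false>(), StaleAfterTeardown<true>());
}
```

In the unfixed variant the document keeps one pointer to a destroyed context, so the next charset notification (here, the one an image load's OnStopRequest would trigger) calls through freed memory.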
With the 2003042411 build Mozilla hangs while closing a tab which is in the process of downloading a picture. Previously it used to crash. No talkback report is generated, and I had to kill Mozilla. Maybe the bug was not fully fixed?
> With the 2003042411 build

That's before I checked in the patch; look at the comment timestamps and the bonsai logs.
Crash Signature: [@ 0x000000f0 - nsPresContext::GetFontPreferences]