Closed
Bug 241864
Opened 21 years ago
Closed 21 years ago
M18a2 Crash after trying to save page and visiting other url or reload current url - [@ ntdll.dll - ???] [@nsCOMPtr<nsIURI>::assign_assuming_AddRef]
Categories
(Core :: Networking, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martijn.martijn, Assigned: darin.moz)
References
()
Details
(Keywords: crash, topcrash+)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
4.12 KB,
patch
|
bzbarsky
:
review+
darin.moz
:
superreview+
asa
:
approval1.8b+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040421
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040421
I did see the original problem here:
http://www.massagepraktijkdoorn.nl/
The above is a simplified/minimal testcase.
The following things must be used in the site to get the crash:
- There must be no filename in the url (not http://foo.com/index.html but
http://foo.com/)
- The index.html file has a weird title (with | and :: and spaces in it)
- The index.html file must be a frames page
- One of the framed pages (content2.html) must have a background-image (
background="content2_data/back2.gif") and that background-image must be in a
different directory.
Reproducible: Always
Steps to Reproduce:
1. Visit http://home.hccnet.nl/m.wargers/test/mozilla/crash/filesaveas5/
2. Try to save the page (doesn't seem to work)
3. Press reload or visit a differen site
Actual Results:
Crash
Expected Results:
No crash
|
Reporter | |
Comment 1•21 years ago
|
||
Talkback ID: TB31610Z
It can take a while before the actual crash occurs. Sometimes 20s or so.
Reproducable in 1.7rc1 and FireFox 20040426 on Win2k. Related to bug 227830?
|
||
Comment 4•21 years ago
|
||
Stack Signature ntdll.dll + 0x4ca14 (0x77fcca14) a59b7930
Product ID Mozilla17
Build ID 2004042109
Trigger Time 2004-04-27 04:48:38.0
Platform Win32
Operating System Windows NT 5.0 build 2195
Module ntdll.dll + (0004ca14)
URL visited http://home.hccnet.nl/m.wargers/test/mozilla/crash/filesaveas5/
User Comments See bug 241864
Since Last Crash sec
Total Uptime sec
Trigger Reason Access violation
Source File Name
Trigger Line No.
Stack Trace
ntdll.dll + 0x4ca14 (0x77fcca14)
ntdll.dll + 0x4c774 (0x77fcc774)
MSVCRT.DLL + 0x1e00 (0x78001e00)
JS_free
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c, line 1483]
js_FinalizeObject
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line 2028]
js_GC [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c,
line 1328]
js_ForceGC
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1001]
JS_GC [d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c,
line 1699]
nsJSContext::Notify
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp,
line 1838]
nsTimerImpl::Fire
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/threads/nsTimerImpl.cpp,
line 395]
nsAppShell::Run
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp,
line 142]
nsAppShellService::Run
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 524]
main1
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1313]
main
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1783]
WinMain
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp,
line 1809]
WinMainCRTStartup()
KERNEL32.DLL + 0x11af6 (0x7c581af6)
Hmm, is this JS Engine, Events or something else ?
|
||
Comment 5•21 years ago
|
||
I think the stacktrace here is faulty, got the same with a opt build, but with a
debug build i already crash when i try to save the page (it crashes right after
i've selected the file where to save). I have also noticed if I choose a file
name like foo.html for saving, saving works fine (and doesn't crash with opt
build nor with debug build).
Here's the stacktrace with the debug build and when saving with the faulty(?!)
filename on Win2k with a current cvs trunk build and NTFS file system:
nsCOMPtr<nsIURI>::assign_assuming_AddRef(nsIURI * 0x0492b530) line 494 + 3 bytes
nsCOMPtr<nsIURI>::assign_with_AddRef(nsISupports * 0x0492b530) line 1023
nsCOMPtr<nsIURI>::operator=(const nsCOMPtr<nsIURI> & {...}) line 600
nsWebBrowserPersist::SaveSubframeContent(nsIDOMDocument * 0x047bd5f0, URIData *
0x0492bdc0) line 3300
nsWebBrowserPersist::OnWalkDOMNode(nsIDOMNode * 0x04634a20) line 2749
nsWebBrowserPersist::SaveDocumentInternal(nsIDOMDocument * 0x049265e0, nsIURI *
0x03defca8, nsIURI * 0x03de7780) line 1521
nsWebBrowserPersist::SaveDocument(nsWebBrowserPersist * const 0x049229f4,
nsIDOMDocument * 0x049265e0, nsISupports * 0x03defcac, nsISupports * 0x03e23568,
const char * 0x04701790, unsigned int 0x00002000, unsigned int 0x00000050) line
455 + 33 bytes
XPTC_InvokeByIndex(nsISupports * 0x049229f4, unsigned int 0x0000000a, unsigned
int 0x00000006, nsXPTCVariant * 0x0012e9b0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2027 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x02438028, JSObject * 0x039806a8, unsigned int
0x00000006, long * 0x03d3f1a4, long * 0x0012ec80) line 1287 + 14 bytes
js_Invoke(JSContext * 0x02438028, unsigned int 0x00000006, unsigned int
0x00000000) line 1281 + 23 bytes
js_Interpret(JSContext * 0x02438028, long * 0x0012f6b4) line 3366 + 15 bytes
js_Invoke(JSContext * 0x02438028, unsigned int 0x00000003, unsigned int
0x00000002) line 1301 + 13 bytes
nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJSClass * const 0x04923500,
nsXPCWrappedJS * 0x03de0868, unsigned short 0x0004, const nsXPTMethodInfo *
0x02417ee0, nsXPTCMiniVariant * 0x0012fa00) line 1336 + 22 bytes
nsXPCWrappedJS::CallMethod(nsXPCWrappedJS * const 0x03de0868, unsigned short
0x0004, const nsXPTMethodInfo * 0x02417ee0, nsXPTCMiniVariant * 0x0012fa00) line 450
PrepareAndDispatch(nsXPTCStubBase * 0x03de0868, unsigned int 0x00000004,
unsigned int * 0x0012fab0, unsigned int * 0x0012faa0) line 117 + 31 bytes
SharedStub() line 147
nsURIChecker::SetStatusAndCallBack(unsigned int 0x00000000) line 86
nsURIChecker::OnStartRequest(nsURIChecker * const 0x03e1a2f4, nsIRequest *
0x03de82a0, nsISupports * 0x00000000) line 319
nsHttpChannel::CallOnStartRequest() line 668 + 60 bytes
nsHttpChannel::OnStartRequest(nsHttpChannel * const 0x03de82a8, nsIRequest *
0x046fc4c0, nsISupports * 0x00000000) line 3551
nsInputStreamPump::OnStateStart() line 378 + 42 bytes
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x046fc4c4,
nsIAsyncInputStream * 0x03973c4c) line 334 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03df1324) line 119
PL_HandleEvent(PLEvent * 0x03df1324) line 692 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f17d98) line 627 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00070140, unsigned int 0x0000c11a, unsigned int
0x00000000, long 0x00f17d98) line 1433 + 9 bytes
241864
|
||
Comment 6•21 years ago
|
||
I was able to reproduce some sort of crash at
http://www.massagepraktijkdoorn.nl/...my stack looks a little different though:
Incident ID: 32197
Stack Signature ntdll.dll + 0x33aed (0x77f83aed) 8e69b24d
Email Address jay@mozilla.org
Product ID Mozilla17
Build ID 2004042109
Trigger Time 2004-04-27 16:38:35.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module ntdll.dll + (00033aed)
URL visited http://www.massagepraktijkdoorn.nl/
User Comments loaded page, saved page as, refreshed page
Since Last Crash sec
Total Uptime sec
Trigger Reason Access violation
Source File Name
Trigger Line No.
Stack Trace
ntdll.dll + 0x33aed (0x77f83aed)
ntdll.dll + 0x8cca (0x77f58cca)
msvcrt.dll + 0x1ab2e (0x77c2ab2e)
??3@YAXPAX@Z
nsChildContentList::`scalar deleting destructor'
nsHTMLScriptEventHandler::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLScriptElement.cpp,
line 107]
nsDOMSlots::~nsDOMSlots
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 751]
nsGenericElement::~nsGenericElement
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp,
line 858]
nsHTMLImageElement::`scalar deleting destructor'
nsHTMLDListElement::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLDListElement.cpp,
line 112]
nsAttrAndChildArray::Clear
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsHTMLDListElement::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLDListElement.cpp,
line 112]
nsAttrAndChildArray::Clear
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLDivElement::`scalar deleting destructor'
nsHTMLDListElement::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLDListElement.cpp,
line 112]
nsAttrAndChildArray::Clear
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLBodyElement::`scalar deleting destructor'
nsHTMLDListElement::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLDListElement.cpp,
line 112]
nsAttrAndChildArray::Clear
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 532]
nsAttrAndChildArray::~nsAttrAndChildArray
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsAttrAndChildArray.cpp,
line 77]
nsGenericElement::~nsGenericElement
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp]
nsHTMLHtmlElement::`scalar deleting destructor'
nsHTMLDListElement::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/html/content/src/nsHTMLDListElement.cpp,
line 112]
ReleaseObjects
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/nsCOMArray.cpp,
line 153]
nsVoidArray::EnumerateForwards
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/nsVoidArray.cpp,
line 652]
nsCOMArray_base::Clear
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/xpcom/ds/nsCOMArray.cpp,
line 160]
nsDocument::~nsDocument
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 574]
nsDocument::Release
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 668]
XPCJSRuntime::GCCallback
[d:/BUILDS/tinderbox/Mozilla1.7/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcjsruntime.cpp,
line 549]
0x56077401
Confirming to NEW. Adding M17rc1 to summary since I crashed with that milestone
and also putting in the topcrash keyword since this appears to be an easily
reproducible crash that others might be seeing (it's difficult to know for sure
because the stack signature is a .dll)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: topcrash
Summary: Crash after trying to save page and visiting other url or reload current url → Crash after trying to save page and visiting other url or reload current url - M17rc1 [@ ntdll.dll - ???]
|
|
||
Comment 7•21 years ago
|
||
tweaking summary if someone trys with a debug build.
btw: In the console these warnings appear when clicking at File-Save Page As...
WARNING: malformed url: no scheme, file d:/mozilla/tree6/mozilla/netwerk/base/sr
c/nsStandardURL.cpp, line 705
spec=/_ Praktijk voor Natuurgeneeskunde en Massage Doorn Klassieke Lichaamsmas
sage _ Chinese Massage _ Sportmassage _ Stoelmassage _ Natuurgeneeskunde _ Bindw
eefselmassage _ Holistic Pulsing _ Lymfedrainage _ Diepe Lichaamsmassage
WARNING: malformed url: no scheme, file d:/mozilla/tree6/mozilla/netwerk/base/sr
c/nsStandardURL.cpp, line 705
Summary: Crash after trying to save page and visiting other url or reload current url - M17rc1 [@ ntdll.dll - ???] → Crash after trying to save page and visiting other url or reload current url - M17rc1 [@ ntdll.dll - ???] [@nsCOMPtr<nsIURI>::assign_assuming_AddRef]
|
|
||
Comment 8•21 years ago
|
||
This is definitely still around in Mozilla 1.8a2. I crashed using the urls in
this bug, but each stack is different (as the steps to the crash also varied
somewhat).
My incidents:
443197
443191
443221
Still, since we can't save pages like those described in comment #0 and the
steps here are easily reproducible, we should probably take a closer look here.
Marking topcrash+.
Summary: Crash after trying to save page and visiting other url or reload current url - M17rc1 [@ ntdll.dll - ???] [@nsCOMPtr<nsIURI>::assign_assuming_AddRef] → M18a2 Crash after trying to save page and visiting other url or reload current url - [@ ntdll.dll - ???] [@nsCOMPtr<nsIURI>::assign_assuming_AddRef]
|
|
||
Comment 9•21 years ago
|
||
This is definitely still around in Mozilla 1.8a2. I crashed using the urls in
this bug, but each stack is different (as the steps to the crash also varied
somewhat).
My incidents:
443197
443191
443221
Still, since we can't save pages like those described in comment #0 and the
steps here are easily reproducible, we should probably take a closer look here.
Marking topcrash+.
|
||
Comment 10•21 years ago
|
||
I just crashed trying this testcase with a Firefox trunk build from 2004-12-23.
TB2766977Z
Flags: blocking1.8a6?
|
||
Comment 11•21 years ago
|
||
Darin, can you take a look at this for alpha6?
|
|
Assignee | |
Comment 12•21 years ago
|
||
Martijn: Your testcase appears to be down (resulting in a 404). Would it be
possible for you to resurrect the testcase for us? Thanks!!
|
|
Reporter | |
Comment 13•21 years ago
|
||
Oops! Ok, here it is again (this testcase can't be attached to bugzilla, that's
why it is external).
It crashes for me when I do a File->Save Page as, and then reload the same page
a few times.
|
|
||
Comment 14•21 years ago
|
||
Doesn't look like a fix is at hand. Hopefully Darin can look into this for beta.
Flags: blocking1.8b+
Flags: blocking1.8a6?
Flags: blocking1.8a6-
|
|
||
Comment 15•21 years ago
|
||
The url in the steps to reproduce does not work (404 Not Found).
The actual testcase is in the URL text box under QA Contact, ie.
http://martijn.heelveel.info/test/mozilla/filesaveas5/
|
|
||
Comment 16•21 years ago
|
||
Found out why this crash is occurring.
The problem is the site's long title and Windows' MAX_PATH limit of 248 chars.
When a page is saved, a directory is normally created with the same name as the
site (+ "_files" + frame name + "_data") to store all the images. In this case,
<site_name>_files\content2_data easily exceeds the limit.
The actual cause of this crash is an unchecked call to SaveDocumentInternal()
[on line 3362 in nsWebBrowserPersist.cpp] which then tries to save the data even
though the CreateDirectory call has failed.
A simple return check of SaveDocumentInternal() will prevent this crash, but the
page save will then fail silently.
|
|
||
Comment 17•21 years ago
|
||
Check SaveDocumentInternal() return code patch.
|
||
Comment 18•21 years ago
|
||
great, thanks for tracking this down!
I see that this function sometimes returns NS_OK, sometimes PR_FALSE (both are
the same value, 0). since it's declared nsresult, those should return rv / some
nsresult code...
|
|
||
Comment 19•21 years ago
|
||
Should I make the changes as part of this bug? How about FixupURI(), which also
has the same problem?
|
|
||
Comment 20•21 years ago
|
||
Yes, if you could make changes as part of this bug, that would be great.
Also, please make similar changes to FixupURI, and change things like:
NS_ENSURE_SUCCESS(rv, NS_ERROR_FAILURE);
to
NS_ENSURE_SUCCESS(rv, rv);
|
|
||
Comment 21•21 years ago
|
||
Updated patch. Also changed an incorrect null-pointer check (!url).
Opened bug 281343 for MAX_PATH bug.
Attachment #173462 -
Attachment is obsolete: true
Attachment #173603 -
Flags: review?(bzbarsky)
|
|
||
Comment 22•21 years ago
|
||
Comment on attachment 173603 [details] [diff] [review]
patch v1
Looks reasonable
Attachment #173603 -
Flags: superreview?(darin)
Attachment #173603 -
Flags: review?(bzbarsky)
Attachment #173603 -
Flags: review+
|
|
||
Comment 23•21 years ago
|
||
Darin, if you get free from 1.0.1 fixes, can you help with a review here?
Flags: blocking1.8a6-
|
|
Assignee | |
Comment 24•21 years ago
|
||
Comment on attachment 173603 [details] [diff] [review]
patch v1
it sucks that the compiler can't distinguish nsresult from PRBool. sr=darin
Attachment #173603 -
Flags: superreview?(darin) → superreview+
|
|
Assignee | |
Updated•21 years ago
|
Attachment #173603 -
Flags: approval1.8b?
|
|
||
Comment 25•21 years ago
|
||
Comment on attachment 173603 [details] [diff] [review]
patch v1
a=asa for checkin to 1.8b
Attachment #173603 -
Flags: approval1.8b? → approval1.8b+
|
|
Assignee | |
Comment 26•21 years ago
|
||
fixed-on-trunk for 1.8b1
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 27•21 years ago
|
||
Verified. Sorry, the url for my testcase changes again. (but should not be
necessary anymore :)
Status: RESOLVED → VERIFIED
|
||
Updated•14 years ago
|
Crash Signature: [@ ntdll.dll - ???]
[@nsCOMPtr<nsIURI>::assign_assuming_AddRef]
You need to log in
before you can comment on or make changes to this bug.
Description
•