Closed Bug 267804 Opened 20 years ago Closed 19 years ago

FF10RC1 crash blocking iframes with AdBlock extension [@ nsDocShell::GetVisibility]

Categories

(Core :: Layout, defect)

Other Branch
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jay, Assigned: dbaron)

Details

(Keywords: crash, topcrash)

Attachments

(1 file)

This is a topcrash for Firefox 1.0 RC1 and is clearly related to the AdBlock
extension.  Comments suggest it's more directly a result of blocking iframes:

Count   Offset    Real Signature
[ 25   nsDocShell::GetVisibility d3962dc2 - nsDocShell::GetVisibility ]
 
     Crash date range: 01-NOV-04 to 31-OCT-04
     Min/Max Seconds since last crash: 17 - 385701
     Min/Max Runtime: 4077 - 396191
 
     Count   Platform List 
     25   Windows XP [Windows NT 5.1 build 2600] 
 
     Count   Build Id List 
     25   2004102622
 
     No of Unique Users        22
 
 Stack trace(Frame) 

	 nsDocShell::GetVisibility
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 3363] 
	 PresShell::IsVisible
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp
 line 6158] 
	 IsViewVisible
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp
 line 416] 
	 nsViewManager::SetWindowDimensions
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp
 line 684] 
	 DocumentViewerImpl::InitPresentationStuff
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp
 line 690] 
	 DocumentViewerImpl::InitInternal
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp
 line 876] 
	 DocumentViewerImpl::Init
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp
 line 639] 
	 nsDocShell::Embed
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 4235] 
	 nsDocShell::CreateAboutBlankContentViewer
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 4549] 
	 nsDocShell::EnsureContentViewer
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 4478] 
	 nsWebShell::GetInterface
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp
 line 313] 
	 nsGetInterface::operator()
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsIInterfaceRequestorUtils.cpp
 line 53] 
	 nsCOMPtr_base::assign_from_helper
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsCOMPtr.cpp
 line 114] 
	 GlobalWindowImpl::GetDocument
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp
 line 1108] 
	 nsWindowSH::OnDocumentChanged
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMClassInfo.cpp
 line 4391] 
	 nsWindowSH::NewResolve
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMClassInfo.cpp
 line 4661] 
	 XPC_WN_Helper_NewResolve
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp
 line 929] 
	 js_LookupPropertyWithFlags
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c  line
2489] 
	 js_LookupProperty
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c  line
2587] 
	 js_GetProperty
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c  line
2693] 
	 js_Interpret
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 2801] 
	 js_Invoke
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 958] 
	 js_InternalInvoke
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1035] 
	 JS_CallFunctionValue
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c  line
3698] 
	 nsJSContext::CallEventHandler
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp
 line 1297] 
	 GlobalWindowImpl::RunTimeout
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp
 line 5309] 
	 GlobalWindowImpl::TimerCallback
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp
 line 5671] 
	 nsXULWindow::ShowModal
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsXULWindow.cpp
 line 362] 
	 nsContentTreeOwner::ShowAsModal
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp
 line 443] 
	 GlobalWindowImpl::OpenInternal
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp
 line 4903] 
	 GlobalWindowImpl::OpenDialog
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp
 line 3448] 
	 XPTC_InvokeByIndex
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp
 line 102] 
	 XPCWrappedNative::CallMethod
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp
 line 2034] 
	 XPC_WN_CallMethod
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp
 line 1287] 
	 js_Invoke
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 941] 
	 js_Interpret
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 2972] 
	 js_Invoke
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 958] 
	 js_Interpret
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 2972] 
	 js_Invoke
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 958] 
	 js_InternalInvoke
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c 
line 1035] 
	 JS_CallFunctionValue
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c  line
3698] 
	 nsJSContext::CallEventHandler
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp
 line 1297] 
	 nsJSEventListener::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp
 line 184] 
	 nsEventListenerManager::HandleEventSubType
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp
 line 1436] 
	 nsEventListenerManager::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp
 line 1516] 
	 nsXULElement::HandleDOMEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp
 line 2841] 
	 PresShell::HandleDOMEventWithTarget
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp
 line 6139] 
	 nsMenuFrame::Execute
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuFrame.cpp
 line 1671] 
	 nsMenuFrame::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuFrame.cpp
 line 454] 
	 PresShell::HandleEventInternal
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp
 line 6103] 
	 PresShell::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp
 line 5921] 
	 nsViewManager::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp
 line 2326] 
	 nsViewManager::DispatchEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp
 line 2066] 
	 HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp 
line 77] 
	 nsWindow::DispatchEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp
 line 1067] 
	 nsWindow::DispatchMouseEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp
 line 5261] 
	 ChildWindow::DispatchMouseEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp
 line 5511] 
	 nsWindow::WindowProc
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp
 line 1349] 
	 USER32.dll + 0x8709 (0x77d48709)  
	 USER32.dll + 0x87eb (0x77d487eb)  
	 USER32.dll + 0x89a5 (0x77d489a5)  
	 USER32.dll + 0x89e8 (0x77d489e8)  
	 nsAppShell::Run
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp
 line 159] 
	 nsAppShellService::Run
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp
 line 495]  
 
     (1708502)	URL: www.bluesnews.com
     (1708502)	Comments: configuring adblock extension
     (1689987)	Comments: was adding an iframe to be blocked by 'adblock' firefox
extension.
     (1680437)	URL: http://www.nforce.nl
     (1680437)	Comments: NOTHING
     (1675816)	Comments: ad block iframe
     (1655812)	URL: http://www.bluesnews.com
     (1655812)	Comments: blocking an ad with adblocker extension
     (1636632)	Comments: edited an Adblock address  removing only the
querystring from an url to a .php page
     (1621567)	URL: http://www.xbitlabs.com/articles/cpu/display/athlon64-fx55.html
     (1621567)	Comments: Twice this has happened so I think it may be
repeatable. I was blocking an iFrame using Adblock. The iFrame is about halfway
down the page and is in the middle of the content.
     (1600439)	URL: www.betanews.com
     (1600439)	Comments: adblocking without a * wildcard
     (1583888)	URL: http://www.rage3d.com/board
     (1583888)	Comments: Adblocking the banner ad.
     (1578070)	URL: http://www.wired.com/news/ebiz/0 1272 65503 00.html/wn_ascii
     (1578070)	Comments: Attempting to block an iframe with the adblock extension.
This is happening on all platforms.
OS: Windows XP → All
Hardware: PC → All
WFM using Firefox 1.0 RC2 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 

I was not able to crash at any of the urls found in Talkback data after
installing Adblock v.5 d2 * nightly 39.  I tried blocking every iframe ad I
could find on those websites and things worked fine for me.
Assignee: nobody → dbaron
I've looked at the disassembly from talkback incident 1758597.  The line number
in GetVisibility is completely bogus, and I can't see any good reason for it to
be that way.

However, the "code around the PC" section shows that slightly after the crash
point there are three function calls:
 * 0x28 virtual function with 2 arguments (including this)
 * 0x74 virtual function with 2 arguments (including this)
 * 0x7c virtual function with 3 arguments (including this)
 * 0xc4 virtual function with 1 argument (including this)


The disassembly seems to match the following code perfectly (in other respects
as well):

        pPresShell->GetDocument(getter_AddRefs(pDoc));

        nsIContent *shellContent = pDoc->FindContentForSubDocument(doc);
        NS_ASSERTION(shellContent, "subshell not in the map");

        nsIFrame* frame;
        pPresShell->GetPrimaryFrameFor(shellContent, &frame);
        if (frame && !frame->AreAncestorViewsVisible()) {

And if that's correct, the crash is because |pPresShell| is null.
Attached patch: proposed patch
Dunno if this is enough to really fix the crash, since I can't reproduce, but
it's worth a try since this is pretty high on the topcrash list.
Attachment #164819 - Flags: superreview?(jst)
Attachment #164819 - Flags: review?(jst)
Attachment #164819 - Flags: approval1.7.x?
Attachment #164819 - Flags: approval-aviary?
I should add an NS_NOTREACHED as well.
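
An added sketch, not the attached patch (which this page does not show) and not Mozilla code: a guard for the null |pPresShell| identified in the analysis above. `Frame`, `PresShell`, `DocShell`, `Vis`, `GetVisibilityChecked`, `Scenario` and the walk over parents are simplified stand-ins assumed for illustration.

```cpp
// Added illustration: simplified stand-ins, not the Mozilla classes.
#include <cstdio>
#include <memory>

struct Frame {
    bool ancestorViewsVisible;
    bool AreAncestorViewsVisible() const { return ancestorViewsVisible; }
};

struct PresShell {
    Frame* subdocFrame = nullptr;   // frame hosting the child document, may be null
    Frame* GetPrimaryFrameFor() const { return subdocFrame; }
};

struct DocShell {
    DocShell* parent = nullptr;
    std::unique_ptr<PresShell> presShell;   // null when no presentation exists
    PresShell* GetPresShell() const { return presShell.get(); }
};

enum class Vis { Visible, Hidden, NoParentPresentation };

// Hypothetical walk towards the root (an assumption of this sketch). Each
// parent's pres shell is checked before the calls from the quoted code run.
Vis GetVisibilityChecked(const DocShell* shell) {
    for (const DocShell* p = shell->parent; p; p = p->parent) {
        PresShell* pPresShell = p->GetPresShell();
        if (!pPresShell)                      // the unguarded code would
            return Vis::NoParentPresentation; // dereference null here
        Frame* frame = pPresShell->GetPrimaryFrameFor();
        if (frame && !frame->AreAncestorViewsVisible())
            return Vis::Hidden;
    }
    return Vis::Visible;
}

// Constructed scenario: one iframe docshell under one parent docshell.
Vis Scenario(bool parentHasShell, bool frameVisible) {
    Frame frame{frameVisible};
    DocShell parent, iframe;
    iframe.parent = &parent;
    if (parentHasShell) {
        parent.presShell = std::make_unique<PresShell>();
        parent.presShell->subdocFrame = &frame;
    }
    return GetVisibilityChecked(&iframe);
}

int main() {
    std::printf("%d %d %d\n", (int)Scenario(true, true),
                (int)Scenario(true, false), (int)Scenario(false, true));
    return 0;
}
```
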
Comment on attachment 164819 [details] [diff] [review]
proposed patch

r+sr=jst
Attachment #164819 - Flags: superreview?(jst)
Attachment #164819 - Flags: superreview+
Attachment #164819 - Flags: review?(jst)
Attachment #164819 - Flags: review+
Attachment #164819 - Flags: approval1.7.x?
Attachment #164819 - Flags: approval1.7.x+
Attachment #164819 - Flags: approval-aviary?
Attachment #164819 - Flags: approval-aviary+
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-11-05 23:58 -0700.
Fix checked in to MOZILLA_1_7_BRANCH, 2004-11-05 23:58 -0700.
Fix checked in to trunk, 2004-11-05 23:59 -0700.

Not marking fixed because I don't know if this fully fixed the crash (although
it probably fixed this signature of the crash.)
Using today's FF branch Mac build 2004-11-06-06-0.11 - I tested going to a few
of these sites with the Adblock extension installed. Going to
http://www.nforce.nl and operating on the Adblock controls froze the browser
(and I did get the spinning wheel like it wanted to crash, but it didn't) - the
only way I could move forward was the Force-Quit. I then went back and
uninstalled the extension and had no problems navigating that site.
http://www.rage3d.com/board was also a problem.
I installed adblock on 
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041106 Firefox/1.0 --
fedora core2 from u.m.o, 
then went to http://www.nforce.nl 

I didn't freeze, but I also had difficulty in getting the extension to actually
block images.  flash block seems to work ok. but image blocking didn't happen.
the adblock tabs were shown on http://www.rage3d.com/board and worked to block
the ads...  no freeze or crash on linux on this site so far...
marcia@mozilla.org: can you
1. run "Activity Monitor"
2. double click "firefox"
3. click "sample"
4. copy the sample to a file and attach it here (or just show it to dbaron)
Using last night's trunk cvs on Windows XP I'm crashing while trying to block
the atdmt iframe in the middle of the right-hand column on
http://www.warp2search.net/.  I'm getting the following stack often; I was only
able to reproduce the nsESM::PreHandleEvent stack in talkback once.

JS API usage error: the address passed to JS_AddNamedRoot currently holds an
invalid jsval.  This is usually caused by a missing call to JS_RemoveRoot.
The root's name is "exn.report.root".
Assertion failure: root_points_to_gcArenaPool, at
c:/Mozilla/mozilla/js/src/jsgc.c:1335

 ntdll.dll!7c901230() 	
>js3250.dll!JS_Assert(const char * s=0x100cb0a0, const char * file=0x100cb07c,
int ln=1335)  Line 155	C
 js3250.dll!gc_root_marker(JSDHashTable * table=0x00af8028, JSDHashEntryHdr *
hdr=0x02710264, unsigned long num=256, void * arg=0x02cf3c60)  Line 1335 +
0x1c bytes	C
 js3250.dll!JS_DHashTableEnumerate(JSDHashTable * table=0x00af8028,
JSDHashOperator (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)*
etor=0x10043980, void * arg=0x02cf3c60)  Line 618 + 0x19 bytes	C
 js3250.dll!js_GC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0)  Line 1551
+ 0x15 bytes	C
 js3250.dll!js_ForceGC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0)  Line
1363 + 0xd bytes	C
 js3250.dll!JS_GC(JSContext * cx=0x02cf3c60)  Line 1747 + 0xb bytes	C
 js3250.dll!JS_MaybeGC(JSContext * cx=0x02cf3c60)  Line 1766 + 0x9 bytes	C
 gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0)  Line 1876 + 0xd
bytes	C++
 gklayout.dll!nsJSContext::ScriptExecuted()  Line 1947	C++
 xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate()  Line 107	C++
 xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *
wrapper=0x01ffc248, unsigned short methodIndex=3, const nsXPTMethodInfo *
info=0x00ba4598, nsXPTCMiniVariant * nativeParams=0x0012b200)  Line 1588 +
0x1f bytes	C++
 xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const
nsXPTMethodInfo * info=0x00ba4598, nsXPTCMiniVariant * params=0x0012b200) 
Line 450	C++
 xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x01ffc248, unsigned
int methodIndex=3, unsigned int * args=0x0012b2c8, unsigned int *
stackBytesToPop=0x0012b2b8)  Line 117 + 0x1e bytes	C++
 xpcom_core.dll!SharedStub()  Line 147	C++
 xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0012b3d8, unsigned int
methodIndex=1226172, unsigned int paramCount=12802554, nsXPTCVariant *
params=0x01ffc248)  Line 102	C++
 xpc3250.dll!AutoJSSuspendRequest::SuspendRequest()  Line 3009 + 0xd bytes	C++
 js3250.dll!GetPropertyTreeChild(JSContext * cx=0x003e4aa0, JSScopeProperty *
parent=0x02e3cdf8, JSScopeProperty * child=0x02d302e8)  Line 785 + 0x9 bytes	C
 00000001()
sdwalker: interesting report with good data, but a different bug, I think. 
Could you file a new one on Core: JavaScript Engine with that last comment?  Thanks.
(In reply to comment #13)
> sdwalker: interesting report with good data, but a different bug, I think. 
> Could you file a new one on Core: JavaScript Engine with that last comment? 

Was filed as Bug 274096 and it is fixed.

I only see 6 incidents in Talkback data, which means this crash is long gone. 
Marking this fixed.  If we find other AdBlock related crashes under a different
stack signature, let's log a new bug.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsDocShell::GetVisibility]