Closed
Bug 267804
Opened 20 years ago
Closed 19 years ago
FF10RC1 crash blocking iframes with AdBlock extension [@ nsDocShell::GetVisibility]
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jay, Assigned: dbaron)
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(1 file)
1.45 KB,
patch
|
jst
:
review+
jst
:
superreview+
dbaron
:
approval-aviary+
dbaron
:
approval1.7.5+
|
Details | Diff | Splinter Review |
This is a topcrash for Firefox 1.0 RC1 and is clearly related to the AdBlock extension. Comments suggest it's more directly a result of blocking iframes: Count Offset Real Signature [ 25 nsDocShell::GetVisibility d3962dc2 - nsDocShell::GetVisibility ] Crash date range: 01-NOV-04 to 31-OCT-04 Min/Max Seconds since last crash: 17 - 385701 Min/Max Runtime: 4077 - 396191 Count Platform List 25 Windows XP [Windows NT 5.1 build 2600] Count Build Id List 25 2004102622 No of Unique Users 22 Stack trace(Frame) nsDocShell::GetVisibility [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 3363] PresShell::IsVisible [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 6158] IsViewVisible [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 416] nsViewManager::SetWindowDimensions [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 684] DocumentViewerImpl::InitPresentationStuff [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp line 690] DocumentViewerImpl::InitInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp line 876] DocumentViewerImpl::Init [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp line 639] nsDocShell::Embed [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 4235] nsDocShell::CreateAboutBlankContentViewer [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 4549] nsDocShell::EnsureContentViewer [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 4478] nsWebShell::GetInterface [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp line 313] nsGetInterface::operator() [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsIInterfaceRequestorUtils.cpp line 53] nsCOMPtr_base::assign_from_helper [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsCOMPtr.cpp line 114] GlobalWindowImpl::GetDocument [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 1108] nsWindowSH::OnDocumentChanged [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMClassInfo.cpp line 4391] nsWindowSH::NewResolve [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMClassInfo.cpp line 4661] XPC_WN_Helper_NewResolve [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp line 929] js_LookupPropertyWithFlags [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2489] js_LookupProperty [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2587] js_GetProperty [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2693] js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2801] js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 958] js_InternalInvoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1035] JS_CallFunctionValue [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3698] nsJSContext::CallEventHandler [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 1297] GlobalWindowImpl::RunTimeout [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 5309] GlobalWindowImpl::TimerCallback [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 5671] nsXULWindow::ShowModal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsXULWindow.cpp line 362] nsContentTreeOwner::ShowAsModal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 443] GlobalWindowImpl::OpenInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 4903] GlobalWindowImpl::OpenDialog [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 3448] XPTC_InvokeByIndex [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp line 102] XPCWrappedNative::CallMethod [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp line 2034] XPC_WN_CallMethod [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp line 1287] js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 941] js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2972] js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 958] js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2972] js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 958] js_InternalInvoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1035] JS_CallFunctionValue [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3698] nsJSContext::CallEventHandler [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 1297] nsJSEventListener::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp line 184] nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp line 1436] nsEventListenerManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp line 1516] nsXULElement::HandleDOMEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp line 2841] PresShell::HandleDOMEventWithTarget [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 6139] nsMenuFrame::Execute [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuFrame.cpp line 1671] nsMenuFrame::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuFrame.cpp line 454] PresShell::HandleEventInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 6103] PresShell::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 5921] nsViewManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 2326] nsViewManager::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 2066] HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp line 77] nsWindow::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 1067] nsWindow::DispatchMouseEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 5261] ChildWindow::DispatchMouseEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 5511] nsWindow::WindowProc [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 1349] USER32.dll + 0x8709 (0x77d48709) USER32.dll + 0x87eb (0x77d487eb) USER32.dll + 0x89a5 (0x77d489a5) USER32.dll + 0x89e8 (0x77d489e8) nsAppShell::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp line 159] nsAppShellService::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 495] (1708502) URL: www.bluesnews.com (1708502) Comments: configuring adblock extension (1689987) Comments: was adding an iframe to be blocked by 'adblock' firefox extension. (1680437) URL: http://www.nforce.nl (1680437) Comments: NOTHING (1675816) Comments: ad block iframe (1655812) URL: http://www.bluesnews.com (1655812) Comments: blocking an ad with adblocker extension (1636632) Comments: edited an Adblock address removing only the querystring from an url to a .php page (1621567) URL: http://www.xbitlabs.com/articles/cpu/display/athlon64-fx55.html (1621567) Comments: Twice this has happened so I think it may be repeatable. I was blocking an iFrame using Adblock. The iFrame is about halfway down the page and is in the middle of the content. (1600439) URL: www.betanews.com (1600439) Comments: adblocking without a * wildcard (1583888) URL: http://www.rage3d.com/board (1583888) Comments: Adblocking the banner ad. (1578070) URL: http://www.wired.com/news/ebiz/0 1272 65503 00.html/wn_ascii (1578070) Comments: Attempting to block an iframe with the adblock extension.
Reporter | ||
Comment 1•20 years ago
|
||
This is happening on all platforms.
OS: Windows XP → All
Hardware: PC → All
Reporter | ||
Comment 2•20 years ago
|
||
WFM using Firefox 1.0 RC2 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 I was not able to crash at any of the urls found in Talkback data after installing Adblock v.5 d2 * nightly 39. I tried blocking every iframe ad I could find on those websites and things worked fine for me.
Assignee | ||
Updated•20 years ago
|
Assignee: nobody → dbaron
Assignee | ||
Comment 3•20 years ago
|
||
I've looked at the disassembly from talkback incident 1758597. The line number in GetVisibility is completely bogus, and I can't see any good reason for it to be that way. However, the "code around the PC" section shows that slightly after the crash point there are three function calls: * 0x28 virtual function with 2 arguments (including this) * 0x74 virtual function with 2 arguments (including this) * 0x7c virtual function with 3 arguments (including this) * 0xc4 virtual function with 1 arguments (including this) The dissasembly seems to match the following code perfectly (in other respects as well): pPresShell->GetDocument(getter_AddRefs(pDoc)); nsIContent *shellContent = pDoc->FindContentForSubDocument(doc); NS_ASSERTION(shellContent, "subshell not in the map"); nsIFrame* frame; pPresShell->GetPrimaryFrameFor(shellContent, &frame); if (frame && !frame->AreAncestorViewsVisible()) { And if that's correct, the crash is because |pPresShell| is null.
Assignee | ||
Comment 4•20 years ago
|
||
Dunno if this is enough to really fix the crash, since I can't reproduce, but it's worth a try since this is pretty high on the topcrash list.
Assignee | ||
Updated•20 years ago
|
Attachment #164819 -
Flags: superreview?(jst)
Attachment #164819 -
Flags: review?(jst)
Attachment #164819 -
Flags: approval1.7.x?
Attachment #164819 -
Flags: approval-aviary?
Assignee | ||
Comment 5•20 years ago
|
||
I should add an NS_NOTREACHED as well.
Comment 6•20 years ago
|
||
Comment on attachment 164819 [details] [diff] [review] proposed patch r+sr=jst
Attachment #164819 -
Flags: superreview?(jst)
Attachment #164819 -
Flags: superreview+
Attachment #164819 -
Flags: review?(jst)
Attachment #164819 -
Flags: review+
Assignee | ||
Updated•20 years ago
|
Attachment #164819 -
Flags: approval1.7.x?
Attachment #164819 -
Flags: approval1.7.x+
Attachment #164819 -
Flags: approval-aviary?
Attachment #164819 -
Flags: approval-aviary+
Assignee | ||
Comment 7•20 years ago
|
||
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-11-05 23:58 -0700. Fix checked in to MOZILLA_1_7_BRANCH, 2004-11-05 23:58 -0700. Fix checked in to trunk, 2004-11-05 23:59 -0700. Not marking fixed because I don't know if this fully fixed the crash (although it probably fixed this signature of the crash.)
Comment 8•20 years ago
|
||
Using today's FF branch Mac build 2004-11-06-06-0.11 - I tested going to a few of these sites with the Adblock extension installed. Going to http://www.nforce.nl and operating on the Adblock controls froze the browser (and I did get the spinning wheel like it wanted to crash, but it didn't) - the only way I could move forward was the Force-Quit. I then went back and uninstalled the extension and had no problems navigating that site. http://www.rage3d.com/board was also a problem.
Comment 9•20 years ago
|
||
I installed adblock on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041106 Firefox/1.0 -- fedora core2 from u.m.o, then went to http://www.nforce.nl I didn't freeze, but I also had difficult in getting the extension to actually block images. flash block seems to work ok. but image blocking didn't happen.
Comment 10•20 years ago
|
||
the adblock tabs were shown on http://www.rage3d.com/board and worked to block the ads... no freeze or crash on linux on this site so far...
Comment 11•20 years ago
|
||
marcia@mozilla.org: can you 1. run "Activity Monitor" 2. double click "firefox" 3. click "sample" 4. copy the sample to a file and attach it here (or just show it to dbaron)
Comment 12•20 years ago
|
||
Using last night's trunk cvs on Windows XP I'm crashing while trying to block the atdmt iframe in the middle of the right-hand column on http://www.warp2search.net/. I'm getting the following stack often; I was only able to reproduce the nsESM::PreHandleEvent stack in talkback once. JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "exn.report.root". Assertion failure: root_points_to_gcArenaPool, at c:/Mozilla/mozilla/js/src/jsgc.c:1335 ntdll.dll!7c901230() >js3250.dll!JS_Assert(const char * s=0x100cb0a0, const char * file=0x100cb07c, int ln=1335) Line 155 C js3250.dll!gc_root_marker(JSDHashTable * table=0x00af8028, JSDHashEntryHdr * hdr=0x02710264, unsigned long num=256, void * arg=0x02cf3c60) Line 1335 + 0x1c bytes C js3250.dll!JS_DHashTableEnumerate(JSDHashTable * table=0x00af8028, JSDHashOperator (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)* etor=0x10043980, void * arg=0x02cf3c60) Line 618 + 0x19 bytes C js3250.dll!js_GC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0) Line 1551 + 0x15 bytes C js3250.dll!js_ForceGC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0) Line 1363 + 0xd bytes C js3250.dll!JS_GC(JSContext * cx=0x02cf3c60) Line 1747 + 0xb bytes C js3250.dll!JS_MaybeGC(JSContext * cx=0x02cf3c60) Line 1766 + 0x9 bytes C gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0) Line 1876 + 0xd bytes C++ gklayout.dll!nsJSContext::ScriptExecuted() Line 1947 C++ xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate() Line 107 C++ xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x01ffc248, unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x00ba4598, nsXPTCMiniVariant * nativeParams=0x0012b200) Line 1588 + 0x1f bytes C++ xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x00ba4598, nsXPTCMiniVariant * params=0x0012b200) Line 450 C++ xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x01ffc248, unsigned int methodIndex=3, unsigned int * args=0x0012b2c8, unsigned int * stackBytesToPop=0x0012b2b8) Line 117 + 0x1e bytes C++ xpcom_core.dll!SharedStub() Line 147 C++ xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0012b3d8, unsigned int methodIndex=1226172, unsigned int paramCount=12802554, nsXPTCVariant * params=0x01ffc248) Line 102 C++ xpc3250.dll!AutoJSSuspendRequest::SuspendRequest() Line 3009 + 0xd bytes C++ js3250.dll!GetPropertyTreeChild(JSContext * cx=0x003e4aa0, JSScopeProperty * parent=0x02e3cdf8, JSScopeProperty * child=0x02d302e8) Line 785 + 0x9 bytes C 00000001()
sdwalker: interesting report with good data, but a different bug, I think. Could you file a new one on Core: JavaScript Engine with that last comment? Thanks.
Comment 14•20 years ago
|
||
(In reply to comment #13) > sdwalker: interesting report with good data, but a different bug, I think. > Could you file a new one on Core: JavaScript Engine with that last comment? Was filed as Bug 274096 and it is fixed.
Reporter | ||
Comment 15•19 years ago
|
||
I only see 6 incidents in Talkback data, which means this crash is long gone. Marking this fixed. If we find other AdBlock related crashes under a different stack signature, let's log a new bug.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ nsDocShell::GetVisibility]
You need to log in
before you can comment on or make changes to this bug.
Description
•