Closed Bug 305181 Opened 20 years ago Closed 20 years ago

[FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]

Categories

(Core :: DOM: Navigation, defect, P1)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: ria.klaassen, Assigned: bzbarsky)

References

Details

(Keywords: crash, fixed1.8, Whiteboard: [needs SR jst, review bryner])

Crash Data

Attachments

(2 files, 1 obsolete file)

Fix for the crash
2.09 KB, patch
bryner
: review+
jst
: superreview+
brendan
: approval1.8b4+
Details | Diff | Splinter Review
With issues fixed
3.96 KB, patch
darin.moz
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+ I get a crash when I navigate between my Gmail inbox and another URL. Both with branch and trunk. TB8513919M TB8513834Q TB8513943M Reproducible: Always Steps to Reproduce: 1. Go to Gmail Inbox. 2. Click the toolbar Home button or a bookmark. 3. Click Back (Firefox goes back to inbox) 4. Click Back (nothing happens) 5. Click Back (crash) Actual Results: Firefox should go the the first page. Expected Results: It crashed.
Incident ID: 8513919 Stack Signature nsXPConnect::ReleaseJSContext b6fc7098 Product ID Firefox15 Build ID 2005081819 Trigger Time 2005-08-19 01:29:04.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module firefox.exe + (0000d8c3) URL visited gmail User Comments Since Last Crash 324 sec Total Uptime 4358 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1079 Stack Trace nsXPConnect::ReleaseJSContext [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1079] nsDocShell::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3403] nsFrameLoader::LoadFrame [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 103] nsSubDocumentFrame::AttributeChanged [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 500] nsSVGInnerSVGFrame::QueryInterface nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022] nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022] nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022] nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022] nsRootBoxFrame::AddTooltipSupport [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 313] DocumentViewerImpl::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1298] nsDocShell::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3397] nsXULWindow::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 490] nsWebShellWindow::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 834] nsWebShellWindow::HandleEvent [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 382] nsWindow::InitEvent [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1193] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1255] nsWindow::ProcessMessage [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4509] nsWindow::SetNSWindowPtr [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1384] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x45bd (0x77d145bd) USER32.dll + 0x47d4 (0x77d147d4) ntdll.dll + 0x25da3 (0x77f65da3) USER32.dll + 0x2b8e2 (0x77d3b8e2) uxtheme.dll + 0x1b48 (0x5b191b48) nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1420] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x5cd6 (0x77d15cd6) USER32.dll + 0x13346 (0x77d23346) nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1396] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x45bd (0x77d145bd) USER32.dll + 0x47d4 (0x77d147d4) ntdll.dll + 0x25da3 (0x77f65da3) USER32.dll + 0x6202 (0x77d16202) uxtheme.dll + 0x1cc85 (0x5b1acc85) uxtheme.dll + 0x1ae1 (0x5b191ae1) uxtheme.dll + 0x1b48 (0x5b191b48) nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1420] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x5cd6 (0x77d15cd6) USER32.dll + 0x13346 (0x77d23346) nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1396] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x4455 (0x77d14455) USER32.dll + 0x95d5 (0x77d195d5) nsAppStartup::QueryInterface [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup. cpp, line 124] main [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x214c7 (0x77e614c7) Incident ID: 8513943 Stack Signature JS_GetClass a1e25076 Product ID FirefoxTrunk Build ID 2005081806 Trigger Time 2005-08-19 01:30:37.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (00002c8b) URL visited gmail User Comments Since Last Crash 5775 sec Total Uptime 5775 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2112 Stack Trace JS_GetClass [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2112] WrappedNativeShutdownEnumerator [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 429] nsXPConnect::InitClassesWithNewWrappedGlobal [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 550] nsDOMEvent::GetBubbles [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsDOMEvent.cpp, line 325] nsEventListenerManager::CompileEventHandlerInternal [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1504] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1597] nsGlobalWindow::SetOpenerWindow [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1255] DocumentViewerImpl::PermitUnload [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1094] nsDocShell::LoadURI [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 622] nsDocShell::LoadURI [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 624] nsDocShell::LoadURI [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 624] nsDocShell::Stop [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3172] nsXULWindow::SetZLevel [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 258] nsWebShellWindow::SetPersistenceTimer [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 565] nsWebShellWindow::Initialize [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 228] nsWindow::WidgetToScreen [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 924] nsWindow::InitEvent [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 984] nsWindow::ProcessMessage [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4113] nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1138] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x45bd (0x77d145bd) USER32.dll + 0x47d4 (0x77d147d4) ntdll.dll + 0x25da3 (0x77f65da3) USER32.dll + 0x2b8e2 (0x77d3b8e2) uxtheme.dll + 0x1b48 (0x5b191b48) nsWindow::EventIsInsideWindow [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1166] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x5cd6 (0x77d15cd6) USER32.dll + 0x13346 (0x77d23346) nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1141] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x45bd (0x77d145bd) USER32.dll + 0x47d4 (0x77d147d4) ntdll.dll + 0x25da3 (0x77f65da3) USER32.dll + 0x6202 (0x77d16202) uxtheme.dll + 0x1cc85 (0x5b1acc85) uxtheme.dll + 0x1ae1 (0x5b191ae1) uxtheme.dll + 0x1b48 (0x5b191b48) nsWindow::EventIsInsideWindow [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1166] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x5cd6 (0x77d15cd6) USER32.dll + 0x13346 (0x77d23346) nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1141] USER32.dll + 0x27ad7 (0x77d37ad7) USER32.dll + 0x2ccd4 (0x77d3ccd4) USER32.dll + 0x4455 (0x77d14455) USER32.dll + 0x95d5 (0x77d195d5) nsClassHashtable<nsCStringHashKey,nsPasswordManager::SignonHashEntry>::Get [../../../../dist/include/xpcom/nsClassHashtable.h, line 101] main [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x214c7 (0x77e614c7) i believe JS_GetClass may be fixed
Severity: normal → critical
Keywords: crash
Summary: Crash when navigating between Gmail and another URL → Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
This build WFM (no crash): 1.8b4_2005073013 And this one crashes: 1.8b4_2005073111
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+ ID:2005081823 I reproduced the steps of comment #0, nothing happened, i could push back as often as i wanted. The Gmail page opened just showed the word "loading...." but nothing happened. next I opened multiple tabs (from bookmarks) and crashed right away. TB8515774G [@ nsQueryInterface::operator() afa0d513 ]
Tried it Peter's way, which is if I understand it right: Gmail > Home > Back > Bookmarks > crash, and now I get TB8516387G. Regression range is the same.
And Martijn had these steps: Gmail > Other site > Back: TB8333137G. Could not reproduce this. So now there are 4 different talkback signatures.
Tried it also on another system: WinXP SP2. Branch: TB8520828Y TB8520832E Trunk: TB8521537M TB8521600E
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050819 Firefox/1.0+ ID:2005081921 Steps: Gmail -> Press Home button -> Press Back button -> Press Back button again TB8543839Y Can someone confirm this bug?
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050819 SeaMonkey/1.0a TB8544333G, TB8544331Q, TB8544242M gmail > Throbber > Back > Throbber 1st try I went from an open message to my programmed throbber URL (w3c), going back didn't bring the message, but the inbox. Back > Forward > Back > Forward ... has no action on gmail besides activating/deactivating the button: 1. http://jigsaw.w3.org/css-validator/ 2. click 'by URI' http://jigsaw.w3.org/css-validator/ 3. http://mail.google.com/mail/ 4. open message 5. Back activates Forward Button, message stays 6. Forward deactivates Forward Button, message stays 7. repeat steps 5 and 6, message stays ravitca sediseb ,liamg)c2w(
crashed when I closed the browser clicking on the top right [x] TB8545278X Stack signature is the same as in my last comment. So the crash seems to come from some gmail activities, delayed about an hour. When I wrote comment 10 some typing wasn't seen so I had to reposition the cursor and retype. Now I see at the end of my comment a text which seems to be written from right to left. I never use RTL besides looking at a bug in a page, so I don't know how to activate RTL modes, and I didn't have a RTL page open today. the RTL text: ravitca sediseb ,liamg)c2w(
I can't reproduce the crash of comment #5 anymore. And instead of the crash described in comment #0 I get an ugly freeze, leaving firefox.exe as an idle process in the taskmanager after closing Firefox. This behaviour changed between these two builds: 1.8b4_2005081915 and 1.8b4_2005081920
Status: UNCONFIRMED → NEW
Ever confirmed: true
I've seen both the hang and the crash with todays trunk builds, we need to make sure to nail this for 1.8...
Flags: blocking1.8b4?
Following the steps in comment 0 when running in Purify I get the following when I click back once I've gone back to my gmail inbox: [E] FMR: Free memory read in nsSHEntry::GetParent(nsISHEntry * *) {1 occurrence} Reading 4 bytes from 0x0b7b7310 (4 bytes at 0x0b7b7310 illegal) Address 0x0b7b7310 is at the beginning of a 148 byte block Address 0x0b7b7310 points to a C++ new block in heap 0x01c70000 Thread ID: 0x4f0 Error location nsSHEntry::GetParent(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399] GetRootSHEntry [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7743] nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry> *,nsISHEntry *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7767] nsDocShell::Embed(nsIContentViewer *,char const*,nsISupports *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:4469] nsDocShell::CreateContentViewer(char const*,nsIRequest *,nsIStreamListener * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:5538] nsDSURIContentListener::DoContent(char const*,int,nsIRequest *,nsIStreamListener * *,int *) [e:\tip\mozilla\docshell\base\nsdsuricontentlistener.cpp:130] nsDocumentOpenInfo::TryContentListener(nsIURIContentListener *,nsIChannel *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:774] nsDocumentOpenInfo::DispatchContent(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:500] nsDocumentOpenInfo::OnStartRequest(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:345] nsHttpChannel::CallOnStartRequest(void) [e:\tip\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp:752] Allocation location new(UINT) [f:\vs70builds\3077\vc\crtbld\crt\src\newop.cpp:10] nsSHEntry::Clone(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:387] nsDocShell::CloneAndReplaceChild(nsISHEntry *,nsDocShell *,int,void *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7631] nsDocShell::WalkHistoryEntries(nsISHEntry *,nsDocShell *,(*)(nsISHEntry *,nsDocShell *,int,void *),void *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7589] nsDocShell::CloneAndReplaceChild(nsISHEntry *,nsDocShell *,int,void *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7641] nsDocShell::CloneAndReplace(nsISHEntry *,nsDocShell *,UINT,nsISHEntry *,nsISHEntry * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7669] nsDocShell::AddChildSHEntry(nsISHEntry *,nsISHEntry *,int) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:2606] nsDocShell::AddChildSHEntry(nsISHEntry *,nsISHEntry *,int) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:2621] nsDocShell::DoAddChildSHEntry(nsISHEntry *,int) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:2641] nsDocShell::AddToSessionHistory(nsIURI *,nsIChannel *,nsISHEntry * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7418] Free location strlen [f:\vs70builds\3077\vc\crtbld\crt\src\crtdll.c] nsSHEntry::Release(void) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:115] ReleaseObjects [e:\tip\mozilla\xpcom\ds\nscomarray.cpp:149] nsVoidArray::EnumerateForwards((*)(void *,void *),void *) [e:\tip\mozilla\xpcom\ds\nsvoidarray.cpp:648] nsCOMArray_base::Clear(void) [e:\tip\mozilla\xpcom\ds\nscomarray.cpp:156] nsSHEntry::~nsSHEntry(void) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:104] nsSHEntry::Release(void) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:115] nsSHTransaction::~nsSHTransaction(void) [e:\tip\mozilla\docshell\shistory\src\nsshtransaction.cpp:54] nsSHTransaction::`vector deleting destructor'(UINT) [E:\tip\fb-prf\dist\bin\components\docshell.dll] nsSHTransaction::Release(void) [e:\tip\mozilla\docshell\shistory\src\nsshtransaction.cpp:61] [E] IPR: Invalid pointer read in nsSHEntry::GetParent(nsISHEntry * *) {1 occurrence} Reading 4 bytes from 0xaeaeaeb2 (4 bytes at 0xaeaeaeb2 illegal) Address 0xaeaeaeb2 points into a reserved VirtualAlloc'd block Thread ID: 0x4f0 Error location nsSHEntry::GetParent(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399] nsSHEntry::GetParent(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399] GetRootSHEntry [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7743] nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry> *,nsISHEntry *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7767] nsDocShell::Embed(nsIContentViewer *,char const*,nsISupports *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:4469] nsDocShell::CreateContentViewer(char const*,nsIRequest *,nsIStreamListener * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:5538] nsDSURIContentListener::DoContent(char const*,int,nsIRequest *,nsIStreamListener * *,int *) [e:\tip\mozilla\docshell\base\nsdsuricontentlistener.cpp:130] nsDocumentOpenInfo::TryContentListener(nsIURIContentListener *,nsIChannel *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:774] nsDocumentOpenInfo::DispatchContent(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:500] nsDocumentOpenInfo::OnStartRequest(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:345]
This looks like a problem with the shentry object ownership model. An nsSHEntry has a weak mParent pointer, the docshell here ends up cloning one, and later on the clone's parent points to deleted memory...
This doesn't make the history traversal happy, but at least it doesn't crash. As far as I can tell gmail actually does a load somehow during our history traversal, which nukes the "next" SH transaction we used to have and kills its shentry. Why this shentry has kids at that point is a good question...
Attachment #193940 - Flags: superreview?(jst)
Attachment #193940 - Flags: review?(bryner)
This makes it possible to at least go back through gmail once (though it does take two clicks). Going forward after that and then back again breaks, most likely because of the session history tree mismatches that assert when you go back through it the first time. I'm not sure whether we want to take this or just work on a better arch for session history that deals with iframes.... If we do decide to take this, I could have also done this using WalkHistoryEntries if I made the calls before I remove the child docshell, but then that would mean walking all the kids looking for the one we have here (which would be passed as aData), which seems gratuitous.
Attachment #193942 - Flags: review?(bryner)
Attachment #193940 - Flags: review?(bryner) → review+
Flags: blocking1.8b4? → blocking1.8b4+
Assignee: nobody → bzbarsky
Priority: -- → P1
Summary: Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext] → [FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
Target Milestone: --- → mozilla1.8beta4
Whiteboard: [needs SR jst, review bryner]
Comment on attachment 193940 [details] [diff] [review] Fix for the crash sr=jst for stopping this crash.
Attachment #193940 - Flags: superreview?(jst) → superreview+
Comment on attachment 193940 [details] [diff] [review] Fix for the crash Requesting 1.8b approval. This is a very safe crash fix that just makes sure we don't leave dangling pointers to deleted memory around.
Attachment #193940 - Flags: approval1.8b4?
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Comment on attachment 193940 [details] [diff] [review] Fix for the crash This is safe for 1.8b4. /be
Attachment #193940 - Flags: approval1.8b4? → approval1.8b4+
Checked in the first diff on 1.8 branch.
Keywords: fixed1.8
I don't see the described problems anymore in trunk and branch.
bz, is this remaining patch necessary for the 1.8 branch or are we finished with this for 1.8b5?
This is done for 1.8b5; the remaining patch is a nice-to-have for trunk.
per bz's comment, moving off the blocker list.
Flags: blocking1.8b5+
Blocks: 310456
Comment on attachment 193942 [details] [diff] [review] Slight improvement on session history >--- docshell/base/nsDocShell.cpp 25 Aug 2005 21:21:07 -0000 1.734 >+++ docshell/base/nsDocShell.cpp 26 Aug 2005 18:04:04 -0000 >+ // Make sure to remove the child's SHEntry from out SHEntry's child list typo: s/out/our/ This should make things a little more consistent, thanks! (sorry the review took awhile)
Attachment #193942 - Flags: review?(bryner) → review+
Attachment #193942 - Flags: superreview?(darin)
Comment on attachment 193942 [details] [diff] [review] Slight improvement on session history >Index: docshell/base/nsDocShell.cpp >+ PRInt32 childCount; >+ container->GetChildCount(&childCount); >+ for (PRInt32 i = 0; i < childCount; i++) { >+ nsCOMPtr<nsISHEntry> childEntry; >+ container->GetChildAt(i, getter_AddRefs(childEntry)); ... >+ container->RemoveChild(childEntry); >+ } You don't need to iterator over this list in reverse order? Doesn't RemoveChild mess up your indexing?
Oh, man. Good catch, Darin! I'll post a patch with that fixed sometime tonight.
Attachment #193942 - Flags: superreview?(darin) → superreview-
Attachment #193942 - Attachment is obsolete: true
Attachment #212850 - Flags: superreview?(darin)
Comment on attachment 212850 [details] [diff] [review] With issues fixed sr=darin
Attachment #212850 - Flags: superreview?(darin) → superreview+
Checked that patch in.
Depends on: 346259
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Crash Signature: [@ nsXPConnect::ReleaseJSContext]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: