Closed
Bug 15560
Opened 25 years ago
Closed 25 years ago
unsafe FireOnEndDocumentLoad code
Categories
(Core Graveyard :: Embedding: APIs, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: kipp, Assigned: rpotts)
Details
The viewer triggers this with it's "-f file" argument. What happens is that during the firing of the end-document-load observer call, the observer removes itself (because its being destroyed). Unfortunately, this causes the loop in nsDocLoader.cpp to try to use an index past the end of the array of observers... What really needs to be done here is to have a safe iterator over the doc obserers that can handle changes to the observer list during iteration... I have a temporary work around which should fix viewer: just check for null combing back from ElementAt...But it's not a real solution.
Comment 1•25 years ago
|
||
When I execute the AutoFill smoke test I get a crash (stack trace follows). Is this related to this bug? nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x056d9c40, nsIChannel * 0x056dabc0, unsigned int 2152398850) line 870 + 25 bytes nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x056d9c44, nsIChannel * 0x00000000, nsISupports * 0x00000000, unsigned int 2152398850, unsigned short * 0x00000000) line 752 + 31 bytes nsLoadGroup::Cancel(nsLoadGroup * const 0x056d9bd0) line 326 + 44 bytes nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x056d9c40) line 584 + 26 bytes nsWebShell::Stop(nsWebShell * const 0x056d8350) line 2350 nsWebShell::Destroy(nsWebShell * const 0x056d8350) line 1146 nsGfxTextControlFrame::~nsGfxTextControlFrame() line 250 nsGfxTextControlFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsFrame::Destroy(nsFrame * const 0x0520e890, nsIPresContext & {...}) line 353 + 34 bytes nsFrameList::DestroyFrames(nsIPresContext & {...}) line 29 nsContainerFrame::Destroy(nsContainerFrame * const 0x04484598, nsIPresContext & {...}) line 88 nsFrameList::DestroyFrame(nsIPresContext & {...}, nsIFrame * 0x04484598) line 115 nsBoxFrame::RemoveFrame(nsBoxFrame * const 0x04482a70, nsIPresContext & {...}, nsIPresShell & {...}, nsIAtom * 0x00000000, nsIFrame * 0x04484598) line 1388 FrameManager::RemoveFrame(FrameManager * const 0x056d1760, nsIPresContext & {...}, nsIPresShell & {...}, nsIFrame * 0x04482a70, nsIAtom * 0x00000000, nsIFrame * 0x04484598) line 532 nsCSSFrameConstructor::ContentRemoved(nsCSSFrameConstructor * const 0x056d5660, nsIPresContext * 0x056d57c0, nsIContent * 0x056b8f90, nsIContent * 0x056b8c00, int 0) line 6411 + 58 bytes nsCSSFrameConstructor::RecreateFramesForContent(nsIPresContext * 0x056d57c0, nsIContent * 0x056b8c00) line 7814 + 28 bytes nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 0x056d5660, nsIPresContext * 0x056d57c0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int 2) line 6951 + 16 bytes StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x056d1a40, nsIPresContext * 0x056d57c0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int -1) line 923 PresShell::AttributeChanged(PresShell * const 0x056d5558, nsIDocument * 0x052596b0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int -1) line 1719 + 53 bytes XULDocumentImpl::AttributeChanged(XULDocumentImpl * const 0x052596b0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int -1) line 1735 RDFElementImpl::SetAttribute(RDFElementImpl * const 0x056b8c00, int 0, nsIAtom * 0x01657df0, const nsString & {...}, int 1) line 2453 RDFElementImpl::SetAttribute(RDFElementImpl * const 0x056b8bf0, const nsString & {...}, const nsString & {...}) line 1275 + 35 bytes ElementSetAttribute(JSContext * 0x051e7d50, JSObject * 0x02e42de0, unsigned int 2, long * 0x044790b4, long * 0x0012c18c) line 258 + 26 bytes js_Invoke(JSContext * 0x051e7d50, unsigned int 2, unsigned int 0) line 672 + 26 bytes js_Interpret(JSContext * 0x051e7d50, long * 0x0012ca04) line 2248 + 15 bytes js_Invoke(JSContext * 0x051e7d50, unsigned int 0, unsigned int 0) line 688 + 13 bytes js_Interpret(JSContext * 0x051e7d50, long * 0x0012d238) line 2248 + 15 bytes js_Invoke(JSContext * 0x051e7d50, unsigned int 1, unsigned int 2) line 688 + 13 bytes js_InternalCall(JSContext * 0x051e7d50, JSObject * 0x0260ba00, long 39893088, unsigned int 1, long * 0x0012d3b8, long * 0x0012d370) line 765 + 15 bytes JS_CallFunction(JSContext * 0x051e7d50, JSObject * 0x0260ba00, JSFunction * 0x056b75d0, unsigned int 1, long * 0x0012d3b8, long * 0x0012d370) line 2650 + 32 bytes nsJSContext::CallFunction(nsJSContext * const 0x0519c030, void * 0x0260ba00, void * 0x056b75d0, unsigned int 1, void * 0x0012d3b8, int * 0x0012d3b4) line 231 + 39 bytes nsJSEventListener::HandleEvent(nsIDOMEvent * 0x056dd7b0) line 103 + 48 bytes nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012d710, nsIDOMEvent * * 0x0012d5b8, unsigned int 7, nsEventStatus & nsEventStatus_eIgnore) line 1025 + 21 bytes GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x051981c4, nsIPresContext & {...}, nsEvent * 0x0012d710, nsIDOMEvent * * 0x0012d5b8, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2784 nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x05234e54, nsIDocumentLoader * 0x05233090, nsIChannel * 0x0361bf10, unsigned int 0, nsIDocumentLoaderObserver * 0x05234e54) line 3388 + 34 bytes nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x05233090, nsIChannel * 0x0361bf10, unsigned int 0) line 872 nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x05233094, nsIChannel * 0x05256170, nsISupports * 0x00000000, unsigned int 0, unsigned short * 0x00000000) line 752 + 31 bytes nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x05234dd0, nsIChannel * 0x05256170, nsISupports * 0x00000000, unsigned int 0, unsigned short * 0x00000000) line 597 + 39 bytes nsFileChannel::OnStopRequest(nsFileChannel * const 0x05256174, nsIChannel * 0x05257a50, nsISupports * 0x00000000, unsigned int 0, unsigned short * 0x00000000) line 423 nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x056d9fd0) line 293 nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x056d9cb0) line 164 + 12 bytes PL_HandleEvent(PLEvent * 0x056d9cb0) line 541 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x05237140) line 500 + 9 bytes _md_EventReceiverProc(void * 0x00020e66, unsigned int 49450, unsigned int 0, long 86208832) line 970 + 9 bytes USER32! 77e71820() 05237140()
Assignee | ||
Updated•25 years ago
|
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 2•25 years ago
|
||
I've just checked in code that reworks the way that the observer list is walked during document observer notifications... I believe that this should fix the problem. If not, the DocLoader will ASSERT :-) -- rick
Updated•25 years ago
|
Status: RESOLVED → VERIFIED
Comment 3•25 years ago
|
||
v
Updated•5 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•