Closed Bug 50628 Opened 24 years ago Closed 24 years ago

Crash when trying to create bugzilla attachment.

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P1)

Product:
Core
Component:
DOM: UI Events & Focus Handling
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jst, Assigned: bryner)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [nsbeta3+]) 

Using a linux build from today mozilla crashes if you go to any bug in bugzilla
and try to create an attachment, the crash happens when you click on the
"Browse" button, just before the filepicker should pop up. I only have a release
build so I can't point at the exact location where the crash occures, but I'll
attach a stacktrace that gives you some idea about where the crash occures...

I don't see this problem on WinNT.
Stacktrace from optimized build...

#0  0x856c0f8 in ?? ()
#1  0x40ecf8b1 in FindPreviousAnonymousSibling ()
   from /builds/rel/dist/bin/components/libgklayout.so
#2  0x40ed0f2a in nsCSSFrameConstructor::ContentInserted ()
   from /builds/rel/dist/bin/components/libgklayout.so
#3  0x40ed5ced in nsCSSFrameConstructor::RecreateFramesForContent ()
   from /builds/rel/dist/bin/components/libgklayout.so
#4  0x40ed37af in nsCSSFrameConstructor::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/libgklayout.so
#5  0x40fc5e07 in StyleSetImpl::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/libgklayout.so
#6  0x40dce717 in PresShell::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/libgklayout.so
#7  0x404b282a in nsXULDocument::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/librdf.so
#8  0x40d96a1e in nsEventStateManager::SetContentState ()
   from /builds/rel/dist/bin/components/libgklayout.so
#9  0x40e1ee9f in nsHTMLInputElement::SetFocus ()
   from /builds/rel/dist/bin/components/libgklayout.so
#10 0x40e1eda5 in nsHTMLInputElement::Focus ()
   from /builds/rel/dist/bin/components/libgklayout.so
#11 0x403e7bbd in HTMLInputElementFocus ()
   from /builds/rel/dist/bin/./libjsdom.so
#12 0x4011bd8f in js_Invoke () from /builds/rel/dist/bin/./libmozjs.so
#13 0x401226a2 in js_Interpret () from /builds/rel/dist/bin/./libmozjs.so
#14 0x4011bddd in js_Invoke () from /builds/rel/dist/bin/./libmozjs.so
#15 0x4011bfd0 in js_InternalInvoke () from /builds/rel/dist/bin/./libmozjs.so
#16 0x40102ebf in JS_CallFunctionValue ()
   from /builds/rel/dist/bin/./libmozjs.so
#17 0x4039f871 in nsJSContext::CallEventHandler ()
   from /builds/rel/dist/bin/./libjsdom.so
#18 0x403cdc56 in nsJSEventListener::HandleEvent ()
   from /builds/rel/dist/bin/./libjsdom.so
#19 0x40d8e820 in nsEventListenerManager::HandleEventSubType ()
   from /builds/rel/dist/bin/components/libgklayout.so
#20 0x40d8fa1c in nsEventListenerManager::HandleEvent ()
   from /builds/rel/dist/bin/components/libgklayout.so
#21 0x403a7ffe in GlobalWindowImpl::HandleDOMEvent ()
   from /builds/rel/dist/bin/./libjsdom.so
#22 0x4099939e in nsWebShell::OnEndDocumentLoad ()
   from /builds/rel/dist/bin/components/libdocshell.so
#23 0x409b2373 in nsDocLoaderImpl::FireOnEndDocumentLoad ()
   from /builds/rel/dist/bin/components/liburiloader.so
#24 0x409b2156 in nsDocLoaderImpl::DocLoaderIsEmpty ()
   from /builds/rel/dist/bin/components/liburiloader.so
#25 0x409b205b in nsDocLoaderImpl::OnStopRequest ()
   from /builds/rel/dist/bin/components/liburiloader.so
---Type <return> to continue, or q <return> to quit--- 
#26 0x408e7eae in nsLoadGroup::RemoveChannel ()
   from /builds/rel/dist/bin/components/libnecko.so
#27 0x409204c2 in nsFileChannel::OnStopRequest ()
   from /builds/rel/dist/bin/components/libnecko.so
#28 0x408d8cde in nsOnStopRequestEvent::HandleEvent ()
   from /builds/rel/dist/bin/components/libnecko.so
#29 0x408d8720 in nsStreamListenerEvent::HandlePLEvent ()
   from /builds/rel/dist/bin/components/libnecko.so
#30 0x400bc8eb in PL_HandleEvent () from /builds/rel/dist/bin/./libxpcom.so
#31 0x400bc826 in PL_ProcessPendingEvents ()
   from /builds/rel/dist/bin/./libxpcom.so
#32 0x400bd53d in nsEventQueueImpl::ProcessPendingEvents ()
   from /builds/rel/dist/bin/./libxpcom.so
#33 0x4055969f in event_processor_callback ()
   from /builds/rel/dist/bin/components/libwidget_gtk.so
#34 0x4055945d in our_gdk_io_invoke ()
   from /builds/rel/dist/bin/components/libwidget_gtk.so
...
Keywords: crash, dogfood, nsbeta3
This worked fine before, and considering it is crashing in CSS frame
constructor, I'm probably not the right person for this bug.

Pavlov or bryner, could one of you look at this?
I was actually the one who suggested jst assign it to you... based on the fact 
that the process that's actually going on here is setting focus to the dialog.  
Wondering if it's one of those weird state transition bugs.  The filepicker 
seems to come up fine everywhere else that it's invoked from.

It seems that the crash is in releasing the elt nsCOMPtr.  It seems to get
corrupted during the call to xblDoc->GetAnonymousNodes.  Before that call I can
do "p elt.get()->AddRef()" in gdb, but after it that crashes.
nsbeta3+, P1 for M18.  This really should be dogfood+ too, since it prevents a
lot of mozillians from contributing.  cc hyatt, danm
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Target Milestone: --- → M18
First guess, XBL is corrupting the stack. This should really be hyatt's, but I 

can take a first pass at finding the nastyness.
Got this one tracked down...
Assignee: saari → bryner
Fixed!
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified 
2000-09-05-08 : Linux
Status: RESOLVED → VERIFIED
Component: Event Handling → User events and focus handling
You need to log in before you can comment on or make changes to this bug.