Closed Bug 95688 Opened 23 years ago Closed 23 years ago

N610 crash [@ NS_MakeAbsoluteURI]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.5

People

(Reporter: greer, Assigned: karnaze)

Details

(Keywords: crash, topcrash, topembed)

Crash Data

Attachments

(2 files)

Talkback user comments
6.29 KB, text/plain
Details
null check that may fix the bug
581 bytes, patch
kinmoz
: superreview+
Details | Diff | Splinter Review 
Users are reporting lots of crashes at the following stack below. Most crashes 
are happening on Win98 systems. May user are crashing trying to open mail. 
Needs reproducible steps.

   9 Windows 95  4.0 build 67109814
  10 Windows 95  4.0 build 67109975
   6 Windows 95  4.0 build 67306684
  32 Windows 98  4.10 build 67766222
  46 Windows 98  4.10 build 67766446
  16 Windows 98  4.90 build 73010104 (WinME)
   2 Windows NT  4.0 build 1381
   5 Windows NT  5.0 build 2195 (Win 2K Pro)


Stack Trace: 

         NS_MakeAbsoluteURI     [..\..\..\..\dist\include\nsNetUtil.h  line 228]
         nsHTMLFrameInnerFrame::DoLoadURL
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp  line
1185]
         nsHTMLFrameInnerFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp  line
1292]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line
747]
         nsHTMLFrameOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsFrameFrame.cpp  line
466]
         nsBoxToBlockAdaptor::Reflow
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp  line
869]
         nsBoxToBlockAdaptor::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp  line
525]
         nsBox::Layout  
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp  line
985]
         nsSprocketLayout::Layout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSprocketLayout.cpp  line 421]
         nsContainerBox::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp  line 553]
         nsBoxFrame::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp  line 979]
         nsBox::Layout  
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp  line
985]
         nsSprocketLayout::Layout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSprocketLayout.cpp  line 421]
         nsContainerBox::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp  line 553]
         nsBoxFrame::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp  line 979]
         nsBox::Layout  
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp  line
985]
         nsSprocketLayout::Layout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsSprocketLayout.cpp  line 421]
         nsContainerBox::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp  line 553]
         nsBoxFrame::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp  line 979]
         nsBox::Layout  
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp  line
985]
         nsStackLayout::Layout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsStackLayout.cpp  line 256]
         nsContainerBox::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp  line 553]
         nsBoxFrame::DoLayout
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp  line 979]
         nsBox::Layout  
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp  line
985]
         nsBoxFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp  line 781]
         nsRootBoxFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsRootBoxFrame.cpp  line 215]
         nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp  line
747]
         ViewportFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp  line 538]
         PresShell::InitialReflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 2599]
         nsXULDocument::StartLayout
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp  line
3918]
         nsXULDocument::ResumeWalk
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp  line
5016]
         nsXULDocument::EndLoad
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp  line
1586]
         XULContentSinkImpl::DidBuildModel
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULContentSink.cpp  line
513]
         CWellFormedDTD::DidBuildModel
[d:\builds\seamonkey\mozilla\htmlparser\src\nsWellFormedDTD.cpp  line 318]
         nsParser::DidBuildModel
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp  line 1615]
         nsParser::ResumeParse
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp  line 2143]
         nsParser::OnStopRequest
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp  line 2737]
         nsJARChannel::OnStopRequest
[d:\builds\seamonkey\mozilla\netwerk\protocol\jar\src\nsJARChannel.cpp  line
587]
         nsOnStopRequestEvent::HandleEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsRequestObserverProxy.cpp  line
161]
         PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  
line 591]
         PL_ProcessPendingEvents        
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c 
line 524]
         _md_EventReceiverProc  
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c 
line 1072]
 
        Source File : ../../../../dist/include/nsNetUtil.h line : 228
Attached file Talkback user comments 

    
  
Keywords: crash, 
          
            topcrash

    
    

    
  


  

    
  
Status: NEW → ASSIGNED
Keywords: topembed
Target Milestone: --- → mozilla0.9.5

    
  
Keywords: patch

    
  
Target Milestone: mozilla0.9.5 → mozilla0.9.4

    
    

    
  
r= Alex Savulov; checking for null pointers is always a good ideea

    
    

    
  
Hmmm.  nsIDocument.h says it may return null, so what *should* callers do when
it does?  There are other places (e.g., nsStyleUtil.cpp) that don't check for
null.  Should we fix those too?  (Were all the NS_MakeAbsoluteURI stack traces
coming from nsFrameFrame?)

    
    

    
  
I just spoke with karnaze via phone ... according to the stack trace in this
bug, we are crashing when trying to free specstr:


inline nsresult
NS_MakeAbsoluteURI(nsAWritableString& result,
                   const nsAReadableString& spec,
                   nsIURI* baseURI = nsnull,
                   nsIIOService* ioService = nsnull)     // pass in nsIIOService
 to optimize callers
{
    char* resultStr;
    char* specStr = ToNewUTF8String(spec);
    if (!specStr) {
        return NS_ERROR_OUT_OF_MEMORY;
    }
    nsresult rv = NS_MakeAbsoluteURI(&resultStr, specStr, baseURI, ioService);
    nsMemory::Free(specStr);


that would lead me to believe there was something wrong with the spec arg passed
 in from nsFrameFrame, not the actual baseURI arg.

    
    

    
  
kin, reassigning to you, as we agreed.
Assignee: karnaze → kin
Status: ASSIGNED → NEW

    
    

    
  
To answer dbaron's question, I did a query on all the talkback reports that
crashed in NS_MakeAbsoluteURI, I looked at about 40 or so of them (out of about
400+) and all of them were crashing as a result of nsFrameFrame::DoLoadURL()
calling NS_MakeAbsoluteURI(), no entry points from CSS that I saw.

The more I look at this stuff the more it looks like the line numbers in the
talkback reports are off by one (compared to the 0.9.2 and TRUNK source), so I
think karnaze's patch looking for baseURL == null was the correct thing.

I spent some time trying to figure out what situations nsDocument::GetBaseURL()
would return null, but had no luck, even using several of the URLs in the
talkback reports, as well as launching mail compose, and mail.

Giving back to karnaze so he can get credit for the fix.

sr=kin@netscape.com


Assignee: kin → karnaze
Keywords: nsbranch
Target Milestone: mozilla0.9.4 → mozilla0.9.5

    
    

    
  
kin, karnaze, does this belong in 0.9.4? 

(kin, also can you note your sr in the attachment manager by clicking Edit in
the Actions column of the Attachment table and checking the has-super-review
checkbox? thanks.)

    
    

    
  
I checked the patch into the trunk and m0.9.2 branch. I'll ask drivers for 
approval on the m0.9.4 branch.

kin, thanks for the credit and the exceptionaly thorough sr.
Status: NEW → ASSIGNED

    
    

    
  
a=chofmann for the 0.9.4 branch

    
    

    
  
Line numbers for talkback reports on Windows are always off-by-one (or, rather,
the next non-empty line, or something of that sort).

    
  

        Attachment #46732 -
        Flags: superreview+

    
    

    
  
checked into m0.9.4 branch. fixed???
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED

    
    

    
  
This stack trace is not showing at all on the trunk talkback topcrash reports
(still on N610) 

    
    

    
  
Based on the previous comments, marking verified in the Oct 20th builds.
Status: RESOLVED → VERIFIED
Crash Signature: [@ NS_MakeAbsoluteURI]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: