Closed Bug 119939 Opened 23 years ago Closed 23 years ago

Crash saving files at www.zdnet.com at nsWebBrowserPersist::OnWalkDOMNode

Categories: Core Graveyard :: File Handling (defect; priority: Not set; severity: critical)
Tracking: Not tracked; status VERIFIED FIXED; milestone mozilla0.9.8
People: Reporter: kerz, Assigned: adamlock
Details: Keywords: crash
Attachments: 1 file

to reproduce:

1. go to www.zdnet.com
2. wait for page to load entirely, throbber should stop
3. File > Save As...
4. Be sure you have it set to save "Web Page Complete"
5. save the page to your desktop
6. crash

Talkback files at http://climate/reports/SingleIncidentInfo.cfm?dynamicBBID=1644717

build id? or was this a recent debug? will check on linux and mac os x verif
builds in a bit...

oh ha, the trace is in nsWebBrowserPersist --should prolly go to adam.

Incident ID 1644717 Stack Signature nsWebBrowserPersist::OnWalkDOMNode 5c7b242f
Trigger Time 2002-01-14 11:37:09
Email Address kerz@netscape.com
URL visited
User Comments Saving files
Build ID 2002011012
Product ID MozillaTrunk
Platform
Operating System Win32
Module
Trigger Reason Access violation
Stack Trace
nsWebBrowserPersist::OnWalkDOMNode
[d:\builds\seamonkey\mozilla\embedding\components\webbrowserpersist\src\nsWebBrowserPersist.cpp,
line 1096]
nsDOMWalker::WalkDOM
[d:\builds\seamonkey\mozilla\embedding\components\webbrowserpersist\src\nsDOMWalker.cpp,
line 74]
nsWebBrowserPersist::SaveDocumentInternal
[d:\builds\seamonkey\mozilla\embedding\components\webbrowserpersist\src\nsWebBrowserPersist.cpp,
line 635]
nsWebBrowserPersist::SaveDocument
[d:\builds\seamonkey\mozilla\embedding\components\webbrowserpersist\src\nsWebBrowserPersist.cpp,
line 237]
XPTC_InvokeByIndex
[d:\builds\seamonkey\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp,
line 106]
XPCWrappedNative::CallMethod
[d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp, line 2011]
XPC_WN_CallMethod
[d:\builds\seamonkey\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp,
line 1267]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 834]
js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 2799]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 850]
js_Interpret [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 2799]
js_Invoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 850]
js_InternalInvoke [d:\builds\seamonkey\mozilla\js\src\jsinterp.c, line 925]
JS_CallFunctionValue [d:\builds\seamonkey\mozilla\js\src\jsapi.c, line 3407]
nsJSContext::CallEventHandler
[d:\builds\seamonkey\mozilla\dom\src\base\nsJSEnvironment.cpp, line 1014]
nsJSEventListener::HandleEvent
[d:\builds\seamonkey\mozilla\dom\src\events\nsJSEventListener.cpp, line 182]
nsEventListenerManager::HandleEventSubType
[d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line
1206]
nsEventListenerManager::HandleEvent
[d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line
1881]
GlobalWindowImpl::HandleDOMEvent
[d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 638]
DocumentViewerImpl::LoadComplete
[d:\builds\seamonkey\mozilla\content\base\src\nsDocumentViewer.cpp, line 1262]
nsDocShell::EndPageLoad
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 3444]
nsWebShell::EndPageLoad
[d:\builds\seamonkey\mozilla\docshell\base\nsWebShell.cpp, line 695]
nsDocShell::OnStateChange
[d:\builds\seamonkey\mozilla\docshell\base\nsDocShell.cpp, line 3352]
nsDocLoaderImpl::FireOnStateChange
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 1110]
nsDocLoaderImpl::doStopDocumentLoad
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 749]
nsDocLoaderImpl::DocLoaderIsEmpty
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 647]
nsDocLoaderImpl::OnStopRequest
[d:\builds\seamonkey\mozilla\uriloader\base\nsDocLoader.cpp, line 578]
nsLoadGroup::RemoveRequest
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsLoadGroup.cpp, line 530]
nsCachedChromeChannel::HandleStopLoadEvent
[d:\builds\seamonkey\mozilla\rdf\chrome\src\nsChromeProtocolHandler.cpp, line 463]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591]
_md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line
1072]
SETUPAPI.DLL + 0x30c24 (0x778b0c24)

Assignee: ben → adamlock
Keywords: crash

yep, i can repro this on both mac os x and linux [2002.01.14.08 comm].

here's the talkback info for linux:

Incident ID 1647517 Stack Signature nsWebBrowserPersist::OnWalkDOMNode() 8295a755
Trigger Time 2002-01-14 12:44:06
User Comments bug 119939
Build ID 2002011408
Product ID MozillaTrunk
Operating System LinuxIntel
Module
Trigger Reason SIGSEGV: Segmentation Fault: (signal 11)
Stack Trace
nsWebBrowserPersist::OnWalkDOMNode()
nsDOMWalker::WalkDOM()
nsWebBrowserPersist::SaveDocumentInternal()
nsWebBrowserPersist::SaveDocument()
XPTC_InvokeByIndex()
XPCWrappedNative::CallMethod()
XPC_WN_CallMethod()
js_Invoke()
js_Interpret()
js_Invoke()
js_Interpret()
js_Invoke()
js_InternalInvoke()
JS_CallFunctionValue()
nsJSContext::CallEventHandler()
nsJSEventListener::HandleEvent()
nsEventListenerManager::HandleEventSubType()
nsEventListenerManager::HandleEvent()
GlobalWindowImpl::HandleDOMEvent()
DocumentViewerImpl::LoadComplete()
nsDocShell::EndPageLoad()
nsWebShell::EndPageLoad()
nsDocShell::OnStateChange()
nsDocLoaderImpl::FireOnStateChange()
nsDocLoaderImpl::doStopDocumentLoad()
nsDocLoaderImpl::DocLoaderIsEmpty()
nsDocLoaderImpl::OnStopRequest()
nsLoadGroup::RemoveRequest()
nsJARChannel::OnStopRequest()
nsOnStopRequestEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
libglib-1.2.so.0 + 0xff9e (0x4038bf9e)
libglib-1.2.so.0 + 0x11773 (0x4038d773)
libglib-1.2.so.0 + 0x11d39 (0x4038dd39)
libglib-1.2.so.0 + 0x11eec (0x4038deec)
libgtk-1.2.so.0 + 0x94333 (0x402a9333)
nsAppShell::Run()
nsAppShellService::Run()
netscape-bin + 0x8099 (0x08050099)
netscape-bin + 0x8907 (0x08050907)
libc.so.6 + 0x1c507 (0x404d4507)

Keywords: nsbeta1
OS: Windows 2000 → All
Hardware: PC → All
Summary: Crash saving files → Crash saving files at www.zdnet.com
Summary: Crash saving files at www.zdnet.com → Crash saving files at www.zdnet.com at nsWebBrowserPersist::OnWalkDOMNode

...and crash report for mac os x:

Date/Time:  2002-01-14 12:51:55 -0800
OS Version: 10.1.2 (Build 5P48)

Command:    Netscape 6
PID:        629

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000008

Thread 0:
 #0   0x02593124 in OnWalkDOMNode__19nsWebBrowserPersistFP10nsIDOMNodePi
 #1   0x02593114 in OnWalkDOMNode__19nsWebBrowserPersistFP10nsIDOMNodePi
 #2   0x0258ceb4 in WalkDOM__11nsDOMWalkerFP10nsIDOMNodeP19nsDOMWalkerCallback
 #3   0x02590be8 in SaveDocumentInternal__19nsWebBrowserPersistFP14nsIDOMDocumentP
 #4   0x0258e614 in SaveDocument__19nsWebBrowserPersistFP14nsIDOMDocumentP11nsISup
 #5   0x005be31c in XPTC_InvokeByIndex
 #6   0x005be210 in XPTC_InvokeByIndex
 #7   0x039891d0 in 0x39891d0
 #8   0x0398f60c in XPC_WN_CallMethod__FP9JSContextP8JSObjectUiPlPl
 #9   0x01dd85ac in js_Invoke
 #10  0x01de0664 in 0x1de0664
 #11  0x01dd8604 in js_Invoke
 #12  0x01de0664 in 0x1de0664
 #13  0x01dd8604 in js_Invoke
 #14  0x01dd8850 in js_InternalInvoke
 #15  0x01db9b2c in JS_CallFunctionValue
 #16  0x0250b0d0 in CallEventHandler__11nsJSContextFPvPvUiPvPii
 #17  0x025276a0 in HandleEvent__17nsJSEventListenerFP11nsIDOMEvent
 #18  0x020d0a40 in HandleEventSubType__22nsEventListenerManagerFP16nsListenerStru
 #19  0x020d24ec in 0x20d24ec
 #20  0x0251006c in HandleDOMEvent__16GlobalWindowImplFP14nsIPresContextP7nsEventP
 #21  0x0220229c in LoadComplete__18DocumentViewerImplFUi
 #22  0x024c7b20 in EndPageLoad__10nsDocShellFP14nsIWebProgressP10nsIChannelUi
 #23  0x024de824 in 0x24de824
 #24  0x024c7540 in OnStateChange__10nsDocShellFP14nsIWebProgressP10nsIRequestiUi
 #25  0x03842920 in FireOnStateChange__15nsDocLoaderImplFP14nsIWebProgressP10nsIRe
 #26  0x03841770 in doStopDocumentLoad__15nsDocLoaderImplFP10nsIRequestUi
 #27  0x0384150c in DocLoaderIsEmpty__15nsDocLoaderImplFv
 #28  0x03841214 in OnStopRequest__15nsDocLoaderImplFP10nsIRequestP11nsISupportsUi
 #29  0x03101d04 in RemoveRequest__11nsLoadGroupFP10nsIRequestP11nsISupportsUi
 #30  0x02ac0b84 in OnStopRequest__15imgRequestProxyFP10nsIRequestP11nsISupportsUi
 #31  0x02abeb08 in OnStopRequest__10imgRequestFP10nsIRequestP11nsISupportsUi
 #32  0x02abc3a4 in OnStopRequest__13ProxyListenerFP10nsIRequestP11nsISupportsUi
 #33  0x0313df84 in OnStopRequest__12nsJARChannelFP10nsIRequestP11nsISupportsUi
 #34  0x03158ce0 in HandleEvent__20nsOnStopRequestEventFv
 #35  0x031580e0 in HandlePLEvent__23nsARequestObserverEventFP7PLEvent
 #36  0x005f3240 in PL_HandleEvent
 #37  0x005f30ac in PL_ProcessPendingEvents
 #38  0x0059a04c in ProcessPendingEvents__16nsEventQueueImplFv
 #39  0x038d62dc in ProcessPLEventQueue__26nsMacNSPREventQueueHandlerFv
 #40  0x038d60a0 in RepeatAction__26nsMacNSPREventQueueHandlerFRC11EventRecord
 #41  0x01febb14 in DoRepeaters__8RepeaterFRC11EventRecord
 #42  0x038e92f8 in DispatchEvent__16nsMacMessagePumpFiP11EventRecord
 #43  0x038e8ed0 in DoMessagePump__16nsMacMessagePumpFv
 #44  0x038e880c in Run__10nsAppShellFv
 #45  0x01e2fd9c in Run__17nsAppShellServiceFv
 #46  0x004c93f8 in main1__FiPPcP11nsISupports
 #47  0x004c9efc in main

Thread 1:
 #0   0x7000497c in syscall
 #1   0x70557600 in BSD_waitevent
 #2   0x70554b80 in CarbonSelectThreadFunc
 #3   0x7002054c in _pthread_body

Thread 2:
 #0   0x7003f4c8 in semaphore_wait_signal_trap
 #1   0x7003f2c8 in _pthread_cond_wait
 #2   0x705593ec in CarbonOperationThreadFunc
 #3   0x7002054c in _pthread_body

Thread 3:
 #0   0x70044cf8 in semaphore_timedwait_signal_trap
 #1   0x70044cd8 in semaphore_timedwait_signal
 #2   0x7003f2b8 in _pthread_cond_wait
 #3   0x70283ea4 in TSWaitOnConditionTimedRelative
 #4   0x7027d748 in TSWaitOnSemaphoreCommon
 #5   0x702c2078 in TimerThread
 #6   0x7002054c in _pthread_body

Thread 4:
 #0   0x7003f4c8 in semaphore_wait_signal_trap
 #1   0x7003f2c8 in _pthread_cond_wait
 #2   0x70250ab0 in TSWaitOnCondition
 #3   0x7027d730 in TSWaitOnSemaphoreCommon
 #4   0x70243d14 in AsyncFileThread
 #5   0x7002054c in _pthread_body

Thread 5:
 #0   0x7003f4c8 in semaphore_wait_signal_trap
 #1   0x7003f2c8 in _pthread_cond_wait
 #2   0x7055b884 in CarbonInetOperThreadFunc
 #3   0x7002054c in _pthread_body

Thread 6:
 #0   0x70044cf8 in semaphore_timedwait_signal_trap
 #1   0x70044cd8 in semaphore_timedwait_signal
 #2   0x7003f2b8 in _pthread_cond_wait
 #3   0x70283ea4 in TSWaitOnConditionTimedRelative
 #4   0x70270138 in MPWaitOnQueue
 #5   0x70777cd8 in SyncTaskProc__13TNodeSyncTaskPv
 #6   0x702831a8 in PrivateMPEntryPoint
 #7   0x7002054c in _pthread_body

Thread 7:
 #0   0x70000978 in mach_msg_overwrite_trap
 #1   0x70005a04 in mach_msg
 #2   0x70026a2c in _pthread_become_available
 #3   0x70026724 in pthread_exit
 #4   0x70020550 in _pthread_body


PPC Thread State:
  srr0: 0x02593124 srr1: 0x0000f030                vrsave: 0x00000000
   xer: 0x20000018   lr: 0x02593114  ctr: 0x021f13f0   mq: 0x00000000
    r0: 0x00000001   r1: 0xbfffd290   r2: 0x02565000   r3: 0x00000000
    r4: 0x00000002   r5: 0x02599200   r6: 0x00000018   r7: 0x04290d3c
    r8: 0x00000001   r9: 0x00000000  r10: 0x00007420  r11: 0x00000000
   r12: 0x024174f0  r13: 0x00000000  r14: 0x00000036  r15: 0xbfffee58
   r16: 0x00646520  r17: 0x00000001  r18: 0x00646238  r19: 0x00002003
   r20: 0x00000000  r21: 0x0000001c  r22: 0x70004234  r23: 0x700042c8
   r24: 0x00000004  r25: 0x000006eb  r26: 0x8081ab5c  r27: 0x00058790
   r28: 0x00000000  r29: 0xbfffef00  r30: 0x8081d1cc  r31: 0x00000001

This site contains some JS that inserts an IFRAME with no SRC attribute. The
persist object expects a SRC attribute and when there is none it crashes on a
null pointer.

A patch will follow to correct this.

Reviews please?

The patch is ultra simple. Basically I've put a pointer check around the code
that assumes there is a src attribute so iframes/frames that don't have one
are ignored. The HTML spec says the src attribute is #IMPLIED so this is the
correct thing to do anyway.
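
The failure and the pointer check described in the comments above, as an added example; it is not the attachment 65040 patch or Mozilla source. `Node`, `GetAttr`, `Frame`, `StoreFrameURIUnchecked`, `CollectFrameURIs` and `WalkSample` are hypothetical names, and the sample document is constructed.

```cpp
// Added example: hypothetical model of the walk, not nsWebBrowserPersist code.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct Node {
    std::string tag;
    std::map<std::string, std::string> attrs;
    std::vector<Node> children;
    // Returns nullptr when the attribute is absent.
    const std::string* GetAttr(const std::string& name) const {
        auto it = attrs.find(name);
        return it == attrs.end() ? nullptr : &it->second;
    }
};

// "Before" pattern (never called here): assumes every frame carries src,
// so a script-inserted <iframe> without one dereferences a null pointer.
void StoreFrameURIUnchecked(const Node& n, std::vector<std::string>& out) {
    const std::string* src = n.GetAttr("src");
    out.push_back(*src);
}

// "After" pattern: src is optional (#IMPLIED), so frames without it are skipped.
void CollectFrameURIs(const Node& n, std::vector<std::string>& out) {
    if (n.tag == "iframe" || n.tag == "frame") {
        const std::string* src = n.GetAttr("src");
        if (src) out.push_back(*src);
    }
    for (const Node& c : n.children) CollectFrameURIs(c, out);
}

// Hypothetical helper: builds an element; no src attribute when src is nullptr.
Node Frame(const char* tag, const char* src) {
    Node n;
    n.tag = tag;
    if (src) n.attrs["src"] = src;
    return n;
}

// Constructed sample document: the second iframe has no src.
std::vector<std::string> WalkSample() {
    Node body = Frame("body", nullptr);
    body.children = {Frame("iframe", "ad.html"), Frame("iframe", nullptr),
                     Frame("frame", "nav.html")};
    std::vector<std::string> uris;
    CollectFrameURIs(body, uris);
    return uris;
}

int main() { for (const auto& u : WalkSample()) std::printf("save %s\n", u.c_str()); }
```
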

Comment on attachment 65040 [details] [diff] [review]
Patch corrects the problem

man a -w would have been so nice...
Attachment #65040 - Flags: review+

Target Milestone: --- → mozilla0.9.8

Comment on attachment 65040 [details] [diff] [review]
Patch corrects the problem

sr=rpotts@netscape.com
Attachment #65040 - Flags: superreview+

Comment on attachment 65040 [details] [diff] [review]
Patch corrects the problem

a=dbaron for 0.9.8 checkin (although I wouldn't mind if you remove the extra
null-check for |data| inside the second of the indented sections in the patch)
Attachment #65040 - Flags: approval+

Fix is checked in. Also removed the redundant second check for data
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED

vrfy'd fixed using 2002.01.23.0x comm bits on linux rh7.2, win2k and mac os
10.1.2. no longer crash doing 'save as complete' at the zdnet site.
Status: RESOLVED → VERIFIED

Product: Core → Core Graveyard