Closed Bug 123914 Opened 23 years ago Closed 22 years ago

[PATCH] segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame]

Categories

(Core :: Layout, defect, P1)

x86
All
defect

Tracking

()

VERIFIED FIXED
mozilla1.0

People

(Reporter: rhornsby, Assigned: attinasi)

Details

(Keywords: crash, testcase, topcrash+)

Crash Data

Attachments

(1 file)

I'm still looking for other sites where this happens, but if you visit the RBL at

http://mail-abuse.org/cgi-bin/lookup

enter a query, get the results, and then try to go back (gesture, or mash the
back button) mozilla segfaults.  I've tried this by using just mozilla without
galeon and the same thing happens.
Reporter:
Always add the build ID in a bug report
Please upgrade if you are using 0.9.7..

Can you give us a talkback ID# of that crash?
Severity: major → critical
Keywords: crash
This has been crashing my system, build 2002020409 Windows 98:

1. Log in to Bugzilla
2. Create a query and save it.
3. Click the back button.

Don't think it generated Talkback.
The build identifier is 2002020415, and it is version 0.9.8.

If I'm understanding what I'm doing correctly, a relevant talkback ID is 
TB2629187H.
Keywords: stackwanted
nsIsIndexFrame::GetInputFrame()
nsIsIndexFrame::SetInputValue()
nsIsIndexFrame::RestoreState()
FrameManager::RestoreFrameStateFor()
nsCSSFrameConstructor::InitAndRestoreFrame()
nsCSSFrameConstructor::ConstructHTMLFrame()
nsCSSFrameConstructor::ConstructFrameInternal()
nsCSSFrameConstructor::ConstructFrame()
nsCSSFrameConstructor::ContentAppended()
StyleSetImpl::ContentAppended()
PresShell::ContentAppended()
nsDocument::ContentAppended()
nsHTMLDocument::ContentAppended()
HTMLContentSink::NotifyAppend()
SinkContext::FlushTags()
HTMLContentSink::CloseBody()
CNavDTD::CloseBody()
CNavDTD::CloseContainer()
CNavDTD::CloseContainersTo()
CNavDTD::CloseContainersTo()
CNavDTD::DidBuildModel()
nsParser::DidBuildModel()
nsParser::ResumeParse()
nsParser::OnStopRequest()
nsDocumentOpenInfo::OnStopRequest()
nsHttpChannel::OnStopRequest()
nsOnStopRequestEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
libglib-1.2.so.0 + 0x1001e (0x4039101e)
libglib-1.2.so.0 + 0x117f3 (0x403927f3)
libglib-1.2.so.0 + 0x11dd9 (0x40392dd9)
libglib-1.2.so.0 + 0x11f8c (0x40392f8c)
libgtk-1.2.so.0 + 0x9165b (0x402a565b)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x1c306 (0x404db306)
-> Layout
Assignee: asa → attinasi
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
QA Contact: doronr → petersen
Marking nsbeta1+
Target Milestone: --- → mozilla1.0
nsbeta1+
Keywords: nsbeta1+
Topcrash on M098 for Linux, added topcrash keyword.
 Stack trace(Frame) 

	 nsIsIndexFrame::GetInputFrame()  
	 nsIsIndexFrame::SetInputValue()  
	 nsIsIndexFrame::RestoreState()  
	 FrameManager::RestoreFrameStateFor()  
	 nsCSSFrameConstructor::InitAndRestoreFrame()  
	 nsCSSFrameConstructor::ConstructHTMLFrame()  
	 nsCSSFrameConstructor::ConstructFrameInternal()  
	 nsCSSFrameConstructor::ConstructFrame()  
	 nsCSSFrameConstructor::ContentAppended()  
	 StyleSetImpl::ContentAppended()  
	 PresShell::ContentAppended()  
	 nsDocument::ContentAppended()  
	 nsHTMLDocument::ContentAppended()  
	 HTMLContentSink::NotifyAppend()  
	 SinkContext::FlushTags()  
	 HTMLContentSink::CloseBody()  
	 CNavDTD::CloseBody()  
	 CNavDTD::CloseContainer()  
	 CNavDTD::CloseContainersTo()  
	 CNavDTD::CloseContainersTo()  
	 CNavDTD::DidBuildModel()  
	 nsParser::DidBuildModel()  
	 nsParser::ResumeParse()  
	 nsParser::OnStopRequest()  
	 nsDocumentOpenInfo::OnStopRequest()  
	 nsHttpChannel::OnStopRequest()  
	 nsOnStopRequestEvent::HandleEvent()  
	 nsARequestObserverEvent::HandlePLEvent()  
	 PL_HandleEvent()  
	 PL_ProcessPendingEvents()  
	 nsEventQueueImpl::ProcessPendingEvents()  
	 event_processor_callback()  
	 our_gdk_io_invoke()  
	 libglib-1.2.so.0 + 0xec40 (0x40371c40)  
	 libglib-1.2.so.0 + 0x10308 (0x40373308)  
	 libglib-1.2.so.0 + 0x10913 (0x40373913)  
	 libglib-1.2.so.0 + 0x10aac (0x40373aac)  
	 libgtk-1.2.so.0 + 0x8d7e7 (0x402967e7)  
	 nsAppShell::Run()  
	 nsAppShellService::Run()  
	 main1()  
	 main()  
	 libc.so.6 + 0x1d2eb (0x404b52eb)   
 
COMMENTS/URLs:
     (2765157)	URL: page is gone now...
     (2765157)	Comments: I clicked the back button
     (2733198)	URL: page is gone now...
     (2733198)	Comments: I clicked the back button 
     (2827265)	URL: http://www.cs.indiana.edu:800/LCD/cover.html
     (2827265)	Comments: search for a keyword click on back mozilla will crash here
     (2826948)	Comments: scrolling up
     (2827263)	Comments: going back
     (2827059)	Comments: going back
     (2744323)	URL: http://mail-abuse.org/cgi-bin/lookup
     (2744323)	Comments: I entered an IP address  204.97.12.58  into the search box and
pressed ENTER.  The next page displayed told me that the IP address was not MAPS
RBL  their list of junk mail sources.  I pressed ALT+LEFT to return to the
previous page.  Mozilla disappeared
     (2744323)	Comments:  and the Quality FeedbackAgent took over.
     (2880136)	URL: http://www.aunic.net/
     (2880136)	Comments: Was looking at the result of a whois entry and hit the back button
to return to the whois entry form.
Keywords: topcrash
Summary: segfault when going back → segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame]
Adding testcase keyword since it appears that the original set of steps are
reproducible:

(2744323)
URL: http://mail-abuse.org/cgi-bin/lookup
(2744323)
Comments: I entered an IP address  204.97.12.58  into the search box and
pressed ENTER.  The next page displayed told me that the IP address was not MAPS
RBL  their list of junk mail sources.  I pressed ALT+LEFT to return to the
previous page.  Mozilla disappeared
Keywords: testcase
Keywords: stackwanted
The crash seems to happen after submitting a query to a cgi, though I can't be
sure of it ... this is another URL that just crashed it in the same manner as
the other:

http://www.osu.edu/cgi-bin/Inquiry
fix coming up...
Status: NEW → ASSIGNED
OS: Linux → All
Priority: -- → P1
Patch prevents the crash, but it is not clear why we have a null content
element to begin with.
Another site with what appears to be the same symptom:

Go to this URL (the part after the ? can be anything)
http://wwwtios.cs.utwente.nl/traduk/EN-EO/Translate?unfortunately

Type any word to search for. For my own test I used "fish"

Then from the "fish" translation page, press the BACK button to return to the
"unfortunately" translation page. Crash.

Build 2002022708
talkback TB3439521E and TB3439494E
Possibly related: bug 127569
*** Bug 128797 has been marked as a duplicate of this bug. ***
*** Bug 130082 has been marked as a duplicate of this bug. ***
It appears that we have a null mInputContent in the IsIndex frame because of the
way the frame is initialized in the 'back' case.  Normally, when the frame is
created it is initialized (not from frame state data) before the anonymous
frames are generated for it (see nsCSSFrameConstructor::ConstructHTMLFrame).  It
is within the creation of the anonymous frames that the mInputContent and
mTextContent are created (the call chain is
nsCSSFrameConstructor::CreateAnonymousFrames -->
nsCSSFrameConstructor::CreateAnonymousFrames -->
nsIsIndexFrame::CreateAnonymousContent).

When we are initializing the frame with the frame state data, we have not yet
processed the anonymous frames and content, so we have a null mInputContent and
mTextContent.  So, to really fix this the anonymous content has to be generated
before we initialize the frame from the frame state data.  Without that change,
we will not actually be resetting the input value for the frame when we navigate
back to the page that has the IsIndex.

I'll try to get this corrected, but it may end up being a little more volatile
than I can stomach two weeks before Mozilla 1.0, in which case we will just
prevent the crash and open a new bug on the real solution.
I spoke with John Keiser and he is redoing the way the state is saved and
restored anyway (maybe not for 1.0 though), so I'd like to just commit the
crash-prevention and then let him hash out the better solution with the rest of
his state management changes. (If I understand it correctly, he will be using
content to restore the state instead of just the frames.)
Comment on attachment 71534 [details] [diff] [review]
patch to prevent call to GetPrimaryFrameFor with null content

r=jkeiser
Attachment #71534 - Flags: review+
Ha!  
Amaya does not support <isindex>, so, how can it be used in a webpage anyway? ;)
Have Patch...
Summary: segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame] → [PATCH] segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame]
*** Bug 130606 has been marked as a duplicate of this bug. ***
Comment on attachment 71534 [details] [diff] [review]
patch to prevent call to GetPrimaryFrameFor with null content

sr=roc+moz
Attachment #71534 - Flags: superreview+
Keywords: topcrash → topcrash+
Comment on attachment 71534 [details] [diff] [review]
patch to prevent call to GetPrimaryFrameFor with null content

a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #71534 - Flags: approval+
Checked in.

/cvsroot/mozilla/layout/html/forms/src/nsIsIndexFrame.cpp,v  <--  nsIsIndexFrame.cpp
new revision: 1.30; previous revision: 1.29

(NOTE: bug 127360 would probably prevent the crash too, but the warning here is
probably a good thing for a while)
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
*** Bug 135870 has been marked as a duplicate of this bug. ***
*** Bug 137524 has been marked as a duplicate of this bug. ***
Marking verified in the April 23rd trunk builds - Windows ME(2002-04-22-06) and
OS X (2002-04-23-08).
Status: RESOLVED → VERIFIED
*** Bug 198826 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsIsIndexFrame::GetInputFrame]