Closed
Bug 123914
Opened 23 years ago
Closed 22 years ago
[PATCH] segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame]
Categories: (Core :: Layout, defect, P1)
Tracking: VERIFIED FIXED, mozilla1.0
People: (Reporter: rhornsby, Assigned: attinasi)
Details: (Keywords: crash, testcase, topcrash+)
Attachments: (1 file) 614 bytes, patch (john: review+, roc: superreview+, asa: approval+)
I'm still looking for other sites where this happens, but if you visit the RBL at http://mail-abuse.org/cgi-bin/lookup, enter a query, get the results, and then try to go back (gesture, or mash the back button), mozilla segfaults. I've tried this by using just mozilla without galeon and the same thing happens.
Comment 1•23 years ago
Reporter: Always add the build ID in a bug report. Please upgrade if you are using 0.9.7. Can you give us a talkback ID# of that crash?
Severity: major → critical
Keywords: crash
This has been crashing my system, build 2002020409 Windows 98:
1. Log in to Bugzilla
2. Create a query and save it.
3. Click the back button.
Don't think it generated Talkback.
Comment 3•23 years ago (Reporter)
The build identifier is 2002020415, and it is version 0.9.8. If I'm understanding what I'm doing correctly, a relevant talkback ID is TB2629187H.
Updated•23 years ago
Keywords: stackwanted
nsIsIndexFrame::GetInputFrame()
nsIsIndexFrame::SetInputValue()
nsIsIndexFrame::RestoreState()
FrameManager::RestoreFrameStateFor()
nsCSSFrameConstructor::InitAndRestoreFrame()
nsCSSFrameConstructor::ConstructHTMLFrame()
nsCSSFrameConstructor::ConstructFrameInternal()
nsCSSFrameConstructor::ConstructFrame()
nsCSSFrameConstructor::ContentAppended()
StyleSetImpl::ContentAppended()
PresShell::ContentAppended()
nsDocument::ContentAppended()
nsHTMLDocument::ContentAppended()
HTMLContentSink::NotifyAppend()
SinkContext::FlushTags()
HTMLContentSink::CloseBody()
CNavDTD::CloseBody()
CNavDTD::CloseContainer()
CNavDTD::CloseContainersTo()
CNavDTD::CloseContainersTo()
CNavDTD::DidBuildModel()
nsParser::DidBuildModel()
nsParser::ResumeParse()
nsParser::OnStopRequest()
nsDocumentOpenInfo::OnStopRequest()
nsHttpChannel::OnStopRequest()
nsOnStopRequestEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
libglib-1.2.so.0 + 0x1001e (0x4039101e)
libglib-1.2.so.0 + 0x117f3 (0x403927f3)
libglib-1.2.so.0 + 0x11dd9 (0x40392dd9)
libglib-1.2.so.0 + 0x11f8c (0x40392f8c)
libgtk-1.2.so.0 + 0x9165b (0x402a565b)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x1c306 (0x404db306)
Comment 5•23 years ago
-> Layout
Assignee: asa → attinasi
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
QA Contact: doronr → petersen
Comment 8•23 years ago
Topcrash on M098 for Linux, added topcrash keyword.
Stack trace(Frame)
nsIsIndexFrame::GetInputFrame()
nsIsIndexFrame::SetInputValue()
nsIsIndexFrame::RestoreState()
FrameManager::RestoreFrameStateFor()
nsCSSFrameConstructor::InitAndRestoreFrame()
nsCSSFrameConstructor::ConstructHTMLFrame()
nsCSSFrameConstructor::ConstructFrameInternal()
nsCSSFrameConstructor::ConstructFrame()
nsCSSFrameConstructor::ContentAppended()
StyleSetImpl::ContentAppended()
PresShell::ContentAppended()
nsDocument::ContentAppended()
nsHTMLDocument::ContentAppended()
HTMLContentSink::NotifyAppend()
SinkContext::FlushTags()
HTMLContentSink::CloseBody()
CNavDTD::CloseBody()
CNavDTD::CloseContainer()
CNavDTD::CloseContainersTo()
CNavDTD::CloseContainersTo()
CNavDTD::DidBuildModel()
nsParser::DidBuildModel()
nsParser::ResumeParse()
nsParser::OnStopRequest()
nsDocumentOpenInfo::OnStopRequest()
nsHttpChannel::OnStopRequest()
nsOnStopRequestEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
libglib-1.2.so.0 + 0xec40 (0x40371c40)
libglib-1.2.so.0 + 0x10308 (0x40373308)
libglib-1.2.so.0 + 0x10913 (0x40373913)
libglib-1.2.so.0 + 0x10aac (0x40373aac)
libgtk-1.2.so.0 + 0x8d7e7 (0x402967e7)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x1d2eb (0x404b52eb)
COMMENTS/URLs:
(2765157) URL: page is gone now...
(2765157) Comments: I clicked the back button
(2733198) URL: page is gone now...
(2733198) Comments: I clicked the back button
(2827265) URL: http://www.cs.indiana.edu:800/LCD/cover.html
(2827265) Comments: search for a keyword click on back mozilla will crash here
(2826948) Comments: scrolling up
(2827263) Comments: going back
(2827059) Comments: going back
(2744323) URL: http://mail-abuse.org/cgi-bin/lookup
(2744323) Comments: I entered an IP address 204.97.12.58 into the search box and pressed ENTER. The next page displayed told me that the IP address was not MAPS RBL their list of junk mail sources. I pressed ALT+LEFT to return to the previous page. Mozilla disappeared
(2744323) Comments: and the Quality Feedback Agent took over.
(2880136) URL: http://www.aunic.net/
(2880136) Comments: Was looking at the result of a whois entry and hit the back button to return to the whois entry form.
Keywords: topcrash
Summary: segfault when going back → segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame]
Comment 9•23 years ago
Adding testcase keyword since it appears that the original set of steps are reproducible:
(2744323) URL: http://mail-abuse.org/cgi-bin/lookup
(2744323) Comments: I entered an IP address 204.97.12.58 into the search box and pressed ENTER. The next page displayed told me that the IP address was not MAPS RBL their list of junk mail sources. I pressed ALT+LEFT to return to the previous page. Mozilla disappeared
Keywords: testcase
Updated•23 years ago
Keywords: stackwanted
Comment 10•23 years ago (Reporter)
The crash seems to happen after submitting a query to a cgi, though I can't be sure of it ... this is another URL that just crashed it in the same manner as the other: http://www.osu.edu/cgi-bin/Inquiry
Comment 11•23 years ago (Assignee)
fix coming up...
Status: NEW → ASSIGNED
OS: Linux → All
Priority: -- → P1
Comment 12•23 years ago (Assignee)
Patch prevents the crash, but it is not clear why we have a null content element to begin with.
Comment 13•23 years ago
Another site with what appears to be the same symptom:
Go to this URL (the part after the ? can be anything) http://wwwtios.cs.utwente.nl/traduk/EN-EO/Translate?unfortunately
Type any word to search for. For my own test I used "fish"
Then from the "fish" translation page, press the BACK button to return to the "unfortunately" translation page.
Crash.
Build 2002022708 talkback TB3439521E and TB3439494E
Comment 14•23 years ago
Possibly related: bug 127569
Comment 15•23 years ago
*** Bug 128797 has been marked as a duplicate of this bug. ***
Comment 16•22 years ago
*** Bug 130082 has been marked as a duplicate of this bug. ***
Comment 17•22 years ago (Assignee)
It appears that we have a null mInputContent in the IsIndex frame because of the way the frame is initialized in the 'back' case. Normally, when the frame is created it is initialized (not from frame state data) before the anonymous frames are generated for it (see nsCSSFrameConstructor::ConstructHTMLFrame). It is within the creation of the anonymous frames that the mInputContent and mTextContent are created (the call chain is nsCSSFrameConstructor::CreateAnonymousFrames --> nsCSSFrameConstructor::CreateAnonymousFrames --> nsIsIndexFrame::CreateAnonymousContent). When we are initializing the frame with the frame state data, we have not yet processed the anonymous frames and content, so we have a null mInputContent and mTextContent.
So, to really fix this the anonymous content has to be generated before we initialize the frame from the frame state data. Without that change, we will not actually be resetting the input value for the frame when we navigate back to the page that has the IsIndex. I'll try to get this corrected, but it may end up being a little more volatile than I can stomach two weeks before Mozilla 1.0, in which case we will just prevent the crash and open a new bug on the real solution.
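The ordering problem described in comment 17, as a simplified model added here (it is not Mozilla source and not the attached patch). The names IsIndexFrameModel, InputContent, RestoreThenBuild and BuildThenRestore are hypothetical; the model shows that a null guard stops the crash but drops the saved value unless the anonymous content is built first.

```cpp
// Simplified model of the restore-ordering problem; not Mozilla source.
#include <memory>
#include <string>

struct InputContent { std::string value; };  // stands in for the anonymous input

class IsIndexFrameModel {  // hypothetical stand-in for nsIsIndexFrame
public:
  // Anonymous content only exists after this call.
  void CreateAnonymousContent() { mInputContent.reset(new InputContent()); }

  // Restore saved form state; false means there was nothing to restore into.
  bool RestoreState(const std::string& saved) {
    if (!mInputContent) {   // the guard: no dereference of a null member
      ++mSkippedRestores;   // crash avoided, but the saved value is dropped
      return false;
    }
    mInputContent->value = saved;
    return true;
  }

  std::string Value() const { return mInputContent ? mInputContent->value : std::string(); }
  int SkippedRestores() const { return mSkippedRestores; }

private:
  std::unique_ptr<InputContent> mInputContent;  // null until anonymous content is built
  int mSkippedRestores = 0;
};

// "Back" path as described: state is restored before anonymous content is built.
std::string RestoreThenBuild(const std::string& saved) {
  IsIndexFrameModel f;
  f.RestoreState(saved);
  f.CreateAnonymousContent();
  return f.Value();
}

// Ordering the comment proposes: build anonymous content first, then restore.
std::string BuildThenRestore(const std::string& saved) {
  IsIndexFrameModel f;
  f.CreateAnonymousContent();
  f.RestoreState(saved);
  return f.Value();
}

int main() {
  // Exit status 0 when the two orderings behave as described.
  return (RestoreThenBuild("fish").empty() && BuildThenRestore("fish") == "fish") ? 0 : 1;
}
```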
Comment 18•22 years ago (Assignee)
I spoke with John Keiser and he is redoing the way the state is saved and restored anyway (maybe not for 1.0 though), so I'd like to just commit the crash-prevention and then let him hash out the better solution with the rest of his state management changes. (If I understand it correctly, he will be using content to restore the state instead of just the frames.)
Comment 19•22 years ago
Comment on attachment 71534: patch to prevent call to GetPrimaryFrameFor with null content
r=jkeiser
Attachment #71534 - Flags: review+
Comment 20•22 years ago (Assignee)
Ha! Amaya does not support <isindex>, so, how can it be used in a webpage anyway? ;)
Comment 21•22 years ago (Assignee)
Have Patch...
Summary: segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame] → [PATCH] segfault when going back; Linux topcrash on M098 [@ nsIsIndexFrame::GetInputFrame]
Comment 22•22 years ago
*** Bug 130606 has been marked as a duplicate of this bug. ***
Comment on attachment 71534: patch to prevent call to GetPrimaryFrameFor with null content
sr=roc+moz
Attachment #71534 - Flags: superreview+
Updated•22 years ago
Comment 24•22 years ago
Comment on attachment 71534: patch to prevent call to GetPrimaryFrameFor with null content
a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #71534 - Flags: approval+
Comment 25•22 years ago (Assignee)
Checked in.
/cvsroot/mozilla/layout/html/forms/src/nsIsIndexFrame.cpp,v <-- nsIsIndexFrame.cpp
new revision: 1.30; previous revision: 1.29
(NOTE: bug 127360 would probably prevent the crash too, but the warning here is probably a good thing for a while)
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 26•22 years ago
*** Bug 135870 has been marked as a duplicate of this bug. ***
Comment 27•22 years ago
*** Bug 137524 has been marked as a duplicate of this bug. ***
Comment 28•22 years ago
Marking verified in the April 23rd trunk builds - Windows ME(2002-04-22-06) and OS X (2002-04-23-08).
Status: RESOLVED → VERIFIED
Comment 29•20 years ago
*** Bug 198826 has been marked as a duplicate of this bug. ***
Updated•13 years ago
Crash Signature: [@ nsIsIndexFrame::GetInputFrame]