129648 - crashes related to image blocking

Status: RESOLVED DUPLICATE of bug 129734

(Core :: Graphics: Image Blocking, defect)

Description

[Harshal Pradhan]

Dunno what component image blocking would fall under. The code looks like its 
in the cookie module so here goes.

I'm using a cvs debug build on Win2k from a couple of days back. Blocking image 
loading from a server by right clicking on a image and slecting "block images 
from server" seems to cause some sort of memory corruption.

If I vist three or four different sites and block images from there in the 
above manner, I eventually start getting heap corruption assertions and crash 
sometime later.

Dont know it it is relevant, but I'm using a web-proxy (squid on linux)

Comment 1

[Harshal Pradhan]

This may not be related to the actual problem, but this is where it asserts 
that the heap is corrupted.


_free_dbg_lk(void * 0x0012d450, int 1) line 1044 + 48 bytes
_free_dbg(void * 0x0012d450, int 1) line 1001 + 13 bytes
free(void * 0x0012d450) line 956 + 11 bytes
PR_Free(void * 0x0012d450) line 434 + 10 bytes
nsMemoryImpl::Free(nsMemoryImpl * const 0x00307ae8, void * 0x0012d450) line 342 
+ 10 bytes
nsMemory::Free(void * 0x0012d450) line 100
Recycle(char * 0x0012d450) line 349 + 12 bytes
Permission_AddHost(char * 0x0012d450, int 0, int 1, int 1) line 247 + 9 bytes
PERMISSION_Add(const char * 0x037aa860, int 0, int 1, nsIIOService * 
0x00fe0190) line 724 + 25 bytes
nsPermissionManager::Add(nsPermissionManager * const 0x035b3800, const char * 
0x037aa860, int 0, int 1) line 138 + 29 bytes
XPTC_InvokeByIndex(nsISupports * 0x035b3800, unsigned int 3, unsigned int 3, 
nsXPTCVariant * 0x0012d664) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 2020 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x014794d8, JSObject * 0x031a1280, unsigned int 
3, long * 0x057bd124, long * 0x0012d940) line 1266 + 14 bytes
js_Invoke(JSContext * 0x014794d8, unsigned int 3, unsigned int 0) line 788 + 23 
bytes
js_Interpret(JSContext * 0x014794d8, long * 0x0012e780) line 2745 + 15 bytes
js_Invoke(JSContext * 0x014794d8, unsigned int 1, unsigned int 2) line 805 + 13 
bytes
js_InternalInvoke(JSContext * 0x014794d8, JSObject * 0x0344a978, long 54826424, 
unsigned int 0, unsigned int 1, long * 0x0012e9d8, long * 0x0012e8a8) line 880 
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x014794d8, JSObject * 0x0344a978, long 
54826424, unsigned int 1, long * 0x0012e9d8, long * 0x0012e8a8) line 3388 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x01479470, void * 
0x0344a978, void * 0x034495b8, unsigned int 1, void * 0x0012e9d8, int * 
0x0012e9dc, int 0) line 1016 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x02c36ef8, 
nsIDOMEvent * 0x037517c8) line 180 + 77 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02ba5d20, 
nsIDOMEvent * 0x037517c8, nsIDOMEventTarget * 0x02bf7068, unsigned int 8, 
unsigned int 7) line 1217 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02bad778, 
nsIPresContext * 0x028e59b8, nsEvent * 0x0012f4ec, nsIDOMEvent * * 0x0012f39c, 
nsIDOMEventTarget * 0x02bf7068, unsigned int 7, nsEventStatus * 0x0012f538) 
line 2207 + 36 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02bf7060, nsIPresContext * 
0x028e59b8, nsEvent * 0x0012f4ec, nsIDOMEvent * * 0x0012f39c, unsigned int 1, 
nsEventStatus * 0x0012f538) line 3457
PresShell::HandleDOMEventWithTarget(PresShell * const 0x028e6960, nsIContent * 
0x02bf7060, nsEvent * 0x0012f4ec, nsEventStatus * 0x0012f538) line 6052 + 36 
bytes
nsMenuFrame::Execute() line 1667
nsMenuFrame::HandleEvent(nsMenuFrame * const 0x053770cc, nsIPresContext * 
0x028e59b8, nsGUIEvent * 0x0012f90c, nsEventStatus * 0x0012f718) line 486
PresShell::HandleEventInternal(nsEvent * 0x0012f90c, nsIView * 0x05603570, 
unsigned int 1, nsEventStatus * 0x0012f718) line 6020 + 38 bytes
PresShell::HandleEvent(PresShell * const 0x028e6964, nsIView * 0x05603570, 
nsGUIEvent * 0x0012f90c, nsEventStatus * 0x0012f718, int 0, int & 1) line 5928 
+ 25 bytes
nsViewManager::HandleEvent(nsView * 0x0561a130, nsGUIEvent * 0x0012f90c, int 0) 
line 2043
nsView::HandleEvent(nsViewManager * 0x028e6298, nsGUIEvent * 0x0012f90c, int 0) 
line 306
nsViewManager::DispatchEvent(nsViewManager * const 0x028e6298, nsGUIEvent * 
0x0012f90c, nsEventStatus * 0x0012f808) line 1857 + 23 bytes
HandleEvent(nsGUIEvent * 0x0012f90c) line 83
nsWindow::DispatchEvent(nsWindow * const 0x058504cc, nsGUIEvent * 0x0012f90c, 
nsEventStatus & nsEventStatus_eIgnore) line 865 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f90c) line 886
nsWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 
0x00000000) line 4711 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 301, unsigned int 0, nsPoint * 
0x00000000) line 4963
nsWindow::ProcessMessage(unsigned int 514, unsigned int 0, long 10027097, long 
* 0x0012fd20) line 3596 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x003401ca, unsigned int 514, unsigned int 0, 
long 10027097) line 1130 + 27 bytes

Comment 2

[Stephen P. Morse]

I wonder if this is related to bug 129734.  However not enough evidence to dup 
it yet.

Comment 3

[WD]

I've noticed mozilla being very crashy (5 or 6 times per day) for the past week
or so.   I do have image blocking enabled for some sites.

Can somebody check TB3843048M to see if I'm seeing what's going on in this bug?

Comment 4

[Stephen P. Morse]

Now that bug 129734 is fixed and checked in, I'd like to know if anyone is still 
seeing this problem.

Comment 5

[Harshal Pradhan]

Indeed. The problem seems to have gone away after I cvs updated
mozilla/extensions/cookie

And the stack trace above also indicates that this was caused by the "double
free" that bug 129734 fixed. 

I agree that this looks a duplicate of that bug.

*** This bug has been marked as a duplicate of 129734 ***