Closed Bug 133410 Opened 23 years ago Closed 23 years ago

Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode]

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: jcarpenter0524, Assigned: attinasi)

References

(
URL
)

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: [adt1][fix in hand][fixed on the trunk 04/11 and branch 04/19] [Needs a=] [ETA 04/19])

Crash Data

Attachments

(4 files)

test case
15.45 KB, text/html
Details
animated gif
16.28 KB, image/gif
Details
minimized test case
387 bytes, text/html
Details
patch v1.0
13.18 KB, patch
hjtoi-bugzilla
: review+
jst
: superreview+
dbaron
: approval+
Details | Diff | Splinter Review
This stack signature is a topcrasher for M099 on Windows nsImageBoxListener::OnStopDecode Build ID range: 2002031106 to 2002031106 Stack Trace: nsImageBoxListener::OnStopDecode [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 877] imgRequestProxy::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp line 295] imgRequest::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 337] imgContainer::Notify [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp line 459] nsTimerImpl::Process [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 342] handleMyEvent [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 381] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1072] USER32.dll + 0x3c076 (0x77d7c076) USER32.dll + 0x3c076 (0x77d7c076) _except_handler3() kernel32.dll + 0x3bb86 (0x77e9bb86) Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/xul/base/src/nsImageBoxFrame.cpp line : 877 COMMENTS/URLs: (4407199) URL: http://knowhow.cdfreaks.com (4407199) Comments: Pressed back from the "no results page" after an unsuccessful search (4328945) URL: http://my.yahoo.com (4328945) Comments: Using AltaVista to translate a German tech site that I don't recall the URL to. Ack! (4284298) URL: cnn.com (4284298) Comments: clicked on link to story on Antarctica on CNN.com (4250323) URL: http://www.01net.com (4168294) URL: www.esprinet.it (4131762) URL: www.msnbc.com (4119907) Comments: Testing an update to a JSP page. (4078108) URL: http://www.looksmart.com/ (4078108) Comments: Tried to click on the "Computers" link. (4046514) URL: http://translate.google.com/translate?hl=en&sl=de&u=http://www.teccentral.de/reviews/mainboard/asus/asus_a7m266-d/&prev=/search%3Fq%3D%2522asus%2Ba7m266-d%2522%2Breview%26hl%3Den%26ie%3DISO-8859-1%26oe%3DISO-8859-1 (4046514) Comments: this happened just after a google page was translated from german to english. i then selected a dropdown menu from the bottom to go to the "result" of the review. after choosing this item netscape crashed. (4046436) URL: http://translate.google.com/translate?hl=en&sl=de&u=http://www.teccentral.de/reviews/mainboard/asus/asus_a7m266-d/&prev=/search%3Fq%3D%2522asus%2Ba7m266-d%2522%2Breview%26hl%3Den%26ie%3DISO-8859-1%26oe%3DISO-8859-1 (4046436) Comments: this is a link from a translated google search. just browsing. had the mail window open with an imap account and a pop account and a couple of tabs to other sites. (4043228) URL: http://www.prinz.de (4043228) Comments: Surfing in the Foto-Gallerie from PRinz online DE (4027895) URL: cnn.com (4027895) Comments: it was in the layout engine (gklayout.dll) i just typed something in the serach box hit search page came up program died.
Keywords: crash, qawanted, topcrash
over to layout
Component: Networking: HTTP → Layout
.
Assignee: darin → attinasi
QA Contact: tever → petersen
Severity: normal → critical
pavlov?
Adding Trunk to summary since there have been quite a few of these crashes on the Trunk recently. The most recent crash was with a build from 3/22: Incident ID 4412409 Stack Signature nsImageBoxListener::OnStopDecode a2b4b3f7 Trigger Time 2002-03-24 07:18:13 Email Address URL visited Build ID 2002032211 Product ID MozillaTrunk Platform Operating System Win32 Module Trigger Reason Access violation User Comments Stack Trace nsImageBoxListener::OnStopDecode [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp, line 877] imgRequestProxy::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp, line 294] imgRequest::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp, line 336] imgContainer::Notify [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 459] nsTimerImpl::Process [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 342] handleMyEvent [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 381] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1072] KERNEL32.DLL + 0x24407 (0xbff94407) 0x00648c16 It might be possible that this crash is no longer occuring. Do we know of anything checked in on 3/22 that might have fixed this? Either way, we need to see if we can reproduce this.
Summary: M099 topcrash [@ nsImageBoxListener::OnStopDecode] → Trunk M099 topcrash [@ nsImageBoxListener::OnStopDecode]
Launch Netscape build for 4-1-02. From the Bugzilla bug application, locate bug # 133410. There is a link on the bug for "CDFREAK" (http://knowhow.cdfreaks.com), click that link to launch and let the site load. After the site completely loads, I simply hit the "back" button to return to bug #133410. About 10 seconds elapse, before the Netscape browser crashes with a "Invalid Page Fault" error message. I tried this multiple times with the same result, however there were two different IPF messages, listed below. NETSCP6 caused an invalid page fault in module <unknown> at 0000:00000013. Registers: EAX=6111d9d8 CS=016f EIP=00000013 EFLGS=00010a86 EBX=00000001 SS=0177 ESP=0068fa90 EBP=0068faa4 ECX=c049db02 DS=0177 ESI=6111d968 FS=6f67 EDX=0068faac ES=0177 EDI=00000000 GS=0000 Bytes at CS:EIP: 00 54 ff 00 f0 40 ae 00 f0 6e af 00 f0 00 00 00 Stack dump: 03ac0177 611160f0 0580baa0 0068faac 0580b420 0068fad0 60430eca 01db49c0 0580baa0 03ac5a60 0588f290 0068fb2c 0580fc68 61118ec0 03ac5a60 00000000 NETSCP6 caused an invalid page fault in module GKLAYOUT.DLL at 016f:60430ebb. Registers: EAX=01e2b480 CS=016f EIP=60430ebb EFLGS=00010246 EBX=00000001 SS=0177 ESP=0068fab8 EBP=0068fad0 ECX=0587e070 DS=0177 ESI=05904660 FS=1d3f EDX=32dd8a5f ES=0177 EDI=00000000 GS=0000 Bytes at CS:EIP: 8b 08 ff 75 08 ff 75 0c 50 ff 91 4c 01 00 00 8d Stack dump: 05397c40 0068fb2c 05901e38 61118ec0 0587e070 00000000 0068fb58 605a51b0 0587e070 0537d0f0 0587e070 05397c40 0068fb2c 605a43e2 0537d0f0 05397c40
Keywords: qawanted
Keywords: testcase
Just tried the steps above on a Win2000 machine using the 2002040210 build and got no crash.
Instructions in comment 5 crash it for me. Chris offered to help, so over to him - thanks!
Assignee: attinasi → waterson
Marking it as topcrash+ since we have a reproducible case submitted by TUCSON Beta testing group. nominating for nsbeta1
Keywords: topcrashnsbeta1, topcrash+
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.0
I can crash this on Linux. I had to hit `Shift Reload' on the page to crash.
OS: Windows NT → All
Hardware: PC → All
The URL of image that's causing the crash is <http://ads.cdfreaks.com/adview.php?bannerID=13>.
Attached file test case —
This page ought to crash the browser when you Shift+Reload.
Keywords: nsbeta1nsbeta1+
Whiteboard: [adt1]
Attached image animated gif —
Attached file minimized test case —
This test case refers to the animated gif attached above (attachment 77948 [details]).
To reproduce the bug, load the test case (attachment 77949 [details]), and then hit `Shift Reload'. Wait a second or two, and the browser should crash. This looks like it may be a problem with table teardown and/or with parser fixup. cc'ing karnaze & harishd. The minimized test case is as follows: <html> <head> <title>Bug 133410</title> </head> <body> <table> <tr> <td> <form> <input type="text"> <input type="submit" value="Search"> <!-- note missing form close tag --> </td> </tr> </table> <table> <span> <!-- simple animated gif --> <img src="attachment.cgi?id=77948&action=view"> </span> </table> </body> </html>
Here's the content model that gets created once you strip the whitespace out of the test case: html@0x81e3cd8 refcount=9< head@0x81e3d30 refcount=2< > body@0x81fdb28 refcount=4< table@0x82300f0 refcount=6< tbody@0x8230160 refcount=3< tr@0x82301b0 refcount=3< td@0x8230228 refcount=4< form@0x822ff68 refcount=3< input@0x8230560 type="text" refcount=48<> input@0x82275a8 type="submit" value="Search" refcount=5<> > > > > > table@0x82304e8 refcount=10< span@0x82398e8 refcount=3< img@0x8239990 src="adview.php.gif" refcount=3<> > > > > Note that if I put the </form> tag in, then the <span> is correctly rotated out from inside the <table> frame. So...looks like an htmlparser or content sink bug, reassigning to harishd. Of course, it _is_ unfortunate that this can crash the layout engine: <div style="display: table;"> <span> <img src="animated.gif"> </span> </div> karnaze, should we work on fixing that?
Assignee: waterson → harishd
Status: ASSIGNED → NEW
Component: Layout → Parser
karnaze: FWIW, I take it back -- I can't crash the browser with the above HTML. ;-)
waterson: Are you saying that the missing /FORM is not the problem.
Attached patch patch v1.0 — — Splinter Review
The problem was due to the difference in handling of a FORM in the navdtd and in the content sink. That is, FORM is never on the navdtd's stack however it may be on the content sink's stack depending on its ( FORM ) parent. Because of this difference the insertion point, for a misplaced table content, was incorrect and hence somehow messed up the layout. With this patch the DTD would check with the sink, whether a FORM is on the sink's stack or not, before inserting the misplaced table content.
Status: NEW → ASSIGNED
Whiteboard: [adt1] → [adt1][fix in hand]
Btw, a better way to fix this bug is to treat FORM, in navdtd and in the content-sink, alike ( Refer to bug 136397 ). However, ever since gecko was formed the FORM element was always treated as a leaf in CNavDTD and hence changing this behavior at this stage is asking for trouble. Will try to get to bug 136397 post 1.0. For now the proposed fix ( in Comment #18 ) is the safest.
Comment on attachment 78281 [details] [diff] [review] patch v1.0 sr=jst
Attachment #78281 - Flags: superreview+
Fix landed ( 04/11 ) on the trunk.
Whiteboard: [adt1][fix in hand] → [adt1][fix in hand][fixed on the trunk 04/11]
nominating adt1.0.0. After it's been tested on the trunk, please update the bug with the results.
Keywords: adt1.0.0
what's the good word from QA? we want this one, but we need to know, this issue was verified on the trunk, and did not cause any new regressions. Pls Note: When bugs are fixed on the 1.0 branch, pls replace adt1.0.0+ with fixed1.0.0 keyword. After QA has verified the fix is in the branch, pls replace fixed1.0.0, with verified1.0.0.
Checked on OS X trunk (2002-04-15-08) and Windows ME trunk (2002-04-15-03) and is fixed on both builds. Need to still check on Linux build before I mark verified.
Works under Linux Redhat 6.2 (2002-04-16-09). Marking verified.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified
Status: RESOLVED → VERIFIED
marking adt1.0.0+ on behalf of the adt for approval to checkin on the 1.0 branch. Please check this in today when you get drivers approval. When it's checked in, please add the fixed1.0.0 keyword.
Keywords: adt1.0.0adt1.0.0+
Reopening the bug for now. Will close it after landing the patch on the branch.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Resolving as fixed because it has landed on the trunk. Once it has landed on the 1.0 branch, pls add the fixed1.0.0 keyword.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Keywords: approval
Resolution: --- → FIXED
Whiteboard: [adt1][fix in hand][fixed on the trunk 04/11] → [adt1][fix in hand][fixed on the trunk 04/11] [Needs a=] [ETA 04/19]
Fixed landed ( 04/19 ) on the branch.
Keywords: fixed1.0.0
Whiteboard: [adt1][fix in hand][fixed on the trunk 04/11] [Needs a=] [ETA 04/19] → [adt1][fix in hand][fixed on the trunk 04/11 and branch 04/19] [Needs a=] [ETA 04/19]
Status: RESOLVED → VERIFIED
Keywords: verified1.0.0
Verified on branch Win ME (2002-04-23-06) and OS X (2002-04-23-05) builds.
Comment on attachment 78281 [details] [diff] [review] patch v1.0 after-the-fact a= for 1.0 branch
Attachment #78281 - Flags: approval+
Reopening for more investigation. It looks like this crash is still around on the MozillaTrunk...there have been quite a few crashes with similar stacks reported after the checkin: Count Offset Real Signature [ 13 nsImageBoxListener::OnStopDecode 9974a836 - nsImageBoxListener::OnStopDecode ] [ 9 nsImageBoxListener::OnStopDecode 56f9cda2 - nsImageBoxListener::OnStopDecode ] [ 3 nsImageBoxListener::OnStopDecode 64e5e08e - nsImageBoxListener::OnStopDecode ] [ 2 nsImageBoxListener::OnStopDecode f8319efa - nsImageBoxListener::OnStopDecode ] Crash date range: 2002-04-24 to 2002-04-29 Min/Max Seconds since last crash: 104 - 149670 Min/Max Runtime: 200 - 150479 Keyword List : Count Platform List 13 Windows NT 5.1 build 2600 11 Windows NT 5.0 build 2195 3 Windows 98 4.10 build 67766222 Count Build Id List 7 2002042412 5 2002042703 5 2002042512 4 2002042708 3 2002042410 3 2002042406 No of Unique Users 23 Stack trace(Frame) nsImageBoxListener::OnStopDecode [nsImageBoxFrame.cpp line 877] imgRequestProxy::FrameChanged [imgRequestProxy.cpp line 294] imgRequest::FrameChanged [imgRequest.cpp line 336] imgContainer::Notify [imgContainer.cpp line 459] nsTimerImpl::Fire [nsTimerImpl.cpp line 357] nsTimerManager::FireNextIdleTimer [nsTimerImpl.cpp line 591] nsAppShell::Run [nsAppShell.cpp line 134] nsAppShellService::Run [nsAppShellService.cpp line 451] main1 [nsAppRunner.cpp line 1447] main [nsAppRunner.cpp line 1782] WinMain [nsAppRunner.cpp line 1800] WinMainCRTStartup() kernel32.dll + 0x1eb69 (0x77e7eb69) (5728311) URL: http://www.tucows.com/ (5720315) Comments: Browsing E-bay (5719910) Comments: just browsing (5683843) Comments: Had the Mozilla windows open for quite a while when I started using them again they were suddenly considerably slow. I suspect a memory leak somewhere in this build. (5677976) URL: www.betanews.com (5677976) Comments: Scrolling down the page using the scrollbar. (5677467) Comments: browsing Ebay auctions (5672521) URL: http://www.google.com (5643912) URL: somewhere on forum.sonique.com (5643912) Comments: Clicked the back button then tried to scroll up using the slider and the mouse was a text i-bar and mozilla was frozen *alas*. (5642825) URL: www.nytimes.com/auth/login:URL=http:// (missed the rest) (5622482) Comments: Clicked on "Reply" in order to reply to an e-mail message which appeared to cause a failure. (5600977) URL: http://www.chl.it/ (5600977) Comments: while browsinginformaticacomputer su misurared button procediprocessorisocket Aduron somethinginserisci nel progetto (5577848) URL: eastbayexpress.com (5577848) Comments: Clicking a link to continue reading an article
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
There have also been a few incidents on the Mozilla1.0 Branch after the checking there: Count Offset Real Signature [ 3 nsImageBoxListener::OnStopDecode 829d1c60 - nsImageBoxListener::OnStopDecode ] [ 1 nsImageBoxListener::OnStopDecode c3a93772 - nsImageBoxListener::OnStopDecode ] Crash date range: 2002-04-21 to 2002-04-26 Min/Max Seconds since last crash: 1108 - 9369 Min/Max Runtime: 1108 - 9369 Keyword List : Count Platform List 3 Windows NT 5.0 build 2195 1 Windows 98 4.10 build 67766446 Count Build Id List 2 2002042308 1 2002042208 1 2002042108 No of Unique Users 3 Stack trace(Frame) nsImageBoxListener::OnStopDecode [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 877] imgRequestProxy::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp line 294] imgRequest::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 336] imgContainer::Notify [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp line 459] nsTimerImpl::Process [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 342] handleMyEvent [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 381] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 597] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 530] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1078] nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 309] main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1431] main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1766] WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1784] WinMainCRTStartup() KERNEL32.DLL + 0xd326 (0x77e8d326) (5454284) Comments: Crashed doing a search
Summary: Trunk M099 topcrash [@ nsImageBoxListener::OnStopDecode] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode]
jpatel: Is it reproducable?
Could this be another instance of bug 138292?
With the patch in bug 138292 I am not getting seeing a crash after loading/reloading the url and each test case. I haven't tried it without the patch. The minimized test case is similar to the test case in bug 138292.
I have never been able to reproduce this particular crash, not even with the latest urls and comments I just posted, but clearly people are still crashing at nsImageBoxListener::OnStopDecode. Maybe this is another instance of bug 138292, but we will only know for sure if someone is able to reproduce. I'll keep an eye on Talkback data after that checkin goes in to see if these crashes go away as well.
The fix for bug 138292 (checked in 4/30) didn't help much with this crash, there were 3 incidents with 5/1 MozillaTrunk builds. Here is the most recent incident: Incident ID 5839470 Stack Signature nsImageBoxListener::OnStopDecode 48adca0f Email Address Product ID MozillaTrunk Build ID 2002050108 Trigger Time 2002-05-01 20:01:31 Platform Win32 Operating System Windows 98 4.10 build 67766446 Module GKLAYOUT.DLL URL visited User Comments Trigger Reason Access violation Source File Name nsImageBoxFrame.cpp Trigger Line No. 877 Stack Trace nsImageBoxListener::OnStopDecode [nsImageBoxFrame.cpp, line 877] imgRequestProxy::FrameChanged [imgRequestProxy.cpp, line 294] imgRequest::FrameChanged [imgRequest.cpp, line 336] imgContainer::Notify [imgContainer.cpp, line 459] nsTimerImpl::Fire [nsTimerImpl.cpp, line 357] nsTimerManager::FireNextIdleTimer [nsTimerImpl.cpp, line 591] nsAppShell::Run [nsAppShell.cpp, line 134] nsAppShellService::Run [nsAppShellService.cpp, line 451] main1 [nsAppRunner.cpp, line 1447] main [nsAppRunner.cpp, line 1783] WinMain [nsAppRunner.cpp, line 1801] WinMainCRTStartup() KERNEL32.DLL + 0x1b6e6 (0xbff8b6e6) KERNEL32.DLL + 0x1b598 (0xbff8b598) KERNEL32.DLL + 0x19f5b (0xbff89f5b) 0x1c0e5d1c
Well, I tried several times but wasn't able to reproduce that crash. Is there a URL associated with the crash?
Here are some of the most current URLs noted in TB reports: http://www.gamasutra.com http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2020334056 ebay.com http://www.tucows.com/
http://climate.netscape.com/reports/SingleIncidentInfo.cfm?dynamicBBID=5900773 has a slightly different stack (main1 [nsAppRunner.cpp, line 1472] instead of 1447)
I tried loading the urls mentioned in comment #42 several times but wasn't able to reproduce the crash. Can any one else?
Keywords: qawanted
Observation: ------------- On Initial Load: ImageFrame - 0x03dcc2f0 ImageListener - 0x039b6d58 - mFrame - 0x03dcc2f0 On Reload: ImageFrame - 0x03ba1300 ImageListener - 0x03c97de8 - mFrame - 0x03ba1300 When crashed: ImageFrame - 0x03dcc2f0 <<<< ImageListener - 0x039b6d58 <<<< IDENTICAL TO INITAL LOAD! - mFrame - 0x03dcc2f0 <<<< It looks like the ImageRequestProxy is holding on to an obsolete frame!
Note: To reproduce the crash undo my patch on your local tree. With my patch I was never able to crash. FYI: I smell something fishy in imgContainer but couldn't say where :( --> pavlov
Assignee: harishd → pavlov
Status: REOPENED → NEW
Objects in C++ can go away and be re-created at the same address that an old object lived at (i.e. heap memory is reused), so make sure that's not what you're seeing here...
this hasn't shown up in talkback since 2002050304...
*** Bug 142830 has been marked as a duplicate of this bug. ***
bug 142830 points out a reproducible URL to get this crash (I can get this consistently in a win2k trunk build). Try loading http://gamefix.free.fr/ and then 'about:blank', and repeating that once or twice.
http://gamefix.free.fr/ worksforme with linux trunk build 20020507.
John's steps crash for me incident #6064562 - build 2002050708. WinNT4. with the nsImageListener::FrameChanged signature (from duped bug 142830.)
Keywords: qawanted
Summary: Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][nsImageListener::FrameChanged]
Crashes with the nsImageBoxListener::OnStopDecode stack signature are no longer showing up in Talkback data after 5/3 MozillaTrunk builds. However, people seem to still be crashing at nsImageListener::FrameChanged with a similar stack trace. Should we leave this bug open or log a new bug? This bug seems to be cluttered with a lot of adt keywords that might confuse people.
Summary: Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][nsImageListener::FrameChanged] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][@ nsImageListener::FrameChanged]
The nsImageListener::FrameChanged crashes might be related to bug 138292.
Although the nsImageBoxListener::OnStopDecode stack signature isn't showing up in Talkback reports, it looks like this crash is still happening under the 0x00000000 stack signature: Count Offset Real Signature [ 3 0x00000000 917e95fa - nsImageBoxListener::OnStopDecode ] [ 3 0x00000000 5de130aa - nsImageBoxListener::OnStopDecode ] Crash date range: 2002-04-27 to 2002-05-03 Min/Max Seconds since last crash: 61 - 87928 Min/Max Runtime: 2647 - 87928 Keyword List : Count Platform List 3 Windows NT 5.1 build 2600 3 Windows NT 5.0 build 2195 Count Build Id List 3 2002050108 1 2002050208 1 2002042708 1 2002042703 No of Unique Users 5 Stack trace(Frame) 0x00000000 nsImageBoxListener::OnStopDecode [nsImageBoxFrame.cpp line 877] imgRequestProxy::FrameChanged [imgRequestProxy.cpp line 294] imgRequest::FrameChanged [imgRequest.cpp line 336] imgContainer::Notify [imgContainer.cpp line 459] nsTimerImpl::Fire [nsTimerImpl.cpp line 357] nsTimerManager::FireNextIdleTimer [nsTimerImpl.cpp line 591] nsAppShell::Run [nsAppShell.cpp line 134] nsAppShellService::Run [nsAppShellService.cpp line 451] main1 [nsAppRunner.cpp line 1447] main [nsAppRunner.cpp line 1783] WinMain [nsAppRunner.cpp line 1801] WinMainCRTStartup() KERNEL32.DLL + 0xd326 (0x77e8d326) (5895034) Comments: browzing eBay (5873107) URL: www.batshalom.org (5873107) Comments: (or is it www.bat-shalom.org ?)The java console kicked in... some java applet was taking forever to load (apparently)... I clicked on a link it started bringing up another page and Moz simply disapeared. (5702810) URL: www.antiwar.com (missed the rest) (5702810) Comments: I usually print through adobe pdf writer because I've discovered that Moz's (sp?) print preview has stopped being WYSIWYG. Anyway I looked at another site (www.ariga.com) and was going through www.antiwar.com when Moz simply vanished. Instantly.(that (5702810) Comments: was after printing a few pages here and there) (5683982) URL: www.foodtv.com
The crash with the original url and testcase is no longer happening, so I was wondering if we should log a new bug for these recent crashes? I already closed bug 138292 verified fixed again (the crash with the original url and testcase in that bug has been fixed). Pav: Any thoughts on that? Should we leave this one open or log a new bug?
harish, I don't understand your comments... the only reason we would crash in these places is because of memory getting stomped on due to a frame being recycled in the arena without the destroy method being called on it. We've seen this "bug" numerous times and it always points to layout not properly deleting a frame object.
Assignee: pavlov → harishd
QA Contact: petersen → moied
I hate to bounce bugs back and forth but this is not a parser problem anymore. Reassigning to layout for futher investigation.
Assignee: harishd → attinasi
Component: Parser → Layout
QA Contact: moied → petersen
Count Offset Real Signature [ 35 nsImageListener::FrameChanged 1c0e1f8a - nsImageListener::FrameChanged ] [ 26 nsImageListener::FrameChanged f0971e0e - nsImageListener::FrameChanged ] [ 21 nsImageListener::FrameChanged 0be4b6aa - nsImageListener::FrameChanged ] [ 9 nsImageListener::FrameChanged 2a5e057a - nsImageListener::FrameChanged ] [ 5 nsImageListener::FrameChanged 70ae2a6a - nsImageListener::FrameChanged ] [ 4 nsImageListener::FrameChanged a88c85df - nsImageListener::FrameChanged ] [ 4 nsImageListener::FrameChanged 937cff02 - nsImageListener::FrameChanged ] [ 3 nsImageListener::FrameChanged f4f6126b - nsImageListener::FrameChanged ] Crash date range: 2002-05-04 to 2002-05-12 Min/Max Seconds since last crash: 29 - 446127 Min/Max Runtime: 410 - 484914 Keyword List : click(4), Count Platform List 51 Windows NT 5.0 build 2195 49 Windows NT 5.1 build 2600 7 Windows 98 4.10 build 67766446 Stack trace(Frame) nsImageListener::FrameChanged [nsImageFrame.cpp line 2383] imgRequestProxy::FrameChanged [imgRequestProxy.cpp line 294] imgRequest::FrameChanged [imgRequest.cpp line 338] imgContainer::Notify [imgContainer.cpp line 459] nsTimerImpl::Fire [nsTimerImpl.cpp line 357] nsTimerManager::FireNextIdleTimer [nsTimerImpl.cpp line 591] nsAppShell::Run [nsAppShell.cpp line 134] nsAppShellService::Run [nsAppShellService.cpp line 451] main1 [nsAppRunner.cpp line 1472] main [nsAppRunner.cpp line 1808] WinMain [nsAppRunner.cpp line 1826] WinMainCRTStartup() kernel32.dll + 0x1eb69 (0x77e7eb69) (6211424) URL: http://slashdot.org (6159191) Comments: Click boom bah! Nothing out of the ordinary. Single window.I think these crashes are intention so you can gather marketroidle demographics information like what other programs I'm running at the time. Try tossing some more code at the screen to see if (6159191) Comments: it sticks. We don need no steenkin algorithms. (6147840) URL: www.ubid.com (6115349) URL: http://www.ubid.com/actn/opn/getpage.asp?AuctionId=7214002 (6101905) URL: groups.yahoo.com (6101822) URL: groups.yahoo.com (6067037) URL: www.paypal.com (6067037) Comments: I was trying to login to their secure site (6066401) Comments: Moving back and forth between eBay & Half.com. Was doing a "back" from Half.com to eBay when it errored. (6054065) URL: www.blockbuster.com (6041117) URL: http://www.ubid.com/actn/opn/getpage.asp?AuctionId=7214002 (6041117) Comments: Initial click on the page (6038291) Comments: scrolled a bugzilla query result-page before it had fully loaded (6033643) URL: http://gamefix.free.fr (6032400) URL: http://gamefix.free.fr (6032355) URL: http://www.winace.com (6012854) Comments: I was surfing eBay (6012843) Comments: I was surfing eBay (6012830) Comments: when pressing Home button (6012671) URL: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&Item=1535479505 (6003592) URL: http://www.football365.com/Homegrounds/Chelsea/News/index.shtml (6003592) Comments: Clicked on Rangers Hero link (5992341) Comments: clicked on linik regarding 'armored ascii bug' in google search for 'armored ascii'. Kept going to linuxtoday site and when clicked back would not go back (link was redirecting me?) . Hit back a couple times then crashed. (5967321) URL: www.neimanmarcus.com (5956412) URL: http://www.wrestlingheadlines.com/index2.html (5929043) Comments: browsing a web site
"The crash with the original url and testcase is no longer happening, so I was wondering if we should log a new bug for these recent crashes?" jpatel: please file a new bug for the recent crashes. Thanks.
Thanks Kevin...I was waiting for that comment. Returning this bug to fixed. I will open a new bug on the recent nsImageListener::FrameChanged crashes.
Status: NEW → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
Verified fixed. As I stated before, the orginal url and testcase in this bug is no longer crashing for me (or others based on Talkback data). Removing [@ nsImageListener::FrameChanged] from summary, I will be logging a new bug for that crash soon and will post the bug # here for others that want to track it.
Status: RESOLVED → VERIFIED
Summary: Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode][@ nsImageListener::FrameChanged] → Trunk M1BR topcrash [@ nsImageBoxListener::OnStopDecode]
Logged bug 144315 for new nsImageListener::FrameChanged crashes...please go there with any new info you might have for those crashes.
jpatel: This seems to be the top topcrasher on the branch, with 19 reproductions on Windows since 6/21 -- or am I doing something wrong? Should this be reopened?
Kevin, the original nsImageBoxListener::OnStopDecode stack trace is the #1 topcrash on branch, trunk, and M11A, and is the #4 crash on M100. Why did you request its closure?
Blake and Jan: See comment #60. The original crash reported in this bug was fixed and for a while we didn't see this stack in Talkback data and couldn't reproduce it. Then all of a sudden it reappeared. Keep this bug closed...here are a few newer bugs to look at: nsImageListener::FrameChanged bug 144315 (this bug has been fixed, but only for one testcase or url) nsImageListener::FrameChanged bug 153815 (this bug was opened to deal with the remaining crashes after bug 144315 was fixed) nsImageBoxListener::OnStopDecode bug 146027 (this bug was to deal with the remaining crashes after this bug (133410) was fixed, but Alexandru Savulov thought it might be the same or related to bug 144315...but even after the fix for bug 144315, I was still seeing crashes, so I just marked it a dup of bug 153815). So...now we need to figure out if bug 146027 is really the same as bug 153815. If it isn't we should reopen it and deal with just the nsImageBoxListener::OnStopDecode crashes alone in that bug and leave bug 153815 open to deal with just nsImageListener::FrameChanged crashes. Wow...that was some ugly writing. I hope it was clear enough though.
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2
Flags: in-testsuite+
Crash Signature: [@ nsImageBoxListener::OnStopDecode]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: