Closed Bug 138292 Opened 22 years ago Closed 22 years ago

Trunk crash [@ 0x00000000 - nsImageListener::FrameChanged]

Categories

(Core :: Layout, defect, P2)

x86
All
defect

VERIFIED FIXED
mozilla1.0

People

(Reporter: jay, Assigned: karnaze)

Details

(Keywords: crash, topcrash+)

Attachments

(3 files, 1 obsolete file)

Most of the crashes we were seeing in nsImageBoxListener::FrameChanged were
eliminated by the fix for bug 135222 (those crashes were noted in bug 120639).  

However, there have been a few recent incidents reported with the same stack
signature and trace.

People have been crashing at 2 URLs consistently: 
http://news.walla.co.il 
http://www.caranddriver.com

Here's the most recent crash reported by Talkback:
 Incident ID 5322265   Stack Signature  nsImageListener::FrameChanged f0971e0e
Trigger Time 2002-04-17 19:00:58
Email Address
URL visited caranddriver.com
Build ID 2002041606
Product ID MozillaTrunk
Platform Win32
Operating System Windows NT 5.0 build 2195
Module gklayout.dll
Trigger Reason Access violation
User Comments
Stack Trace
nsImageListener::FrameChanged
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 2383]
imgRequestProxy::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp, line 294]
imgRequest::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp, line 336]
imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 459]
nsTimerImpl::Fire [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp,
line 352]
nsTimerManager::FireNextIdleTimer
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 584]
nsAppShell::Run [d:\builds\seamonkey\mozilla\widget\src\windows\nsAppShell.cpp,
line 134]
nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 309]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1430]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1765]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1783]
WinMainCRTStartup()
KERNEL32.DLL + 0xd326 (0x77e8d326) 

And Vadim (cc'd in this bug) has also been crashing...he should be posting his
stack and any other info soon.
Cc'ing some folks from bug 120639...
Keywords: crash, nsbeta1, topcrash
you can ignore the stack trace if you want ... you probably have enough
already. 

but here's the talkbacks requested:
TB5357452G
TB5357479M
TB5357503G
TB5357609W

Very easy way to crash with this stack: 
Open caranddriver.com and hit reload quickly several times. Does it every time.
does anyone have time to look to see if there are places where mFrame is freed 
w/o being nulled?
Changing QA contact
QA Contact: petersen → amar
This crash is also showing up under the 0x00000000 stack signature:
Count   Offset    Real Signature
[ 2   0x00000000 e293507b - nsImageListener::FrameChanged ]
[ 1   0x00000000 cb96fae7 - nsImageListener::FrameChanged ]
 
     Crash date range: 2002-04-17 to 2002-04-21
     Min/Max Seconds since last crash: 507 - 94208
     Min/Max Runtime: 507 - 94208
     Keyword List :  
     Count   Platform List 
     2   Windows NT 5.1 build 2600
     1   Windows NT 5.0 build 2195
 
     Count   Build Id List 
     2   2002041914
     1   2002041606
 
     No of Unique Users         3
 
 Stack trace(Frame) 

	 0x00000000  
	 nsImageListener::FrameChanged
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp  line 2383] 
	 imgRequestProxy::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp  line 336] 
	 imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp  line 459] 
	 nsTimerImpl::Fire
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 352] 
	 nsTimerManager::FireNextIdleTimer
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 584] 
	 nsAppShell::Run
[d:\builds\seamonkey\mozilla\widget\src\windows\nsAppShell.cpp  line 134] 
	 nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp  line 309] 
	 main1
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1430] 
	 main
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1765] 
	 WinMain
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1783] 
	 WinMainCRTStartup()  
	 kernel32.dll + 0x1eb69 (0x77e7eb69)   
 
     (5448419)	URL: http://www.google.com/
     (5322196)	URL: caranddriver.com
     (5322196)	Comments: Pressed back button

And new Talkback data shows people crashing on ebay.com as well:
     Count   Offset    Real Signature
[ 5   nsImageListener::FrameChanged 1c0e1f8a - nsImageListener::FrameChanged ]
[ 4   nsImageListener::FrameChanged f0971e0e - nsImageListener::FrameChanged ]
[ 2   nsImageListener::FrameChanged c17c1f51 - nsImageListener::FrameChanged ]
[ 2   nsImageListener::FrameChanged 0be4b6aa - nsImageListener::FrameChanged ]
[ 1   nsImageListener::FrameChanged faf5dd69 - nsImageListener::FrameChanged ]
[ 1   nsImageListener::FrameChanged e1006a1f - nsImageListener::FrameChanged ]
[ 1   nsImageListener::FrameChanged e0dadd38 - nsImageListener::FrameChanged ]
 
     Crash date range: 2002-04-17 to 2002-04-21
     Min/Max Seconds since last crash: 22 - 123867
     Min/Max Runtime: 88 - 123867
     Keyword List :  
     Count   Platform List 
     6   Windows NT 5.0 build 2195
     5   Windows NT 5.1 build 2600
     3   Windows 98 4.10 build 67766446
     2   Windows 98 4.10 build 67766222
 
     Count   Build Id List 
     9   2002041914
     3   2002041906
     2   2002041909
     2   2002041606
 
     No of Unique Users        13
 
 Stack trace(Frame) 

	 nsImageListener::FrameChanged
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp  line 2383] 
	 imgRequestProxy::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp  line 336] 
	 imgContainer::Notify
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp  line 459] 
	 nsTimerImpl::Fire
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 352] 
	 nsTimerManager::FireNextIdleTimer
[d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp  line 584] 
	 nsAppShell::Run
[d:\builds\seamonkey\mozilla\widget\src\windows\nsAppShell.cpp  line 134] 
	 nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp  line 309] 
	 main1
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1430] 
	 main
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1765] 
	 WinMain
[d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp  line 1783] 
	 WinMainCRTStartup()  
	 kernel32.dll + 0x1eb69 (0x77e7eb69)   
 
     (5426225)	Comments: I was submitting a form on eBay  the form being a regular ebay search
     (5404381)	URL: listings.ebay.com/aw/plistings/...
     (5404381)	Comments: roaming around ebay selecting from ...    browse --> clothing.mens
--> footware --> athletic shoes            and then back up the stack and then
back down the            stack as if I weren't sure I had gone down the right  
         path and
     (5404381)	Comments:  then decided I had so went back down it again.
     (5322265)	URL: caranddriver.com
     (5322220)	URL: caranddriver.com

Adding qawanted to see if we can get this reproduced in-house so we can make
this a topcrash+.  I have not been able to reproduce this with Vadim's steps at
caranddriver.com.
Keywords: qawanted
Summary: Trunk crash [@ nsImageBoxListener::FrameChanged] → Trunk crash [@ 0x00000000 - nsImageBoxListener::FrameChanged]
Keywords: nsbeta1 → nsbeta1+
Target Milestone: --- → mozilla1.0
Setting the priority.
Priority: -- → P2
Looks like nsImageListener::FrameChanged, not nsImageBoxListener::FrameChanged -
changing summary...

The mFrame member is checked against null already, so it must be invalid -
egads. Need to reproduce.
Status: NEW → ASSIGNED
Summary: Trunk crash [@ 0x00000000 - nsImageBoxListener::FrameChanged] → Trunk crash [@ 0x00000000 - nsImageListener::FrameChanged]
Whiteboard: [adt1]
My guess is that a pending image load for an image frame is not being canceled
before the frame tree is destroyed, so when the timer fires and we process the
image request, the frame to which it refers has already been destroyed. I bet
this happens a lot more often than we get crashes for too, since the frames are
allocated from an arena and the memory is not cleared, allowing stale frames to
be 'safely' accessed in many cases. In this case, the image frame's memory
probably has been taken over by another frame (of a different type) so the
vtable entry for the new frame is null where the FrameChanged method would be
for an imageFrame.
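The mechanism attinasi describes above, as an added C model that is not part of this bug or of Mozilla's code: frames come from a bump arena whose bytes are never cleared, the image listener keeps a raw mFrame pointer, and a timer-driven FrameChanged fires after the frame tree is gone. The arena, the FrameVTable struct, the frame and listener types, and the "buggy"/"fixed" destroy routines are all constructed for this sketch; the fixed variant detaches the listener at frame teardown so the existing null check actually catches the late notification.

```c
/* Toy model of the stale-frame hazard (constructed example, not Mozilla code). */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 4096
static unsigned char g_arena[ARENA_SIZE];
static size_t g_arena_top = 0;

/* Bump allocator: "freeing" is a reset, and reused bytes keep their old contents. */
static void *arena_alloc(size_t n) {
    n = (n + 15u) & ~(size_t)15u;
    if (g_arena_top + n > ARENA_SIZE) return NULL;
    void *p = g_arena + g_arena_top;
    g_arena_top += n;
    return p;
}
static void arena_reset(void) { g_arena_top = 0; }   /* tear down the frame tree */

typedef struct Frame Frame;
typedef struct {
    void (*destroy)(Frame *self);
    void (*frame_changed)(Frame *self);   /* slot is NULL for non-image frames */
} FrameVTable;
struct Frame { const FrameVTable *vt; const char *kind; };

typedef struct { Frame *mFrame; } ImageListener;   /* raw, non-owning pointer */
typedef struct { Frame base; ImageListener *listener; int changes; } ImageFrame;
typedef struct { Frame base; char text[32]; } TextFrame;

static void image_frame_changed(Frame *self) { ((ImageFrame *)self)->changes++; }
/* Buggy destroy: the pending image request is never cancelled. */
static void image_destroy_buggy(Frame *self) { (void)self; }
/* Fixed destroy: detach the listener so a late timer sees mFrame == NULL. */
static void image_destroy_fixed(Frame *self) {
    ImageFrame *img = (ImageFrame *)self;
    if (img->listener) img->listener->mFrame = NULL;
}
static void text_destroy(Frame *self) { (void)self; }

static const FrameVTable kImageBuggyVT = { image_destroy_buggy, image_frame_changed };
static const FrameVTable kImageFixedVT = { image_destroy_fixed, image_frame_changed };
static const FrameVTable kTextVT       = { text_destroy, NULL };

typedef enum { DISPATCH_OK, DISPATCH_SKIPPED_NULL_FRAME, DISPATCH_NULL_SLOT } DispatchResult;

/* Models imgContainer::Notify -> ... -> nsImageListener::FrameChanged. The real
 * code has the mFrame null check and then jumps through the vtable; here a NULL
 * slot is reported instead of being called (that call is the 0x00000000 crash). */
static DispatchResult listener_frame_changed(ImageListener *l) {
    if (l->mFrame == NULL) return DISPATCH_SKIPPED_NULL_FRAME;
    if (l->mFrame->vt->frame_changed == NULL) return DISPATCH_NULL_SLOT;
    l->mFrame->vt->frame_changed(l->mFrame);
    return DISPATCH_OK;
}

/* Build a page with one image frame, destroy the tree, rebuild with a text
 * frame in the same arena slot (a reload), then let the pending timer fire. */
static DispatchResult run_scenario(const FrameVTable *image_vt) {
    ImageListener listener = { NULL };
    arena_reset();
    ImageFrame *img = arena_alloc(sizeof *img);
    img->base.vt = image_vt; img->base.kind = "image";
    img->listener = &listener; img->changes = 0;
    listener.mFrame = &img->base;                /* image request registered */

    img->base.vt->destroy(&img->base);           /* frame tree destroyed ... */
    arena_reset();                               /* ... and its memory recycled */

    TextFrame *txt = arena_alloc(sizeof *txt);   /* a different frame type lands here */
    txt->base.vt = &kTextVT; txt->base.kind = "text";
    strcpy(txt->text, "reloaded");

    return listener_frame_changed(&listener);    /* the idle timer fires now */
}

static DispatchResult run_buggy_scenario(void) { return run_scenario(&kImageBuggyVT); }
static DispatchResult run_fixed_scenario(void) { return run_scenario(&kImageFixedVT); }

/* Control: the timer fires while the image frame is still alive. */
static DispatchResult run_live_scenario(void) {
    ImageListener listener = { NULL };
    arena_reset();
    ImageFrame *img = arena_alloc(sizeof *img);
    img->base.vt = &kImageFixedVT; img->base.kind = "image";
    img->listener = &listener; img->changes = 0;
    listener.mFrame = &img->base;
    return listener_frame_changed(&listener);
}

int main(void) {
    printf("live : %d (0 = dispatched)\n", run_live_scenario());
    printf("buggy: %d (2 = stale frame, NULL vtable slot)\n", run_buggy_scenario());
    printf("fixed: %d (1 = skipped, mFrame was nulled)\n", run_fixed_scenario());
    return 0;
}
```

The point of the model is that the existing `mFrame` null check is sound only if something clears `mFrame` before the frame's memory is recycled; with an uncleared arena the stale pointer still dereferences cleanly, and the first visible symptom is the jump through whatever the reusing frame type has in that vtable slot.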
I can reproduce this crash on both Windows ME (2002-04-23-10 trunk) and Mac OS X
(2002-04-26-05- branch) when clicking the reload button multiple times at
caranddriver. 


1) Load http://www.caranddriver.com
2) After page loads, I rapidly click the reload toolbar button (3-5) times.
3) Crash occurs
Marking topcrash+ since there's a reproducible testcase now.
Keywords: topcrash → topcrash+
Taking the bug.
Assignee: attinasi → karnaze
Status: ASSIGNED → NEW
This simple test case crashes Viewer when reloading (sometimes it has to be
reloaded a 2nd time).
Attachment #81551 - Attachment is obsolete: true
cc'ing harish. Probably another content model juggling bug.
The patch ensures that non table related frames that cause pseudo frames
(anonymous ancestor frames between a frame and a table related frame) to be
created get added to a child list. Without the patch, when the relevant code is
invoked, there are memory leaks, likely data loss, and crashes in the case of
image frames.

Although the test case probably exposes a parser bug, the obsoleted test case
and the url cannot be fixed by the parser because content gets added via
javascript.
Status: NEW → ASSIGNED
Keywords: adt1.0.0, approval
Whiteboard: [adt1] → [adt1]PATCH
Comment on attachment 81699 [details] [diff] [review]
patch to fix the bug

sr=waterson
Attachment #81699 - Flags: superreview+
Comment on attachment 81699 [details] [diff] [review]
patch to fix the bug

r= alexsavulov
Attachment #81699 - Flags: review+
adding adt1.0.0+.  Please check into the branch as soon as possible after
getting drivers approval and add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+
Comment on attachment 81699 [details] [diff] [review]
patch to fix the bug

a=rjesup@wgate.com for branch checkin
Attachment #81699 - Flags: approval+
karnaze: Could you run your patch with the test case / url in bug 133410? Thanks.
Checked into the trunk and m1.0 branch.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED
*** Bug 142937 has been marked as a duplicate of this bug. ***
This crash has not gone away.  There have been crashes on the MozillaTrunk after
the checkin at other urls (with the same stack):

Count   Offset    Real Signature
[ 3   0x00000000 cb96fae7 - nsImageListener::FrameChanged ]
[ 2   0x00000000 f579f95b - nsImageListener::FrameChanged ]
[ 2   0x00000000 e293507b - nsImageListener::FrameChanged ]
 
     Crash date range: 2002-05-01 to 2002-05-07
     Min/Max Seconds since last crash: 51 - 329346
     Min/Max Runtime: 507 - 492637
     Keyword List :  
     Count   Platform List 
     5   Windows NT 5.0 build 2195
     2   Windows NT 5.1 build 2600
 
     Count   Build Id List 
     2   2002050708
     2   2002043010
     1   2002050608
     1   2002050604
     1   2002042908
 
     No of Unique Users         7
 
 Stack trace(Frame) 

	 0x00000000  
	 nsImageListener::FrameChanged
[nsImageFrame.cpp  line 2383] 
	 imgRequestProxy::FrameChanged
[imgRequestProxy.cpp  line 294] 
	 imgRequest::FrameChanged
[imgRequest.cpp  line 338] 
	 imgContainer::Notify
[imgContainer.cpp  line 459] 
	 nsTimerImpl::Fire
[nsTimerImpl.cpp  line 357] 
	 nsTimerManager::FireNextIdleTimer
[nsTimerImpl.cpp  line 591] 
	 nsAppShell::Run
[nsAppShell.cpp  line 134] 
	 nsAppShellService::Run
[nsAppShellService.cpp  line 451] 
	 main1
[nsAppRunner.cpp  line 1472] 
	 main
[nsAppRunner.cpp  line 1808] 
	 WinMain
[nsAppRunner.cpp  line 1826] 
	 WinMainCRTStartup()  
	 KERNEL32.DLL + 0xd326 (0x77e8d326)   
 
     (6052120)	URL: www.ubid.com
     (6052120)	Comments: I was just about to login to ubid and it crashed.
     (6033031)	URL: http://gamefix.free.fr
     (5863137)	URL: www.gamasutra.com
     (5863137)	Comments: Reading the post-mortem on Star Wars Rogue Leader 2 in a tabbed window

Reopening for now...let me know if I need to log a new bug.  Also see bug 133410
for what seems to be related crashes.
reopening for real this time.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I think talkback _may_ be slightly off in reporting the stack. See bug 133410
and particularly bug 142830 where talkback is reporting the crash slightly 
differently from what can be reproduced in a debugger (msvc).


jpatel, could you please open a new bug. This bug had multiple urls and a 
reduced test case that were fixed by the patch. The patch corrected a particular 
situation where an image frame was not hooked up properly in the frame 
hierarchy. If there are other problems with image frames elsewhere in the code, 
they could produce this stack. 
Status: REOPENED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Ok, verifying this fixed...no longer crashing at the original urls or with the
testcase (MozillaTrunk and Mozilla1.0 Branch).  I will open a new bug for the
other crashes at nsImageListener::FrameChanged.
Status: RESOLVED → VERIFIED
Adding verified1.0.0 keyword
Keywords: verified1.0.0
Whiteboard: [adt1]PATCH
Crash Signature: [@ 0x00000000 - nsImageListener::FrameChanged]
Keywords: qawanted