Closed Bug 138292 Opened 23 years ago Closed 23 years ago

Trunk crash [@ 0x00000000 - nsImageListener::FrameChanged]

Categories

(Core :: Layout, defect, P2)

x86
All
defect


VERIFIED FIXED
mozilla1.0

People

(Reporter: jay, Assigned: karnaze)


Details

(Keywords: crash, topcrash+)

Attachments

(3 files, 1 obsolete file)

Most of the crashes we were seeing in nsImageBoxListener::FrameChanged were eliminated by the fix for bug 135222 (those crashes were noted in bug 120639). However, there have been a few recent incidents reported with the same stack signature and trace. People have been crashing at 2 URLs consistently:

http://news.walla.co.il
http://www.caranddriver.com

Here's the most recent crash reported by Talkback:

Incident ID 5322265
Stack Signature nsImageListener::FrameChanged f0971e0e
Trigger Time 2002-04-17 19:00:58
Email Address
URL visited caranddriver.com
Build ID 2002041606
Product ID MozillaTrunk
Platform Win32
Operating System Windows NT 5.0 build 2195
Module gklayout.dll
Trigger Reason Access violation
User Comments

Stack Trace
nsImageListener::FrameChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 2383]
imgRequestProxy::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp, line 294]
imgRequest::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp, line 336]
imgContainer::Notify [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp, line 459]
nsTimerImpl::Fire [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 352]
nsTimerManager::FireNextIdleTimer [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp, line 584]
nsAppShell::Run [d:\builds\seamonkey\mozilla\widget\src\windows\nsAppShell.cpp, line 134]
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 309]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1430]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1765]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1783]
WinMainCRTStartup()
KERNEL32.DLL + 0xd326 (0x77e8d326)

And Vadim (cc'd in this bug) has also been crashing...he should be posting his stack and any other info soon.
Cc'ing some folks from bug 120639...
Keywords: crash, nsbeta1, topcrash
you can ignore the stack trace if you want ... you probably have enough already. but here's the talkbacks requested: TB5357452G TB5357479M TB5357503G TB5357609W Very easy way to crash with this stack: Open caranddriver.com and hit reload quickly several times. Does it every time.
does anyone have time to look to see if there are places where mFrame is freed w/o being nulled?
Changing QA contact
QA Contact: petersen → amar
This crash is also showing up under the 0x00000000 stack signature:

Count Offset Real Signature
[ 2 0x00000000 e293507b - nsImageListener::FrameChanged ]
[ 1 0x00000000 cb96fae7 - nsImageListener::FrameChanged ]

Crash date range: 2002-04-17 to 2002-04-21
Min/Max Seconds since last crash: 507 - 94208
Min/Max Runtime: 507 - 94208

Keyword List :

Count Platform List
2 Windows NT 5.1 build 2600
1 Windows NT 5.0 build 2195

Count Build Id List
2 2002041914
1 2002041606

No of Unique Users 3

Stack trace(Frame)
0x00000000
nsImageListener::FrameChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp line 2383]
imgRequestProxy::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp line 294]
imgRequest::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 336]
imgContainer::Notify [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp line 459]
nsTimerImpl::Fire [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 352]
nsTimerManager::FireNextIdleTimer [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 584]
nsAppShell::Run [d:\builds\seamonkey\mozilla\widget\src\windows\nsAppShell.cpp line 134]
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 309]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1430]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1765]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1783]
WinMainCRTStartup()
kernel32.dll + 0x1eb69 (0x77e7eb69)

(5448419) URL: http://www.google.com/
(5322196) URL: caranddriver.com
(5322196) Comments: Pressed back button

And new Talkback data shows people crashing at ebay.com as well:

Count Offset Real Signature
[ 5 nsImageListener::FrameChanged 1c0e1f8a - nsImageListener::FrameChanged ]
[ 4 nsImageListener::FrameChanged f0971e0e - nsImageListener::FrameChanged ]
[ 2 nsImageListener::FrameChanged c17c1f51 - nsImageListener::FrameChanged ]
[ 2 nsImageListener::FrameChanged 0be4b6aa - nsImageListener::FrameChanged ]
[ 1 nsImageListener::FrameChanged faf5dd69 - nsImageListener::FrameChanged ]
[ 1 nsImageListener::FrameChanged e1006a1f - nsImageListener::FrameChanged ]
[ 1 nsImageListener::FrameChanged e0dadd38 - nsImageListener::FrameChanged ]

Crash date range: 2002-04-17 to 2002-04-21
Min/Max Seconds since last crash: 22 - 123867
Min/Max Runtime: 88 - 123867

Keyword List :

Count Platform List
6 Windows NT 5.0 build 2195
5 Windows NT 5.1 build 2600
3 Windows 98 4.10 build 67766446
2 Windows 98 4.10 build 67766222

Count Build Id List
9 2002041914
3 2002041906
2 2002041909
2 2002041606

No of Unique Users 13

Stack trace(Frame)
nsImageListener::FrameChanged [d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp line 2383]
imgRequestProxy::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp line 294]
imgRequest::FrameChanged [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 336]
imgContainer::Notify [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgContainer.cpp line 459]
nsTimerImpl::Fire [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 352]
nsTimerManager::FireNextIdleTimer [d:\builds\seamonkey\mozilla\xpcom\threads\nsTimerImpl.cpp line 584]
nsAppShell::Run [d:\builds\seamonkey\mozilla\widget\src\windows\nsAppShell.cpp line 134]
nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 309]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1430]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1765]
WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp line 1783]
WinMainCRTStartup()
kernel32.dll + 0x1eb69 (0x77e7eb69)

(5426225) Comments: I was submitting a form on eBay the form being a regular ebay search
(5404381) URL: listings.ebay.com/aw/plistings/...
(5404381) Comments: roaming around ebay selecting from ... browse --> clothing.mens --> footware --> athletic shoes and then back up the stack and then back down the stack as if I weren't sure I had gone down the right path and
(5404381) Comments: then decided I had so went back down it again.
(5322265) URL: caranddriver.com
(5322220) URL: caranddriver.com

Adding qawanted to see if we can get this reproduced in-house so we can make this a topcrash+. I have not been able to reproduce this with Vadim's steps at caranddriver.com.
Keywords: qawanted
Summary: Trunk crash [@ nsImageBoxListener::FrameChanged] → Trunk crash [@ 0x00000000 - nsImageBoxListener::FrameChanged]
Keywords: nsbeta1 → nsbeta1+
Target Milestone: --- → mozilla1.0
Setting the priority.
Priority: -- → P2
Looks like nsImageListener::FrameChanged, not nsImageBoxListener::FrameChanged - changing summary... The mFrame member is checked against null already, so it must be invalid - egads. Need to reproduce.
Status: NEW → ASSIGNED
Summary: Trunk crash [@ 0x00000000 - nsImageBoxListener::FrameChanged] → Trunk crash [@ 0x00000000 - nsImageListener::FrameChanged]
Whiteboard: [adt1]
My guess is that a pending image load for an image frame is not being canceled before the frame tree is destroyed, so when the timer fires and we process the image request, the frame to which it refers has already been destroyed. I bet this happens a lot more often than we get crashes for too, since the frames are allocated from an arena and the memory is not cleared, allowing stale frames to be 'safely' accessed in many cases. In this case, the image frame's memory probably has been taken over by another frame (of a different type) so the vtable entry for the new frame is null where the FrameChanged method would be for an imageFrame.
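The scenario hypothesized in the comment above, as an added C++ example that is not part of the original bug thread and is not Mozilla code: it models why a null check on `mFrame` does not catch a frame whose arena slot was recycled, and how disconnecting the listener at teardown does. `Arena`, `Slot`, `Listener`, `UnsafeTeardown` and `SafeTeardown` are hypothetical stand-ins.

```cpp
#include <array>
// Constructed model, not Mozilla code: an arena that recycles slots without
// clearing them, and an image listener holding a raw back-pointer to a frame.
enum class Kind { Free, Image, Text };
struct Slot { Kind kind = Kind::Free; int repaints = 0; };

struct Arena {
    std::array<Slot, 4> slots{};
    Slot* Alloc(Kind k) {                        // first free slot is reused as-is
        for (Slot& s : slots)
            if (s.kind == Kind::Free) { s.kind = k; return &s; }
        return nullptr;
    }
    void Free(Slot* s) { s->kind = Kind::Free; } // memory stays addressable
};

struct Listener {
    Slot* mFrame = nullptr;                      // raw, non-owning back-pointer
    bool canceled = false;                       // models a cancelled image request
    // Timer-driven callback guarded only by a null check; returns what it acted on.
    Kind FrameChanged() {
        if (canceled || !mFrame) return Kind::Free;  // Kind::Free: nothing touched
        mFrame->repaints++;
        return mFrame->kind;
    }
};

// Teardown that never tells the listener: the back-pointer outlives the frame.
Kind UnsafeTeardown() {
    Arena arena; Listener l;
    l.mFrame = arena.Alloc(Kind::Image);
    arena.Free(l.mFrame);                        // frame destroyed, pointer kept
    arena.Alloc(Kind::Text);                     // slot recycled as another type
    return l.FrameChanged();                     // null check passes on stale slot
}

// Teardown that cancels the request and clears the back-pointer first.
Kind SafeTeardown() {
    Arena arena; Listener l;
    Slot* frame = l.mFrame = arena.Alloc(Kind::Image);
    l.canceled = true; l.mFrame = nullptr;       // disconnect before destruction
    arena.Free(frame);
    arena.Alloc(Kind::Text);
    return l.FrameChanged();                     // nothing is touched
}

int main() {  // exit status 0 when the model behaves as described
    return (UnsafeTeardown() == Kind::Text && SafeTeardown() == Kind::Free) ? 0 : 1;
}
```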
I can reproduce this crash on both Windows ME (2002-04-23-10 trunk) and Mac OS X (2002-04-26-05- branch) when clicking the reload button multiple times at caranddriver.
1) Load http://www.caranddriver.com
2) After page loads, I rapidly click the reload toolbar button (3-5) times.
3) Crash occurs
Marking topcrash+ since there's a reproducible testcase now.
Keywords: topcrash → topcrash+
Taking the bug.
Assignee: attinasi → karnaze
Status: ASSIGNED → NEW
This simple test case crashes Viewer when reloading (sometimes it has to be reloaded a 2nd time).
Attachment #81551 - Attachment is obsolete: true
cc'ing harish. Probably another content model juggling bug.
The patch ensures that non table related frames that cause pseudo frames (anonymous ancestor frames between a frame and a table related frame) to be created get added to a child list. Without the patch, when the relevant code is invoked, there are memory leaks, likely data loss, and crashes in the case of image frames. Although the test case probably exposes a parser bug, the obsoleted test case and the url cannot be fixed by the parser because content gets added via javascript.
Status: NEW → ASSIGNED
Keywords: adt1.0.0, approval
Whiteboard: [adt1] → [adt1]PATCH
Comment on attachment 81699 (patch to fix the bug): sr=waterson
Attachment #81699 - Flags: superreview+
Comment on attachment 81699 (patch to fix the bug): r= alexsavulov
Attachment #81699 - Flags: review+
adding adt1.0.0+. Please check into the branch as soon as possible after getting drivers approval and add the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+
Comment on attachment 81699 (patch to fix the bug): a=rjesup@wgate.com for branch checkin
Attachment #81699 - Flags: approval+
karnaze: Could you run your patch with the test case / url in bug 133410? Thanks.
Checked into the trunk and m1.0 branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: fixed1.0.0
Resolution: --- → FIXED
*** Bug 142937 has been marked as a duplicate of this bug. ***
This crash has not gone away. There have been crashes on the MozillaTrunk after the checkin at other urls (with the same stack):

Count Offset Real Signature
[ 3 0x00000000 cb96fae7 - nsImageListener::FrameChanged ]
[ 2 0x00000000 f579f95b - nsImageListener::FrameChanged ]
[ 2 0x00000000 e293507b - nsImageListener::FrameChanged ]

Crash date range: 2002-05-01 to 2002-05-07
Min/Max Seconds since last crash: 51 - 329346
Min/Max Runtime: 507 - 492637

Keyword List :

Count Platform List
5 Windows NT 5.0 build 2195
2 Windows NT 5.1 build 2600

Count Build Id List
2 2002050708
2 2002043010
1 2002050608
1 2002050604
1 2002042908

No of Unique Users 7

Stack trace(Frame)
0x00000000
nsImageListener::FrameChanged [nsImageFrame.cpp line 2383]
imgRequestProxy::FrameChanged [imgRequestProxy.cpp line 294]
imgRequest::FrameChanged [imgRequest.cpp line 338]
imgContainer::Notify [imgContainer.cpp line 459]
nsTimerImpl::Fire [nsTimerImpl.cpp line 357]
nsTimerManager::FireNextIdleTimer [nsTimerImpl.cpp line 591]
nsAppShell::Run [nsAppShell.cpp line 134]
nsAppShellService::Run [nsAppShellService.cpp line 451]
main1 [nsAppRunner.cpp line 1472]
main [nsAppRunner.cpp line 1808]
WinMain [nsAppRunner.cpp line 1826]
WinMainCRTStartup()
KERNEL32.DLL + 0xd326 (0x77e8d326)

(6052120) URL: www.ubid.com
(6052120) Comments: I was just about to login to ubid and it crashed.
(6033031) URL: http://gamefix.free.fr
(5863137) URL: www.gamasutra.com
(5863137) Comments: Reading the post-mortem on Star Wars Rogue Leader 2 in a tabbed window

Reopening for now...let me know if I need to log a new bug. Also see bug 133410 for what seems to be related crashes.
reopening for real this time.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I think talkback _may_ be slightly off in reporting the stack. See bug 133410 and particularly bug 142830 where talkback is reporting the crash slightly differently from what can be reproduced in a debugger (msvc).
jpatel, could you please open a new bug. This bug had multiple urls and a reduced test case that were fixed by the patch. The patch corrected a particular situation where an image frame was not hooked up properly in the frame hierarchy. If there are other problems with image frames elsewhere in the code, they could produce this stack.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Ok, verifying this fixed...no longer crashing at the original urls or with the testcase (MozillaTrunk and Mozilla1.0 Branch). I will open a new bug for the other crashes at nsImageListener::FrameChanged.
Status: RESOLVED → VERIFIED
Adding verified1.0.0 keyword
Keywords: verified1.0.0
Whiteboard: [adt1]PATCH
Crash Signature: [@ 0x00000000 - nsImageListener::FrameChanged]
Keywords: qawanted