Closed Bug 140931 Opened 23 years ago Closed 23 years ago

crash when accessing a certain URL [@nsPluginHostImpl::AddInstanceToActiveList][@ jpins32.dll]

Categories

(Core Graveyard :: Plug-ins, defect, P2)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows 2000
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.1beta

People

(Reporter: sagiem, Assigned: peterl-bugs)

References

(
URL
)

Details

(4 keywords, Whiteboard: [ADT2 RTM] [PL RTM] [06/25])

Crash Data

Attachments

(4 files, 4 obsolete files)

stack trace ID 5779479
5.77 KB, text/plain
Details
stack trace on crash
6.26 KB, text/plain
Details
combined patch
6.70 KB, patch
peterlubczynski-bugs
: review+
beard
: superreview+
Details | Diff | Splinter Review
new stack
14.91 KB, text/plain
Details
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; TUCOWS) BuildID: 2002041711 When trying to access the above URL, either directly or by a link, mozilla crashes. Reproducible: Always Steps to Reproduce: 1. Go to: http://www.plonter.co.il/webcatalog/computerstore/writeus.tmpl? cart=310294907751040564&lang=heb Actual Results: Mozilla crashes. Expected Results: The page should load regulary.
WFM Reporter: Make sure java is correctly installed, as that page uses it. e.g. Does http://www.javasoft.com work for you?
confirming with win2k build 20020427.. and JRE1.4 JPINS32! 03eb4841() nsPluginHostImpl::AddInstanceToActiveList(nsCOMPtr<nsIPlugin> {...}, nsIPluginInstance * 0x1ab24368, nsIURI * 0x058224d0, int 0) line 3712 + 53 bytes nsPluginHostImpl::SetUpPluginInstance(nsPluginHostImpl * const 0x03b04284, const char * 0x02255b8c, nsIURI * 0x058224d0, nsIPluginInstanceOwner * 0x05826f58) line 3956 nsPluginHostImpl::InstantiateEmbededPlugin(nsPluginHostImpl * const 0x03b04284, const char * 0x02255b8c, nsIURI * 0x058224d0, nsIPluginInstanceOwner * 0x05826f58) line 3463 + 24 bytes nsObjectFrame::InstantiatePlugin(nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, nsIPluginHost * 0x03b04284, const char * 0x02255b8c, nsIURI * 0x058224d0) line 1236 nsObjectFrame::Reflow(nsObjectFrame * const 0x0581dbc4, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1046 + 49 bytes nsLineLayout::ReflowFrame(nsIFrame * 0x0581dbc4, nsIFrame * * 0x0012c7e4, unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1088 + 43 bytes nsInlineFrame::ReflowInlineFrame(nsIPresContext * 0x057a4330, const nsHTMLReflowState & {...}, nsInlineFrame::InlineReflowState & {...}, nsIFrame * 0x0581dbc4, unsigned int & 0) line 726 + 26 bytes nsInlineFrame::ReflowFrames(nsIPresContext * 0x057a4330, const nsHTMLReflowState & {...}, nsInlineFrame::InlineReflowState & {...}, nsHTMLReflowMetrics & {...}, unsigned int & 0) line 531 + 28 bytes nsInlineFrame::Reflow(nsInlineFrame * const 0x0581d858, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 442 + 28 bytes nsLineLayout::ReflowFrame(nsIFrame * 0x0581d858, nsIFrame * * 0x0012d634, unsigned int & 0, nsHTMLReflowMetrics * 0x00000000, int & 0) line 1088 + 43 bytes nsBlockFrame::ReflowInlineFrame(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, nsIFrame * 0x0581d858, unsigned char * 0x0012ca7c) line 3655 + 29 bytes nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineList_iterator {...}, int * 0x0012d194, unsigned char * 0x0012cf70, int 0, int 1) line 3536 + 32 bytes nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012d194, unsigned char * 0x0012cf70, int 0, int 1) line 3461 + 46 bytes nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012d194, int 1, int 0) line 3405 + 36 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012d194, int 1) line 2564 + 33 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2208 + 31 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0581d6c0, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 864 + 15 bytes nsBlockReflowContext::DoReflowBlock(nsHTMLReflowState & {...}, nsReflowReason eReflowReason_Dirty, nsIFrame * 0x0581d6c0, const nsRect & {...}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, unsigned int & 0) line 580 + 36 bytes nsBlockReflowContext::ReflowBlock(nsIFrame * 0x0581d6c0, const nsRect & {...}, int 0, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, unsigned int & 0) line 356 + 50 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012de38) line 3162 + 59 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012de38, int 1) line 2426 + 27 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2208 + 31 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0581d2b4, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 864 + 15 bytes nsBlockReflowContext::DoReflowBlock(nsHTMLReflowState & {...}, nsReflowReason eReflowReason_Incremental, nsIFrame * 0x0581d2b4, const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, unsigned int & 0) line 580 + 36 bytes nsBlockReflowContext::ReflowBlock(nsIFrame * 0x0581d2b4, const nsRect & {...}, int 1, nsCollapsingMargin & {...}, int 1, nsMargin & {...}, unsigned int & 0) line 356 + 50 bytes nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012eadc) line 3162 + 59 bytes nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineList_iterator {...}, int * 0x0012eadc, int 1) line 2426 + 27 bytes nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2208 + 31 bytes nsBlockFrame::Reflow(nsBlockFrame * const 0x0581d094, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 864 + 15 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x0581d094, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 784 + 31 bytes CanvasFrame::Reflow(CanvasFrame * const 0x03b3d170, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 562 nsBoxToBlockAdaptor::Reflow(nsBoxLayoutState & {...}, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0, int 0, int 0, int 15330, int 9480, int 1) line 833 nsBoxToBlockAdaptor::DoLayout(nsBoxToBlockAdaptor * const 0x0581cff8, nsBoxLayoutState & {...}) line 617 + 46 bytes nsBox::Layout(nsBox * const 0x0581cff8, nsBoxLayoutState & {...}) line 1052 nsScrollBoxFrame::DoLayout(nsScrollBoxFrame * const 0x03b3d640, nsBoxLayoutState & {...}) line 395 nsBox::Layout(nsBox * const 0x03b3d640, nsBoxLayoutState & {...}) line 1052 nsContainerBox::LayoutChildAt(nsBoxLayoutState & {...}, nsIBox * 0x03b3d640, const nsRect & {...}) line 646 + 16 bytes nsGfxScrollFrameInner::LayoutBox(nsBoxLayoutState & {...}, nsIBox * 0x03b3d640, const nsRect & {...}) line 1062 + 17 bytes nsGfxScrollFrameInner::Layout(nsBoxLayoutState & {...}) line 1217 nsGfxScrollFrame::DoLayout(nsGfxScrollFrame * const 0x03b3d448, nsBoxLayoutState & {...}) line 1070 + 15 bytes nsBox::Layout(nsBox * const 0x03b3d448, nsBoxLayoutState & {...}) line 1052 nsBoxFrame::Reflow(nsBoxFrame * const 0x03b3d410, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 1001 nsGfxScrollFrame::Reflow(nsGfxScrollFrame * const 0x03b3d410, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 777 + 25 bytes nsContainerFrame::ReflowChild(nsIFrame * 0x03b3d410, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int 0, int 0, unsigned int 0, unsigned int & 0) line 784 + 31 bytes ViewportFrame::Reflow(ViewportFrame * const 0x03b3d134, nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0) line 588 nsHTMLReflowCommand::Dispatch(nsIPresContext * 0x057a4330, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 222 PresShell::ProcessReflowCommand(nsVoidArray & {...}, int 1, nsHTMLReflowMetrics & {...}, nsSize & {...}, nsIRenderingContext & {...}) line 6194 PresShell::ProcessReflowCommands(int 1) line 6249 ReflowEvent::HandleEvent() line 6105 HandlePLEvent(ReflowEvent * 0x057b8e08) line 6119 PL_HandleEvent(PLEvent * 0x057b8e08) line 596 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x012159c8) line 526 + 9 bytes _md_EventReceiverProc(HWND__ * 0x0005014a, unsigned int 49375, unsigned int 0, long 18962888) line 1077 + 9 bytes USER32! 77e02e98() USER32! 77e030e0() USER32! 77e05824() nsAppShellService::Run(nsAppShellService * const 0x03aab4a8) line 451 main1(int 2, char * * 0x002830b0, nsISupports * 0x00000000) line 1431 + 32 bytes main(int 2, char * * 0x002830b0) line 1779 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e87d08() -> Plugins (or Oji ?)
Assignee: Matti → beppe
Status: UNCONFIRMED → NEW
Component: Browser-General → Plug-ins
Ever confirmed: true
Keywords: crash
QA Contact: imajes-qa → shrir
I could not repro this but I won't be surprised if this is one of the flash crashers that happen when one visits a webpage. we have some bugs filed for that issue.
DFM with Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0rc1) Gecko/20020425 A Talkback is available: TB5738954 dated 29-02.2002 19:27
#1, Java is not installed here. But it still isn't a reason for my browser to crash, is it?
reporter, pls try a recent nightly... this is definitely fixed with bug 138500. pls make sure u use a recent nightly, Thx for the help !
verifying with nightly build (2002042908/win2k): mozilla doesn't crash but stops responding (can only close it through the task manager) this time.
I think this may have something to do with the applet that is running on that page -- open up the java console and watch the activity. I was able to crash going back and forth from the page. I will attach the stack trace.
Attached file stack trace ID 5779479
attaching stack trace
shrirang khanzode: I see this with build 20020427.. and later (see comment #2). I saw this crash without going back/forward.. (first load of the page) I use : JRE1.4 and flash6
20040430 on NT4 with same version of flash/java as urs , I don't crash on the url.:(
for someone who can repro this, could you copy it locally, add the appropriate link paths so the page loads on your desktop and see if you get the same results.
Whiteboard: [need repro]
Using MachV build 2002042906 on win2k with all the service packs and the 1.4.0_01 JRE, I managed to reproduce after 2 times: Stack Signature jpins32.dll + 0x4841 (0x01c44841) 1d8a895e Email Address doron@netscape.com Product ID Mozilla1.0 Build ID 2002042908 Trigger Time 2002-05-01 09:13:08 Platform Win32 Operating System Windows NT 5.0 build 2195 Module jpins32.dll URL visited bugzilla 140931 User Comments Trigger Reason Access violation Source File Name Trigger Line No. Stack Trace jpins32.dll + 0x4841 (0x01c44841) nsPluginHostImpl::AddInstanceToActiveList [d:\builds\seamonkey\mozilla\modules\plugin\base\src\nsPluginHostImpl.cpp, line 3699] nsPluginHostImpl::SetUpPluginInstance [d:\builds\seamonkey\mozilla\modules\plugin\base\src\nsPluginHostImpl.cpp, line 3941] nsPluginHostImpl::InstantiateEmbededPlugin [d:\builds\seamonkey\mozilla\modules\plugin\base\src\nsPluginHostImpl.cpp, line 3450] nsObjectFrame::InstantiatePlugin [d:\builds\seamonkey\mozilla\layout\html\base\src\nsObjectFrame.cpp, line 1236] nsObjectFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsObjectFrame.cpp, line 1047] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1089] nsInlineFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 732] nsInlineFrame::ReflowFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 532] nsInlineFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 448] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1089] nsBlockFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3691] nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3572] nsBlockFrame::DoReflowInlineFramesAuto [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3497] nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3442] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2600] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2239] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3198] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2466] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2239] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3198] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2466] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2239] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 807] CanvasFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp, line 565] nsBoxToBlockAdaptor::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 837] nsBoxToBlockAdaptor::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxToBlockAdaptor.cpp, line 619] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1052] nsScrollBoxFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsScrollBoxFrame.cpp, line 395] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1052] nsContainerBox::LayoutChildAt [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsContainerBox.cpp, line 650] nsGfxScrollFrameInner::LayoutBox [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1063] nsGfxScrollFrameInner::Layout [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1222] nsGfxScrollFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1071] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1052] nsBoxFrame::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBoxFrame.cpp, line 1001] nsGfxScrollFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 780] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 807] ViewportFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 588] nsHTMLReflowCommand::Dispatch [d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLReflowCommand.cpp, line 218] PresShell::ProcessReflowCommand [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6305] PresShell::ProcessReflowCommands [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6360] ReflowEvent::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 6216] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 597] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 530] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1078] nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 309] netscp6.exe + 0x1f5d (0x00401f5d) netscp6.exe + 0x1aed (0x00401aed) netscp6.exe + 0x365b (0x0040365b) netscp6.exe + 0x699a (0x0040699a) KERNEL32.DLL + 0xd326 (0x77e8d326)
assigning to av for debugging
Assignee: beppe → av
Priority: -- → P2
Target Milestone: --- → mozilla1.0.1
Shrirang, it crashes on my windows NT (jre 1.4.0_01 with the "CUSTOM Install (branch build: 2002-05-01-08-1.0.0) with this url: http://www.plonter.co.il/webcatalog/computerstore/writeus.tmpl?cart= 310294907751040564&lang=heb
Here is the stacktrace: Stack Trace jpins32.dll + 0x4841 (0x02864841) nsPluginHostImpl::AddInstanceToActiveList [d:\builds\seamonkey\mozilla\modules\ plugin\base\src\nsPluginHostImpl.cpp, line 3719] nsPluginHostImpl::SetUpPluginInstance [d:\builds\seamonkey\mozilla\modules\ plugin\base\src\nsPluginHostImpl.cpp, line 3960] nsPluginHostImpl::InstantiateEmbededPlugin [d:\builds\seamonkey\mozilla\modules\ plugin\base\src\nsPluginHostImpl.cpp, line 3470] nsObjectFrame::InstantiatePlugin [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsObjectFrame.cpp, line 1236] nsObjectFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsObjectFrame.cpp, line 1047] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsLineLayout.cpp, line 1089] nsInlineFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsInlineFrame.cpp, line 732] nsInlineFrame::ReflowFrames [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsInlineFrame.cpp, line 532] nsInlineFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsInlineFrame.cpp, line 448] nsLineLayout::ReflowFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsLineLayout.cpp, line 1089] nsBlockFrame::ReflowInlineFrame [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsBlockFrame.cpp, line 3691] nsBlockFrame::DoReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsBlockFrame.cpp, line 3572] nsBlockFrame::DoReflowInlineFramesAuto [d:\builds\seamonkey\mozilla\layout\html\ base\src\nsBlockFrame.cpp, line 3497] nsBlockFrame::ReflowInlineFrames [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsBlockFrame.cpp, line 3442] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 2600] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 2239] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 846] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\ base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 3198] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 2466] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 2239] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 846] nsBlockReflowContext::DoReflowBlock [d:\builds\seamonkey\mozilla\layout\html\ base\src\nsBlockReflowContext.cpp, line 581] nsBlockReflowContext::ReflowBlock [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsBlockReflowContext.cpp, line 359] nsBlockFrame::ReflowBlockFrame [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 3198] nsBlockFrame::ReflowLine [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 2466] nsBlockFrame::ReflowDirtyLines [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 2239] nsBlockFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsBlockFrame.cpp, line 846] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsContainerFrame.cpp, line 807] CanvasFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsHTMLFrame.cpp, line 565] nsBoxToBlockAdaptor::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\ nsBoxToBlockAdaptor.cpp, line 837] nsBoxToBlockAdaptor::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\ nsBoxToBlockAdaptor.cpp, line 619] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1052] nsScrollBoxFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\xul\base\src\ nsScrollBoxFrame.cpp, line 395] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1052] nsContainerBox::LayoutChildAt [d:\builds\seamonkey\mozilla\layout\xul\base\src\ nsContainerBox.cpp, line 650] nsGfxScrollFrameInner::LayoutBox [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsGfxScrollFrame.cpp, line 1063] nsGfxScrollFrameInner::Layout [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsGfxScrollFrame.cpp, line 1222] nsGfxScrollFrame::DoLayout [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsGfxScrollFrame.cpp, line 1071] nsBox::Layout [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsBox.cpp, line 1052] nsBoxFrame::Reflow [d:\builds\seamonkey\mozilla\layout\xul\base\src\ nsBoxFrame.cpp, line 1001] nsGfxScrollFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsGfxScrollFrame.cpp, line 780] nsContainerFrame::ReflowChild [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsContainerFrame.cpp, line 807] ViewportFrame::Reflow [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsViewportFrame.cpp, line 588] nsHTMLReflowCommand::Dispatch [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsHTMLReflowCommand.cpp, line 218] PresShell::ProcessReflowCommand [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsPresShell.cpp, line 6305] PresShell::ProcessReflowCommands [d:\builds\seamonkey\mozilla\layout\html\base\ src\nsPresShell.cpp, line 6360] ReflowEvent::HandleEvent [d:\builds\seamonkey\mozilla\layout\html\base\src\ nsPresShell.cpp, line 6216] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 597] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 530] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 1078] nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\ nsAppShellService.cpp, line 309] main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1434] main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1769] WinMain [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 1787] WinMainCRTStartup() KERNEL32.DLL + 0xd326 (0x77e8d326)
pmac could repro, removing status whiteboard request
Whiteboard: [need repro]
I don't see the stack trace reported, but I can see the crash, and it crashes in layout for me. Usually requires several reloads to crash. One time I saw freeze and it was also in layout -- it could not break out of the |for| loop in nsBlockFrame::ReflowDirtyLines. This loop seemed to have out of bound parameters: for ( ; line != line_end; ++line, aState.AdvanceToNextLine()) { I did not see the loop since then, but the crash is reproducable. Reassigning to Layout, stack trace to follow.
Assignee: av → attinasi
Component: Plug-ins → Layout
QA Contact: shrir → petersen
Attached file stack trace on crash
Here is the stack trace, it crashes on dereferencing null pointer here: nsresult GetNextSibling(nsIFrame** aNextSibling) const { *aNextSibling = mNextSibling; return NS_OK; }
Oops, sorry, this is not null-pointer business. The |this| object is gone at the moment the program comes to its code segment.
AV: Are you sure that you see the same crash ? We have 3 near identical stacks (2x talkback and 1x win2k debug) that doesn't match your stack..
What do you mean? I go to the indicated URL and crash. The stack I see is indeed different from others. Could it be because my Java version is 1.3.1_02? By the way, is Java there? I see Flash, but I don't think I see Java.
AV: It's of course possible that you see a different stack trace because you are using JRE1.3 But this page must "trigger" Java because : The Java plugin is loading if i open the page in a fresh browser session and the JPINS32 (stack trace) is from the Java Plugin.. You wrote in comment #18: "Usually requires several reloads to crash" I see the crash with the first loading of the URL (90% of the time) and i don't need to reload for a crash. It is possible that you got this different crash because you are reloading x times ? Note: This crash seems to be releated to the network connection/speed (using a 64kbit connection) URL : crash (debug and optimized build) as local file : no crash (added a base href for the content) local web-server : no crash (added a base href for the content) I-Net Web-Space : crash (added a base href for the content) no crash in all cases if i remove this line: "<a href="javascript:loadApplets()"><font face="Arial (hebrew)" Size=2 Color=Yellow>Communicate</a>"
*** Bug 142991 has been marked as a duplicate of this bug. ***
Summary: crash when accessing a certain URL → crash when accessing a certain URL [@nsPluginHostImpl::AddInstanceToActiveList}
this is jre 1.4 regression, the crash doesn't occur with jre 1.3.x av, I would suggest to reassign it to oji or jre team, and open a new bug against layout if there is a reproducible test case.
Does this happen with 6.2.2 or 0.9.9 and JRE 1.4 also?
I see no crash with 0.9.5 and JRE1.4 (I know it's old but i need 40min to download 0.9.9) I see ~90% that RC1 or a nightly build is crashing (if the page loads without crash, delete the cache. If it crashes, the cache will automatically deleted)
I was wrong about jre 1.4 regression:( this looks like the old JPI problem I was able to crash mozilla 2001121814 Java console shows: Java(TM) Plug-in: Version 1.3.0_01 Using JRE version 1.3.0_01 Java HotSpot(TM) Client VM TB report for http://www.realgm.com/src_wiretap_teams.php?team=Sacramento http://climate.netscape.com/reports/SingleIncidentInfo.cfm?dynamicBBID=6112194 TB report http://www.plonter.co.il/webcatalog/computerstore/writeus.tmpl?cart=310294907751 040564&lang=heb http://climate.netscape.com/reports/SingleIncidentInfo.cfm?dynamicBBID=6112995 with my current debug build (2002-05-08) and Java(TM) Plug-in: Version 1.4.0_01 msdev6+srp3 shows the crahs stack trace JPINS32! Java_sun_plugin_cachescheme_BookmarkManager_nativeAddBookmark@16 + -30345 bytes nsPluginHostImpl::AddInstanceToActiveList(nsCOMPtr<nsIPlugin> {...}, nsIPluginInstance * 0x1a5cd580, nsIURI * 0x045ac438, int 0x00000000) line 3696 + 53 bytes nsPluginHostImpl::SetUpPluginInstance(nsPluginHostImpl * const 0x0158eb8c, const char * 0x02fae6a0, nsIURI * 0x045ac438, nsIPluginInstanceOwner * 0x0433e840) line 3942 --- though the crash actually occurred when I did step into aInstance->GetPeer(&mPeer) 379 nsActivePlugin::nsActivePlugin(nsPluginTag* aPluginTag, 380 nsIPluginInstance* aInstance, 381 const char * url, 382 PRBool aDefaultPlugin) 383 { 384 mNext = nsnull; 385 mPeer = nsnull; 386 mPluginTag = aPluginTag; 387 388 mURL = PL_strdup(url); 389 mInstance = aInstance; 390 if(aInstance != nsnull) 391 { ==> 392 aInstance->GetPeer(&mPeer); I did not experienced hang in layout, av described above, so, I'm changing component to OJI & reassign this to xiaobin.lu@eng.sun.com
Assignee: attinasi → xiaobin.lu
Component: Layout → OJI
*** Bug 146185 has been marked as a duplicate of this bug. ***
*** Bug 147386 has been marked as a duplicate of this bug. ***
Whiteboard: [PL RTM]
Attached patch wallpaper crash in mozilla code (obsolete) — Splinter Review
Here is a patch from bug 147368 to wallpaper over the crash. However, I am not sure of the real cause of the crash. Xiaobin (or anyone else from Sun): Do you know why the Java plugin crashes on |nsIPluginInstance->GetPeer(&mPeer)|?
Moving summary info, keywords, url and cc's from duped bug 147386.
URL: http://www.plonter.co.il/webcatalog/c...mhttp://www.plonter.co.il/webcatalog/...
Keywords: testcase, topcrash+
Summary: crash when accessing a certain URL [@nsPluginHostImpl::AddInstanceToActiveList} → crash when accessing a certain URL [@nsPluginHostImpl::AddInstanceToActiveList][@ jpins32.dll]
Whiteboard: [PL RTM] → [PL RTM][grr]
Attachment #85332 - Flags: review+
Comment on attachment 85332 [details] [diff] [review] wallpaper crash in mozilla code this patch will definitely prevent the crash in aInstance->GetPeer(&mPeer); and I like the idea do not call it at all, because peer is getting created by mozilla code: nsPluginInstancePeerImpl *peer = new nsPluginInstancePeerImpl(); if(peer == nsnull) return NS_ERROR_OUT_OF_MEMORY; and we do not have to ask plugin instace for the ptr we created, well, except for the case, when the next call is into plugin's code // tell the plugin instance to initialize itself and pass in the peer. instance->Initialize(pi); // this will not add a ref to the instance (or owner). MMP can release this peer obj, then we are doomed, even with this patch:( Probably we have to add nsISupportsWeakReference to nsIPluginInstancePeer to avoid such kind of situation. In case of the current crash it looks like jpins32 does not register peer in its code, at list after instance->Initialize(pi) call, refCnt of peer is the same == 1, and return code is NS_OK. The crash actually happens on dereferencing of null prt according to http://climate.netscape.com/reports/incidenttemplate.cfm?setvar=DeveloperDevelo perTabSet:Code+Around+the+PC&bbid=6112194#DeveloperMachineState x86 Registers: EAX: 00000000 EBX: 03f32f78 ECX: 03f32f78 EDX: 00000000 Code Around the PC: 502e5ac1 8b08 mov ecx,[eax] <=== HERE 502e5ac3 ff5104 call dword ptr [ecx+0x4] so, for this patch r=serge
SInce I am working for OJI, reassign to Joe.Chou to investigate.
Assignee: xiaobin.lu → joe.chou
Attached patch updated wallpaper (obsolete) — Splinter Review
New patch: fixing calling NS_RELEASE(pi) AFTER using it. Please review. I would also really like to know why the peer is not being addrefed by Java in this testcase whereas on other Java sites it is. The only other time in this file we get the peer from the instance is when a new plugin stream is created and I'm not sure if the plugin uses our streams.
Comment on attachment 85789 [details] [diff] [review] updated wallpaper > // tell the plugin instance to initialize itself and pass in the peer. > instance->Initialize(pi); // this will not add a ref to the instance (or owner). MMP this can fail and I would add result = instance->Initialize(pi); if(NS_FAILED(result)) { delete peer; return result; } other than that, and with asumption plugin wont release peer on init, all looks good, r=serge
Attachment #85789 - Flags: review+
*** Bug 146817 has been marked as a duplicate of this bug. ***
*** Bug 148502 has been marked as a duplicate of this bug. ***
Attached patch updated patch (obsolete) — Splinter Review
I updated the patch for Serge's comments using a nsCOMPtr.
Attachment #85332 - Attachment is obsolete: true
Attachment #85789 - Attachment is obsolete: true
-->peterl
Assignee: joe.chou → peterl
Component: OJI → Plug-ins
Keywords: nsbeta1, patch, review
Comment on attachment 86060 [details] [diff] [review] updated patch >+ nsCOMPtr<nsIPluginInstancePeer> pIpeer; >+ peer->QueryInterface(kIPluginInstancePeerIID, getter_AddRefs(pIpeer)); >+ if (!pIpeer) { >+ delete peer; >+ return NS_ERROR_NO_INTERFACE; >+ } >+ >+ result = instance->Initialize(pIpeer); // this should addref the peer but not the instance or owner >+ if (NS_FAILED(result)) // except in some cases not Java, see bug 140931 >+ return result; // our COM pointer will free the peer if plugin returns an error but addrefs pIpeer, we'll leak peer here
Attached patch addon to peterl's patch (obsolete) — Splinter Review
Peter, with these changes in ns4xPluginInstance.cpp we wont leak in 4.x based plugins, we cannot control xpcom plugins though.
Attached patch combined patchSplinter Review
Thanks Serge! I didn't realize 4.x plugins would leak the peer on error. Not much we can do about XPCOM plugins.
Attachment #86060 - Attachment is obsolete: true
Attachment #86258 - Attachment is obsolete: true
Attachment #86297 - Flags: review+
Comment on attachment 86297 [details] [diff] [review] combined patch r=serge
Status: NEW → ASSIGNED
Whiteboard: [PL RTM][grr] → [PL RTM][grr][needs super review]
Comment on attachment 86297 [details] [diff] [review] combined patch nsPluginHostImpl::AddInstanceToActiveList() should return an nsresult code. This isn't really part of your patch, but we should fix it. sr=beard
Attachment #86297 - Flags: superreview+
Patch in trunk, marking FIXED. New bug opened for Patrick's comment: bug 151920
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: review
Resolution: --- → FIXED
Whiteboard: [PL RTM][grr][needs super review] → [PL RTM][grr]
Whiteboard: [PL RTM][grr] → [PL RTM]
This is topcrash+ and the fix is pretty safe so nominating for 1.0.
Keywords: adt1.0.1, mozilla1.0.1
Target Milestone: mozilla1.0.1 → mozilla1.1beta
Keywords: verifyme
uh oh...not fixofied ! I crashed on 0620 trunk doing this: load this url- http://www.plonter.co.il/webcatalog/computerstore/writeus.tmpl? cart=310294907751040564&lang=heb It might load partially..not load at all...so click STOP and enter the next url..www.realgm.com and BOOM !!
well, I just loaded www.realgm.com upon browser launch and crashed...so no need of the earlier steps..hm
Shrir, I don't think the new crash is caused by this checkin but rather revealed it. The stack points to deep inside layout during what looks like reflowing an nsHTMLOption Element. I suggest a new bug be opened and the HTML be taken appart to find out what's cause the crash.
Shrir, I don't think the new crash is caused by this checkin but rather revealed it. The stack points to deep inside layout during what looks like reflowing an nsHTMLOption Element. I suggest a new bug be opened and the HTML be taken appart to find out what's cause the crash. The crash also happens if all the applets are removed and a Flash animation is replaced for the first plugin.
Blocks: 143047
Whiteboard: [PL RTM] → [PL RTM] [Need Impact] [ETA Needed]
this should have been marked as nsbeta1+ already
Keywords: nsbeta1nsbeta1+
Whiteboard: [PL RTM] [Need Impact] [ETA Needed] → [PL RTM] [ADT1] [ETA Needed]
Whiteboard: [PL RTM] [ADT1] [ETA Needed] → [ADT1 RTM] [PL RTM] [06/25]
lowering impact to adt2.
Whiteboard: [ADT1 RTM] [PL RTM] [06/25] → [ADT2 RTM] [PL RTM] [06/25]
shrir - where are we on the verification of this fix?
I just wanted to verify shrir's comments that we are going to crash regardless of whether we take this fix, just in a different place? Or is the new crash less frequent?
Attached file new stack
Yes, that's what's holding up this bug. We are now crashing somewhere in layout during relfow. A simplified testcase is needed (of the trunk) to determine what markup is causing the problem. Here's the ASSERTION I get: ###!!! ASSERTION: empty line: 'aLine->GetChildCount()', file ./nsBlockFrame.cpp, line 2716 The |this| of nsLineBox is pointing at invalid memory: nsLineBox::GetCombinedArea nsBlockFrame::ReflowDirtyLines The nsBlockFrame's content is an nsHTMLOptionElement. The block frame's code appears to have called |GetConbinedArea| because |IsDirty| returned true.
Adding adt1.0.1- per the adt. If you have a patch that fixes the crash please renominate.
Keywords: adt1.0.1adt1.0.1-
Hmm, I cannot repro the crash using 20020710 trunk build.
Marking this Verified Fixed Unable to reproduce the described crash after testing with Mozilla ID 2003051204
Status: RESOLVED → VERIFIED
Crash Signature: [@nsPluginHostImpl::AddInstanceToActiveList] [@ jpins32.dll]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: