Closed Bug 146907 Opened 22 years ago Closed 22 years ago

crash viewing www.ipng.org.uk (M1RC3) [@ nsCacheEntryHashTable::MatchEntry]

Categories: Core :: Networking: Cache, defect, P1
Platform: x86, All
Status: VERIFIED FIXED
Target Milestone: mozilla1.0.1
People: Reporter: noodles, Assigned: brendan
Details: Keywords: crash, js1.5, Whiteboard: [adt1 RTM]
Attachments: 2 files

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523
BuildID:    2002052309

If I go to www.ipng.org.uk then Mozilla crashes. However if I go to ipng.org.uk,
which is the same site, then it doesn't. Repeatable with rc1, rc2 & rc3.

Reproducible: Always
Steps to Reproduce:
1. Start Mozilla.
2. Type www.ipng.org.uk in URL bar and hit enter.
3. Watch Mozilla crash.

Actual Results:  Mozilla crashes.

Expected Results:  Displayed the page.

Debian GNU/Linux Woody, Mozilla tarball as downloaded from
http://www.mozilla.org/releases/
Reporter:
Can you please add a talkback ID from this crash to this bug report?
Talkback reports an incident ID of:

TB6647358Y
Crashed on exit with trunk 2002052107.
No crash with a current trunk CVS, both Linux.
Recently fixed?
reproducible: win2k sp2, m1rc3 ( 2002052306 )
talkback id:TB6650747W
Stephen, should I ask you for TB6650747W or TB6647358Y?
Keywords: crash
Summary: Crashes if I try to view the URL above. → crash viewing www.ipng.org.uk (M1RC3)
nsCacheEntryHashTable::MatchEntry
[d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheEntry.cpp, line 596]
SearchTable [d:\builds\seamonkey\mozilla\xpcom\ds\pldhash.c, line 403]
PL_DHashTableOperate [d:\builds\seamonkey\mozilla\xpcom\ds\pldhash.c, line 564]
nsCacheEntryHashTable::GetEntry
[d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheEntry.cpp, line 506]
nsCacheService::ActivateEntry
[d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheService.cpp, line 849]
nsCacheService::ProcessRequest
[d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheService.cpp, line 747]
nsCacheService::OpenCacheEntry
[d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheService.cpp, line 825]
nsCacheSession::OpenCacheEntry
[d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheSession.cpp, line 84]
nsHttpChannel::OpenCacheEntry
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 886]
nsHttpChannel::Connect
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 215]
nsHttpChannel::AsyncOpen
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2370]
imgLoader::LoadImage
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp, line 372]
nsImageFrame::RealLoadImage
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 1984]
nsImageFrame::LoadImage
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 1924]
nsImageFrame::Init
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 329]
nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6708]
nsCSSFrameConstructor::ConstructHTMLFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4933]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7327]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 12281]
nsCSSFrameConstructor::ConstructTableCellFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2873]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3137]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3031]
nsCSSFrameConstructor::ConstructTableRowFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2717]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3123]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3031]
nsCSSFrameConstructor::ConstructTableRowGroupFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2608]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3117]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 3031]
nsCSSFrameConstructor::ConstructTableFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 2489]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6528]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 8383]
StyleSetImpl::ContentAppended
[d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1515]
PresShell::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5175]
nsDocument::ContentAppended
[d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1953]
nsHTMLDocument::ContentAppended
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line
1404]
HTMLContentSink::NotifyAppend
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp,
line 4847]
SinkContext::FlushTags
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp,
line 2198]
HTMLContentSink::CloseBody
[d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp,
line 3255]
CNavDTD::CloseBody [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line
3182]
CNavDTD::CloseContainer [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp,
line 3514]
CNavDTD::CloseContainersTo
[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3580]
CNavDTD::CloseContainersTo
[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3764]
CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp,
line 595]
nsParser::DidBuildModel
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1253]
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp,
line 1790]
nsParser::ContinueParsing
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1359]
CSSLoaderImpl::Cleanup
[d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 807]
CSSLoaderImpl::SheetComplete
[d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 914]
CSSLoaderImpl::ParseSheet
[d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 949]
CSSLoaderImpl::DidLoadStyle
[d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 985]
SheetLoadData::OnStreamComplete
[d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 745]
nsStreamLoader::OnStopRequest
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamLoader.cpp, line 163]
nsStreamListenerTee::OnStopRequest
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 66]
nsHttpChannel::OnStopRequest
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2897]
nsOnStopRequestEvent::HandleEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsRequestObserverProxy.cpp, line 213]
PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 597] 
-> Cache
Assignee: Matti → gordon
Status: UNCONFIRMED → NEW
Component: Browser-General → Networking: Cache
Ever confirmed: true
QA Contact: imajes-qa → tever
i will research this bug, please give me some time.
Summary: crash viewing www.ipng.org.uk (M1RC3) → crash viewing www.ipng.org.uk (M1RC3) [@ nsCacheEntryHashTable::MatchEntry]
have it too on WinXP, build 2002053106.

Moving OS to All, since it occurs also on Windows.
OS: Linux → All
i found mozilla will crash when you reload the bug's URL. i found the error is
when mozilla gets keyHash using the page's image url
http://www.ipng.org.uk/images/powerlogo.gif with

    keyHash = table->ops->hashKey(table, key);
    ENSURE_LIVE_KEYHASH(keyHash);
    keyHash *= PL_DHASH_GOLDEN_RATIO;
    keyHash &= ~COLLISION_FLAG;

in PL_DHashTableOperate; it will make keyHash 0. then when netwerk gets the
hashEntry object, its keyHash is 0, so something goes wrong and makes netwerk
crash. this bug still happens in mozilla099. i know my fix is not a good fix, i
only want to discuss it with somebody.
please see my demo patch, and give me some advice.
anto: gordon is on sabbatical right now... give me some time, and i'll look at
your patch.

-> me
Assignee: gordon → darin
Priority: -- → P1
Target Milestone: --- → mozilla1.0.1
Whiteboard: [adt1 RTM]
removing adt1.0.1 nomination.  Please add it back when there's been a review and
super review on the patch and it has been landed on the trunk.
Keywords: adt1.0.1
interesting, the crash seems to be fixed on the trunk, but i can repro it easily
using a 1.0 debug build.
never mind, this is easily reproducible on the trunk as well... just visit the
problem link and then press shift-reload.  crashes every time.
on initial load of the page i get the following assertions when loading

  http://www.ipng.org.uk/images/powerlogo.gif

###!!! ASSERTION: ### Attempting to remove unknown cache entry!!!: 'check ==
cacheEntry', file nsCacheEntry.cpp, line 545
Break: at file nsCacheEntry.cpp, line 545
###!!! ASSERTION: binding not in disk cache hashtable!:
'PL_DHASH_ENTRY_IS_BUSY(hashEntry)', file nsDiskCacheBinding.cpp, line 353
Break: at file nsDiskCacheBinding.cpp, line 353
one interesting thing... if i disable the disk cache (i.e., set its size to zero)
then i still get the same assertion in nsCacheEntry.cpp... there are also some
assertions in the memory cache device, but AFAICT it doesn't crash.  so, i
suspect fixing the cause of the first assertion should fix this bug. 
investigating...
ok, it looks to me like this crash is being caused by a bug in the pldhash code.

i've already sent info to brendan about it... here's the message thread:

  >>> brendan,
  >>>
  >>> so i spoke with shaver about this via IRC today, but just wanted to
  >>> send out this mail summarizing what i found...
  >>>
  >>> turns out in some cases PL_DHashTableOperate(..., PL_DHASH_ADD)
  >>> returns a non-null hashEntry that is not LIVE.
  >>>
  >>> see http://bugzilla.mozilla.org/show_bug.cgi?id=146907 for the
  >>> related mozilla crash.
  >>>
  >>> i'm investigating further to see where the bug is...
  >>>
  >>> darin
  >>>
  >>
  >> ok, the problem seems to be related to this snippet of code at the top
  >> of PL_DHashTableOperate:
  >>
  >>    keyHash = table->ops->hashKey(table, key);
  >>    ENSURE_LIVE_KEYHASH(keyHash);
  >>    keyHash *= PL_DHASH_GOLDEN_RATIO;
  >>    keyHash &= ~COLLISION_FLAG;
  >>
  >> keyHash == 0 after this block of code.  as a result, we return a
  >> hashEntry with keyHash == 0.
  >>
  >> darin
  >>
  >> 
  >
  > and here's the string that is being used as a key (hash function =
  > PL_DHashStringKey):
  >
  >  "HTTP:http://www.ipng.org.uk/images/powerlogo.gif"
  >
  > (everything between the double quotes).

-> brendan
Assignee: darin → brendan
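The ordering quoted in the thread above, modelled as an added example (not code from this bug, its attachments, or pldhash.c): because the liveness check runs before the multiply and mask, one raw hash value still ends up as a stored keyHash of 0. The golden-ratio constant, the low-bit collision flag, the 0/1 free/removed sentinels and the ENSURE_LIVE_KEYHASH body are assumptions about pldhash.c of that era, and `scramble_checked_last` is a hypothetical reordering, not the attached patch.

```c
#include <stdint.h>
#include <stdio.h>

#define GOLDEN_RATIO   0x9E3779B9U /* assumed value of PL_DHASH_GOLDEN_RATIO */
#define COLLISION_FLAG 1U          /* assumed: low bit of keyHash marks a collision */

/* Assumed sentinels: stored keyHash 0 = free slot, 1 = removed slot. */
static int is_live(uint32_t keyHash) { return keyHash >= 2; }

/* Assumed body of ENSURE_LIVE_KEYHASH: move 0 and 1 off the sentinels. */
static uint32_t ensure_live(uint32_t h) { return h < 2 ? h - 2 : h; }

/* Ordering quoted in the thread: check first, then multiply and mask. */
static uint32_t scramble_as_quoted(uint32_t h) {
    h = ensure_live(h);
    h *= GOLDEN_RATIO;
    h &= ~COLLISION_FLAG;
    return h;
}

/* Hypothetical reordering: check the value that will actually be stored. */
static uint32_t scramble_checked_last(uint32_t h) {
    h *= GOLDEN_RATIO;
    h = ensure_live(h);
    h &= ~COLLISION_FLAG;
    return h;
}

/* Inverse of an odd constant mod 2^32 by Newton iteration. */
static uint32_t inverse_mod_2_32(uint32_t a) {
    uint32_t x = a;                 /* a*a == 1 mod 8, so 3 bits are right */
    for (int i = 0; i < 5; i++)
        x *= 2U - a * x;            /* each round doubles the correct bits */
    return x;
}

int main(void) {
    /* The raw hash whose product with the constant is exactly 1: it passes
       the early check (it is >= 2), then 1 & ~COLLISION_FLAG == 0. */
    uint32_t bad = inverse_mod_2_32(GOLDEN_RATIO);
    uint32_t q = scramble_as_quoted(bad), c = scramble_checked_last(bad);
    printf("raw hash      0x%08X\n", (unsigned)bad);
    printf("as quoted     0x%08X live=%d\n", (unsigned)q, is_live(q));
    printf("checked last  0x%08X live=%d\n", (unsigned)c, is_live(c));
    return 0;
}
```

Any key whose hash function output equals that single raw value produces an entry the table itself treats as free, which matches the "non-null hashEntry that is not LIVE" symptom reported above.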
Attached patch: proposed fix
Obvious, sorry I didn't see this sooner.

/be
Status: NEW → ASSIGNED
Keywords: js1.5
We need the fix in 1.0.0 ASAP too.

/be
Ok, in trunk.  Going for drivers approval for the 1.0 branch.

/be
Checked into the branch too, a=Asa.

/be
Fixed, I say.  Please double-check and verify.

/be
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment on attachment 86316
proposed fix

a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #86316 - Flags: approval+
good fix.
please land on the 1.0.1 branch. once there remove "mozilla1.0.1+" and add
"fixed1.0.1" to the keyword field.
Already checked in, please see earlier comments.

/be
verified w/ a trunk build under linux.  brendan's patch fixed the crash.  thx
brendan!!
verified trunk - 2002060508 builds - winNT4, mac osX    checking branch
Status: RESOLVED → VERIFIED
Whiteboard: [adt1 RTM] → [adt1 RTM][verified-trunk]
verified branch 20020605 - win NT4, linux rh6, mac osX
Keywords: verified1.0.1
removing fixed1.0.1 keyword
Keywords: fixed1.0.1
Whiteboard: [adt1 RTM][verified-trunk] → [adt1 RTM]
Crash Signature: [@ nsCacheEntryHashTable::MatchEntry]