Closed
Bug 146907
Opened 22 years ago
Closed 22 years ago
crash viewing www.ipng.org.uk (M1RC3) [@ nsCacheEntryHashTable::MatchEntry]
Categories
(Core :: Networking: Cache, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.0.1
People
(Reporter: noodles, Assigned: brendan)
References
()
Details
(Keywords: crash, js1.5, Whiteboard: [adt1 RTM])
Crash Data
Attachments
(2 files)
742 bytes,
patch
|
Details | Diff | Splinter Review | |
1.18 KB,
patch
|
dbaron
:
review+
shaver
:
superreview+
asa
:
approval+
|
Details | Diff | Splinter Review |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523 BuildID: 2002052309 If I go to www.ipng.org.uk then Mozilla crashes. However if I go to ipng.org.uk, which is the same site, then it doesn't. Repeatable with rc1, rc2 & rc3. Reproducible: Always Steps to Reproduce: 1. Start Mozilla. 2. Type www.ipng.org.uk in URL bar and hit enter. 3. Watch Mozilla crash. Actual Results: Mozilla crashes. Expected Results: Displayed the page. Debian GNU/Linux Woody, Mozilla tarball as downloaded from http://www.mozilla.org/releases/
Comment 1•22 years ago
|
||
Reporter: Can you please add a talkback Id from this crash to this bug report ?
Reporter | ||
Comment 2•22 years ago
|
||
Talkback reports an incident ID of: TB6647358Y
Crashed on exit with trunk 2002052107. No crash with a current trunk CVS, both Linux. Recently fixed?
Comment 4•22 years ago
|
||
reproducible: win2k sp2, m1rc3 ( 2002052306 ) talkback id:TB6650747W
Comment 5•22 years ago
|
||
Stephen, should I ask you for TB6650747W or TB6647358Y?
Keywords: crash
Summary: Crashes if I try to view the URL above. → crash viewing www.ipng.org.uk (M1RC3)
nsCacheEntryHashTable::MatchEntry [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheEntry.cpp, line 596] SearchTable [d:\builds\seamonkey\mozilla\xpcom\ds\pldhash.c, line 403] PL_DHashTableOperate [d:\builds\seamonkey\mozilla\xpcom\ds\pldhash.c, line 564] nsCacheEntryHashTable::GetEntry [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheEntry.cpp, line 506] nsCacheService::ActivateEntry [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheService.cpp, line 849] nsCacheService::ProcessRequest [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheService.cpp, line 747] nsCacheService::OpenCacheEntry [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheService.cpp, line 825] nsCacheSession::OpenCacheEntry [d:\builds\seamonkey\mozilla\netwerk\cache\src\nsCacheSession.cpp, line 84] nsHttpChannel::OpenCacheEntry [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 886] nsHttpChannel::Connect [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 215] nsHttpChannel::AsyncOpen [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2370] imgLoader::LoadImage [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp, line 372] nsImageFrame::RealLoadImage [d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 1984] nsImageFrame::LoadImage [d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 1924] nsImageFrame::Init [d:\builds\seamonkey\mozilla\layout\html\base\src\nsImageFrame.cpp, line 329] nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6708] nsCSSFrameConstructor::ConstructHTMLFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 4933] nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7327] nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7215] nsCSSFrameConstructor::ProcessInlineChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 13770] nsCSSFrameConstructor::ConstructInline [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 13546] nsCSSFrameConstructor::ConstructFrameByDisplayType [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6490] nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7366] nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7215] nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 12281] nsCSSFrameConstructor::ConstructTableCellFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 2873] nsCSSFrameConstructor::TableProcessChild [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3137] nsCSSFrameConstructor::TableProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3031] nsCSSFrameConstructor::ConstructTableRowFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 2717] nsCSSFrameConstructor::TableProcessChild [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3123] nsCSSFrameConstructor::TableProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3031] nsCSSFrameConstructor::ConstructTableRowGroupFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 2608] nsCSSFrameConstructor::TableProcessChild [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3117] nsCSSFrameConstructor::TableProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 3031] nsCSSFrameConstructor::ConstructTableFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 2489] nsCSSFrameConstructor::ConstructFrameByDisplayType [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 6528] nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7366] nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 7215] nsCSSFrameConstructor::ContentAppended [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp, line 8383] StyleSetImpl::ContentAppended [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp, line 1515] PresShell::ContentAppended [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 5175] nsDocument::ContentAppended [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1953] nsHTMLDocument::ContentAppended [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLDocument.cpp, line 1404] HTMLContentSink::NotifyAppend [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 4847] SinkContext::FlushTags [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 2198] HTMLContentSink::CloseBody [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 3255] CNavDTD::CloseBody [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3182] CNavDTD::CloseContainer [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3514] CNavDTD::CloseContainersTo [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3580] CNavDTD::CloseContainersTo [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3764] CNavDTD::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 595] nsParser::DidBuildModel [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1253] nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1790] nsParser::ContinueParsing [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1359] CSSLoaderImpl::Cleanup [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 807] CSSLoaderImpl::SheetComplete [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 914] CSSLoaderImpl::ParseSheet [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 949] CSSLoaderImpl::DidLoadStyle [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 985] SheetLoadData::OnStreamComplete [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 745] nsStreamLoader::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamLoader.cpp, line 163] nsStreamListenerTee::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp, line 66] nsHttpChannel::OnStopRequest [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp, line 2897] nsOnStopRequestEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsRequestObserverProxy.cpp, line 213] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c, line 597]
Comment 7•22 years ago
|
||
-> Cache
Assignee: Matti → gordon
Status: UNCONFIRMED → NEW
Component: Browser-General → Networking: Cache
Ever confirmed: true
QA Contact: imajes-qa → tever
Comment 8•22 years ago
|
||
i will research this bug,please give me some time.
Updated•22 years ago
|
Summary: crash viewing www.ipng.org.uk (M1RC3) → crash viewing www.ipng.org.uk (M1RC3) [@ nsCacheEntryHashTable::MatchEntry]
Comment 9•22 years ago
|
||
have it too on WinXP, build 2002053106. Moving OS to All, since it occurs also on Windows.
OS: Linux → All
Comment 10•22 years ago
|
||
i found mozilla will crash when you reload the bug's URL,i found the error is when mozilla get keyHash use the page's image's url http://www.ipng.org.uk/images/powerlogo.gif with keyHash = table->ops->hashKey(table, key); ENSURE_LIVE_KEYHASH(keyHash); keyHash *= PL_DHASH_GOLDEN_RATIO; keyHash &= ~COLLISION_FLAG; in PL_DHashTableOperate,it will make keyHash is 0,then when netwerk get hashEntry objec,its keyHash is 0,it will something wrong and make netwerk crash.this bug still happen in mozilla099.i know my fix is not a good fix,i only want to discuss with somebody.
Comment 11•22 years ago
|
||
please see my demo patch,and give me some advice.
Comment 12•22 years ago
|
||
anto: gordon is on sabbatical right now... give me some time, and i'll look at your patch. -> me
Assignee: gordon → darin
Priority: -- → P1
Target Milestone: --- → mozilla1.0.1
Updated•22 years ago
|
Keywords: adt1.0.1,
mozilla1.0.1
Whiteboard: [adt1 RTM]
Comment 13•22 years ago
|
||
removing adt1.0.1 nomination. Please add it back when there's been a review and super review on the patch and it has been landed on the trunk.
Keywords: adt1.0.1
Comment 14•22 years ago
|
||
interesting, the crash seems to be fixed on the trunk, but i can repro it easily using a 1.0 debug build.
Comment 15•22 years ago
|
||
nevermind, this is easily reproducible on the trunk as well... just visit the problem link and then press shift-reload. crashes everytime.
Comment 16•22 years ago
|
||
on initial load of the page i get the following assertions when loading http://www.ipng.org.uk/images/powerlogo.gif ###!!! ASSERTION: ### Attempting to remove unknown cache entry!!!: 'check == cacheEntry', file nsCacheEntry.cpp, line 545 Break: at file nsCacheEntry.cpp, line 545 ###!!! ASSERTION: binding not in disk cache hashtable!: 'PL_DHASH_ENTRY_IS_BUSY(hashEntry)', file nsDiskCacheBinding.cpp, line 353 Break: at file nsDiskCacheBinding.cpp, line 353
Comment 17•22 years ago
|
||
one interesting thing... if i disable the disk cache (i.e., set it size to zero) then i still get the same assertion in nsCacheEntry.cpp... there are also some assertions in the memory cache device, but AFAICT it doesn't crash. so, i suspect fixing the cause of the first assertion should fix this bug. investigating...
Comment 18•22 years ago
|
||
ok, it looks to me like this crash is being caused by a bug in the pldhash code. i've already sent info to brendan about it... here's the message thread: >>> brendan, >>> >>> so i spoke with shaver about this via IRC today, but just wanted to >>> send out this mail summarizing what i found... >>> >>> turns out in some cases PL_DHashTableOperate(..., PL_DHASH_ADD) >>> returns a non-null hashEntry that is not LIVE. >>> >>> see http://bugzilla.mozilla.org/show_bug.cgi?id=146907 for the >>> related mozilla crash. >>> >>> i'm investigating further to see where the bug is... >>> >>> darin >>> >> >> ok, the problem seems to be related to this snipet of code at the top >> of PL_DHashTableOperate: >> >> keyHash = table->ops->hashKey(table, key); >> ENSURE_LIVE_KEYHASH(keyHash); >> keyHash *= PL_DHASH_GOLDEN_RATIO; >> keyHash &= ~COLLISION_FLAG; >> >> keyHash == 0 after this block of code. as a result, we return a >> hashEntry with keyHash == 0. >> >> darin >> >> > > and here's the string that is being used as a key (hash function = > PL_DHashStringKey): > > "HTTP:http://www.ipng.org.uk/images/powerlogo.gif" > > (everything between the double quotes). -> brendan
Assignee: darin → brendan
Assignee | ||
Comment 19•22 years ago
|
||
Obvious, sorry I didn't see this sooner. /be
Comment on attachment 86316 [details] [diff] [review] proposed fix sr=shaver.
Attachment #86316 -
Flags: superreview+
Assignee | ||
Comment 21•22 years ago
|
||
We need the fix in 1.0.0 ASAP too. /be
Comment on attachment 86316 [details] [diff] [review] proposed fix r=dbaron
Attachment #86316 -
Flags: review+
Assignee | ||
Comment 23•22 years ago
|
||
Ok, in trunk. Going for drivers approval for the 1.0 branch. /be
Assignee | ||
Comment 24•22 years ago
|
||
Checked into the branch too, a=Asa. /be
Assignee | ||
Comment 25•22 years ago
|
||
Fixed, I say. Please double-check and verify. /be
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 26•22 years ago
|
||
Comment on attachment 86316 [details] [diff] [review] proposed fix a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #86316 -
Flags: approval+
Comment 27•22 years ago
|
||
good fix.
Comment 28•22 years ago
|
||
please land on the 1.0.1 branch. once there remove "mozilla1.0.1+" and add "fixed1.0.1" to the keyword field.
Keywords: mozilla1.0.1 → mozilla1.0.1+
Assignee | ||
Comment 29•22 years ago
|
||
Already checked in, please see earlier comments. /be
Keywords: mozilla1.0.1+ → fixed1.0.1
Comment 30•22 years ago
|
||
verified w/ a trunk build under linux. brendan's patch fixed the crash. thx brendan!!
Comment 31•22 years ago
|
||
verified trunk - 2002060508 builds - winNT4, mac osX checking branch
Status: RESOLVED → VERIFIED
Whiteboard: [adt1 RTM] → [adt1 RTM][verified-trunk]
Comment 32•22 years ago
|
||
verified branch 20020605 - win NT4, linux rh6, mac osX
Keywords: verified1.0.1
Comment 33•22 years ago
|
||
removing fixed1.0.1 keyword
Keywords: fixed1.0.1
Whiteboard: [adt1 RTM][verified-trunk] → [adt1 RTM]
Updated•13 years ago
|
Crash Signature: [@ nsCacheEntryHashTable::MatchEntry]
You need to log in
before you can comment on or make changes to this bug.
Description
•