Closed Bug 163874 Opened 23 years ago Closed 23 years ago

crash on www.xoip.com

Categories

(SeaMonkey :: General, defect)

Product:
SeaMonkey
Component:
General
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 159256

People

(Reporter: patoche.smart+mozilla, Assigned: asa)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(4 files)

Screen shot of crash window
3.83 KB, image/gif
Details
Talkback stack traces (5)
7.72 KB, text/plain
Details
ico file to be used with HTML testcase
7.92 KB, text/plain
Details
testcase
302 bytes, text/html
Details
Browser version 20020818 crashes at that address.
WFM, 1.1 RC (20020818) - WinXP
Confirming bug, 2002-08-21-04 trunk Windows 2000. TB 9654983X
Severity: major → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, stackwanted
worksforme, linux trunk build 20020821
WFM 2002082008/trunk/W2K Stephen, should I ask you for TB9654983X?
URL: http://www.xoip.comhttp://www.xoip.com/
ntdll.dll + 0x491b6 (0x77fc91b6) ntdll.dll + 0x4a1c1 (0x77fca1c1) ntdll.dll + 0x4a47f (0x77fca47f) MSVCRT.DLL + 0x1089 (0x78001089) MSVCRT.DLL + 0x1026 (0x78001026) NewParseNode [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 145] Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1183] Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1448] Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1195] Statements [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 887] FunctionBody [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 558] FunctionDef [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 722] FunctionStmt [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 857] Statement [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 1172] Statements [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 887] js_CompileTokenStream [c:/builds/seamonkey/mozilla/js/src/jsparse.c, line 394] CompileTokenStream [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 2851] JS_CompileUCScriptForPrincipals [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 2931] JS_EvaluateUCScriptForPrincipals [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3380] nsJSContext::EvaluateString [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 702] nsScriptLoader::EvaluateScript [c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 570] nsScriptLoader::ProcessRequest [c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 478] nsScriptLoader::OnStreamComplete [c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 781] nsStreamLoader::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 163] nsStreamListenerTee::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66] nsHttpChannel::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 2972] nsOnStopRequestEvent::HandleEvent [c:/builds/seamonkey/mozilla/netwerk/base/src/nsRequestObserverProxy.cpp, line 213] PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 597] PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 530] _md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 1078] nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 452] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1523] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1874] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1892] WinMainCRTStartup() KERNEL32.DLL + 0x7903 (0x77e87903)
Keywords: stackwanted
Crash on 2002082109 trunk with WinXP Talkback: TB9678971M OS -> All
OS: Windows NT → All
Also crashing on 1.0 branch: 2002082109/1.0branch/W2K -> TB9723975E, TB9723622Y, TB9723619M 2002082208/trunk/W2K -> TB9724191K
Based on the filename "jsparse.c" I'm guessing --> JavaScript Engine.
Assignee: asa → rogerl
Component: Browser-General → JavaScript Engine
QA Contact: asa → pschwartau
Note: some stack traces are unreliable because so much heap corruption has occurred: you have corrupted memory running through the entire stack. With a Mozilla debug build, one tipoff is the presence of function calls like this in the stack: _free_dbg_lk(void * 0x04fa6ba0, int 1) line 1062 + 11 bytes _free_dbg(void * 0x04fa6ba0, int 1) line 970 + 13 bytes free(void * 0x04fa6ba0) line 926 + 11 bytes I'm seeing that in a (non-current) debug Mozilla build. Also note that the Talkback stack traces are, for the most part, completely different from each other. Reassigning back to Browser-General. I think that to progress further, we need to run Purify on the site. cc'ing Stephen: do you have Purify available by any chance?
Assignee: rogerl → asa
Component: JavaScript Engine → Browser-General
QA Contact: pschwartau → asa
Win NT + Win XP = Win NT (All means more than just Windows) valgrind under linux shows bad things, but nothing that would result in heap corruption or a crash. filed bug 164381
OS: All → Windows NT
Under Purify, I get: [E] ABW: Array bounds write in memcpy {2 occurrences} Writing 8 bytes to 0x0f3c37c0 (8 bytes at 0x0f3c37c0 illegal) Address 0x0f3c37c0 is 8 bytes before the beginning of a 496 byte block at 0x0f3c37c8 Address 0x0f3c37c0 points to a C++ new block in heap 0x02770000 Thread ID: 0x58c Error location memcpy [memcpy.asm:109] gfxImageFrame::SetAlphaData(BYTE const*,UINT,int) [gfxImageFrame.cpp:385] nsICODecoder::SetAlphaData(void) [nsICODecoder.cpp:118] nsICODecoder::Flush(void) [nsICODecoder.cpp:187] imgRequest::OnStopRequest(nsIRequest *,nsISupports *,UINT) [imgRequest.cpp:635] ProxyListener::OnStopRequest(nsIRequest *,nsISupports *,UINT) [imgLoader.cpp:723] nsStreamListenerTee::OnStopRequest(nsIRequest *,nsISupports *,UINT) [nsStreamListenerTee.cpp:65] nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,UINT) [nsHttpChannel.cpp:2971] nsOnStopRequestEvent::HandleEvent(void) [nsRequestObserverProxy.cpp:212] nsARequestObserverEvent::HandlePLEvent(PLEvent *) [nsRequestObserverProxy.cpp:115] Allocation location new(UINT) [new.cpp:23] nsImageWin::Init(int,int,int,nsMaskRequirements) [nsImageWin.cpp:218] gfxImageFrame::Init(int,int,int,int,int) [gfxImageFrame.cpp:120] nsICODecoder::ProcessData(char const*,UINT) [nsICODecoder.cpp:307] nsICODecoder::ReadSegCb(nsIInputStream *,void *,char const*,UINT,UINT,UINT *) [nsICODecoder.cpp:200] nsInputStreamTee::WriteSegmentFun(nsIInputStream *,void *,char const*,UINT,UINT,UINT *) [nsInputStreamTee.cpp:104] nsPipe::nsPipeInputStream::ReadSegments((*)(nsIInputStream *,void *,char const*,UINT,UINT,UINT *),void *,UINT,UINT *) [nsPipe2.cpp:419] nsInputStreamTee::ReadSegments((*)(nsIInputStream *,void *,char const*,UINT,UINT,UINT *),void *,UINT,UINT *) [nsInputStreamTee.cpp:158] nsICODecoder::WriteFrom(nsIInputStream *,UINT,UINT *) [nsICODecoder.cpp:205] imgRequest::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,UINT,UINT) [imgRequest.cpp:752] AND [E] IPW: Invalid pointer write in memcpy {2 occurrences} Writing 188 bytes to 0x0f3e1e8c (4 bytes at 0x0f3e1e8c illegal) Address 0x0f3e1e8c points into a HeapAlloc'd block in unallocated region of heap 0x02770000 Thread ID: 0x58c Error location memcpy [memcpy.asm:109] gfxImageFrame::SetImageData(BYTE const*,UINT,int) [gfxImageFrame.cpp:285] nsICODecoder::SetImageData(void) [nsICODecoder.cpp:109] nsICODecoder::Flush(void) [nsICODecoder.cpp:188] imgRequest::OnStopRequest(nsIRequest *,nsISupports *,UINT) [imgRequest.cpp:635] ProxyListener::OnStopRequest(nsIRequest *,nsISupports *,UINT) [imgLoader.cpp:723] nsStreamListenerTee::OnStopRequest(nsIRequest *,nsISupports *,UINT) [nsStreamListenerTee.cpp:65] nsHttpChannel::OnStopRequest(nsIRequest *,nsISupports *,UINT) [nsHttpChannel.cpp:2971] nsOnStopRequestEvent::HandleEvent(void) [nsRequestObserverProxy.cpp:212] nsARequestObserverEvent::HandlePLEvent(PLEvent *) [nsRequestObserverProxy.cpp:115] AND [E] EXU: Unhandled exception in free_base {1 occurrence} Exception code: 0xc0000005 [Error: access violation] Exception address: RtlFreeHeap [ntdll.dll] Filter: mainCRTStartup [crtexe.c:345] Exception location RtlFreeHeap [ntdll.dll] RtlAllocateHeap [ntdll.dll] free_base [free.c:92] free_dbg [dbgheap.c:993] free [dbgheap.c:955] delete(void *) [delop.cpp:6] nsCacheEntryDescriptor::nsOutputStreamWrapper::`vector deleting destructor'(UINT) [nkcache.dll] nsCacheEntryDescriptor::nsOutputStreamWrapper::Release(void) [nsCacheEntryDescriptor.cpp:635] nsCOMPtr<nsIOutputStream>::assign_assuming_AddRef(nsIOutputStream *) [nsCOMPtr.h:472] nsCOMPtr<nsIOutputStream>::assign_with_AddRef(nsISupports *) [nsCOMPtr.h:914] DISCLAIMER: I'm not totally sure the latter is valid (actually, or the others). Purify can sometimes be quite erroneous. I'm clearing cache and rerunning to verify.
Loading http://www.xoip.com/content/home/home.jsp crashes on 2002082308, but saving it locally and opening = no crash. Something network related, or a timing issue? Nothing looks unusual in the headers. Document headers: HTTP/1.1 200 OK Date: Sat, 24 Aug 2002 06:53:40 GMT Server: Apache/1.3.14 (Unix) (Red-Hat/Linux) Set-Cookie: jsessionid=135391030172020899;path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: Keep-alive Cache-Control: no-cache="set-cookie,set-cookie2" Content-Length: 7102 Content-Type: text/html; charset=ISO-8859-1
OK guys! I figured it out. The problem is with the xoip.ico file that Mozilla tries to load when it loads that site. I will attach a testcase here.
Leaving text/plain as on original site (don't know if it's relevant)
Attached file testcase
This should crash Mozilla right away. The odd thing is that if I change the indentation of the HTML code, or if I get rid of the leading CRLFs, the crash is not a sure thing anymore.
If the MIME-type for the ico file is set to image/bmp, Mozilla promptly crashes upon accessing it directly.
This has been going on for awhile. Some of the traces on bug 159256 look similar. *** This bug has been marked as a duplicate of 159256 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: