Closed Bug 18191 Opened 25 years ago Closed 25 years ago

apprunner crashed in xpcom/ds/nsVoidArray.cpp

Categories

(Core :: Layout: Form Controls, defect, P3)

x86
Linux
defect

VERIFIED WORKSFORME

People

(Reporter: dejong, Assigned: pollmann)

Details

I was doing some surfing and I clicked on a URL
when mozilla core dumped on me. I have a RedHat
5.2 system (Linux-Intel).
I was using Mozilla from the CVS (Sat Nov 6).
Here is the method that it crashed in.
(xpcom/ds/nsVoidArray.cpp line 185)



180     PRBool nsVoidArray::RemoveElement(void* aElement)
181     {
182       void** ep = mArray;
183       void** end = ep + mCount;
184       while (ep < end) {
185         void* e = *ep++;
186         if (e == aElement) {
187           ep--;
188           return RemoveElementAt(PRInt32(ep - mArray));
189         }



#0  0x4012ab47 in nsVoidArray::RemoveElement (this=0x8d44df4,
    aElement=0x89ece20) at ../../../xpcom/ds/nsVoidArray.cpp:185
#1  0x40e5c36d in nsFormFrame::RemoveFormControlFrame (this=0x8d44da8,
    aFrame=@0x89ece20)
    at ../../../../../layout/html/forms/src/nsFormFrame.cpp:326
#2  0x40e71363 in nsHTMLButtonControlFrame::~nsHTMLButtonControlFrame (
    this=0x89ecde8, __in_chrg=0)
    at ../../../../../layout/html/forms/src/nsHTMLButtonControlFrame.cpp:90
#3  0x40e62034 in nsGfxButtonControlFrame::~nsGfxButtonControlFrame (
    this=0x89ecde8, __in_chrg=3)
    at ../../../../../layout/html/forms/src/nsGfxButtonControlFrame.cpp:231
#4  0x40d5a4bf in nsFrame::Destroy (this=0x89ecde8, aPresContext=@0x8978dd0)
    at ../../../../../layout/html/base/src/nsFrame.cpp:374
#5  0x40d56576 in nsContainerFrame::Destroy (this=0x89ecde8,
    aPresContext=@0x8978dd0)
    at ../../../../../layout/html/base/src/nsContainerFrame.cpp:96
#6  0x40d797fb in nsLineBox::DeleteLineList (aPresContext=0x8978dd0,
    aLine=0x89f07f0) at ../../../../../layout/html/base/src/nsLineBox.cpp:232
#7  0x40d48f8f in nsBlockFrame::Destroy (this=0x89ec590,
    aPresContext=@0x8978dd0)
    at ../../../../../layout/html/base/src/nsBlockFrame.cpp:1122
#8  0x40d797fb in nsLineBox::DeleteLineList (aPresContext=0x8978dd0,
    aLine=0x89f0c88) at ../../../../../layout/html/base/src/nsLineBox.cpp:232
#9  0x40d48f8f in nsBlockFrame::Destroy (this=0x89f0840,
    aPresContext=@0x8978dd0)
    at ../../../../../layout/html/base/src/nsBlockFrame.cpp:1122
#10 0x40d797fb in nsLineBox::DeleteLineList (aPresContext=0x8978dd0,
    aLine=0x89f0d08) at ../../../../../layout/html/base/src/nsLineBox.cpp:232
#11 0x40d48f8f in nsBlockFrame::Destroy (this=0x89eb910,
    aPresContext=@0x8978dd0)
    at ../../../../../layout/html/base/src/nsBlockFrame.cpp:1122
#12 0x40d4fb98 in nsBlockFrame::DoRemoveFrame (this=0x8c139d8,
    aPresContext=0x8978dd0, aDeletedFrame=0x89eb910)
    at ../../../../../layout/html/base/src/nsBlockFrame.cpp:4709
#13 0x40d4f816 in nsBlockFrame::RemoveFrame (this=0x8c139d8,
    aPresContext=@0x8978dd0, aPresShell=@0x8d0d878, aListName=0x0,
    aOldFrame=0x89eb910)
    at ../../../../../layout/html/base/src/nsBlockFrame.cpp:4601
#14 0x40d626c9 in FrameManager::RemoveFrame (this=0x89e1370,
    aPresContext=@0x8978dd0, aPresShell=@0x8d0d878, aParentFrame=0x8c139d8,
    aListName=0x0, aOldFrame=0x89eb910)
    at ../../../../../layout/html/base/src/nsFrameManager.cpp:629
#15 0x40ea6059 in nsCSSFrameConstructor::ContentRemoved (this=0x89e00f8,
    aPresContext=0x8978dd0, aContainer=0x8cf6b64, aChild=0x8d3fd0c,
    aIndexInContainer=8)
    at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6362
#16 0x40ea49e6 in nsCSSFrameConstructor::ContentReplaced (this=0x89e00f8,
    aPresContext=0x8978dd0, aContainer=0x8cf6b64, aOldChild=0x8d3fd0c,
    aNewChild=0x8d3fd0c, aIndexInContainer=8)
    at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:5966
#17 0x40eae420 in nsCSSFrameConstructor::ReframeContainingBlock (
    this=0x89e00f8, aPresContext=0x8978dd0, aFrame=0x89ebd70)
    at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:9532
#18 0x40ea2911 in nsCSSFrameConstructor::ContentAppended (this=0x89e00f8,
    aPresContext=0x8978dd0, aContainer=0x8d3fdb4, aNewIndexInContainer=2)
    at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:5321
#19 0x40f96889 in StyleSetImpl::ContentAppended (this=0x89e00d0,
    aPresContext=0x8978dd0, aContainer=0x8d3fdb4, aNewIndexInContainer=2)
    at ../../../../layout/base/src/nsStyleSet.cpp:938
#20 0x40d8a2cc in PresShell::ContentAppended (this=0x8d0d878,
    aDocument=0x8cf13f0, aContainer=0x8d3fdb4, aNewIndexInContainer=2)
    at ../../../../../layout/html/base/src/nsPresShell.cpp:1879
#21 0x40f59987 in nsDocument::ContentAppended (this=0x8cf13f0,
    aContainer=0x8d3fdb4, aNewIndexInContainer=2)
    at ../../../../layout/base/src/nsDocument.cpp:1511
#22 0x40e3e346 in nsHTMLDocument::ContentAppended (this=0x8cf13f0,
    aContainer=0x8d3fdb4, aNewIndexInContainer=2)
    at ../../../../../layout/html/document/src/nsHTMLDocument.cpp:997
#23 0x40da9e61 in nsGenericHTMLContainerElement::AppendChildTo (
    this=0x8d3fdc0, aKid=0x8cf9544, aNotify=1)
    at ../../../../../layout/html/content/src/nsGenericHTMLElement.cpp:2954
#24 0x40dac9be in nsHTMLAnchorElement::AppendChildTo (this=0x8d3fda8,
    aKid=0x8cf9544, aNotify=1)
    at ../../../../../layout/html/content/src/nsHTMLAnchorElement.cpp:111
#25 0x40e3102f in SinkContext::DemoteContainer (this=0x8cf2630,
    aNode=@0xbffff118)
    at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:1381
#26 0x40e3421d in HTMLContentSink::CloseForm (this=0x8922eb0,
    aNode=@0xbffff118)
    at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:2435
#27 0x410ee24c in CNavDTD::CloseForm (this=0x8d33650, aNode=@0xbffff118)
    at ../../../htmlparser/src/CNavDTD.cpp:2474
#28 0x410eeb26 in CNavDTD::CloseContainer (this=0x8d33650, aNode=@0xbffff118,
    aTag=eHTMLTag_form, aClosedByStartTag=0)
    at ../../../htmlparser/src/CNavDTD.cpp:2726
#29 0x410ec403 in CNavDTD::HandleEndToken (this=0x8d33650, aToken=0x82f2c60)
    at ../../../htmlparser/src/CNavDTD.cpp:1448
#30 0x410eac2a in CNavDTD::HandleToken (this=0x8d33650, aToken=0x82f2c60,
    aParser=0x8d5d018) at ../../../htmlparser/src/CNavDTD.cpp:660
#31 0x410ea5fc in CNavDTD::BuildModel (this=0x8d33650, aParser=0x8d5d018,
    aTokenizer=0x8cccfc0, anObserver=0x0, aSink=0x8922eb0)
    at ../../../htmlparser/src/CNavDTD.cpp:462
#32 0x410f917c in nsParser::BuildModel (this=0x8d5d018)
    at ../../../htmlparser/src/nsParser.cpp:1052
#33 0x410f903c in nsParser::ResumeParse (this=0x8d5d018, aDefaultDTD=0x0,
    aIsFinalChunk=0) at ../../../htmlparser/src/nsParser.cpp:963
#34 0x410f9b32 in nsParser::OnDataAvailable (this=0x8d5d018,
    channel=0x8cf1798, aContext=0x0, pIStream=0x8c01238, sourceOffset=0,
    aLength=1176) at ../../../htmlparser/src/nsParser.cpp:1339
#35 0x408e0cbb in nsDocumentBindInfo::OnDataAvailable (this=0x88e3cf8,
    channel=0x8cf1798, ctxt=0x0, aStream=0x8c01238, sourceOffset=0,
    aLength=1176) at ../../../webshell/src/nsDocLoader.cpp:1219
#36 0x408e1938 in nsChannelListener::OnDataAvailable (this=0x8957f28,
    aChannel=0x8cf1798, aContext=0x0, aInStream=0x8c01238, aOffset=0,
    aCount=1176) at ../../../webshell/src/nsDocLoader.cpp:1404
#37 0x408e1938 in nsChannelListener::OnDataAvailable (this=0x8957b68,
    aChannel=0x8cf1798, aContext=0x0, aInStream=0x8c01238, aOffset=0,
    aCount=1176) at ../../../webshell/src/nsDocLoader.cpp:1404
#38 0x4129dd81 in nsHTTPResponseListener::OnDataAvailable (this=0x8cf1fb8,
    channel=0x89590c0, context=0x8cf1798, i_pStream=0x8c01238,
    i_SourceOffset=5106, i_Length=1176)
    at ../../../../../netwerk/protocol/http/src/nsHTTPResponseListener.cpp:175
#39 0x40877dea in nsOnDataAvailableEvent::HandleEvent (this=0x41404860)
    at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:416
#40 0x40877392 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41403528)
    at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:173
#41 0x401872fb in PL_HandleEvent (self=0x41403528) at plevent.c:537
#42 0x4018720d in PL_ProcessPendingEvents (self=0x80a0118) at plevent.c:498
#43 0x4014a915 in nsEventQueueImpl::ProcessPendingEvents (this=0x80a00f0)
    at ../../../xpcom/threads/nsEventQueue.cpp:193
#44 0x4049d2fc in event_processor_callback (data=0x80a00f0, source=8,
    condition=GDK_INPUT_READ) at ../../../../widget/src/gtk/nsAppShell.cpp:232
#45 0x4049cc03 in our_gdk_io_invoke (source=0x8191f20, condition=G_IO_IN,
    data=0x81afe18) at ../../../../widget/src/gtk/nsAppShell.cpp:53
#46 0x4062c72e in g_io_unix_dispatch (source_data=0x8191f38,
    current_time=0xbffff620, user_data=0x81afe18) at giounix.c:135
#47 0x4062dc8f in g_main_dispatch (current_time=0xbffff620) at gmain.c:652
#48 0x4062e277 in g_main_iterate (block=1, dispatch=1) at gmain.c:870
#49 0x4062e3f9 in g_main_run (loop=0x81ad860) at gmain.c:928
#50 0x4055eedf in gtk_main () at gtkmain.c:475
#51 0x4049d80f in nsAppShell::Run (this=0x80a1f48)
    at ../../../../widget/src/gtk/nsAppShell.cpp:399
#52 0x4032a031 in nsAppShellService::Run (this=0x809fda0)
    at ../../../../xpfe/appshell/src/nsAppShellService.cpp:483
#53 0x804c85c in main1 (argc=1, argv=0xbffff834)
    at ../../../xpfe/bootstrap/nsAppRunner.cpp:580
#54 0x804cae9 in main (argc=1, argv=0xbffff834)
    at ../../../xpfe/bootstrap/nsAppRunner.cpp:670
Assignee: leger → karnaze
Component: Browser-General → HTML Form Controls
Assignee: karnaze → kmcclusk
Reassigning to Kevin.
Assignee: kmcclusk → pollmann
Eric, I think this is yours.
Status: NEW → ASSIGNED
Target Milestone: M12
Yes, this looks like it may be related to the mFormElements cleanup I did
recently. It would be extremely helpful if you could add a reproducible test
case (which sites did you visit in what order to cause the crash?)  Thanks!
Perhaps this would be a good time to ask why mozilla does not save a log
of each URL that it tries to load. If each and every URL loaded was saved
into a log file, it would be really easy to attach that log file to a bug
report so you developers would know what steps to take to reproduce the
problem. I have no idea what URLs I was looking at when it crashed, how
would I? The only place such a list exists is in the browser, and it just
crashed. If I knew how to get this info out of the core file, it might
help, but why not make it easy for bug reporters and developers by
having a simple logging system. This could be removed with a --without-urllog
switch to the configure script.
QA Contact: leger → cpratt
Updating QA contact.
QA Contact update.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
I still am unable to reproduce this bug, so I'm marking it WORKSFORME.  If you
can find a reproducible test case, please reopen this bug.  Thanks!
Blocks: 21564
Marking VERIFIED WORKSFORME on:
- Linux6 2000-02-01-10 Commercial build
- Win98 2000-02-01-08 Commercial build
- MacOS86 2000-02-01-09 Commercial build
Status: RESOLVED → VERIFIED
No longer blocks: 21564