Closed Bug 18328 Opened 20 years ago Closed 20 years ago

[DOGFOOD]CRASH Clicking on "Personal Options" at this BofA site

Categories

(Core :: HTML: Parser, defect, P3, critical)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: scalkins, Assigned: harishd)

Details

(Whiteboard: [PDT+] 11/19)

Go to the following Bank of America site on Mozilla -
http://www.bankofamerica.com/state.cgi?section=online , and click on the
"Personal Options" link.


Expected results:
You are taken to the following link successfully.

Actual results:
You will crash, almost immediately if you click on this link before the page has
had time to fully redraw. If you click on this link after the page has fully
redrawn, then it seems to go in some sort of loop trying to draw the page (Keeps
refreshing the page) before crashing.
Found this in Win build 1999-11-08-09 (M11, commercial release)
This works ok in Netscape 4.7 on the same Win NT box where I tested with
Mozilla.
scalkins, can you get us a stack trace please.  lchiang can explain to you how
to get this.  PDT will review again tomorrow.  We need this to know who to assign
to.
Sorry, here is the talkback stack trace:
Incident ID 634052
 Trigger Time
               1999-11-10 09:47:40
 Email Address
               scalkins@netscape.com
 User Comments
               clicked on a link at this url and received the crash.
 Build ID
               1999110911
 Product ID
               Communicator5.0
 Platform ID
               Win32
 Stack Trace

MSVCRT.dll + 0xd4ec (0x7800d4ec)
MSVCRT.dll + 0xcc7a (0x7800cc7a)
MSVCRT.dll + 0x12d7 (0x780012d7)
StyleSetImpl::GetContext
[d:\builds\seamonkey\mozilla\layout\base\src\nsStyleSet.cpp, line 569]
StyleSetImpl::ResolveStyleFor
[d:\builds\seamonkey\mozilla\layout\base\src\nsStyleSet.cpp, line 649]
nsPresContext::ResolveStyleContextFor
[d:\builds\seamonkey\mozilla\layout\base\src\nsPresContext.cpp, line 410]
nsCSSFrameConstructor::ResolveStyleContext
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4693]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4900]
nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 9133]
nsCSSFrameConstructor::ConstructTableCellFrameOnly
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1777]
nsCSSFrameConstructor::ConstructTableCellFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1688]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4524]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4950]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1858]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1833]
nsCSSFrameConstructor::ConstructTableRowFrameOnly
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1578]
nsCSSFrameConstructor::ConstructTableRowFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1521]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4517]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4950]
nsCSSFrameConstructor::TableProcessChild
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1858]
nsCSSFrameConstructor::TableProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1833]
nsCSSFrameConstructor::ConstructTableGroupFrameOnly
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1467]
nsCSSFrameConstructor::ConstructTableGroupFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1362]
nsCSSFrameConstructor::ConstructTableFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 1101]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4483]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 4950]
nsCSSFrameConstructor::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5375]
StyleSetImpl::ContentAppended
[d:\builds\seamonkey\mozilla\layout\base\src\nsStyleSet.cpp, line 939]
PresShell::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2054]
nsDocument::ContentAppended
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp, line 1515]
nsHTMLDocument::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLDocument.cpp, line
998]
HTMLContentSink::NotifyAppend
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp,
line 3477]
SinkContext::FlushTags
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp,
line 1730]
HTMLContentSink::WillInterrupt
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp,
line 2054]
CNavDTD::WillInterruptParse
[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 3151]
nsParser::ResumeParse [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp,
line 1007]
nsParser::OnDataAvailable
[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1340]
nsDocumentBindInfo::OnDataAvailable
[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1220]
nsChannelListener::OnDataAvailable
[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1405]
nsChannelListener::OnDataAvailable
[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1405]
nsChannelListener::OnDataAvailable
[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1405]
nsHTTPResponseListener::OnDataAvailable
[d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cp
p, line 184]
nsOnDataAvailableEvent::HandleEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line
417]
nsStreamListenerEvent::HandlePLEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line
174]
PL_HandleEvent [plevent.c, line 538]
PL_ProcessPendingEvents [plevent.c, line 499]
_md_EventReceiverProc [plevent.c, line 976]
USER32.dll + 0x1820 (0x77e71820)
nsAppShellService::Run
[d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp, line 484]
main1 [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 586]
main [d:\builds\seamonkey\mozilla\xpfe\bootstrap\nsAppRunner.cpp, line 677]
mainCRTStartup()
KERNEL32.dll + 0x1ba06 (0x77f1ba06)
Assignee: leger → pierre
Component: Browser-General → Style System
QA Contact: leger → chrisd
Whiteboard: [PDT+]
Putting on PDT+ radar.
I can reproduce this bug with a debug build on WinNT although the stack is
completely different (the reporter had an optimized build). I repeatedly crash in
nsLocation.cpp line 145 because scriptCX is null. I did check that
JS_SetContextPrivate() is never called with a null 'data' so I'm puzzled.
Reassigned to norris who worked in that area.
Assignee: pierre → norris
Assignee: norris → rickg
Component: Style System → Parser
Summary: [DOGFOOD]CRASH Clicking on "Personnal Options" at this BofA site → [DOGFOOD]CRASH Clicking on "Personal Options" at this BofA site
I believe the crash that pierre was seeing is a result of bug 18408, which
waterson checked in a fix for yesterday. At any rate, I can't reproduce a crash
in nsLocation.cpp.

Instead, I get multiple assertions
   NS_ASSERTION(mStackPos == 1, "insufficient close container calls");
at
nsDebug::Assertion(const char * 0x019d5084, const char * 0x019d5074, const char
* 0x019d5030, int 1573) line 284 + 13 bytes
SinkContext::End() line 1573 + 35 bytes
HTMLContentSink::~HTMLContentSink() line 1891
HTMLContentSink::`scalar deleting destructor'(unsigned int 1) + 15 bytes
HTMLContentSink::Release(HTMLContentSink * const 0x02c1a570) line 1914 + 134
bytes
CNavDTD::~CNavDTD() line 321 + 27 bytes
CNavDTD::`vector deleting destructor'(unsigned int 1) + 84 bytes
CNavDTD::Release(CNavDTD * const 0x01e4e1f0) line 229 + 134 bytes
CParserContext::~CParserContext() line 74 + 27 bytes
CParserContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsParser::~nsParser() line 233 + 31 bytes
nsParser::`vector deleting destructor'(unsigned int 1) + 84 bytes
nsParser::Release(nsParser * const 0x02c1a780) line 238 + 134 bytes
nsDocumentBindInfo::OnStopRequest(nsDocumentBindInfo * const 0x02c21940,
nsIChannel * 0x02c120e0, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1264 + 27 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x02c216f0,
nsIChannel * 0x02c120e0, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1382 + 42 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x02c24090,
nsIChannel * 0x02c120e0, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1382 + 42 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x02c129f0,
nsIChannel * 0x02c120e0, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1382 + 42 bytes
nsHTTPChannel::ResponseCompleted(nsIChannel * 0x02c114a0, unsigned int
2152398850, const unsigned short * 0x00000000) line 783 + 42 bytes
nsHTTPResponseListener::OnStopRequest(nsHTTPResponseListener * const 0x02c1c550,
nsIChannel * 0x02c114a0, nsISupports * 0x02c120e0, unsigned int 2152398850,
const unsigned short * 0x00000000) line 243
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x0267c930) line
326
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x0267d8b0) line 173 + 12 bytes
PL_HandleEvent(PLEvent * 0x0267d8b0) line 537 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01071df0) line 498 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00880990, unsigned int 49361, unsigned int 0,
long 17243632) line 972 + 9 bytes
USER32! 77e71820()
01

and then finally a crash at

operator delete(void * 0xdddddddd) line 47 + 3 bytes
SinkContext::~SinkContext() line 990 + 18 bytes
SinkContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
HTMLContentSink::~HTMLContentSink() line 1894 + 28 bytes
HTMLContentSink::`scalar deleting destructor'(unsigned int 1) + 15 bytes
HTMLContentSink::Release(HTMLContentSink * const 0x02a290d0) line 1914 + 134
bytes
CNavDTD::~CNavDTD() line 321 + 27 bytes
CNavDTD::`vector deleting destructor'(unsigned int 1) + 84 bytes
CNavDTD::Release(CNavDTD * const 0x02a773f0) line 229 + 134 bytes
CParserContext::~CParserContext() line 74 + 27 bytes
CParserContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsParser::~nsParser() line 233 + 31 bytes
nsParser::`vector deleting destructor'(unsigned int 1) + 84 bytes
nsParser::Release(nsParser * const 0x02a2bda0) line 238 + 134 bytes
nsDocumentBindInfo::OnStopRequest(nsDocumentBindInfo * const 0x0267f450,
nsIChannel * 0x02a34f00, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1264 + 27 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x0267d710,
nsIChannel * 0x02a34f00, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1382 + 42 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x02a226a0,
nsIChannel * 0x02a34f00, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1382 + 42 bytes
nsChannelListener::OnStopRequest(nsChannelListener * const 0x02a35ec0,
nsIChannel * 0x02a34f00, nsISupports * 0x00000000, unsigned int 2152398850,
const unsigned short * 0x00000000) line 1382 + 42 bytes
nsHTTPChannel::ResponseCompleted(nsIChannel * 0x02a317e0, unsigned int
2152398850, const unsigned short * 0x00000000) line 783 + 42 bytes
nsHTTPResponseListener::OnStopRequest(nsHTTPResponseListener * const 0x02a32970,
nsIChannel * 0x02a317e0, nsISupports * 0x02a34f00, unsigned int 2152398850,
const unsigned short * 0x00000000) line 243
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x02a81650) line
326
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x02a80570) line 173 + 12 bytes
PL_HandleEvent(PLEvent * 0x02a80570) line 537 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01071df0) line 498 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00880990, unsigned int 49361, unsigned int 0,
long 17243632) line 972 + 9 bytes
USER32! 77e71820()

Reassigning to owner of parser component.
Status: NEW → ASSIGNED
Target Milestone: M12
Dogfood, putting on M12 radar.
It's clear from the stack trace that this isn't the parser, but I don't yet know
what the problem is. I'll run it through the debugger tonight.
Also note this: the bug appears to be in Kipp's code, and kipp is gone. I'll
still try to track it down, but please cut me some slack here: I'm not even
supposed to be coding (per Hamerly).
It appears that the crash is the result of an HTMLContentSink being free'd twice. I
need to go home to sleep now, so tomorrow I'll debug the addref/release pairs
involved with this object.
Assignee: rickg → harishd
Status: ASSIGNED → NEW
Assigning bug to myself.
*** Bug 19113 has been marked as a duplicate of this bug. ***
Whiteboard: [PDT+] → [PDT+] 11/19
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
In the HTML sink, a couple of contexts, in the context stack, happened to be
identical and therefore freeing one of the contexts caused the other to get
freed twice...and...hence...a crash.  Problem taken care of.
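
The failure mode described in the comment above (two slots of a context stack holding the same pointer, so teardown frees one object twice), as an added C++ illustration that is not Mozilla code. `Context`, `naiveExtraFrees`, `safeTeardown` and the three-entry stack are hypothetical and constructed; the naive per-slot delete is only counted, never executed.

```cpp
// Added illustration, not Mozilla source. All names here are hypothetical.
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

struct Context { static int destroyed; ~Context() { ++destroyed; } };
int Context::destroyed = 0;   // counts destructor runs

// How many surplus deletes a "delete every slot" loop would issue.
// Simulated only: executing a real double delete is undefined behaviour.
std::size_t naiveExtraFrees(const std::vector<Context*>& stack) {
    std::set<Context*> distinct;
    std::size_t extra = 0;
    for (Context* slot : stack)
        if (slot && !distinct.insert(slot).second) ++extra;
    return extra;
}

// Hardened teardown: free each distinct object once and null every slot,
// so an aliased entry can never reach delete a second time.
std::size_t safeTeardown(std::vector<Context*>& stack) {
    std::set<Context*> freed;
    for (Context*& slot : stack) {
        if (slot && freed.insert(slot).second) delete slot;
        slot = nullptr;
    }
    stack.clear();
    return freed.size();
}

struct Outcome { std::size_t extraFrees, freedOnce; int dtorRuns; bool emptied; };

// Constructed case: two slots of a three-entry stack alias the same object.
Outcome constructedCase() {
    Context* head = new Context;
    Context* current = new Context;
    std::vector<Context*> stack = {head, current, current};
    int before = Context::destroyed;
    Outcome o;
    o.extraFrees = naiveExtraFrees(stack);
    o.freedOnce = safeTeardown(stack);
    o.dtorRuns = Context::destroyed - before;
    o.emptied = stack.empty();
    return o;
}

int main() {
    Outcome o = constructedCase();
    std::printf("naive surplus deletes: %zu, freed once: %zu\n", o.extraFrees, o.freedOnce);
}
```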
QA Contact: chrisd → janc
Status: RESOLVED → VERIFIED
Marking VERIFIED FIXED on:
- WinNT 1999113012 mozilla

Also tested on:
- MacOS86 1999113008 mozilla

Could not test on Linux6 due to an apparent cookies bug (a new one?).  Will
address separately.