Closed Bug 20161 Opened 25 years ago Closed 25 years ago

[DOGFOOD]Crashing in delete in nsBoxFrame

Categories

(Core :: XUL, defect, P3)

x86
All
defect

Tracking

VERIFIED FIXED

People

(Reporter: slogan, Assigned: eric)

Details

(Whiteboard: [PDT+] 12/03/1999)

Build ns mozilla.
Remove your mozregistry.dat file to force a new profile (may or may not have
any bearing on the problem, probably doesn't).
Launch it.
In the sidebar IM panel, set your screen name, and click on the "send" button.
You will crash when mozilla tries to render the next (login) panel.

Here is the stack.

_free_dbg_lk(void * 0x03696c20, int 0x00000001) line 1033 + 60 bytes
_free_dbg(void * 0x03696c20, int 0x00000001) line 970 + 13 bytes
operator delete(void * 0x03696c20) line 49 + 16 bytes
nsBoxFrame::FlowChildren(nsIPresContext * 0x0313dec0, nsHTMLReflowMetrics &
{...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000, nsRect &
{...}) line 729 + 24 bytes
nsBoxFrame::Reflow(nsBoxFrame * const 0x034fce30, nsIPresContext * 0x0313dec0,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
0x00000000) line 593
nsContainerFrame::ReflowChild(nsIFrame * 0x034fce30, nsIPresContext *
0x0313dec0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int
0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000)
line 639 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x034fbd30, nsIPresContext * 0x0313dec0,
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int &
0x00000000) line 333
nsContainerFrame::ReflowChild(nsIFrame * 0x034fbd30, nsIPresContext *
0x0313dec0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, int
0x00000000, int 0x00000000, unsigned int 0x00000000, unsigned int & 0x00000000)
line 639 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x034fa080, nsIPresContext *
0x0313dec0, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...},
unsigned int & 0x00000000) line 527
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x036429b0,
nsIPresContext * 0x0313dec0, nsHTMLReflowMetrics & {...}, const nsSize & {...},
nsIRenderingContext & {...}) line 145
PresShell::ProcessReflowCommands(PresShell * const 0x03179610) line 1650
PresShell::ExitReflowLock(PresShell * const 0x03179610, int 0x00000001, int
0x00000001) line 709
PresShell::AttributeChanged(PresShell * const 0x03179618, nsIDocument *
0x03139050, nsIContent * 0x034bb060, int 0x00000000, nsIAtom * 0x0348c230, int
0xffffffff) line 2073
nsXULDocument::AttributeChanged(nsXULDocument * const 0x03139050, nsIContent *
0x034bb060, int 0x00000000, nsIAtom * 0x0348c230, int 0xffffffff) line 1256
nsXULElement::SetAttribute(nsXULElement * const 0x034bb060, int 0x00000000,
nsIAtom * 0x0348c230, const nsString & {...}, int 0x00000001) line 2151
nsXULElement::SetAttribute(nsXULElement * const 0x034bb070, const nsString &
{...}, const nsString & {...}) line 1008 + 35 bytes
ElementSetAttribute(JSContext * 0x0313b440, JSObject * 0x00dab1f8, unsigned int
0x00000002, long * 0x00de6e94, long * 0x0012e1fc) line 263 + 26 bytes
js_Invoke(JSContext * 0x0313b440, unsigned int 0x00000002, unsigned int
0x00000000) line 665 + 26 bytes
js_Interpret(JSContext * 0x0313b440, long * 0x0012ea6c) line 2226 + 15 bytes
js_Invoke(JSContext * 0x0313b440, unsigned int 0x00000000, unsigned int
0x00000000) line 681 + 13 bytes
js_Interpret(JSContext * 0x0313b440, long * 0x0012f298) line 2226 + 15 bytes
js_Invoke(JSContext * 0x0313b440, unsigned int 0x00000001, unsigned int
0x00000002) line 681 + 13 bytes
js_InternalCall(JSContext * 0x0313b440, JSObject * 0x00dab3d0, long 0x00dac0b8,
unsigned int 0x00000001, long * 0x0012f414, long * 0x0012f3bc) line 758 + 15
bytes
JS_CallFunction(JSContext * 0x0313b440, JSObject * 0x00dab3d0, JSFunction *
0x03568fd0, unsigned int 0x00000001, long * 0x0012f414, long * 0x0012f3bc) line
2722 + 32 bytes
nsJSContext::CallFunction(nsJSContext * const 0x0313a890, void * 0x00dab3d0,
void * 0x03568fd0, unsigned int 0x00000001, void * 0x0012f414, int * 0x0012f410)
line 468 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03569994) line 133 + 51 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x034dffe0,
nsIDOMEvent * 0x03569994, unsigned int 0x00000004) line 623 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x0313dec0, nsEvent *
0x0012f7e8, nsIDOMEvent * * 0x0012f764, unsigned int 0x00000007, nsEventStatus *
0x0012fac0) line 758 + 25 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x0313dec0, nsEvent *
0x0012f7e8, nsIDOMEvent * * 0x0012f764, unsigned int 0x00000001, nsEventStatus *
0x0012fac0) line 795
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x034de31c,
nsIPresContext * 0x0313dec0, nsEvent * 0x0012f7e8, nsIDOMEvent * * 0x00000000,
unsigned int 0x00000001, nsEventStatus * 0x0012fac0) line 626 + 31 bytes
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const
0x0350ef80, nsIPresContext * 0x0313dec0, nsMouseEvent * 0x0012fbb4,
nsEventStatus * 0x0012fac0) line 1363 + 42 bytes
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x0350ef80,
nsIPresContext * 0x0313dec0, nsGUIEvent * 0x0012fbb4, nsIFrame * 0x0350ea90,
nsEventStatus * 0x0012fac0, nsIView * 0x03179a30) line 629 + 24 bytes
PresShell::HandleEvent(PresShell * const 0x03179614, nsIView * 0x03179a30,
nsGUIEvent * 0x0012fbb4, nsEventStatus * 0x0012fac0) line 2458 + 43 bytes
nsView::HandleEvent(nsView * const 0x03179a30, nsGUIEvent * 0x0012fbb4, unsigned
int 0x0000001c, nsEventStatus * 0x0012fac0, int & 0x00000000) line 841
nsViewManager::DispatchEvent(nsViewManager * const 0x03179c00, nsGUIEvent *
0x0012fbb4, nsEventStatus * 0x0012fac0) line 1725
HandleEvent(nsGUIEvent * 0x0012fbb4) line 69
nsWindow::DispatchEvent(nsWindow * const 0x031798f4, nsGUIEvent * 0x0012fbb4,
nsEventStatus & nsEventStatus_eIgnore) line 438 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012fbb4) line 459
nsWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000) line
3482 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012d, nsPoint * 0x00000000)
line 3700
nsWindow::ProcessMessage(unsigned int 0x00000202, unsigned int 0x00000000, long
0x00d8004d, long * 0x0012fde0) line 2760 + 24 bytes
nsWindow::WindowProc(HWND__ * 0x014305b8, unsigned int 0x00000202, unsigned int
0x00000000, long 0x00d8004d) line 625 + 27 bytes
USER32! 77e71820()
00d8004d()
Summary: Crashing in delete in nsBoxFrame → [DOGFOOD]Crashing in delete in nsBoxFrame
Whiteboard: [PDT+]
Putting on PDT+ radar.
Do we have a target fix date for this bug?
Status: NEW → ASSIGNED
Whiteboard: [PDT+] → [PDT+] 12/03/1999
Target Milestone: M12
targeting m12
*** Bug 20237 has been marked as a duplicate of this bug. ***
Adding iqa to cc list
note to QA: pls verify the duplicate bug 20237 when this bug is fixed. Thanks.
OS: Windows NT → All
Marking platform to all.
adding myself to CC
I changed some of the tree XUL in AIM last night - we had a tree contained
directly within a box, which could have caused weird problems... can you try it
again with the new XUL?
Sure - I'll try it out
OS: All → Windows NT
I will try this too. Changing platform back to NT because in Linux and Mac, the
problem occurs after the login window comes up and when the signon button is
clicked. I am not too sure if it is the same problem. It crashes on Connecting
state. Investigating more.
I cannot repro this on windows anymore.
I still see this problem with a new build :-(
Never mind - I can still repro this.
*** Bug 19967 has been marked as a duplicate of this bug. ***
OS: Windows NT → All
although it doesn't match the subject, this is a stack trace from the same crash
on linux.

here's how to reproduce it:

remove ~/.mozilla
start up mozilla, create a new profile
enter in your screen name in the side bar area (NOTE, don't start up aim from
the tasks menu)
crash when you try to render the next panel.

notice how the tail of the stack is different.

#0  __pthread_mutex_lock (mutex=0x2040616) at mutex.c:82
#1  0x402f34f9 in __libc_free (mem=0x86d51d0) at malloc.c:2930
#2  0x407e5835 in XDestroyRegion ()
#3  0x40772dff in gdk_region_destroy ()
#4  0x40a32fe1 in nsRegionGTK::Union (this=0x85af660, aX=4, aY=286, aWidth=159,
aHeight=11) at
nsRegionGTK.cpp:135
#5  0x406063f1 in nsWindow::Invalidate (this=0x85af540, aRect=@0xbfffcb80,
aIsSynchronous=0) at
nsWindow.cpp:478
#6  0x411b49df in nsViewManager::UpdateView (this=0x85af2d0, aView=0x85af4d8,
aRect=@0xbfffcbbc,
aUpdateFlags=4) at nsViewManager.cpp:1471
#7  0x411b59be in nsViewManager::MoveViewTo (this=0x85af2d0, aView=0x8646c90,
aX=60, aY=4298) at
nsViewManager.cpp:1869
#8  0x40d2f809 in nsContainerFrame::PositionFrameView (aPresContext=0x855c4f8,
aKidFrame=0x8657b48, aView=0x8646c90) at nsContainerFrame.cpp:380
#9  0x40d2ff7c in nsContainerFrame::PositionChildViews (aPresContext=0x855c4f8,
aFrame=0x8656090)
at nsContainerFrame.cpp:664
#10 0x40f05afd in nsBoxFrame::PlaceChildren (this=0x864d5e8,
aPresContext=0x855c4f8,
boxRect=@0xbfffcd64) at nsBoxFrame.cpp:989
#11 0x40f04d87 in nsBoxFrame::Reflow (this=0x864d5e8, aPresContext=0x855c4f8,
aDesiredSize=@0xbfffcec8, aReflowState=@0xbfffce28, aStatus=@0xbfffd158) at
nsBoxFrame.cpp:593
#12 0x40d2fe35 in nsContainerFrame::ReflowChild (this=0x864c3c8,
aKidFrame=0x864d5e8,
aPresContext=0x855c4f8, aDesiredSize=@0xbfffcec8, aReflowState=@0xbfffce28,
aX=0, aY=0, aFlags=0,
aStatus=@0xbfffd158) at nsContainerFrame.cpp:605
#13 0x40d456ca in RootFrame::Reflow (this=0x864c3c8, aPresContext=0x855c4f8,
aDesiredSize=@0xbfffd018, aReflowState=@0xbfffcf70, aStatus=@0xbfffd158) at
nsHTMLFrame.cpp:328
#14 0x40d2fe35 in nsContainerFrame::ReflowChild (this=0x864c148,
aKidFrame=0x864c3c8,
aPresContext=0x855c4f8, aDesiredSize=@0xbfffd018, aReflowState=@0xbfffcf70,
aX=0, aY=0, aFlags=0,
aStatus=@0xbfffd158) at nsContainerFrame.cpp:605
#15 0x40d76dc5 in ViewportFrame::Reflow (this=0x864c148, aPresContext=0x855c4f8,
aDesiredSize=@0xbfffd1ac, aReflowState=@0xbfffd0b8, aStatus=@0xbfffd158) at
nsViewportFrame.cpp:526
#16 0x40d46ee7 in nsHTMLReflowCommand::Dispatch (this=0x869ce08,
aPresContext=0x855c4f8,
aDesiredSize=@0xbfffd1ac, aMaxSize=@0xbfffd190, aRendContext=@0x869ce40) at
nsHTMLReflowCommand.cpp:144
#17 0x40d626bd in PresShell::ProcessReflowCommands (this=0x85af8b0) at
nsPresShell.cpp:1649
#18 0x40d5f943 in PresShell::ExitReflowLock (this=0x85af8b0, aTryToReflow=1,
aDoSynchronousReflow=1) at nsPresShell.cpp:708
#19 0x40d63d1e in PresShell::AttributeChanged (this=0x85af8b0,
aDocument=0x841fe68,
aContent=0x8623040, aNameSpaceID=0, aAttribute=0x85a77d0, aHint=-1) at
nsPresShell.cpp:2072
#20 0x40979014 in nsXULDocument::AttributeChanged (this=0x841fe68,
aElement=0x8623040,
aNameSpaceID=0, aAttribute=0x85a77d0, aHint=-1) at nsXULDocument.cpp:1292
#21 0x40955c2c in nsXULElement::SetAttribute (this=0x8623040, aNameSpaceID=0,
aName=0x85a77d0,
aValue=@0xbfffd5b8, aNotify=1) at nsXULElement.cpp:2140
#22 0x40951750 in nsXULElement::SetAttribute (this=0x8623040, aName=@0xbfffd650,
aValue=@0xbfffd5b8) at nsXULElement.cpp:1008
#23 0x4043f2c0 in ElementSetAttribute (cx=0x855c780, obj=0x85b08e8, argc=2,
argv=0x85ad184,
rval=0xbfffd790) at nsJSElement.cpp:263
#24 0x4008732e in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#25 0x40095aa1 in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#26 0x4008738d in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#27 0x40095aa1 in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#28 0x4008738d in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#29 0x400876a8 in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#30 0x4005c4a8 in ?? () from /export/builds/ns/dist/bin/libmozjs.so
#31 0x4040fa29 in nsJSContext::CallFunction (this=0x85385c8, aObj=0x85b18a8,
aFunction=0x8698510,
argc=1, argv=0xbfffedb8, aBoolResult=0xbfffed04) at nsJSEnvironment.cpp:468
#32 0x4044a6ab in nsJSEventListener::HandleEvent (this=0x8635d20,
aEvent=0x8659f04) at
nsJSEventListener.cpp:133
#33 0x40d11d22 in nsEventListenerManager::HandleEventSubType (this=0x8635ce0,
aListenerStruct=0x8639810, aDOMEvent=0x8659f04, aSubType=4) at
nsEventListenerManager.cpp:623
#34 0x40d122ca in nsEventListenerManager::HandleEvent (this=0x8635ce0,
aPresContext=0x855c4f8,
aEvent=0xbffff1a8, aDOMEvent=0xbffff114, aFlags=7, aEventStatus=0xbffff57c) at
nsEventListenerManager.cpp:758
#35 0x40f53e7d in nsGenericElement::HandleDOMEvent (this=0x8635bf8,
aPresContext=0x855c4f8,
aEvent=0xbffff1a8, aDOMEvent=0xbffff114, aFlags=1, aEventStatus=0xbffff57c) at
nsGenericElement.cpp:790
#36 0x40db9f94 in nsHTMLInputElement::HandleDOMEvent (this=0x8635bd8,
aPresContext=0x855c4f8,
aEvent=0xbffff1a8, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbffff57c) at
nsHTMLInputElement.cpp:642
#37 0x40d18932 in nsEventStateManager::CheckForAndDispatchClick (this=0x8658a28,
aPresContext=0x855c4f8, aEvent=0xbffff680, aStatus=0xbffff57c) at
nsEventStateManager.cpp:1383
#38 0x40d167be in nsEventStateManager::PostHandleEvent (this=0x8658a28,
aPresContext=0x855c4f8,
aEvent=0xbffff680, aTargetFrame=0x8658e68, aStatus=0xbffff57c, aView=0x85af4d8)
at
nsEventStateManager.cpp:652
#39 0x40d64e85 in PresShell::HandleEvent (this=0x85af8b0, aView=0x85af4d8,
aEvent=0xbffff680,
aEventStatus=0xbffff57c) at nsPresShell.cpp:2458
#40 0x411a95a9 in nsView::HandleEvent (this=0x85af4d8, event=0xbffff680,
aEventFlags=28,
aStatus=0xbffff57c, aHandled=@0xbffff520) at nsView.cpp:840
#41 0x411b5283 in nsViewManager::DispatchEvent (this=0x85af2d0,
aEvent=0xbffff680,
aStatus=0xbffff57c) at nsViewManager.cpp:1676
#42 0x411a7674 in HandleEvent (aEvent=0xbffff680) at nsView.cpp:68
#43 0x4060188b in nsWidget::DispatchEvent (this=0x85af540, aEvent=0xbffff680,
aStatus=@0xbffff618) at nsWidget.cpp:1389
#44 0x406014bc in nsWidget::DispatchWindowEvent (this=0x85af540,
event=0xbffff680) at
nsWidget.cpp:1280
#45 0x40601945 in nsWidget::DispatchMouseEvent (this=0x85af540,
aEvent=@0xbffff680) at
nsWidget.cpp:1416
#46 0x40602edf in nsWidget::OnButtonReleaseSignal (this=0x85af540,
aGdkButtonEvent=0x810aa50) at
nsWidget.cpp:2058
#47 0x40606cd5 in nsWindow::HandleGDKEvent (this=0x85af540, event=0x810aa50) at
nsWindow.cpp:868
#48 0x405f4a3d in handle_gdk_event (event=0x810aa50, data=0x0) at
nsGtkEventHandler.cpp:886
#49 0x407670fb in gdk_event_dispatch ()
#50 0x40794a86 in ?? () from /usr/lib/libglib-1.2.so.0
#51 0x40795041 in ?? () from /usr/lib/libglib-1.2.so.0
#52 0x407951e1 in ?? () from /usr/lib/libglib-1.2.so.0
#53 0x406be7a9 in gtk_main ()
#54 0x405ea2a5 in nsAppShell::Run (this=0x80b4af0) at nsAppShell.cpp:404
#55 0x403af871 in ?? () from /export/builds/ns/dist/bin/libnsappshell.so
#56 0x804bfed in main1 (argc=1, argv=0xbffff9f4) at nsAppRunner.cpp:608
#57 0x804c2b9 in main (argc=1, argv=0xbffff9f4) at nsAppRunner.cpp:659
#58 0x402b2cb3 in __libc_start_main (main=0x804c128 <main>, argc=1,
argv=0xbffff9f4,
init=0x804a248 <_init>, fini=0x80507d8 <_fini>, rtld_fini=0x4000a350,
stack_end=0xbffff9ec) at
../sysdeps/generic/libc-start.c:78
This does not happen in the debug build. Will try with commercial.
I see it in the debug build.

the key is to start with a new profile.
This looks fixed.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Verified on Windows NT and linux. Waiting for Mac.
Status: RESOLVED → VERIFIED
VERIFIED fixed for 1999120208 builds.