Closed Bug 206021 Opened 21 years ago Closed 19 years ago

[FIX] Crash on quit [@ nsImageMap::FreeAreas]

Categories

(Core :: Layout, defect)

defect
Not set
critical

VERIFIED FIXED

People

(Reporter: bc, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase)

Attachments

(6 files, 1 obsolete file)

Found a script in npd.dom which seems like it should work but actually crashes.
The script dynamically adds/removes children of a MAP. This seems related to the
fix for bug 49122.

Steps to reproduce:

1. load test case
2. click around in the map
3. exit browser
4. crash

Talkback: 20164875

Looks like

nsImageMap::FreeAreas()
{
  nsCOMPtr<nsIFrameManager> frameManager;
  *here*=> mPresShell->GetFrameManager(getter_AddRefs(frameManager));


Reproducible Everytime

Build 2003051608 on Win2k
Attached file Crash TestCase
Severity: normal → critical
Keywords: crash, testcase
Summary: Crash - nsImageMap::FreeAreas → Crash [@ nsImageMap::FreeAreas]
Reproduced using FizzillaMach/2003-05-16-08-trunk, generating TB262612Q. Setting
All/All.
OS: Windows 2000 → All
Hardware: PC → All
Summary: Crash [@ nsImageMap::FreeAreas] → Crash on quit [@ nsImageMap::FreeAreas]
Attached file Crash data
We crash in |nsImageMap::FreeAreas| using a null |frameManager|.
The real problem is that it is called from |nsImageMap::~nsImageMap| which
is too late since the owning frame |mImageFrame| is destroyed by that time and
thus we can't use the weak pointers (nsImageMap::mPresShell etc).

Taking, patch coming up...
Assignee: waterson → mats.palmgren
Summary: Crash on quit [@ nsImageMap::FreeAreas] → [FIX] Crash on quit [@ nsImageMap::FreeAreas]
Attached patch Patch rev. 1 (obsolete) — Splinter Review
Move the |SetPrimaryFrameFor| and |RemoveObserver| calls from the destructor
to |nsImageMap::Destroy|.
Attachment #137353 - Flags: review?(dbaron)
Comment on attachment 137353 [details] [diff] [review]
Patch rev. 1

Wouldn't it be easier to just NS_ASSERTION(mAreas.Count() == 0, "..."); in
~nsImageMap and skip the extra parameter to FreeAreas?
Attachment #137353 - Flags: review?(dbaron) → review-
Attached file Testcase #2
I suspect this is the same bug...
Mats, any chance of an updated patch here?  (Did my comment not make sense?)
Attached patch patch rev. 2 — Splinter Review
This is what I was thinking of.  I can't reproduce the crash, though, so I
can't tell if this really fixes it.
Attachment #137353 - Attachment is obsolete: true
Attachment #178653 - Flags: review?(mats.palmgren)
Comment on attachment 178653 [details] [diff] [review]
patch rev. 2

I can still reproduce the crashes (both testcases) in a
Linux debug build and this patch (also) fixes them.
r=mats

How about that assertion in ~nsImageMap() ? (comment 7)
Attachment #178653 - Flags: review?(mats.palmgren) → review+
Comment on attachment 178653 [details] [diff] [review]
patch rev. 2

ok, assertion added (with text "Destroy was not called")
Attachment #178653 - Flags: superreview?(roc)
Attachment #178653 - Flags: superreview?(roc) → superreview+
Fix checked in to trunk, 2005-03-28 15:03 -0800.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED using build 2005-04-18-05, Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsImageMap::FreeAreas]
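
The lifetime pattern the fix in this bug relies on, as an added example that is not code from the bug's patches or from Gecko: cleanup that needs the weak pres-shell pointer runs in Destroy(), called by the owning frame, and the destructor only asserts. FrameManager, PresShell, ImageMap, ImageFrame and the extra reference that keeps the map alive past its frame are simplified, hypothetical stand-ins.

```cpp
#include <cassert>
#include <memory>
#include <vector>

struct FrameManager {                    // hypothetical stand-in, not a Gecko type
    int cleared = 0;
    void ClearPrimaryFrameFor(int /*areaId*/) { ++cleared; }
};
struct PresShell { FrameManager fm; };

class ImageMap {
public:
    explicit ImageMap(PresShell* shell) : mPresShell(shell) {}
    // May run long after the owning frame died: touch no weak pointers here.
    ~ImageMap() { assert(mAreas.empty() && "Destroy was not called"); }
    void AddArea(int id) { mAreas.push_back(id); }
    // Called by the owning frame while mPresShell is still valid.
    void Destroy() {
        for (int id : mAreas) mPresShell->fm.ClearPrimaryFrameFor(id);
        mAreas.clear();
        mPresShell = nullptr;
    }
    bool HasAreas() const { return !mAreas.empty(); }
private:
    PresShell* mPresShell;               // weak, owned elsewhere
    std::vector<int> mAreas;
};

struct ImageFrame {                      // owner of the map
    std::shared_ptr<ImageMap> map;
    explicit ImageFrame(PresShell* s) : map(std::make_shared<ImageMap>(s)) {}
    ~ImageFrame() { map->Destroy(); }    // cleanup happens at frame teardown
};

// Returns the cleanups done before the shell died, or -1 if areas were left over.
int run_teardown() {
    auto shell = std::make_unique<PresShell>();
    std::shared_ptr<ImageMap> extraRef;  // assumed second holder, e.g. an observer list
    {
        ImageFrame frame(shell.get());
        frame.map->AddArea(1); frame.map->AddArea(2);
        extraRef = frame.map;
    }                                    // frame gone, Destroy() already ran
    int cleared = shell->fm.cleared;
    shell.reset();                       // pres shell gone
    bool empty = !extraRef->HasAreas();
    extraRef.reset();                    // destructor runs last and only asserts
    return empty ? cleared : -1;
}
int main() { return run_teardown() == 2 ? 0 : 1; }
```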