Closed Bug 218556 Opened 21 years ago Closed 18 years ago

Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()] designmode/midas

Categories

(Core :: DOM: Editor, defect)

Product:
Core
Component:
DOM: Editor
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: ali, Unassigned)

References

(
URL
)

Details

(4 keywords, Whiteboard: patch)

Crash Data

Attachments

(5 files)

Mac OS X 10.2.6 stacktrace for TB23397802H
11.46 KB, text/plain
Details
GDB stack trace on Linux
7.04 KB, text/plain
Details
Testcase
1.27 KB, text/html
Details
Win2K stacktraces
12.81 KB, text/plain
Details
patch to nsHTMLObjectResizer.{h,cpp}
5.17 KB, patch
Brade
: review+
peterv
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030903 Firebird/0.6.1+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030906

When I type in www.inreview.com into the URL bar, and hit enter, it loads the
page. After the page is completely loaded, it crashes.

Reproducible: Always

Steps to Reproduce:
1. Type "www.inreview.com" in the URL bar.
2. Press enter and watch page fully load.
3. Watch Mozilla crash.

Actual Results:  
Mozilla crashes with an error in xpcom.dll .

Expected Results:  
After loading the page, it should not crash. Rather I should be able to browse
the page. :)

This problem occurs with Mozilla, as well as well as with Firebird (using
2003-09-06 nightlies for both).

Some people have reported other weird behaviour other than crashing with this
site. For one person, it worked fine. For some others, it didn't crash, but sort
of sent the browser into a state of limbo where you could resize the window and
such, but not browse unless you closed and reopened Mozilla.

I believe this is an XPCOM problem because it is saying that there is a problem
in xpcom.dll, though I'm not really a developer so I could be wrong about this.

The "Error signature" it gives me is as follows:

AppName: mozilla.exe	 AppVer: 1.5.20030.25068	 ModName: xpcom.dll
ModVer: 1.5.20030.25068	 Offset: 00041169

Related links:
http://forums.mozillazine.org/viewtopic.php?t=23006&start=60
http://forums.mozillazine.org/viewtopic.php?t=23589&start=10
I should also note that this bug isn't a recent regression. Some people have
reported (see links above to the MZ forums) seeing it on Mozilla 1.4 and
Firebird 0.6.1 (based on Mozilla 1.5a). I have not tried reproducing it on older
builds myself, though.
Same problem here .
just uploaded TB23397708G

guenter
Same crash on Mac OS X 10.2.6 (build 2003090303), so All/All
See Talkback TB23397802H
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Same problem here.\
Crash just after finish "downloading" the page.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030903
Firebird/0.6.1+
The page is in edit mode.
Assignee: dougt → mozeditor
Component: XPCOM → Editor: Core
QA Contact: scc → sairuh
The cause of the crash seems to be this JS function:

function ShowAds() {
  parent.frames['ad468x60'].document.designMode = "on";
  parent.frames['ad468x60'].document.open("text/html", "replace");
  parent.frames['ad468x60'].document.write('<SCRIPT LANGUAGE=JavaScript
SRC=http:\/\/servedby.advertising.com\/site=202196\/size=468060\/bnum=59660882\/optn=1><\/SCRIPT>
<NOSCRIPT><A
HREF=http:\/\/servedby.advertising.com\/click\/site=202196\/bnum=59660882
TARGET=_blank><IMG
SRC=http:\/\/servedby.advertising.com\/site=202196\/size=468060\/bnum=59660882\/bins=1\/rich=0
WIDTH=468 HEIGHT=60 BORDER=0><\/A><\/NOSCRIPT> ');
  parent.frames['ad468x60'].document.close();
  parent.frames['ad468x60'].document.designMode = "off";
  parent.frames['ad120x600'].document.designMode = "on";
  parent.frames['ad120x600'].document.open("text/html", "replace");
  parent.frames['ad120x600'].document.write('<SCRIPT LANGUAGE=JavaScript
SRC=http:\/\/servedby.advertising.com\/site=202195\/size=120600\/bnum=65697765\/optn=1><\/SCRIPT>
<NOSCRIPT><A
HREF=http:\/\/servedby.advertising.com\/click\/site=202195\/bnum=65697765
TARGET=_blank><IMG
SRC=http:\/\/servedby.advertising.com\/site=202195\/size=120600\/bnum=65697765\/bins=1\/rich=0
WIDTH=120 HEIGHT=600 BORDER=0><\/A><\/NOSCRIPT> ');
  parent.frames['ad120x600'].document.close();
  parent.frames['ad120x600'].document.designMode = "off";
}
Attached file Testcase 
Keywords: testcase

    
    

    
  
Strange. do_QueryInterface appears to be crashing.

nsCOMPtr<nsIEditor> editor = do_QueryInterface(aCommandRefCon);

in

nsCutCommand::IsCommandEnabled

Which implies that the aCommandRefCon is bad...

    
    

    
  
1.4.1 RC is crashing on testcase.

    
  
Keywords: topcrash
Summary: Crash immediately after finishing rendering www.inreview.com → Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()]

    
    

    
  

      
      
      
      

        Attached file
          
        Win2K stacktraces
      

    


  

    
    

    
  
>Mozilla 1.3.1
>This is WaMCom - the Web and Mail Communicator, a modified version of Mozilla,
>based on the version of Mozilla shown above.
>Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.3.1) Gecko/20030614

Did not crash on test case.  I clicked on background as instructed.  Still no
crash.  I clicked on the Inreview window, got taken to a page on the inreview
site--still no crash.  I wrote in www.inreview.com into the address bar--WHAMO!

"Caused an error in xpicom.dll and will be shut down."

Talkback #23546846Z

    
    

    
  
brade: do we have another component for this?  do you want to own it?

    
    

    
  
-->brade
Assignee: mozeditor → brade

    
  
Flags: blocking1.6a?
Flags: blocking1.5?

    
  
Flags: blocking1.5?

    
    

    
  


  
I made the object resizer hold weakptrs to the editor.	This fixes the crash. 
a research problem for Simon of kathy or whoever is to determine if we should
be getting resizer timer firings for stale editors.  

Note that this bug doesnt fix the other problem of visiting designmode pages
leaving you perpetually in design mode when visiting other pages in same
window.  There is already an open bug on that somewhere.

    
  

        Attachment #132655 -
        Flags: review?(brade)

    
    

    
  
assigning back to me at brade's request.  brade, can you r=?
Assignee: brade → mozeditor
Whiteboard: patch

    
    

    
  
I'd like Daniel to do the review or at least comment on the patch.  He and I did
discuss the editor in the resize code at some point.

    
    

    
  
Kathy, Joe: yes the patch is fine and is most certainly the right answer to
the problem reported. Thanks. r=daniel@glazman.org but I leave Kathy put her
own r= through the attachment manager.

    
    

    
  
Comment on attachment 132655 [details] [diff] [review]
patch to nsHTMLObjectResizer.{h,cpp}

r=brade

        Attachment #132655 -
        Flags: review?(brade) → review+

    
  
Whiteboard: patch → patch, need sr

    
  

        Attachment #132655 -
        Flags: superreview?

        Attachment #132655 -
        Flags: superreview? → superreview+

    
    

    
  
The fix for this landed at 10/09/2003 15:08.

Joe, did you mean to leave this open for additional fixes?

    
    

    
  
fix checked in yesterday
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
    

    
  
This seems to be fixed in Seamonkey, but in my compile of Firebird which I
pulled this morning, it's still broken (appears to be same crash as before). Do
we need to switch to a different component?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Moving over to Firebird. The site now works in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031011
but is still broken in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031011
Firebird/0.7+ (aebrahim)
Component: Editor: Core → General
Product: Browser → Firebird
Version: Trunk → unspecified

    
    

    
  
I suspect the original patch doesn't totally fix this bug.  The problem I see
that causes a crash is that the nsBaseCommandController's mCommandContext is
dangling (it's not a strong ref).  So, when we try to QI it, from
nsCutCommand::IsCommandEnabled(), it crashes.

Is this because of the ordering of editor->Init() and SetEditorOnControllers()
in nsEditingSession::SetupEditorOnWindow()?  Calling Init() is taking us into
code that needs to use the command context, which isn't set yet.


    
    

    
  
Moving back to Browser | Editor: Core as per bryner's comments.
Component: General → Editor: Core
Product: Firebird → Browser
Version: unspecified → Trunk

    
    

    
  
Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.6a) Gecko/20031020
Firebird/0.7+ (aebrahim)

Crashes when attempting to load  http://www.avast.com

    
    

    
  
Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.6a) Gecko/20031024 Firebird/0.7+

works with www.avast.com

    
    

    
  
crash on testcase, TalkbackID: TB24791067H
www.avast.com working
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031024

    
    

    
  
With no developer activity and 1.6a coming to a close, it doesn't look like this
is gonna make it. 
Flags: blocking1.6a? → blocking1.6a-

    
    

    
  
Weird thing: with the latest Mozilla trunk nightly, when I try the testcase, it
doesn't crash immediately. If I press back enough to get back to this bugreport,
and then press on stuff in the top part of the bugreport, for example the
attachment table, it puts me into some edit mode that I've not seen before where
I can hide rows/columns of the tables, and move stuff around.

Also, the testcase still occasionally crashes the browser as well if I play
around with it enough and come back to this page and mess around with stuff.
Flags: blocking1.6b?

    
    

    
  
Ali: What you're seeing is bug 215686, Can't disable designmode. This is what
Joe was referencing comment 16. inreview.com turns on designMode (for some
reason) which enables the behavior you saw, then tries to turn it off, which Moz
does not currently support.

    
  
Flags: blocking1.6b? → blocking1.6b-

    
  
Depends on: 215686

    
    

    
  
WFM using Mozilla 1.6 Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.6)
Gecko/20040113 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040616 Firefox/0.9 (MOOX-AV), it seems www.inreview.com fixed the
problem with the site code. You can close this bug.

    
    

    
  
(In reply to comment #33)
> it seems www.inreview.com fixed the problem with the site code.

...but the problem on the Mozilla end still exists.  I just tried the attached
testcase, and it still crashes for me.  Until the crash is fixed, the bug stays
open.  (A bug summary change wouldn't hurt, tho.)

    
    

    
  
Same thing for mozilla 1.7.x 20041025 nightly build on Windows ME:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1543722G

    
    

    
  
bryner's analysis in comment 25 is spot on.

We still crash on both Firefox and Seamonkey builds, with the same stack as in
https://bugzilla.mozilla.org/attachment.cgi?id=131334&action=view
Summary: Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()] → Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()] designmode/midas

    
    

    
  
Is this still an issue? I don't crash with the url nor with the testcase with a
20050324 trunk build.

    
    

    
  
The bug is still reproducible with the testcase.
Reproduced with:
- Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.6) Gecko/20040114
- Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.7) Gecko/20050414
- Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.8b) Gecko/20050217
- Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

all under Suse Linux 9.1 with KDE.

I have filed a talkback-entry (Incident-ID TB5394397K), which is also
reproducible with the following steps:
- open the URL: http://www.fckeditor.net/demo/default.html
- press the button "Source" twice (I assume it toggles the document.designMode)
- browser crashes

I hope this helps to fix this nasty bug.

Regards,

Arne Jans (arne.jans@quinscape.de)

    
    

    
  
The fckeditor crash is bug 291183, so that's a different bug.
Arne Jans, could you try a latest nightly build?
http://ftp.uni-erlangen.de/pub/mozilla.org/firefox/nightly/latest-trunk/
If it is still crashing with the attached testcase in this bug, could you give a
Talkback ID for that crash?
There were some changes in designMode code between 2005-02-17 and now, if I
remember correctly.

    
    

    
  
wfm with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050427
Firefox/1.0+ 

    
    

    
  
WFM - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050711
Firefox/1.0+

    
    

    
  
Arne and  Stephen Donner are last two to report crash.  Everything since is WFM.

http://www.inreview.com - no crash
testcase attachment 131028 [details] - no crash
comment 39 http://www.fckeditor.net/demo/default.html I don't see a source button on the page

FF 1.5.0.4 and trunk, windows 2000
Whiteboard: patch, need sr → patch

    
    

    
  
donner, does this crash for you?
dup of bug 285972?
Assignee: mozeditor → nobody
Status: REOPENED → NEW
QA Contact: bugzilla

    
    

    
  
(In reply to comment #44)
> donner, does this crash for you?
> dup of bug 285972?

Nope, I haven't seen this any longer.  I meant to mark that; go ahead and do so, please?

    
    

    
  
I'm going to say FIXED, since we did have a patch which landed at one point.
Status: NEW → RESOLVED
Closed: 21 years ago18 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsQueryInterface::operator()]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: