Closed Bug 218556 Opened 21 years ago Closed 18 years ago

Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()] designmode/midas

Categories

(Core :: DOM: Editor, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: ali, Unassigned)

References

()

Details

(4 keywords, Whiteboard: patch)

Crash Data

Attachments

(5 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030903 Firebird/0.6.1+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030906 When I type in www.inreview.com into the URL bar, and hit enter, it loads the page. After the page is completely loaded, it crashes. Reproducible: Always Steps to Reproduce: 1. Type "www.inreview.com" in the URL bar. 2. Press enter and watch page fully load. 3. Watch Mozilla crash. Actual Results: Mozilla crashes with an error in xpcom.dll . Expected Results: After loading the page, it should not crash. Rather I should be able to browse the page. :) This problem occurs with Mozilla, as well as well as with Firebird (using 2003-09-06 nightlies for both). Some people have reported other weird behaviour other than crashing with this site. For one person, it worked fine. For some others, it didn't crash, but sort of sent the browser into a state of limbo where you could resize the window and such, but not browse unless you closed and reopened Mozilla. I believe this is an XPCOM problem because it is saying that there is a problem in xpcom.dll, though I'm not really a developer so I could be wrong about this. The "Error signature" it gives me is as follows: AppName: mozilla.exe AppVer: 1.5.20030.25068 ModName: xpcom.dll ModVer: 1.5.20030.25068 Offset: 00041169 Related links: http://forums.mozillazine.org/viewtopic.php?t=23006&start=60 http://forums.mozillazine.org/viewtopic.php?t=23589&start=10
I should also note that this bug isn't a recent regression. Some people have reported (see links above to the MZ forums) seeing it on Mozilla 1.4 and Firebird 0.6.1 (based on Mozilla 1.5a). I have not tried reproducing it on older builds myself, though.
Same problem here . just uploaded TB23397708G guenter
Same crash on Mac OS X 10.2.6 (build 2003090303), so All/All See Talkback TB23397802H
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Same problem here.\ Crash just after finish "downloading" the page. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030903 Firebird/0.6.1+
The page is in edit mode.
Assignee: dougt → mozeditor
Component: XPCOM → Editor: Core
QA Contact: scc → sairuh
The cause of the crash seems to be this JS function: function ShowAds() { parent.frames['ad468x60'].document.designMode = "on"; parent.frames['ad468x60'].document.open("text/html", "replace"); parent.frames['ad468x60'].document.write('<SCRIPT LANGUAGE=JavaScript SRC=http:\/\/servedby.advertising.com\/site=202196\/size=468060\/bnum=59660882\/optn=1><\/SCRIPT> <NOSCRIPT><A HREF=http:\/\/servedby.advertising.com\/click\/site=202196\/bnum=59660882 TARGET=_blank><IMG SRC=http:\/\/servedby.advertising.com\/site=202196\/size=468060\/bnum=59660882\/bins=1\/rich=0 WIDTH=468 HEIGHT=60 BORDER=0><\/A><\/NOSCRIPT> '); parent.frames['ad468x60'].document.close(); parent.frames['ad468x60'].document.designMode = "off"; parent.frames['ad120x600'].document.designMode = "on"; parent.frames['ad120x600'].document.open("text/html", "replace"); parent.frames['ad120x600'].document.write('<SCRIPT LANGUAGE=JavaScript SRC=http:\/\/servedby.advertising.com\/site=202195\/size=120600\/bnum=65697765\/optn=1><\/SCRIPT> <NOSCRIPT><A HREF=http:\/\/servedby.advertising.com\/click\/site=202195\/bnum=65697765 TARGET=_blank><IMG SRC=http:\/\/servedby.advertising.com\/site=202195\/size=120600\/bnum=65697765\/bins=1\/rich=0 WIDTH=120 HEIGHT=600 BORDER=0><\/A><\/NOSCRIPT> '); parent.frames['ad120x600'].document.close(); parent.frames['ad120x600'].document.designMode = "off"; }
Attached file Testcase
Keywords: testcase
Strange. do_QueryInterface appears to be crashing. nsCOMPtr<nsIEditor> editor = do_QueryInterface(aCommandRefCon); in nsCutCommand::IsCommandEnabled Which implies that the aCommandRefCon is bad...
1.4.1 RC is crashing on testcase.
Keywords: topcrash
Summary: Crash immediately after finishing rendering www.inreview.com → Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()]
Attached file Win2K stacktraces
>Mozilla 1.3.1 >This is WaMCom - the Web and Mail Communicator, a modified version of Mozilla, >based on the version of Mozilla shown above. >Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.3.1) Gecko/20030614 Did not crash on test case. I clicked on background as instructed. Still no crash. I clicked on the Inreview window, got taken to a page on the inreview site--still no crash. I wrote in www.inreview.com into the address bar--WHAMO! "Caused an error in xpicom.dll and will be shut down." Talkback #23546846Z
brade: do we have another component for this? do you want to own it?
-->brade
Assignee: mozeditor → brade
Flags: blocking1.6a?
Flags: blocking1.5?
Flags: blocking1.5?
I made the object resizer hold weakptrs to the editor. This fixes the crash. a research problem for Simon of kathy or whoever is to determine if we should be getting resizer timer firings for stale editors. Note that this bug doesnt fix the other problem of visiting designmode pages leaving you perpetually in design mode when visiting other pages in same window. There is already an open bug on that somewhere.
Attachment #132655 - Flags: review?(brade)
assigning back to me at brade's request. brade, can you r=?
Assignee: brade → mozeditor
Whiteboard: patch
I'd like Daniel to do the review or at least comment on the patch. He and I did discuss the editor in the resize code at some point.
Kathy, Joe: yes the patch is fine and is most certainly the right answer to the problem reported. Thanks. r=daniel@glazman.org but I leave Kathy put her own r= through the attachment manager.
Comment on attachment 132655 [details] [diff] [review] patch to nsHTMLObjectResizer.{h,cpp} r=brade
Attachment #132655 - Flags: review?(brade) → review+
Whiteboard: patch → patch, need sr
Attachment #132655 - Flags: superreview?
Attachment #132655 - Flags: superreview? → superreview+
The fix for this landed at 10/09/2003 15:08. Joe, did you mean to leave this open for additional fixes?
fix checked in yesterday
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
This seems to be fixed in Seamonkey, but in my compile of Firebird which I pulled this morning, it's still broken (appears to be same crash as before). Do we need to switch to a different component?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Moving over to Firebird. The site now works in: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031011 but is still broken in: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031011 Firebird/0.7+ (aebrahim)
Component: Editor: Core → General
Product: Browser → Firebird
Version: Trunk → unspecified
I suspect the original patch doesn't totally fix this bug. The problem I see that causes a crash is that the nsBaseCommandController's mCommandContext is dangling (it's not a strong ref). So, when we try to QI it, from nsCutCommand::IsCommandEnabled(), it crashes. Is this because of the ordering of editor->Init() and SetEditorOnControllers() in nsEditingSession::SetupEditorOnWindow()? Calling Init() is taking us into code that needs to use the command context, which isn't set yet.
Moving back to Browser | Editor: Core as per bryner's comments.
Component: General → Editor: Core
Product: Firebird → Browser
Version: unspecified → Trunk
Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.6a) Gecko/20031020 Firebird/0.7+ (aebrahim) Crashes when attempting to load http://www.avast.com
Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.6a) Gecko/20031024 Firebird/0.7+ works with www.avast.com
crash on testcase, TalkbackID: TB24791067H www.avast.com working Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6a) Gecko/20031024
With no developer activity and 1.6a coming to a close, it doesn't look like this is gonna make it.
Flags: blocking1.6a? → blocking1.6a-
Weird thing: with the latest Mozilla trunk nightly, when I try the testcase, it doesn't crash immediately. If I press back enough to get back to this bugreport, and then press on stuff in the top part of the bugreport, for example the attachment table, it puts me into some edit mode that I've not seen before where I can hide rows/columns of the tables, and move stuff around. Also, the testcase still occasionally crashes the browser as well if I play around with it enough and come back to this page and mess around with stuff.
Flags: blocking1.6b?
Ali: What you're seeing is bug 215686, Can't disable designmode. This is what Joe was referencing comment 16. inreview.com turns on designMode (for some reason) which enables the behavior you saw, then tries to turn it off, which Moz does not currently support.
Flags: blocking1.6b? → blocking1.6b-
Depends on: 215686
WFM using Mozilla 1.6 Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.6) Gecko/20040113 and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616 Firefox/0.9 (MOOX-AV), it seems www.inreview.com fixed the problem with the site code. You can close this bug.
(In reply to comment #33) > it seems www.inreview.com fixed the problem with the site code. ...but the problem on the Mozilla end still exists. I just tried the attached testcase, and it still crashes for me. Until the crash is fixed, the bug stays open. (A bug summary change wouldn't hurt, tho.)
Same thing for mozilla 1.7.x 20041025 nightly build on Windows ME: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB1543722G
bryner's analysis in comment 25 is spot on. We still crash on both Firefox and Seamonkey builds, with the same stack as in https://bugzilla.mozilla.org/attachment.cgi?id=131334&action=view
Summary: Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()] → Crash immediately after finishing rendering www.inreview.com [@ nsQueryInterface::operator()] designmode/midas
Is this still an issue? I don't crash with the url nor with the testcase with a 20050324 trunk build.
The bug is still reproducible with the testcase. Reproduced with: - Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.6) Gecko/20040114 - Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.7.7) Gecko/20050414 - Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.8b) Gecko/20050217 - Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 all under Suse Linux 9.1 with KDE. I have filed a talkback-entry (Incident-ID TB5394397K), which is also reproducible with the following steps: - open the URL: http://www.fckeditor.net/demo/default.html - press the button "Source" twice (I assume it toggles the document.designMode) - browser crashes I hope this helps to fix this nasty bug. Regards, Arne Jans (arne.jans@quinscape.de)
The fckeditor crash is bug 291183, so that's a different bug. Arne Jans, could you try a latest nightly build? http://ftp.uni-erlangen.de/pub/mozilla.org/firefox/nightly/latest-trunk/ If it is still crashing with the attached testcase in this bug, could you give a Talkback ID for that crash? There were some changes in designMode code between 2005-02-17 and now, if I remember correctly.
wfm with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050427 Firefox/1.0+
WFM - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050711 Firefox/1.0+
Arne and Stephen Donner are last two to report crash. Everything since is WFM. http://www.inreview.com - no crash testcase attachment 131028 [details] - no crash comment 39 http://www.fckeditor.net/demo/default.html I don't see a source button on the page FF 1.5.0.4 and trunk, windows 2000
Whiteboard: patch, need sr → patch
donner, does this crash for you? dup of bug 285972?
Assignee: mozeditor → nobody
Status: REOPENED → NEW
QA Contact: bugzilla
(In reply to comment #44) > donner, does this crash for you? > dup of bug 285972? Nope, I haven't seen this any longer. I meant to mark that; go ahead and do so, please?
I'm going to say FIXED, since we did have a patch which landed at one point.
Status: NEW → RESOLVED
Closed: 21 years ago18 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsQueryInterface::operator()]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: