Closed Bug 23781 Opened 25 years ago Closed 25 years ago

Linux: bloaty crashes in layout; test 2 + test 8 -> crash

Categories

(Core :: Layout, defect, P3)

Sun
Solaris
defect

VERIFIED FIXED

People

(Reporter: mcafee, Assigned: nisheeth_mozilla)

Linux.
bloaty test is down, bloaty runs this:

  http://www.mozilla.org
  res:///res/samples/test2.html
  res:///res/samples/test8.html

I tracked it to the combination of "visit test 2, then
visit test 8".  stack:

#0  0x412628a1 in nsFrameImageLoader::DamageRepairFrames (this=0x85a3d38,
    aDamageRect=0xbfffeec8) at nsFrameImageLoader.cpp:558
#1  0x412624ca in nsFrameImageLoader::Notify (this=0x85a3d38,
    aImageRequest=0x85a3f28, aImage=0x857c148,
    aNotificationType=nsImageNotification_kPixmapUpdate, aParam1=0,
    aParam2=0, aParam3=0xbfffef0c) at nsFrameImageLoader.cpp:419
#2  0x4002f78e in ns_observer_proc (aSource=0x85a3f70, aMsg=4,
    aMsgData=0xbfffef90, aClosure=0x85a3f28) at nsImageRequest.cpp:95
#3  0x40040e4e in XP_NotifyObservers (inObserverList=0x83a2208, inMessage=4,
    ioData=0xbfffef90) at obs.c:259
#4  0x40036ceb in il_pixmap_update_notify (ic=0x856ee30) at if.cpp:307
#5  0x4003ee32 in il_flush_image_data (ic=0x856ee30) at scale.cpp:215
#6  0x400368d7 in ImgDCallbk::ImgDCBFlushImage (this=0x856f040) at if.cpp:162
#7  0x41575087 in il_gif_write (ic=0x856ee30, buf=0x41576848 "", len=0)
    at gif.cpp:1487
#8  0x41572ec0 in process_buffered_gif_input_data (gs=0x854d468)
    at gif.cpp:669
#9  0x4157300b in gif_delay_time_callback (closure=0x856ee30) at gif.cpp:713
#10 0x4003044c in timer_callback (aTimer=0x851ae30, aClosure=0x82f3b88)
    at nsImageSystemServices.cpp:71
#11 0x40711105 in nsTimerGtk::FireTimeout (this=0x851ae30)
    at nsTimerGtk.cpp:35
#12 0x40711516 in nsTimerExpired (aCallData=0x851ae30) at nsTimerGtk.cpp:154
#13 0x408748a4 in g_timeout_dispatch ()
#14 0x40873a86 in g_main_dispatch ()
#15 0x40874041 in g_main_iterate ()
#16 0x408741e1 in g_main_run ()
#17 0x407a07a9 in gtk_main ()
#18 0x406c0a87 in nsAppShell::Run (this=0x80b0ad0) at nsAppShell.cpp:304
#19 0x4058f1dd in nsAppShellService::Run (this=0x80acdf0)
    at nsAppShellService.cpp:465
#20 0x804bf3d in main1 (argc=3, argv=0xbffff424) at nsAppRunner.cpp:622
#21 0x804c3c7 in main (argc=3, argv=0xbffff424) at nsAppRunner.cpp:710
#22 0x402dfcb3 in __libc_start_main (main=0x804c1ac <main>, argc=3,
    argv=0xbffff424, init=0x804a1f8 <_init>, fini=0x8050ce8 <_fini>,
    rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffff41c)
    at ../sysdeps/generic/libc-start.c:78

waterson can reproduce this on WinNT, test 2 + test 8.

*** Bug 23865 has been marked as a duplicate of this bug. ***

Status: NEW → ASSIGNED
Target Milestone: M13

I have a fix for this.  nsImageFrame::UpdateImage wasn't releasing its reference
to the pres shell.  I'll check in the fix as soon as the tree opens.

Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED

Just checked in the fix.

Yes, this looks fixed.

Status: RESOLVED → VERIFIED

Marking verified fixed per last comments.