Closed Bug 239964 Opened 21 years ago Closed 15 years ago

Crash/Hang - nsIView::CreateWidget called with null nsNativeWidget

Categories

(Core :: Web Painting, defect)

Product:
Core
Component:
Web Painting
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: roc)

References

(
URL
)

Details

(Keywords: crash, top100)

While testing MSN properties, crashed when loading MSNBC from MSN. On visiting MSNBC directly, debug trunk winxp build hangs. Looks like DocumentViewerImpl::MakeWindow calls nsIView::CreateWidget with a null widget. Stack: NTDLL! 77f75a58() nsWindow::Create(nsWindow * const 0x06de6f84, nsIWidget * 0x00000000, const nsRect & {...}, nsEventStatus (nsGUIEvent *)* 0x012c42a0 HandleEvent(nsGUIEvent *), nsIDeviceContext * 0x0659e520, nsIAppShell * 0x00000000, nsIToolkit * 0x00000000, nsWidgetInitData * 0x0012f004) line 1593 nsIView::CreateWidget(const nsID & {...}, nsWidgetInitData * 0x0012f004, void * 0x00000000, int 1, int 0, nsContentType eContentTypeContent) line 604 DocumentViewerImpl::MakeWindow(nsIWidget * 0x0651437c, const nsRect & {...}) line 1945 + 70 bytes DocumentViewerImpl::InitInternal(nsIWidget * 0x0651437c, nsIDeviceContext * 0x0659e520, const nsRect & {...}, int 1, int 0) line 835 + 16 bytes DocumentViewerImpl::Init(DocumentViewerImpl * const 0x06921330, nsIWidget * 0x0651437c, nsIDeviceContext * 0x0659e520, const nsRect & {...}) line 639 nsDocShell::SetupNewViewer(nsDocShell * const 0x0632c808, nsIContentViewer * 0x06921330) line 4809 + 72 bytes nsDocShell::Embed(nsDocShell * const 0x0632c82c, nsIContentViewer * 0x06921330, const char * 0x01fc54f1, nsISupports * 0x00000000) line 4135 + 23 bytes nsDocShell::CreateContentViewer(nsDocShell * const 0x0632c808, const char * 0x06f94940, nsIRequest * 0x056608a8, nsIStreamListener * * 0x06e337c8) line 4547 + 32 bytes nsDSURIContentListener::DoContent(nsDSURIContentListener * const 0x058b55e0, const char * 0x06f94940, int 0, nsIRequest * 0x056608a8, nsIStreamListener * * 0x06e337c8, int * 0x0012f600) line 109 + 33 bytes nsDocumentOpenInfo::TryContentListener(nsIURIContentListener * 0x058b55e0, nsIChannel * 0x056608a8) line 709 + 66 bytes nsDocumentOpenInfo::DispatchContent(nsIRequest * 0x056608a8, nsISupports * 0x00000000) line 451 + 57 bytes nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x06e337b8, nsIRequest * 0x056608a8, nsISupports * 0x00000000) line 322 + 16 bytes nsHttpChannel::CallOnStartRequest() line 637 + 60 bytes nsHttpChannel::ProcessNormal() line 766 + 8 bytes nsHttpChannel::ProcessResponse() line 666 + 8 bytes nsHttpChannel::OnStartRequest(nsHttpChannel * const 0x056608b0, nsIRequest * 0x0627ec98, nsISupports * 0x00000000) line 3311 + 11 bytes nsInputStreamPump::OnStateStart() line 377 + 42 bytes nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x0627ec9c, nsIAsyncInputStream * 0x064f9bbc) line 333 + 11 bytes nsInputStreamReadyEvent::EventHandler(PLEvent * 0x04ca9a4c) line 119 PL_HandleEvent(PLEvent * 0x04ca9a4c) line 673 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x009c08c8) line 608 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00130146, unsigned int 49380, unsigned int 0, long 10225864) line 1414 + 9 bytes USER32! 77d43a50() USER32! 77d43b1f() USER32! 77d43d79() USER32! 77d43ddf() nsAppShellService::Run(nsAppShellService * const 0x00a58e78) line 524 main1(int 1, char * * 0x002e2638, nsISupports * 0x0099f398) line 1303 + 32 bytes main(int 1, char * * 0x002e2638) line 1716 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e8
Assignee: nobody → roc
Component: Layout: Misc Code → Layout: View Rendering
QA Contact: core.layout.misc-code → ian
Confirming, seems like this is something we don't want in 1.7. Looks like we've got a widget with a null hWnd in it, and that's causing problems...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.7?
Don't see it on Linux.
I am seeing this again with a debug 1.7 winxp build from this morning.
Flags: blocking1.7? → blocking1.7+
Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20040429 it works under solaris 8.0
The window in qeustion gets destroyed at: nsWindow::Destroy() Line 1650 nsView::~nsView() Line 167 nsView::`scalar deleting destructor'() + 0xf C++ nsIView::Destroy() Line 252 nsView::~nsView() Line 118 nsView::`scalar deleting destructor'() + 0xf C++ nsIView::Destroy() Line 252 nsFrame::Destroy() Line 648 nsSubDocumentFrame::Destroy() Line 568 nsLineBox::DeleteLineList() Line 301 nsBlockFrame::Destroy() Line 300 nsLineBox::DeleteLineList() Line 301 nsBlockFrame::Destroy() Line 300 nsBlockFrame::DoRemoveFrame() Line 4788 nsBlockFrame::RemoveFrame() Line 4622 nsFrameManager::RemoveFrame() Line 774 nsCSSFrameConstructor::ContentRemoved() Line 9512 nsCSSFrameConstructor::RecreateFramesForContent() Line 11349 nsCSSFrameConstructor::AttributeChanged() Line 10089 PresShell::AttributeChanged() Line 5203 nsDocument::AttributeChanged() Line 1979 nsHTMLDocument::AttributeChanged() Line 1315 nsGenericHTMLElement::SetAttrAndNotify() Line 1680 nsGenericHTMLElement::SetInlineStyleRule() Line 1928 nsDOMCSSAttributeDeclaration::DeclarationChanged() Line 91 nsDOMCSSDeclaration::ParsePropertyValue() Line 243 nsDOMCSSDeclaration::SetProperty() Line 176 CSS2PropertiesTearoff::SetDisplay() Line 338 XPTC_InvokeByIndex() Line 102 xpc3250.dll!XPCWrappedNative::CallMethod() Line 2027 xpc3250.dll!XPCWrappedNative::SetAttribute() Line 1887 xpc3250.dll!XPC_WN_GetterSetter() Line 1311 js3250.dll!js_Invoke() Line 1281 js3250.dll!js_InternalInvoke() Line 1378 js3250.dll!js_InternalGetOrSet() Line 1421 js3250.dll!js_SetProperty() Line 2825 js3250.dll!js_Interpret() Line 3204 js3250.dll!js_Invoke() Line 1301 js3250.dll!js_Interpret() Line 3366 js3250.dll!js_Execute() Line 1507 js3250.dll!JS_EvaluateUCScriptForPrincipals() Line 3569 nsJSContext::EvaluateString() Line 927 nsScriptLoader::EvaluateScript() Line 676 nsScriptLoader::ProcessRequest() Line 589 nsScriptLoader::ProcessScriptElement() Line 535 nsHTMLScriptElement::MaybeProcessScript() Line 651 nsHTMLScriptElement::SetDocument() Line 470 nsGenericElement::AppendChildTo() Line 2525 HTMLContentSink::ProcessSCRIPTTag() Line 4335 HTMLContentSink::AddLeaf() Line 3186 CNavDTD::AddLeaf() Line 3786 CNavDTD::HandleScriptToken() Line 2324 CNavDTD::OpenContainer() Line 3438 CNavDTD::HandleDefaultStartToken() Line 1456 CNavDTD::HandleStartToken() Line 1834 CNavDTD::HandleToken() Line 1018 CNavDTD::BuildModel() Line 510 nsParser::BuildModel() Line 1893 nsParser::ResumeParse() Line 1760 nsParser::ContinueParsing() Line 1358 nsContentSink::ScriptEvaluated() Line 277 nsScriptLoaderObserverProxy::ScriptEvaluated() Line 135 nsScriptLoader::FireScriptEvaluated() Line 627 nsScriptLoader::ProcessRequest() Line 592 nsScriptLoader::OnStreamComplete() Line 913 nsStreamLoader::OnStopRequest() Line 137 nsStreamListenerTee::OnStopRequest() Line 66 nsHttpChannel::OnStopRequest() Line 3617 nsInputStreamPump::OnStateStop() Line 506 nsInputStreamPump::OnInputStreamReady() Line 340 nsInputStreamReadyEvent::EventHandler() Line 119 PL_HandleEvent() Line 692 PL_ProcessPendingEvents() Line 627 _md_EventReceiverProc() Line 1433 user32.dll!77d43a50() user32.dll!77d43b1f() user32.dll!77d43d79() user32.dll!77d43ddf() nsAppShellService::Run() Line 524 main1() Line 1302 main() Line 1779 mainCRTStartup() Line 400 Roc, any thoughts?
Looks like some Javascript set a style which required us to tear down the frame tree, but the frame tree and view tree were out of sync/corrupt which meant we destroyed the wrong view, or something like that. I don't suppose someone who can reproduce this can build a minimized testcase?
I can visit MSNBC directly or via MSN without any problems with the current 1.7 nightly build. Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.7) Gecko/20040503
I can't reproduce any crashes or hangs at http://msnbc.msn.com both logged in and not logged in. I've tried links from msn.com, a bookmark, and via entering the URL manually. Tested with 2004051108 windows branch build on XP. I'm wondering if this is debug build only? Is there anyone around with Purify that could test an optimized build with symbols and see if that reveals anything?
Yeah, seems like this is debug only, or close to, at least. I see this fairly reliably in my debug builds, but I haven't been able to reproduce this with release builds.
Flags: blocking1.7+ → blocking1.7-
I don't know if this is the appropriate bug to comment on, but www.msnbc.com consistantly crashes when using the back button to go back to the home page. Sent two Talkback dumps. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050505 Firefox/1.0+
Crashed on http://www.espn.com/ in a Firefox 1.0.6 cvs debug build on winxpsp2 including Brendan's patch for 300964. Same stack.
(In reply to comment #11) > Crashed on http://www.espn.com/ in a Firefox 1.0.6 cvs debug build on winxpsp2 > including Brendan's patch for 300964. Same stack. jst's patch, but never mind -- it has nothing to do with this old bug, right? /be
(In reply to comment #12) > jst's patch, but never mind -- it has nothing to do with this old bug, right? Right, just letting ya'll know what I'm finding.
TB16044921G everytime I print in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060306 Firefox/1.6a1 ID:2006030605
QA Contact: ian → layout.view-rendering
Loading http://msnbc.msn.com does not crash for me on Vista. In comment 6, roc couldn't figure this out based on the stack trace. But style and layout code have been subject to heavy testing in the last few years, so whatever bug was causing msnbc to crash a few years ago is probably gone by now ;)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Component: Layout: View Rendering → Layout: Web Painting
You need to log in before you can comment on or make changes to this bug.