Closed
Bug 256965
Opened 20 years ago
Closed 10 years ago
FMR Crash going back to a dom/css modified instance of bookmarks.html
Categories
(Core :: Layout, defect, P5)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: timeless, Unassigned)
References
()
Details
(Keywords: crash)
this build was tipped w/in the past 24hrs. it is very unstable but it normally
crashes in other places, so i suspect this is real.
app of record: winEmbed (mozilla has issues).
steps:
1. run winEmbed.exe (from purify)
2. load http://viper.haque.net/~timeless/bookmarks.html
3. click color bookmarked links experimental (?)
4. click msdn link
5. server side modify bookmarks.html
6. click back
[I] Starting Purify'd R:\mozilla\rel-i586-pc-msvc.1\dist\bin\winembed.exe at
08/26/2004 01:55:34
[I] Starting main
[I] Starting thread 0x3c73c: midMessage
[E] FMR: Free memory read in nsFrame::~nsFrame(void) {1 occurrence}
Reading 4 bytes from 0x057ad4b0 (4 bytes at 0x057ad4b0 illegal)
Address 0x057ad4b0 is at the beginning of a 28 byte block
Address 0x057ad4b0 points to a C++ new block in heap 0x00330000
Thread ID: 0x3caa0
Error location
nsFrame::~nsFrame(void)+0x3c
[r:\mozilla\layout\html\base\src\nsframe.cpp:468 ip=0x045e2e63]
nsFrame::~nsFrame()
{
MOZ_COUNT_DTOR(nsFrame);
=> NS_IF_RELEASE(mContent);
if (mStyleContext)
mStyleContext->Release();
}
nsTableCellFrame::`scalar deleting destructor'(UINT)+0x1a
[R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x046aa2b1]
nsFrame::Destroy(nsPresContext *)+0x199
[r:\mozilla\layout\html\base\src\nsframe.cpp:644 ip=0x045eeda0]
//XXX Why is this done in nsFrame instead of some frame class
// that actually loads images?
aPresContext->StopImagesFor(this);
if (view) {
// Break association between view and frame
view->SetClientData(nsnull);
// Destroy the view
view->Destroy();
}
// Deleting the frame doesn't really free the memory, since we're using an
// arena for allocation, but we will get our destructors called.
=> delete this;
// Now that we're totally cleaned out, we need to add ourselves to the
presshell's
// recycler.
size_t* sz = (size_t*)this;
shell->FreeFrame(*sz, (void*)this);
return NS_OK;
}
nsSplittableFrame::Destroy(nsPresContext *)+0x80
[r:\mozilla\layout\html\base\src\nssplittableframe.cpp:71 ip=0x0460c4be]
nsContainerFrame::Destroy(nsPresContext *)+0x13b
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:170 ip=0x045fe635]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsTableFrame::Destroy(nsPresContext *)+0x51
[r:\mozilla\layout\html\table\src\nstableframe.cpp:310 ip=0x04674b39]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsTableOuterFrame::Destroy(nsPresContext *)+0x83
[r:\mozilla\layout\html\table\src\nstableouterframe.cpp:81 ip=0x0469692f]
nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83
[r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142]
nsBlockFrame::Destroy(nsPresContext *)+0xeb
[r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7]
nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83
[r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142]
nsBlockFrame::Destroy(nsPresContext *)+0xeb
[r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
CanvasFrame::Destroy(nsPresContext *)+0xdd
[r:\mozilla\layout\html\base\src\nshtmlframe.cpp:239 ip=0x04abf3e9]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsBoxFrame::Destroy(nsPresContext *)+0xb4
[r:\mozilla\layout\xul\base\src\nsboxframe.cpp:1084 ip=0x046eec11]
Allocation location
new(UINT)+0xc [f:\vs70builds\9466\vc\crtbld\crt\src\newop.cpp:10
ip=0x04a9821e]
NS_NewHTMLTableCellElement(nsINodeInfo *,int)+0x19
[r:\mozilla\content\html\content\src\nshtmltablecellelement.cpp:90 ip=0x04b1e9c3]
MakeContentObject+0x194
[r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:1033 ip=0x0488d448]
HTMLContentSink::CreateContentObject(nsIParserNode
const&,nsHTMLTag,nsIDOMHTMLFormElement *,nsIDocShell *)+0x48a
[r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:915 ip=0x04892135]
SinkContext::OpenContainer(nsIParserNode const&)+0x141
[r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:1217 ip=0x048957e7]
HTMLContentSink::OpenContainer(nsIParserNode const&)+0xa5
[r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:3022 ip=0x04898b0b]
CNavDTD::OpenContainer(nsCParserNode const*,nsHTMLTag,int,nsEntryStack
*)+0x16f [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:3439 ip=0x05467db0]
CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsCParserNode
*)+0x307 [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:1430 ip=0x0546be6e]
CNavDTD::HandleStartToken(CToken *)+0x529
[r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:1808 ip=0x0546ee22]
CNavDTD::HandleToken(CToken *,nsIParser *)+0xa85
[r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:992 ip=0x0546f9c4]
CNavDTD::BuildModel(nsIParser *,nsITokenizer *,nsITokenObserver
*,nsIContentSink *)+0x5ce [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:471
ip=0x05468ed2]
nsParser::BuildModel(void)+0x16d
[r:\mozilla\parser\htmlparser\src\nsparser.cpp:1898 ip=0x05489b21]
nsParser::ResumeParse(int,int,int)+0x243
[r:\mozilla\parser\htmlparser\src\nsparser.cpp:1765 ip=0x0548958c]
nsParser::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream
*,UINT,UINT)+0x29e [r:\mozilla\parser\htmlparser\src\nsparser.cpp:2433
ip=0x0548a6c2]
nsDocumentOpenInfo::OnDataAvailable(nsIRequest *,nsISupports
*,nsIInputStream *,UINT,UINT)+0x62
[r:\mozilla\uriloader\base\nsuriloader.cpp:342 ip=0x05142330]
nsHTTPCompressConv::do_OnDataAvailable(nsIRequest *,nsISupports
*,UINT,char *,UINT)+0x1c9
[r:\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp:390 ip=0x03e7213c]
nsHTTPCompressConv::OnDataAvailable(nsIRequest *,nsISupports
*,nsIInputStream *,UINT,UINT)+0x9ab
[r:\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp:326 ip=0x03e72b79]
nsStreamListenerTee::OnDataAvailable(nsIRequest *,nsISupports
*,nsIInputStream *,UINT,UINT)+0x285
[r:\mozilla\netwerk\base\src\nsstreamlistenertee.cpp:97 ip=0x03e3e535]
nsHttpChannel::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream
*,UINT,UINT)+0x292 [r:\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp:3713
ip=0x03ee5228]
nsInputStreamPump::OnStateTransfer(void)+0x25e
[r:\mozilla\netwerk\base\src\nsinputstreampump.cpp:435 ip=0x03e24d33]
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *)+0x89
[r:\mozilla\netwerk\base\src\nsinputstreampump.cpp:338 ip=0x03e253c3]
nsOutputStreamReadyEvent::EventHandler(PLEvent *)+0x67
[r:\mozilla\xpcom\io\nsstreamutils.cpp:118 ip=0x10051130]
PL_HandleEvent+0x2d [r:\mozilla\xpcom\threads\plevent.c:692 ip=0x1008313e]
PL_ProcessPendingEvents+0x198 [r:\mozilla\xpcom\threads\plevent.c:627
ip=0x1008364b]
md_EventReceiverProc+0x61 [r:\mozilla\xpcom\threads\plevent.c:1433
ip=0x100837b2]
Free location
memset+0x1d [f:\vs70builds\9466\vc\crtbld\crt\src\newaop.cpp
ip=0x04a982e8]
nsHTMLTableCellElement::`vector deleting destructor'(UINT)+0x43
[R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x04b1d501]
nsHTMLIFrameElement::Release(void)+0x52
[r:\mozilla\content\html\content\src\nshtmliframeelement.cpp:97 ip=0x04b450f7]
=> NS_IMPL_RELEASE(nsHTMLIFrameElement)
nsFrame::~nsFrame(void)+0x51
[r:\mozilla\layout\html\base\src\nsframe.cpp:468 ip=0x045e2e78]
nsFrame::~nsFrame()
{
MOZ_COUNT_DTOR(nsFrame);
=> NS_IF_RELEASE(mContent);
if (mStyleContext)
mStyleContext->Release();
}
nsBlockFrame::`scalar deleting destructor'(UINT)+0x1a
[R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x04a98fcd]
nsFrame::Destroy(nsPresContext *)+0x199
[r:\mozilla\layout\html\base\src\nsframe.cpp:644 ip=0x045eeda0]
//XXX Why is this done in nsFrame instead of some frame class
// that actually loads images?
aPresContext->StopImagesFor(this);
if (view) {
// Break association between view and frame
view->SetClientData(nsnull);
// Destroy the view
view->Destroy();
}
// Deleting the frame doesn't really free the memory,
since we're using an
// arena for allocation, but we will get our destructors
called.
=> delete this;
// Now that we're totally cleaned out, we need to add
ourselves to the presshell's
// recycler.
size_t* sz = (size_t*)this;
shell->FreeFrame(*sz, (void*)this);
return NS_OK;
}
nsSplittableFrame::Destroy(nsPresContext *)+0x80
[r:\mozilla\layout\html\base\src\nssplittableframe.cpp:71 ip=0x0460c4be]
nsContainerFrame::Destroy(nsPresContext *)+0x13b
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:170 ip=0x045fe635]
nsBlockFrame::Destroy(nsPresContext *)+0x1c8
[r:\mozilla\layout\html\base\src\nsblockframe.cpp:314 ip=0x04619884]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsTableFrame::Destroy(nsPresContext *)+0x51
[r:\mozilla\layout\html\table\src\nstableframe.cpp:310 ip=0x04674b39]
nsFrameList::DestroyFrames(nsPresContext *)+0x5e
[r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5]
nsContainerFrame::Destroy(nsPresContext *)+0xcc
[r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6]
nsTableOuterFrame::Destroy(nsPresContext *)+0x83
[r:\mozilla\layout\html\table\src\nstableouterframe.cpp:81 ip=0x0469692f]
nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83
[r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142]
nsBlockFrame::Destroy(nsPresContext *)+0xeb
[r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7]
nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83
[r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142]
nsBlockFrame::Destroy(nsPresContext *)+0xeb
[r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7]
[E] IPR: Invalid pointer read in nsFrame::~nsFrame(void) {1 occurrence}
[E] EXU: Unhandled exception in nsFrame::~nsFrame(void) {1 occurrence}
Comment 1•20 years ago
|
||
What's the minimal testcase that shows the bug?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Comment 2•18 years ago
|
||
i'm not able to reproduce this using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 ID:2007051502
or
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070622 ID:2007062204
-> WORKSFORME ?
Comment 3•10 years ago
|
||
The URL is gone. Resolving per last comment. Please reopen if you can still
reproduce this in a recent version of Firefox.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(timeless)
Resolution: --- → WORKSFORME
mats: I've updated the url to a web.archive.org version -- the file hadn't changed in years, it should be possible to retrieve the file and strip the web.archive.org bits if someone wants to.
I don't have access to Purify (I'm currently investigating a build environment)...
Flags: needinfo?(timeless)
You need to log in
before you can comment on or make changes to this bug.
Description
•