Closed Bug 256965 Opened 20 years ago Closed 10 years ago

FMR Crash going back to a dom/css modified instance of bookmarks.html

Categories

(Core :: Layout, defect, P5)

x86
Windows XP
defect

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

References

()

Details

(Keywords: crash)

this build was tipped w/in the past 24hrs. it is very unstable but it normally crashes in other places, so i suspect this is real. app of record: winEmbed (mozilla has issues). steps: 1. run winEmbed.exe (from purify) 2. load http://viper.haque.net/~timeless/bookmarks.html 3. click color bookmarked links experimental (?) 4. click msdn link 5. server side modify bookmarks.html 6. click back [I] Starting Purify'd R:\mozilla\rel-i586-pc-msvc.1\dist\bin\winembed.exe at 08/26/2004 01:55:34 [I] Starting main [I] Starting thread 0x3c73c: midMessage [E] FMR: Free memory read in nsFrame::~nsFrame(void) {1 occurrence} Reading 4 bytes from 0x057ad4b0 (4 bytes at 0x057ad4b0 illegal) Address 0x057ad4b0 is at the beginning of a 28 byte block Address 0x057ad4b0 points to a C++ new block in heap 0x00330000 Thread ID: 0x3caa0 Error location nsFrame::~nsFrame(void)+0x3c [r:\mozilla\layout\html\base\src\nsframe.cpp:468 ip=0x045e2e63] nsFrame::~nsFrame() { MOZ_COUNT_DTOR(nsFrame); => NS_IF_RELEASE(mContent); if (mStyleContext) mStyleContext->Release(); } nsTableCellFrame::`scalar deleting destructor'(UINT)+0x1a [R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x046aa2b1] nsFrame::Destroy(nsPresContext *)+0x199 [r:\mozilla\layout\html\base\src\nsframe.cpp:644 ip=0x045eeda0] //XXX Why is this done in nsFrame instead of some frame class // that actually loads images? aPresContext->StopImagesFor(this); if (view) { // Break association between view and frame view->SetClientData(nsnull); // Destroy the view view->Destroy(); } // Deleting the frame doesn't really free the memory, since we're using an // arena for allocation, but we will get our destructors called. => delete this; // Now that we're totally cleaned out, we need to add ourselves to the presshell's // recycler. size_t* sz = (size_t*)this; shell->FreeFrame(*sz, (void*)this); return NS_OK; } nsSplittableFrame::Destroy(nsPresContext *)+0x80 [r:\mozilla\layout\html\base\src\nssplittableframe.cpp:71 ip=0x0460c4be] nsContainerFrame::Destroy(nsPresContext *)+0x13b [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:170 ip=0x045fe635] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsTableFrame::Destroy(nsPresContext *)+0x51 [r:\mozilla\layout\html\table\src\nstableframe.cpp:310 ip=0x04674b39] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsTableOuterFrame::Destroy(nsPresContext *)+0x83 [r:\mozilla\layout\html\table\src\nstableouterframe.cpp:81 ip=0x0469692f] nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83 [r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142] nsBlockFrame::Destroy(nsPresContext *)+0xeb [r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7] nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83 [r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142] nsBlockFrame::Destroy(nsPresContext *)+0xeb [r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] CanvasFrame::Destroy(nsPresContext *)+0xdd [r:\mozilla\layout\html\base\src\nshtmlframe.cpp:239 ip=0x04abf3e9] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsBoxFrame::Destroy(nsPresContext *)+0xb4 [r:\mozilla\layout\xul\base\src\nsboxframe.cpp:1084 ip=0x046eec11] Allocation location new(UINT)+0xc [f:\vs70builds\9466\vc\crtbld\crt\src\newop.cpp:10 ip=0x04a9821e] NS_NewHTMLTableCellElement(nsINodeInfo *,int)+0x19 [r:\mozilla\content\html\content\src\nshtmltablecellelement.cpp:90 ip=0x04b1e9c3] MakeContentObject+0x194 [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:1033 ip=0x0488d448] HTMLContentSink::CreateContentObject(nsIParserNode const&,nsHTMLTag,nsIDOMHTMLFormElement *,nsIDocShell *)+0x48a [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:915 ip=0x04892135] SinkContext::OpenContainer(nsIParserNode const&)+0x141 [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:1217 ip=0x048957e7] HTMLContentSink::OpenContainer(nsIParserNode const&)+0xa5 [r:\mozilla\content\html\document\src\nshtmlcontentsink.cpp:3022 ip=0x04898b0b] CNavDTD::OpenContainer(nsCParserNode const*,nsHTMLTag,int,nsEntryStack *)+0x16f [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:3439 ip=0x05467db0] CNavDTD::HandleDefaultStartToken(CToken *,nsHTMLTag,nsCParserNode *)+0x307 [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:1430 ip=0x0546be6e] CNavDTD::HandleStartToken(CToken *)+0x529 [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:1808 ip=0x0546ee22] CNavDTD::HandleToken(CToken *,nsIParser *)+0xa85 [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:992 ip=0x0546f9c4] CNavDTD::BuildModel(nsIParser *,nsITokenizer *,nsITokenObserver *,nsIContentSink *)+0x5ce [r:\mozilla\parser\htmlparser\src\cnavdtd.cpp:471 ip=0x05468ed2] nsParser::BuildModel(void)+0x16d [r:\mozilla\parser\htmlparser\src\nsparser.cpp:1898 ip=0x05489b21] nsParser::ResumeParse(int,int,int)+0x243 [r:\mozilla\parser\htmlparser\src\nsparser.cpp:1765 ip=0x0548958c] nsParser::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,UINT,UINT)+0x29e [r:\mozilla\parser\htmlparser\src\nsparser.cpp:2433 ip=0x0548a6c2] nsDocumentOpenInfo::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,UINT,UINT)+0x62 [r:\mozilla\uriloader\base\nsuriloader.cpp:342 ip=0x05142330] nsHTTPCompressConv::do_OnDataAvailable(nsIRequest *,nsISupports *,UINT,char *,UINT)+0x1c9 [r:\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp:390 ip=0x03e7213c] nsHTTPCompressConv::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,UINT,UINT)+0x9ab [r:\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp:326 ip=0x03e72b79] nsStreamListenerTee::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,UINT,UINT)+0x285 [r:\mozilla\netwerk\base\src\nsstreamlistenertee.cpp:97 ip=0x03e3e535] nsHttpChannel::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,UINT,UINT)+0x292 [r:\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp:3713 ip=0x03ee5228] nsInputStreamPump::OnStateTransfer(void)+0x25e [r:\mozilla\netwerk\base\src\nsinputstreampump.cpp:435 ip=0x03e24d33] nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *)+0x89 [r:\mozilla\netwerk\base\src\nsinputstreampump.cpp:338 ip=0x03e253c3] nsOutputStreamReadyEvent::EventHandler(PLEvent *)+0x67 [r:\mozilla\xpcom\io\nsstreamutils.cpp:118 ip=0x10051130] PL_HandleEvent+0x2d [r:\mozilla\xpcom\threads\plevent.c:692 ip=0x1008313e] PL_ProcessPendingEvents+0x198 [r:\mozilla\xpcom\threads\plevent.c:627 ip=0x1008364b] md_EventReceiverProc+0x61 [r:\mozilla\xpcom\threads\plevent.c:1433 ip=0x100837b2] Free location memset+0x1d [f:\vs70builds\9466\vc\crtbld\crt\src\newaop.cpp ip=0x04a982e8] nsHTMLTableCellElement::`vector deleting destructor'(UINT)+0x43 [R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x04b1d501] nsHTMLIFrameElement::Release(void)+0x52 [r:\mozilla\content\html\content\src\nshtmliframeelement.cpp:97 ip=0x04b450f7] => NS_IMPL_RELEASE(nsHTMLIFrameElement) nsFrame::~nsFrame(void)+0x51 [r:\mozilla\layout\html\base\src\nsframe.cpp:468 ip=0x045e2e78] nsFrame::~nsFrame() { MOZ_COUNT_DTOR(nsFrame); => NS_IF_RELEASE(mContent); if (mStyleContext) mStyleContext->Release(); } nsBlockFrame::`scalar deleting destructor'(UINT)+0x1a [R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x04a98fcd] nsFrame::Destroy(nsPresContext *)+0x199 [r:\mozilla\layout\html\base\src\nsframe.cpp:644 ip=0x045eeda0] //XXX Why is this done in nsFrame instead of some frame class // that actually loads images? aPresContext->StopImagesFor(this); if (view) { // Break association between view and frame view->SetClientData(nsnull); // Destroy the view view->Destroy(); } // Deleting the frame doesn't really free the memory, since we're using an // arena for allocation, but we will get our destructors called. => delete this; // Now that we're totally cleaned out, we need to add ourselves to the presshell's // recycler. size_t* sz = (size_t*)this; shell->FreeFrame(*sz, (void*)this); return NS_OK; } nsSplittableFrame::Destroy(nsPresContext *)+0x80 [r:\mozilla\layout\html\base\src\nssplittableframe.cpp:71 ip=0x0460c4be] nsContainerFrame::Destroy(nsPresContext *)+0x13b [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:170 ip=0x045fe635] nsBlockFrame::Destroy(nsPresContext *)+0x1c8 [r:\mozilla\layout\html\base\src\nsblockframe.cpp:314 ip=0x04619884] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsTableFrame::Destroy(nsPresContext *)+0x51 [r:\mozilla\layout\html\table\src\nstableframe.cpp:310 ip=0x04674b39] nsFrameList::DestroyFrames(nsPresContext *)+0x5e [r:\mozilla\layout\base\src\nsframelist.cpp:129 ip=0x0473c3c5] nsContainerFrame::Destroy(nsPresContext *)+0xcc [r:\mozilla\layout\html\base\src\nscontainerframe.cpp:163 ip=0x045fe5c6] nsTableOuterFrame::Destroy(nsPresContext *)+0x83 [r:\mozilla\layout\html\table\src\nstableouterframe.cpp:81 ip=0x0469692f] nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83 [r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142] nsBlockFrame::Destroy(nsPresContext *)+0xeb [r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7] nsLineBox::DeleteLineList(nsPresContext *,nsLineList&)+0x83 [r:\mozilla\layout\html\base\src\nslinebox.cpp:300 ip=0x04626142] nsBlockFrame::Destroy(nsPresContext *)+0xeb [r:\mozilla\layout\html\base\src\nsblockframe.cpp:301 ip=0x046197a7] [E] IPR: Invalid pointer read in nsFrame::~nsFrame(void) {1 occurrence} [E] EXU: Unhandled exception in nsFrame::~nsFrame(void) {1 occurrence}
What's the minimal testcase that shows the bug?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
i'm not able to reproduce this using: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 ID:2007051502 or Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a6pre) Gecko/20070622 ID:2007062204 -> WORKSFORME ?
The URL is gone. Resolving per last comment. Please reopen if you can still reproduce this in a recent version of Firefox.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(timeless)
Resolution: --- → WORKSFORME
mats: I've updated the url to a web.archive.org version -- the file hadn't changed in years, it should be possible to retrieve the file and strip the web.archive.org bits if someone wants to. I don't have access to Purify (I'm currently investigating a build environment)...
You need to log in before you can comment on or make changes to this bug.