Closed
Bug 264032
Opened 20 years ago
Closed 19 years ago
Firefox crashes if I have more than one tab open and I close the tab containing the problem URL - Trunk [@ nsFormFillController::GetIndexOfDocShell]
Categories
(Toolkit :: Form Manager, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: katrunmuki, Assigned: bryner)
References
()
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(2 files)
32.24 KB,
text/plain
|
Details | |
667 bytes,
patch
|
mconnor
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 I tried to develop an extension for "multi-level" tabbed browsing, which would allow a single tab to contain other "subtags" - would make it easier to read some forum sites. To test if this was possible at all, I opened the URL "chrome://browser/content/browser.xul", and indeed, the idea works - I can open more tags in the "Firefox within Firefox" tab that results (but I can't close any of them). However, when I tried to close the tab containing the nested tab - crash. Reproducible: Always Steps to Reproduce: 1. Open a few (minimum 2 open) tabs. 2. Open the URL "chrome://browser/content/browser.xul" in one of the tabs 3. Close the tab containing the URL. Crash. Actual Results: The browser crashed. When running from command line, the error given was "/usr/firefox/run-mozilla.sh: line 451: 6172 Segmentation fault "$prog" ${1+"$@"}" Expected Results: Closed the tab and kept on running. Talkback crash IDs: TB1262754K TB1262701M TB1262689G TB1262676Y Firefox is pretty unstable in my system, crashing about once per day, usually when opening or closing a page (no detectable pattern on which pages cause the crash). I usually surf with a dozen browser windows with a dozen tags open in each. I have an AMD Duron 1GHz 512MB system running Red Hat Linux 9 with kernel 2.6. I used to use Mozilla which came with RHL9, then updated to FF 8, then to 0.10, then to 0.10.1. The XPI update to 0.10.1 didn't work for me, so I had to rm -Rf the old version and unpack the new. I have Sun JVM 1.5.0 installed. I use the default theme, but have several installed. I have DownTHEMall, Nuke Anything and Wikalong extensions installed.
Stack Signature nsFormFillController::GetIndexOfDocShell() 9c3b1a51 Product ID Firefox10 Build ID 2004100110 Trigger Time 2004-10-12 07:01:58.0 Platform LinuxIntel Operating System Linux 2.6.8.1 Module firefox-bin + (0063f2f5) URL visited User Comments Since Last Crash 0 sec Total Uptime 34 sec Trigger Reason SIGSEGV: Segmentation Fault: (signal 11) Source File, Line No. N/A Stack Trace nsFormFillController::GetIndexOfDocShell() nsFormFillController::DetachFromBrowser() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/toolkit/components/satchel/src/nsFormFillController.cpp, line 188] XPTC_InvokeByIndex() XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2027] XPC_WN_CallMethod() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1287] js_Invoke() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 941] js_Interpret() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 2973] js_Invoke() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 958] js_InternalInvoke() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 1036] JS_CallFunctionValue() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsapi.c, line 3698] nsJSContext::CallEventHandler() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1296] nsJSEventListener::HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 177] nsXBLPrototypeHandler::ExecuteHandler() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 458] nsXBLPrototypeHandler::BindingDetached() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp, line 228] nsXBLBinding::ExecuteDetachedHandler() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xbl/src/nsXBLBinding.cpp, line 704] ExecuteDetachedHandler() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xbl/src/nsBindingManager.cpp, line 957] PL_DHashTableEnumerate() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/ds/pldhash.c, line 620] nsBindingManager::ExecuteDetachedHandlers() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xbl/src/nsBindingManager.cpp, line 965] GlobalWindowImpl::HandleDOMEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp, line 887] DocumentViewerImpl::Unload() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp, line 1094] nsDocShell::FireUnloadNotification() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/docshell/base/nsDocShell.cpp, line 61] nsDocShell::Destroy() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/docshell/base/nsDocShell.cpp, line 3080] nsWebShell::Destroy() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/docshell/base/nsWebShell.cpp, line 1238] nsFrameLoader::Destroy() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/base/src/nsFrameLoader.cpp, line 710] nsSubDocumentFrame::Destroy() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/document/src/nsFrameFrame.cpp, line 710] nsFrameList::DestroyFrames() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/base/src/nsFrameList.cpp, line 130] nsContainerFrame::Destroy() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsContainerFrame.cpp, line 166] nsBoxFrame::Destroy() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1065] nsFrameList::DestroyFrame() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/base/src/nsFrameList.cpp, line 214] nsBoxFrame::RemoveFrame() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1118] nsFrameManager::RemoveFrame() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsFrameManager.cpp, line 758] nsCSSFrameConstructor::ContentRemoved() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp, line 9522] PresShell::ContentRemoved() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5272] nsDocument::ContentRemoved() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/base/src/nsDocument.cpp, line 2006] nsXULElement::RemoveChildAt() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 704] nsGenericElement::doRemoveChild() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 3091] XPTC_InvokeByIndex() XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2027] XPC_WN_CallMethod() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1287] js_Invoke() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 941] js_Interpret() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 2973] js_Invoke() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 958] js_InternalInvoke() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsinterp.c, line 1036] JS_CallFunctionValue() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/js/src/jsapi.c, line 3698] nsJSContext::CallEventHandler() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1296] nsJSEventListener::HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 177] nsEventListenerManager::HandleEventSubType() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1436] nsEventListenerManager::HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1529] nsXULElement::HandleDOMEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 2841] PresShell::HandleDOMEventWithTarget() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6133] nsButtonBoxFrame::MouseClicked() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 175] nsButtonBoxFrame::HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/xul/base/src/nsButtonBoxFrame.cpp, line 147] PresShell::HandleEventInternal() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 6100] PresShell::HandleEventWithTarget() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5982] nsEventStateManager::CheckForAndDispatchClick() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 2921] nsEventStateManager::PostHandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/content/events/src/nsEventStateManager.cpp, line 142] PresShell::HandleEventInternal() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 710] PresShell::HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp, line 5918] nsViewManager::HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/view/src/nsViewManager.cpp, line 710] nsViewManager::DispatchEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/view/src/nsViewManager.cpp, line 2030] HandleEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/view/src/nsView.cpp, line 243] nsCommonWidget::DispatchEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsCommonWidget.cpp, line 215] nsWindow::OnButtonReleaseEvent() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsWindow.cpp, line 1449] button_release_event_cb() [/builds/tinderbox/firefox-0.10.1/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsWindow.cpp, line 3277]
Assignee: bugs → bryner
Component: Tabbed Browser → Form Manager
Keywords: crash
Summary: Firefox crashes if I have more than one tab open and I close the tab containing the problem URL → Firefox crashes if I have more than one tab open and I close the tab containing the problem URL [@ nsFormFillController::GetIndexOfDocShell]
Comment 2•20 years ago
|
||
Works for me on Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041019 Firefox/1.0, but closing a "sub tab" closes Firefox completely. From what you're suggesting you'd have to go to a tab to see what sub tabs are open. To be honest this functionality sounds similar to what is already provided by Windows and tabs. I guess it would be useful if you could see it all on one screen, but would take up valuable browsing space.
Comment 3•20 years ago
|
||
Just tried it again and it does crash Firefox if you try to close the chrome://browser/content/browser.xul tab.
Comment 4•20 years ago
|
||
FF crashes only when closing original tab (oldest). Working up the page from newest to oldest is OK
*** Bug 264483 has been marked as a duplicate of this bug. ***
Comment 6•20 years ago
|
||
I get a very similar stack trace to the one already on this bug
Comment 7•20 years ago
|
||
This spackle applied around line 1007 of nsFormFillController.cpp if (docShell == aDocShell) return i; } // Recursively check the parent docShell of this one nsCOMPtr<nsIDocShellTreeItem> treeItem = do_QueryInterface(aDocShell); + + if(!treeItem) { + NS_WARNING( "nsFormFillController::GetIndexOfDocShell Early return because treeItem is null" ); + return -1; + } + nsCOMPtr<nsIDocShellTreeItem> parentItem; treeItem->GetParent(getter_AddRefs(parentItem)); if (parentItem) { nsCOMPtr<nsIDocShell> parentShell = do_QueryInterface(parentItem); stops the crash, but leaves the parent window in non-responsive state pretty much equivalent to 'dead'. I suspect that it is because the tab does not have a true parent window.
Comment 8•20 years ago
|
||
*** Bug 278778 has been marked as a duplicate of this bug. ***
Comment 9•19 years ago
|
||
There are a few of these crashes in Firefox 1.0/1.0.1 Talkback data, but it has become somewhat of a topcrasher with recent Firefox Trunk builds. Let's see if we can get this fixed for Firefox 1.1.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1?
Keywords: topcrash
Summary: Firefox crashes if I have more than one tab open and I close the tab containing the problem URL [@ nsFormFillController::GetIndexOfDocShell] → Firefox crashes if I have more than one tab open and I close the tab containing the problem URL - Trunk [@ nsFormFillController::GetIndexOfDocShell]
Assignee | ||
Comment 10•19 years ago
|
||
Bulletproof against a null docshell being passed in. We could try to fix this at the call site but I think this provides better protection in the case of a misbehaved extension.
Attachment #178532 -
Flags: review?(mconnor)
Comment 11•19 years ago
|
||
Comment on attachment 178532 [details] [diff] [review] patch agreed. Extensions don't always do the right thing, unfortunately.
Attachment #178532 -
Flags: review?(mconnor) → review+
Updated•19 years ago
|
Flags: blocking-aviary1.1? → blocking-aviary1.1+
Comment 12•19 years ago
|
||
bryner: Can you get this patch checked in soon so we can keep an eye on Talkback data to see if it goes away? I still see a few crashes in the FFTrunk data: http://talkback-public.mozilla.org/reports/firefox/FFTrunk/FFTrunk-topcrashers.html
Assignee | ||
Comment 13•19 years ago
|
||
checked in on the trunk
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 14•19 years ago
|
||
WARNING: NS_ENSURE_TRUE(index >= 0) failed, file ../../../../../../src/toolkit/components/satchel/src/nsFormFillController.cpp, Now prints a a warning every time, which I assume is intentional.
Comment 15•19 years ago
|
||
*** Bug 277388 has been marked as a duplicate of this bug. ***
Comment 16•19 years ago
|
||
Firefox locks up when closing the chrome:// tab with the ctrl+w hotkey. I even got it to crash at one point when I tested this. Not sure how.
Comment 17•19 years ago
|
||
(In reply to comment #16) > Firefox locks up when closing the chrome:// tab with the ctrl+w hotkey. > I even got it to crash at one point when I tested this. Not sure how. Which version of Firefox? Do you have a Talkback or stack? (See comment 3)
Updated•16 years ago
|
Product: Firefox → Toolkit
Updated•13 years ago
|
Crash Signature: [@ nsFormFillController::GetIndexOfDocShell]
You need to log in
before you can comment on or make changes to this bug.
Description
•