Closed Bug 264557 Opened 20 years ago Closed 20 years ago

Javascript pop-up windows trigger crash in Firefox 1.0PR (0.10.1)

Categories: Firefox :: General, defect
Platform: x86 FreeBSD
Severity: critical
Priority: Not set
Status: RESOLVED DUPLICATE of bug 255372
People: Reporter: marcus, Assigned: bugzilla

Details

User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041012 Galeon/1.3.17
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041012 Galeon/1.3.17

Go to the above URL, and click on the "Click here to crash" link. The browser will immediately crash. The crash seems memory related, and may not occur every time. The most reproducible crashes occur when using a locale other than en_US (e.g. en_CA, de_DE, es_ES, or pl_PL).

I rebuilt Firefox with debugging and trace support, and this is what I see when I click on the submit button:

++WEBSHELL == 4
++DOMWINDOW == 4
++WEBSHELL == 5
++DOMWINDOW == 5
Bus error (core dumped)

Here is the back trace of the crash:

#0 0x28206a21 in nsTraceRefcntImpl::LogReleaseCOMPtr (this=0x80727b0, aCOMPtr=0x8bedc90, aObject=0xdddddddd) at nsTraceRefcntImpl.cpp:1350
#1 0x2822bffa in nsTraceRefcnt::LogReleaseCOMPtr (aPtr=0x8bedc90, aObject=0xdddddddd) at nsTraceRefcnt.cpp:123
#2 0x2942d702 in nsCOMPtr<imgIRequest>::assign_assuming_AddRef (this=0x8bedc90, newPtr=0x80727b0) at nsCOMPtr.h:492
#3 0x2942d038 in nsCOMPtr<imgIRequest>::assign_with_AddRef (this=0x8bedc90, rawPtr=0x0) at nsCOMPtr.h:1022
#4 0x2942c7e0 in nsCOMPtr<imgIRequest>::operator= (this=0x8bedc90, rhs=0x0) at nsCOMPtr.h:607
#5 0x29599969 in nsImageBoxFrame::UpdateImage (this=0x8bedc54) at nsImageBoxFrame.cpp:428
#6 0x2959954e in nsImageBoxFrame::UpdateAttributes (this=0x8bedc54, aAttribute=0xdddddddd) at nsImageBoxFrame.cpp:372
#7 0x29598c6f in nsImageBoxFrame::AttributeChanged (this=0x8bedc54, aPresContext=0x8967400, aChild=0x8bf3e40, aNameSpaceID=0, aAttribute=0x80a78d8, aModType=2) at nsImageBoxFrame.cpp:264
#8 0x29527936 in nsCSSFrameConstructor::AttributeChanged (this=0x8a65280, aPresContext=0x8967400, aContent=0x8bf3e40, aNameSpaceID=0, aAttribute=0x80a78d8, aModType=2) at nsCSSFrameConstructor.cpp:10105
#9 0x294b7308 in PresShell::AttributeChanged (this=0x88f7c00, aDocument=0x899a800, aContent=0x8bf3e40, aNameSpaceID=0, aAttribute=0x80a78d8, aModType=2) at nsPresShell.cpp:5189
#10 0x298399e3 in nsXULDocument::AttributeChanged (this=0x899a800, aElement=0x8bf3e40, aNameSpaceID=0, aAttribute=0x80a78d8, aModType=2) at nsXULDocument.cpp:1139
#11 0x298f28af in nsXULElement::SetAttrAndNotify (this=0x8bf3e40, aNamespaceID=0, aAttribute=0x80a78d8, aPrefix=0x0, aOldValue=@0xbfbf8ee8, aParsedValue=@0xbfbf8ed8, aModification=0, aFireMutation=0, aNotify=1) at nsXULElement.cpp:2223
#12 0x298f213a in nsXULElement::SetAttr (this=0x8bf3e40, aNamespaceID=0, aName=0x80a78d8, aPrefix=0x0, aValue=@0xbfbf90d8, aNotify=1) at nsXULElement.cpp:2147
#13 0x29808783 in nsXBLPrototypeBinding::AttributeChanged (this=0x874a8c0, aAttribute=0x80a78d8, aNameSpaceID=0, aRemoveFlag=0, aChangedElement=0x8becb80, aAnonymousContent=0x8bf3d80, aNotify=1) at nsIContent.h:256
#14 0x298051cc in nsXBLBinding::AttributeChanged (this=0x8bf3d00, aAttribute=0x80a78d8, aNameSpaceID=0, aRemoveFlag=0, aNotify=1) at nsXBLBinding.cpp:840
#15 0x298f24e9 in nsXULElement::SetAttrAndNotify (this=0x8becb80, aNamespaceID=0, aAttribute=0x80a78d8, aPrefix=0x0, aOldValue=@0xbfbf9518, aParsedValue=@0xbfbf9508, aModification=0, aFireMutation=0, aNotify=1) at nsXULElement.cpp:2190
#16 0x298f213a in nsXULElement::SetAttr (this=0x8becb80, aNamespaceID=0, aName=0x80a78d8, aPrefix=0x0, aValue=@0xbfbf9708, aNotify=1) at nsXULElement.cpp:2147
#17 0x29808783 in nsXBLPrototypeBinding::AttributeChanged (this=0x872aac0, aAttribute=0x80a78d8, aNameSpaceID=0, aRemoveFlag=0, aChangedElement=0x8bec880, aAnonymousContent=0x8bec9c0, aNotify=1) at nsIContent.h:256
#18 0x298051cc in nsXBLBinding::AttributeChanged (this=0x8bec980, aAttribute=0x80a78d8, aNameSpaceID=0, aRemoveFlag=0, aNotify=1) at nsXBLBinding.cpp:840
#19 0x298f24e9 in nsXULElement::SetAttrAndNotify (this=0x8bec880, aNamespaceID=0, aAttribute=0x80a78d8, aPrefix=0x0, aOldValue=@0xbfbf9b48, aParsedValue=@0xbfbf9b38, aModification=0, aFireMutation=0, aNotify=1) at nsXULElement.cpp:2190
#20 0x298f213a in nsXULElement::SetAttr (this=0x8bec880, aNamespaceID=0, aName=0x80a78d8, aPrefix=0x0, aValue=@0x8c13b90, aNotify=1) at nsXULElement.cpp:2147
#21 0x298ee388 in nsXULElement::SetAttribute (this=0x8bec880, aName=@0xbfbf9c48, aValue=@0x8c13b90) at nsXULElement.h:462
#22 0x282194d4 in XPTC_InvokeByIndex (that=0x8bec88c, methodIndex=30, paramCount=3217000080, params=0xbfbf9ea8) at xptcinvoke_unixish_x86.cpp:130
#23 0x28bfd6fd in XPCWrappedNative::CallMethod (ccx=@0xbfbf9f68, mode=XPCWrappedNative::CALL_METHOD) at xpcwrappednative.cpp:2027
#24 0x28c07131 in XPC_WN_CallMethod (cx=0x8509a00, obj=0x8c8a220, argc=2, argv=0xbfbf9f68, vp=0xbfbfa0a8) at xpcwrappednativejsops.cpp:1287
#25 0x280e351f in js_Invoke (cx=0x8509a00, argc=2, flags=0) at jsinterp.c:941
#26 0x280ee5ab in js_Interpret (cx=0x8509a00, result=0xbfbfa344) at jsinterp.c:2972
#27 0x280e3587 in js_Invoke (cx=0x8509a00, argc=1, flags=2) at jsinterp.c:958
#28 0x280e37ed in js_InternalInvoke (cx=0x8509a00, obj=0x80727b0, fval=134686640, flags=0, argc=1, argv=0xbfbfa67c, rval=0x80727b0) at jsinterp.c:1035
#29 0x280e39ca in js_InternalGetOrSet (cx=0x8509a00, obj=0x8c8a248, id=136531392, fval=147366536, mode=JSACC_WRITE, argc=1, argv=0xbfbfa67c, rval=0xbfbfa67c) at jsinterp.c:1078
#30 0x280fcf4b in js_SetProperty (cx=0x8509a00, obj=0x8c8a248, id=136531392, vp=0xbfbfa67c) at jsobj.c:2849
#31 0x280ed4c8 in js_Interpret (cx=0x8509a00, result=0xbfbfa744) at jsinterp.c:2813
#32 0x280e3587 in js_Invoke (cx=0x8509a00, argc=2, flags=2) at jsinterp.c:958
#33 0x280e37ed in js_InternalInvoke (cx=0x8509a00, obj=0x80727b0, fval=134686640, flags=0, argc=2, argv=0x8bd9b00, rval=0x80727b0) at jsinterp.c:1035
#34 0x280bda0e in JS_CallFunctionValue (cx=0x8509a00, obj=0x8920ba8, fval=147846552, argc=2, argv=0x8bd9b00, rval=0xbfbfa970) at jsapi.c:3698
#35 0x29873b84 in nsJSContext::CallEventHandler (this=0x899dfc0, aTarget=0x8920ba8, aHandler=0x8cff598, argc=2, argv=0x8bd9b00, rval=0xbfbfa970) at nsJSEnvironment.cpp:1296
#36 0x2988a825 in GlobalWindowImpl::RunTimeout (this=0x89f0400, aTimeout=0x8bf2680) at nsGlobalWindow.cpp:5079
#37 0x2988b1f4 in GlobalWindowImpl::TimerCallback (aTimer=0x8bf33c0, aClosure=0x8bf2680) at nsGlobalWindow.cpp:5442
#38 0x281f64c1 in nsTimerImpl::Fire (this=0x8bf33c0) at nsTimerImpl.cpp:382
#39 0x281f6651 in handleTimerEvent (event=0x8bfea00) at nsTimerImpl.cpp:447
#40 0x281ef481 in PL_HandleEvent (self=0x8bfea00) at plevent.c:673
#41 0x281ef34d in PL_ProcessPendingEvents (self=0x899d780) at plevent.c:608
#42 0x281f21d7 in nsEventQueueImpl::ProcessPendingEvents (this=0x899d740) at nsEventQueue.cpp:391
#43 0x28d370fe in event_processor_callback (source=0x899d800, condition=G_IO_IN, data=0xdddddddd) at nsAppShell.cpp:67
#44 0x288f65ad in g_io_unix_dispatch () from /usr/local/lib/libglib-2.0.so.400
#45 0x288d308f in g_main_dispatch () from /usr/local/lib/libglib-2.0.so.400
#46 0x288d3f5b in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.400
#47 0x288d433a in g_main_context_iterate () from /usr/local/lib/libglib-2.0.so.400
#48 0x288d44c6 in g_main_context_iteration () from /usr/local/lib/libglib-2.0.so.400
#49 0x28d37c03 in nsAppShell::DispatchNativeEvent (this=0x8a76a40, aRealEvent=0, aEvent=0x0) at nsAppShell.cpp:277
#50 0x28c4c847 in nsXULWindow::CreateNewContentWindow (this=0x8215a00, aChromeFlags=1166, _retval=0xdddddddd) at nsXULWindow.cpp:1832
#51 0x28c4bbe2 in nsXULWindow::CreateNewWindow (this=0x8215a00, aChromeFlags=-1077967216, _retval=0xdddddddd) at nsXULWindow.cpp:1715
#52 0x08069510 in nsWindowCreator::CreateChromeWindow2 (this=0x80bc5b0, aParent=0xbfbfaf88, aChromeFlags=1166, aContextFlags=0, aURI=0x89d6f00, aCancel=0x80727b0, _retval=0xbfbfb228) at nsWindowCreator.cpp:120
#53 0x28d8d599 in nsWindowWatcher::OpenWindowJS (this=0x80c42c0, aParent=0x86c2704, aUrl=0x89d7608 "http://rozmowy.onet.pl/_loinc/sonda/wyniki.html?ITEM=4530&MIEJSCE=WIADOMOSCI", aName=0x0, aFeatures=0x89d6e08 "toolbar=no,directories=no,width=495,height=240,status=no,scrollbars=no,resizable=yes,menubar=no", aDialog=0, argc=0, argv=0x0, _retval=0xbfbfb5f8) at nsWindowWatcher.cpp:618
#54 0x28d8caa1 in nsWindowWatcher::OpenWindow (this=0x80c42c0, aParent=0x86c2704, aUrl=0x89d7608 "http://rozmowy.onet.pl/_loinc/sonda/wyniki.html?ITEM=4530&MIEJSCE=WIADOMOSCI", aName=0x0, aFeatures=0x89d6e08 "toolbar=no,directories=no,width=495,height=240,status=no,scrollbars=no,resizable=yes,menubar=no", aArguments=0x0, _retval=0xbfbfb5f8) at nsWindowWatcher.cpp:457
#55 0x29889755 in GlobalWindowImpl::OpenInternal (this=0x86c2700, aUrl=@0xbfbfb4f8, aName=@0xbfbfb7a8, aOptions=@0xbfbfb708, aDialog=0, argv=0x0, argc=0, aExtraArgument=0x0, aReturn=0xbfbfbb50) at nsTString.h:631
#56 0x298848a7 in GlobalWindowImpl::Open (this=0x86c2700, _retval=0xbfbfbb50) at nsGlobalWindow.cpp:3278
#57 0x282194d4 in XPTC_InvokeByIndex (that=0x86c2708, methodIndex=15, paramCount=3217000080, params=0xbfbfbb50) at xptcinvoke_unixish_x86.cpp:130
#58 0x28bfd6fd in XPCWrappedNative::CallMethod (ccx=@0xbfbfbc10, mode=XPCWrappedNative::CALL_METHOD) at xpcwrappednative.cpp:2027
#59 0x28c07131 in XPC_WN_CallMethod (cx=0x86a7c00, obj=0x86506b8, argc=3, argv=0xbfbfbc10, vp=0xbfbfbd50) at xpcwrappednativejsops.cpp:1287
#60 0x280e351f in js_Invoke (cx=0x86a7c00, argc=3, flags=0) at jsinterp.c:941
#61 0x280ee5ab in js_Interpret (cx=0x86a7c00, result=0xbfbfbfec) at jsinterp.c:2972
#62 0x280e3587 in js_Invoke (cx=0x86a7c00, argc=3, flags=0) at jsinterp.c:958
#63 0x280ee5ab in js_Interpret (cx=0x86a7c00, result=0xbfbfc2ac) at jsinterp.c:2972
#64 0x280e3587 in js_Invoke (cx=0x86a7c00, argc=1, flags=2) at jsinterp.c:958
#65 0x280e37ed in js_InternalInvoke (cx=0x86a7c00, obj=0x80727b0, fval=134686640, flags=0, argc=1, argv=0xbfbfc51c, rval=0x80727b0) at jsinterp.c:1035
#66 0x280bda0e in JS_CallFunctionValue (cx=0x86a7c00, obj=0x891f638, fval=143788296, argc=1, argv=0xbfbfc51c, rval=0xbfbfc504) at jsapi.c:3698
#67 0x29873b84 in nsJSContext::CallEventHandler (this=0x86b2c80, aTarget=0x891f638, aHandler=0x8920908, argc=1, argv=0xbfbfc51c, rval=0xbfbfc504) at nsJSEnvironment.cpp:1296
#68 0x298c5f09 in nsJSEventListener::HandleEvent (this=0x8caf240, aEvent=0x89d7088) at nsJSEventListener.cpp:174
#69 0x296bdd7a in nsEventListenerManager::HandleEventSubType (this=0x8b5ba80, aListenerStruct=0x8c53790, aDOMEvent=0x89d7088, aCurrentTarget=0x8a28a00, aSubType=1, aPhaseFlags=134686640) at nsEventListenerManager.cpp:1436
#70 0x296be0f0 in nsEventListenerManager::HandleEvent (this=0x8b5ba80, aPresContext=0x8946c00, aEvent=0xbfbfcb00, aDOMEvent=0xbfbfc8dc, aCurrentTarget=0x8a28a00, aFlags=7, aEventStatus=0xbfbfcae4) at nsEventListenerManager.cpp:1529
#71 0x296471a7 in nsGenericElement::HandleDOMEvent (this=0x89fa680, aPresContext=0x8946c00, aEvent=0xbfbfcb00, aDOMEvent=0xbfbfc8dc, aFlags=7, aEventStatus=0xbfbfcae4) at nsGenericElement.cpp:1957
#72 0x297024d2 in nsHTMLFormElement::HandleDOMEvent (this=0x89fa680, aPresContext=0x8946c00, aEvent=0xbfbfcb00, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfbfcae4) at nsHTMLFormElement.cpp:727
#73 0x294b965e in PresShell::HandleDOMEventWithTarget (this=0x8274c00, aTargetContent=0x89fa680, aEvent=0xbfbfcb00, aStatus=0xbfbfcae4) at nsPresShell.cpp:6133
#74 0x29718957 in nsHTMLInputElement::HandleDOMEvent (this=0x8cb5200, aPresContext=0x8946c00, aEvent=0xbfbfcde0, aDOMEvent=0x0, aFlags=1, aEventStatus=0xbfbfd41c) at nsHTMLInputElement.cpp:1594
#75 0x294b930f in PresShell::HandleEventInternal (this=0x8274c00, aEvent=0xbfbfcde0, aView=0x0, aFlags=1, aStatus=0xbfbfd41c) at nsPresShell.cpp:6056
#76 0x294b8ff3 in PresShell::HandleEventWithTarget (this=0x8274c00, aEvent=0xbfbfcde0, aFrame=0x8a725f8, aContent=0x8cb5200, aFlags=1, aStatus=0xbfbfd41c) at nsPresShell.cpp:5981
#77 0x296c7c2d in nsEventStateManager::CheckForAndDispatchClick (this=0x87e3f00, aPresContext=0x8946c00, aEvent=0xbfbfd620, aStatus=0xbfbfd41c) at nsEventStateManager.cpp:2920
#78 0x296c586b in nsEventStateManager::PostHandleEvent (this=0x87e3f00, aPresContext=0x8946c00, aEvent=0xbfbfd620, aTargetFrame=0x8a725f8, aStatus=0xbfbfd41c, aView=0x8880c00) at nsEventStateManager.cpp:1921
#79 0x294b959d in PresShell::HandleEventInternal (this=0x8274c00, aEvent=0xbfbfd620, aView=0x8880c00, aFlags=1, aStatus=0xbfbfd41c) at nsPresShell.cpp:6108
#80 0x294b8d18 in PresShell::HandleEvent (this=0x8274c00, aView=0x8880c00, aEvent=0xbfbfd620, aEventStatus=0xbfbfd41c, aForceHandle=0, aHandled=@0xbfbfd420) at nsPresShell.cpp:5918
#81 0x2986874b in nsViewManager::HandleEvent (this=0x8846000, aView=0x8880280, aEvent=0xbfbfd620, aCaptured=0) at nsVoidArray.h:61
#82 0x29867aa6 in nsViewManager::DispatchEvent (this=0x8846000, aEvent=0xbfbfd620, aStatus=0xbfbfd5cc) at nsViewManager.cpp:2030
#83 0x2985d83e in HandleEvent (aEvent=0xbfbfd620) at nsView.h:243
#84 0x28d3990e in nsCommonWidget::DispatchEvent (this=0x895c700, aEvent=0xbfbfd620, aStatus=@0xbfbfd61c) at nsCommonWidget.cpp:215
#85 0x28d2dd1f in nsWindow::OnButtonReleaseEvent (this=0x895c700, aWidget=0x8239300, aEvent=0xbfbf8690) at nsWindow.cpp:1449
#86 0x28d31f8c in button_release_event_cb (widget=0x8239300, event=0x8253018) at nsWindow.cpp:3274
#87 0x2847081c in gtk_marshal_VOID__UINT_STRING () from /usr/X11R6/lib/libgtk-x11-2.0.so.400
#88 0x2887b3dc in g_closure_invoke () from /usr/local/lib/libgobject-2.0.so.400
#89 0x28891645 in signal_emit_unlocked_R () from /usr/local/lib/libgobject-2.0.so.400
#90 0x288904c3 in g_signal_emit_valist () from /usr/local/lib/libgobject-2.0.so.400
#91 0x288906cd in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.400
#92 0x28554ec0 in gtk_widget_send_expose () from /usr/X11R6/lib/libgtk-x11-2.0.so.400
#93 0x28554af0 in gtk_widget_event () from /usr/X11R6/lib/libgtk-x11-2.0.so.400
#94 0x2846f1e8 in gtk_propagate_event () from /usr/X11R6/lib/libgtk-x11-2.0.so.400
#95 0x2846e114 in gtk_main_do_event () from /usr/X11R6/lib/libgtk-x11-2.0.so.400
#96 0x2863f8b3 in gdk_x11_register_standard_event_type () from /usr/X11R6/lib/libgdk-x11-2.0.so.400
#97 0x288d308f in g_main_dispatch () from /usr/local/lib/libglib-2.0.so.400
#98 0x288d3f5b in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.400
#99 0x288d433a in g_main_context_iterate () from /usr/local/lib/libglib-2.0.so.400
#100 0x288d49a6 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.400
#101 0x2846d9c2 in gtk_main () from /usr/X11R6/lib/libgtk-x11-2.0.so.400
#102 0x28d376a5 in nsAppShell::Run (this=0x80bc3e0) at nsAppShell.cpp:142
#103 0x28c5465f in nsAppShellService::Run (this=0x809ffc0) at nsAppShellService.cpp:494
#104 0x0805bbd8 in xre_main (argc=1, argv=0xbfbfe454, aAppData=0x806e3cc) at nsAppRunner.cpp:1908
#105 0x08055a07 in main (argc=1, argv=0xbfbfe454) at nsBrowserApp.cpp:58

This seems to be related to JavaScript pop-up windows (see the code for xxx.html). Specifically, with the window properties. That is, the following will cause the crash:

javascript:window.open("xxx1.html", "MyWin", "directories=no,height=565,location=no,menubar=no,resizable=no,scrollbars=no,status=no,toolbar=no,width=562");

Whereas the following will not cause the crash:

javascript:window.open("xxx1.html", "MyWin");

Reproducible: Sometimes

Steps to Reproduce:
1. See the description above.

Actual Results: The browser crashed with either an abort or a bus error.

Expected Results: A new window should have popped up, and the browser should not have crashed.
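Added illustration, not Gecko code and not from the reporter: in the trace above, nsImageBoxFrame::UpdateImage (frame #5) resets a member nsCOMPtr whose raw value already reads 0xdddddddd (frames #0 and #1), and UpdateAttributes was handed aAttribute=0xdddddddd (frame #6). The constructed model below assumes, as debug allocators and arenas commonly do, that freed memory is filled with 0xdd bytes, and shows how releasing through an owner that has already been freed surfaces that pattern and how a poison check catches it before the pointer is dereferenced; Box, ImagePtr, looksPoisoned and staleUpdateCaught are invented names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed model, not Gecko code. A static object stands in for the heap so
// that reading a "freed" object stays well defined; freeing fills it with 0xdd
// bytes (assumed debug-allocator poison), the value seen as 0xdddddddd above.
static const uint8_t kPoisonByte = 0xdd;

struct Image { uint32_t refcnt; };

// Minimal nsCOMPtr-like holder: assigning a new value releases the old pointee.
struct ImagePtr {
    Image* raw;
    void assign(Image* p) {
        if (p) p->refcnt++;
        if (raw && --raw->refcnt == 0) std::memset(raw, kPoisonByte, sizeof(*raw));
        raw = p;
    }
};

// The object that owns the holder, in the role nsImageBoxFrame plays in frame #5.
struct Box { uint32_t tag; ImagePtr mImage; };

static Image gImage;
static Box   gBox;

// True when every byte of a field is the poison byte: the memory that should
// hold a live pointer was freed and overwritten, so the pointer must not be used.
static bool looksPoisoned(const void* field, size_t n) {
    const uint8_t* b = static_cast<const uint8_t*>(field);
    for (size_t i = 0; i < n; i++) if (b[i] != kPoisonByte) return false;
    return true;
}

static void freeBox(Box* b) { std::memset(b, kPoisonByte, sizeof(*b)); }

// Scenario: the box is freed while an update path can still reach it, and that
// path then resets box->mImage, as UpdateImage does in frame #5. Returns true
// when the stale release is caught by the poison check instead of dereferencing
// 0xdd.. memory (the state frames #0-#4 are in).
static bool staleUpdateCaught(bool boxFreedFirst) {
    gImage.refcnt = 1;
    gBox.tag = 1; gBox.mImage.raw = nullptr;
    gBox.mImage.assign(&gImage);           // box takes its reference: refcnt 2
    if (boxFreedFirst) freeBox(&gBox);     // lifetime bug: owner dies, path still runs
    if (looksPoisoned(&gBox.mImage.raw, sizeof(Image*))) return true;
    gBox.mImage.assign(nullptr);           // healthy path: refcnt back to 1
    return false;
}
```

In a real debugger session the same check is done by eye: a `this` or member value of 0xdddddddd in a frame means the containing object, not just the pointee, is already gone.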
Can not reproduce this in Linux with Firefox aviary. Reporter, just to confirm, you were crashing with Firefox and not Galeon (which it looks like you filed this bug with), correct?
I do not have access to any Linux machines, however I was using Firefox 0.10.1 (with no plug-ins, themes, or extensions) on FreeBSD 5.3 to reproduce this crash. Other users were on FreeBSD 5.2.1 or 4.10, and encountered the same crash.
As another note, this was not reproducible in Firefox 0.9.3 on the same OS versions.
Here is the agent string from the browser that can reproduce the crash: Mozilla/5.0 (X11; U; FreeBSD i386; rv:1.7.3) Gecko/20041015 Firefox/0.10.1
I have a feeling this is very similar to bugs 260032, 258943, 257296, and 255372. It is definitely intermittent on FreeBSD. Some users report seeing this only after Firefox has been running for a while. Also, certain pop-up crashes result in the following being displayed on stderr, pointing to a malloc/free problem:

firefox-bin in free(): error: chunk is already free
firefox-bin in free(): error: chunk is already free
*** This bug has been marked as a duplicate of 255372 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
No longer depends on: 255372
Resolution: --- → DUPLICATE