Closed Bug 267249 Opened 21 years ago Closed 21 years ago

FF10RC1 Crash when clicking on link in pop-up window [@ nsDocShell::InternalLoad]

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dan, Assigned: jst)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

Don't null out mPrefs in ::Destroy()
917 bytes, patch
dbaron
: review+
brendan
: superreview+
brendan
: approval-aviary+
brendan
: approval1.7.5+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1 In my example it crashes after javascript opens a window and then closes it again. (Or while trying to load a page in original window.) Reproducible: Always Steps to Reproduce: 1.Go to http://www.habasit.se/industry/6143.html?Industry&IndustryBS=0&IndustryPL=0 (the page reloades a few times to get frames etc) 2. Select "Primary packaging (solids / granulates)" in pop-up menu 3. In the new window click on "Blister packing machine" (Other, but not all, choices crashes also (doesn't contain links etc). If bypassing step 1 and 2 crash do not occur) Actual Results: Firefox crashes (SIGBUS: Bus Error: (signal 10) ) Expected Results: Show the link in a frame in the original window, and close the new window. Talkback IDs: TB1663712 (2004110106), TB1664240 (2004102621, PowerBook G3), TB1663615 (2004102621, PowerMac G4) Stack Signature: nsDocShell::InternalLoad() 49c73115 I traced this bug in old nightleys and last version it doesn't occur is in PR1 (2004-10-01) (neither in nightly 2004-09-30). In the nigthly build 2004-10-02 it crashes. Still exists in latest nigthly (2004-11-01). Probably not connected to bug 255372 since this one surfaces before that one got fixed. (And after it occured) (Not to mention different stack traces)
Stack trace: nsDocShell::InternalLoad() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp, line 710] nsDocShell::InternalLoad() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp, line 692] HandlePLEvent() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsWebShell.cpp, line 692] PL_HandleEvent() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c, line 674] PL_ProcessPendingEvents() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c, line 608] _md_EventReceiverProc() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c, line 1578] HIToolbox.145.0.0 + 0x1fc8 (0x927d1fc8) HIToolbox.145.0.0 + 0x223c (0x927d223c) HIToolbox.145.0.0 + 0x66bc (0x927d66bc) HIToolbox.145.0.0 + 0x12d54 (0x927e2d54) HIToolbox.145.0.0 + 0x2084 (0x927d2084) HIToolbox.145.0.0 + 0x223c (0x927d223c) HIToolbox.145.0.0 + 0x146e4 (0x927e46e4) HIToolbox.145.0.0 + 0x18600 (0x927e8600) HIToolbox.145.0.0 + 0x28740 (0x927f8740) HIToolbox.145.0.0 + 0x8db0 (0x927d8db0) HIToolbox.145.0.0 + 0x8f64 (0x927d8f64) HIToolbox.145.0.0 + 0x1ca18 (0x927eca18) HIToolbox.145.0.0 + 0x2d730 (0x927fd730) nsMacMessagePump::GetEvent() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp, line 407] nsMacMessagePump::DoMessagePump() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp, line 312] nsAppShell::Run() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsAppShell.cpp, line 114] xre_main() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp, line 710] _start() start()
This is a topcrasher for Firefox 1.0 RC1 and RC2. It appears to be happening on all platforms according to Talkback data. Here are a couple of sets of crashes from RC1: ==================================================================================================== Count Offset Real Signature [ 13 nsDocShell::InternalLoad() 49c73115 - nsDocShell::InternalLoad() ] Crash date range: 01-NOV-04 to 30-OCT-04 Min/Max Seconds since last crash: 33 - 21041 Min/Max Runtime: 178 - 200487 Count Platform List 13 [Darwin 7.5.0] Count Build Id List 13 2004102621 No of Unique Users 7 Stack trace(Frame) nsDocShell::InternalLoad() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 710] nsDocShell::InternalLoad() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 692] HandlePLEvent() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsWebShell.cpp line 692] PL_HandleEvent() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c line 674] PL_ProcessPendingEvents() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c line 608] _md_EventReceiverProc() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c line 1578] HIToolbox.145.0.0 + 0x1fc8 (0x927d1fc8) HIToolbox.145.0.0 + 0x223c (0x927d223c) HIToolbox.145.0.0 + 0x66bc (0x927d66bc) HIToolbox.145.0.0 + 0x12d54 (0x927e2d54) HIToolbox.145.0.0 + 0x2084 (0x927d2084) HIToolbox.145.0.0 + 0x223c (0x927d223c) HIToolbox.145.0.0 + 0x146e4 (0x927e46e4) HIToolbox.145.0.0 + 0x18600 (0x927e8600) HIToolbox.145.0.0 + 0x28740 (0x927f8740) HIToolbox.145.0.0 + 0x8db0 (0x927d8db0) HIToolbox.145.0.0 + 0x8f64 (0x927d8f64) HIToolbox.145.0.0 + 0x1ca18 (0x927eca18) HIToolbox.145.0.0 + 0x2d730 (0x927fd730) nsMacMessagePump::GetEvent() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp line 407] nsMacMessagePump::DoMessagePump() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp line 312] nsAppShell::Run() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsAppShell.cpp line 114] xre_main() [/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp line 710] _start() [/SourceCache/Csu/Csu-45//SourceCache/Csu/Csu-45/crt.c line 267] start() (1585731) Comments: closing tab ==================================================================================================== Count Offset Real Signature [ 7 nsDocShell::InternalLoad 1583d64a - nsDocShell::InternalLoad ] [ 1 nsDocShell::InternalLoad e10f4f4e - nsDocShell::InternalLoad ] [ 1 nsDocShell::InternalLoad a602f8be - nsDocShell::InternalLoad ] Crash date range: 01-NOV-04 to 31-OCT-04 Min/Max Seconds since last crash: 65 - 418011 Min/Max Runtime: 814 - 422626 Count Platform List 9 Windows XP [Windows NT 5.1 build 2600] Count Build Id List 9 2004102622 No of Unique Users 8 Stack trace(Frame) nsDocShell::InternalLoad [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 5197] nsWebShell::OnLinkClickSync [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp line 645] OnLinkClickEvent::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp line 438] PL_HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/threads/plevent.c line 674] 0x778b0c24 nsXMLStylesheetPI::`scalar deleting destructor' 0x74c44d8d (1666233) URL: http://www.habasit.se (1666233) Comments: testing crashing for bug 267249 (yeah it works) (1665686) URL: www.candystand.com (1665675) URL: www.candystand.com (1592872) Comments: nothing unusual clicking on links
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, topcrash
OS: MacOS X → All
Hardware: Macintosh → All
Summary: Crash when clicking on link in pop-up window (crashes in nsDocShell::InternalLoad() ) → FF10RC1 Crash when clicking on link in pop-up window [@ nsDocShell::InternalLoad]
Component: General → Embedding: Docshell
Product: Firefox → Browser
Version: unspecified → Other Branch
Marking topcrash+ since the testcase in this bug is reproducible and also nominating for aviary1.0. We should probably find the right owner for this bug as well.
Assignee: firefox → adamlock
Flags: blocking-aviary1.0?
Keywords: topcrashtopcrash+
QA Contact: firefox.general → adamlock
if we come up with a super-low risk patch we might consider approving that but not going to block.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
We crash trying to handle a link click in a closed window, the crash is due to mPrefs being null since nsDocShell::Destroy() nulls out the pointer, for no reason (it's a service!).
Re-requesting blocing status.
Assignee: adamlock → jst
Flags: blocking-aviary1.0- → blocking-aviary1.0?
Attachment #164807 - Flags: superreview?(brendan)
Attachment #164807 - Flags: review?(dbaron)
Comment on attachment 164807 [details] [diff] [review] Don't null out mPrefs in ::Destroy() sr+a=me. Go fast, thanks. /be
Attachment #164807 - Flags: superreview?(brendan)
Attachment #164807 - Flags: superreview+
Attachment #164807 - Flags: approval1.7.x+
Attachment #164807 - Flags: approval-aviary+
Fixed on the aviary branch.
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Keywords: fixed-aviary1.0
Depends on: 172962
Fixed on trunk and 1.7 branch now too.
Status: NEW → RESOLVED
Closed: 21 years ago
Keywords: fixed1.7.x
Resolution: --- → FIXED
Crash Signature: [@ nsDocShell::InternalLoad]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: