Closed Bug 267249 Opened 19 years ago Closed 19 years ago

FF10RC1 Crash when clicking on link in pop-up window [@ nsDocShell::InternalLoad]

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dan, Assigned: jst)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

Don't null out mPrefs in ::Destroy()
917 bytes, patch
dbaron
: review+
brendan
: superreview+
brendan
: approval-aviary+
brendan
: approval1.7.5+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1

In my example it crashes after javascript opens a window and then closes it
again. (Or while trying to load a page in original window.)

Reproducible: Always
Steps to Reproduce:
1.Go to
http://www.habasit.se/industry/6143.html?Industry&IndustryBS=0&IndustryPL=0 (the
page reloades a few times to get frames etc)
2. Select "Primary packaging (solids / granulates)" in pop-up menu
3. In the new window click on "Blister packing machine"

(Other, but not all, choices crashes also (doesn't contain links etc). If
bypassing step 1 and 2 crash do not occur)
Actual Results:  
Firefox crashes (SIGBUS: Bus Error: (signal 10) )

Expected Results:  
Show the link in a frame in the original window, and close the new window.

Talkback IDs: TB1663712 (2004110106), TB1664240 (2004102621, PowerBook G3),
TB1663615 (2004102621, PowerMac G4)
Stack Signature: nsDocShell::InternalLoad() 49c73115

I traced this bug in old nightleys and last version it doesn't occur is in PR1
(2004-10-01) (neither in nightly 2004-09-30). In the nigthly build 2004-10-02 it
crashes. Still exists in latest nigthly (2004-11-01).

Probably not connected to bug 255372 since this one surfaces before that one got
fixed. (And after it occured) (Not to mention different stack traces)
Stack trace:

nsDocShell::InternalLoad() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp,
line 710]
nsDocShell::InternalLoad() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp,
line 692]
HandlePLEvent() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsWebShell.cpp,
line 692]
PL_HandleEvent() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c,
line 674]
PL_ProcessPendingEvents() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c,
line 608]
_md_EventReceiverProc() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c,
line 1578]
HIToolbox.145.0.0 + 0x1fc8 (0x927d1fc8)
HIToolbox.145.0.0 + 0x223c (0x927d223c)
HIToolbox.145.0.0 + 0x66bc (0x927d66bc)
HIToolbox.145.0.0 + 0x12d54 (0x927e2d54)
HIToolbox.145.0.0 + 0x2084 (0x927d2084)
HIToolbox.145.0.0 + 0x223c (0x927d223c)
HIToolbox.145.0.0 + 0x146e4 (0x927e46e4)
HIToolbox.145.0.0 + 0x18600 (0x927e8600)
HIToolbox.145.0.0 + 0x28740 (0x927f8740)
HIToolbox.145.0.0 + 0x8db0 (0x927d8db0)
HIToolbox.145.0.0 + 0x8f64 (0x927d8f64)
HIToolbox.145.0.0 + 0x1ca18 (0x927eca18)
HIToolbox.145.0.0 + 0x2d730 (0x927fd730)
nsMacMessagePump::GetEvent() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp,
line 407]
nsMacMessagePump::DoMessagePump() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp,
line 312]
nsAppShell::Run() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsAppShell.cpp,
line 114]
xre_main() 
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp,
line 710]
_start()   start()
This is a topcrasher for Firefox 1.0 RC1 and RC2. It appears to be happening on
all platforms according to Talkback data.   Here are a couple of sets of crashes
from RC1:

====================================================================================================
     Count   Offset    Real Signature
[ 13   nsDocShell::InternalLoad() 49c73115 - nsDocShell::InternalLoad() ]
 
     Crash date range: 01-NOV-04 to 30-OCT-04
     Min/Max Seconds since last crash: 33 - 21041
     Min/Max Runtime: 178 - 200487
 
     Count   Platform List 
     13   [Darwin 7.5.0]      
 
     Count   Build Id List 
     13   2004102621
 
     No of Unique Users         7
 
 Stack trace(Frame) 

	 nsDocShell::InternalLoad()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 710] 
	 nsDocShell::InternalLoad()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 692] 
	 HandlePLEvent()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/docshell/base/nsWebShell.cpp
 line 692] 
	 PL_HandleEvent()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c
 line 674] 
	 PL_ProcessPendingEvents()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c
 line 608] 
	 _md_EventReceiverProc()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/xpcom/threads/plevent.c
 line 1578] 
	 HIToolbox.145.0.0 + 0x1fc8 (0x927d1fc8)  
	 HIToolbox.145.0.0 + 0x223c (0x927d223c)  
	 HIToolbox.145.0.0 + 0x66bc (0x927d66bc)  
	 HIToolbox.145.0.0 + 0x12d54 (0x927e2d54)  
	 HIToolbox.145.0.0 + 0x2084 (0x927d2084)  
	 HIToolbox.145.0.0 + 0x223c (0x927d223c)  
	 HIToolbox.145.0.0 + 0x146e4 (0x927e46e4)  
	 HIToolbox.145.0.0 + 0x18600 (0x927e8600)  
	 HIToolbox.145.0.0 + 0x28740 (0x927f8740)  
	 HIToolbox.145.0.0 + 0x8db0 (0x927d8db0)  
	 HIToolbox.145.0.0 + 0x8f64 (0x927d8f64)  
	 HIToolbox.145.0.0 + 0x1ca18 (0x927eca18)  
	 HIToolbox.145.0.0 + 0x2d730 (0x927fd730)  
	 nsMacMessagePump::GetEvent()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp
 line 407] 
	 nsMacMessagePump::DoMessagePump()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsMacMessagePump.cpp
 line 312] 
	 nsAppShell::Run()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/widget/src/mac/nsAppShell.cpp
 line 114] 
	 xre_main()
[/builds/tinderbox/firefox-1.0/Darwin_7.4.0_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp
 line 710] 
	 _start()	[/SourceCache/Csu/Csu-45//SourceCache/Csu/Csu-45/crt.c  line 267] 
	 start()   
 
     (1585731)	Comments: closing tab
 
====================================================================================================
     Count   Offset    Real Signature
[ 7   nsDocShell::InternalLoad 1583d64a - nsDocShell::InternalLoad ]
[ 1   nsDocShell::InternalLoad e10f4f4e - nsDocShell::InternalLoad ]
[ 1   nsDocShell::InternalLoad a602f8be - nsDocShell::InternalLoad ]
 
     Crash date range: 01-NOV-04 to 31-OCT-04
     Min/Max Seconds since last crash: 65 - 418011
     Min/Max Runtime: 814 - 422626
 
     Count   Platform List 
     9   Windows XP [Windows NT 5.1 build 2600] 
 
     Count   Build Id List 
     9   2004102622
 
     No of Unique Users         8
 
 Stack trace(Frame) 

	 nsDocShell::InternalLoad
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp
 line 5197] 
	 nsWebShell::OnLinkClickSync
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp
 line 645] 
	 OnLinkClickEvent::HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp
 line 438] 
	 PL_HandleEvent
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/threads/plevent.c
 line 674] 
	 0x778b0c24  
	 nsXMLStylesheetPI::`scalar deleting destructor'  
	 0x74c44d8d   
 
     (1666233)	URL: http://www.habasit.se
     (1666233)	Comments: testing crashing for bug 267249 (yeah  it works)
     (1665686)	URL: www.candystand.com
     (1665675)	URL: www.candystand.com
     (1592872)	Comments: nothing unusual  clicking on links
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, topcrash
OS: MacOS X → All
Hardware: Macintosh → All
Summary: Crash when clicking on link in pop-up window (crashes in nsDocShell::InternalLoad() ) → FF10RC1 Crash when clicking on link in pop-up window [@ nsDocShell::InternalLoad]
Component: General → Embedding: Docshell
Product: Firefox → Browser
Version: unspecified → Other Branch
Marking topcrash+ since the testcase in this bug is reproducible and also
nominating for aviary1.0.

We should probably find the right owner for this bug as well.
Assignee: firefox → adamlock
Flags: blocking-aviary1.0?
Keywords: topcrashtopcrash+
QA Contact: firefox.general → adamlock
if we come up with a super-low risk patch we might consider approving that but
not going to block.
Flags: blocking-aviary1.0? → blocking-aviary1.0-
We crash trying to handle a link click in a closed window, the crash is due to
mPrefs being null since nsDocShell::Destroy() nulls out the pointer, for no
reason (it's a service!).
Re-requesting blocing status.
Assignee: adamlock → jst
Flags: blocking-aviary1.0- → blocking-aviary1.0?
Attachment #164807 - Flags: superreview?(brendan)
Attachment #164807 - Flags: review?(dbaron)
Attachment #164807 - Flags: review?(dbaron) → review+
Comment on attachment 164807 [details] [diff] [review]
Don't null out mPrefs in ::Destroy()

sr+a=me.  Go fast, thanks.

/be
Attachment #164807 - Flags: superreview?(brendan)
Attachment #164807 - Flags: superreview+
Attachment #164807 - Flags: approval1.7.x+
Attachment #164807 - Flags: approval-aviary+
Fixed on the aviary branch.
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Keywords: fixed-aviary1.0
Depends on: 172962
Fixed on trunk and 1.7 branch now too.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.7.x
Resolution: --- → FIXED
Crash Signature: [@ nsDocShell::InternalLoad]
You need to log in before you can comment on or make changes to this bug.