Closed Bug 267804 Opened 20 years ago Closed 20 years ago

FF10RC1 crash blocking iframes with AdBlock extension [@ nsDocShell::GetVisibility]

Categories

(Core :: Layout, defect)

Other Branch
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jay, Assigned: dbaron)

Details

(Keywords: crash, topcrash)

Attachments

(1 file)

This is a topcrash for Firefox 1.0 RC1 and is clearly related to the AdBlock extension. Comments suggest it's more directly a result of blocking iframes:

Count Offset Real Signature
[ 25 nsDocShell::GetVisibility d3962dc2 - nsDocShell::GetVisibility ]

Crash date range: 01-NOV-04 to 31-OCT-04
Min/Max Seconds since last crash: 17 - 385701
Min/Max Runtime: 4077 - 396191

Count Platform List
25 Windows XP [Windows NT 5.1 build 2600]

Count Build Id List
25 2004102622

No of Unique Users 22

Stack trace(Frame)
nsDocShell::GetVisibility [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 3363]
PresShell::IsVisible [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 6158]
IsViewVisible [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 416]
nsViewManager::SetWindowDimensions [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 684]
DocumentViewerImpl::InitPresentationStuff [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp line 690]
DocumentViewerImpl::InitInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp line 876]
DocumentViewerImpl::Init [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocumentViewer.cpp line 639]
nsDocShell::Embed [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 4235]
nsDocShell::CreateAboutBlankContentViewer [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 4549]
nsDocShell::EnsureContentViewer [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsDocShell.cpp line 4478]
nsWebShell::GetInterface [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/docshell/base/nsWebShell.cpp line 313]
nsGetInterface::operator() [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsIInterfaceRequestorUtils.cpp line 53]
nsCOMPtr_base::assign_from_helper [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/glue/nsCOMPtr.cpp line 114]
GlobalWindowImpl::GetDocument [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 1108]
nsWindowSH::OnDocumentChanged [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMClassInfo.cpp line 4391]
nsWindowSH::NewResolve [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsDOMClassInfo.cpp line 4661]
XPC_WN_Helper_NewResolve [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp line 929]
js_LookupPropertyWithFlags [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2489]
js_LookupProperty [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2587]
js_GetProperty [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c line 2693]
js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2801]
js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 958]
js_InternalInvoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1035]
JS_CallFunctionValue [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3698]
nsJSContext::CallEventHandler [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 1297]
GlobalWindowImpl::RunTimeout [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 5309]
GlobalWindowImpl::TimerCallback [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 5671]
nsXULWindow::ShowModal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsXULWindow.cpp line 362]
nsContentTreeOwner::ShowAsModal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 443]
GlobalWindowImpl::OpenInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 4903]
GlobalWindowImpl::OpenDialog [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp line 3448]
XPTC_InvokeByIndex [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp line 102]
XPCWrappedNative::CallMethod [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp line 2034]
XPC_WN_CallMethod [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp line 1287]
js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 941]
js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2972]
js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 958]
js_Interpret [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 2972]
js_Invoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 958]
js_InternalInvoke [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c line 1035]
JS_CallFunctionValue [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsapi.c line 3698]
nsJSContext::CallEventHandler [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/base/nsJSEnvironment.cpp line 1297]
nsJSEventListener::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp line 184]
nsEventListenerManager::HandleEventSubType [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp line 1436]
nsEventListenerManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp line 1516]
nsXULElement::HandleDOMEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp line 2841]
PresShell::HandleDOMEventWithTarget [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 6139]
nsMenuFrame::Execute [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuFrame.cpp line 1671]
nsMenuFrame::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/xul/base/src/nsMenuFrame.cpp line 454]
PresShell::HandleEventInternal [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 6103]
PresShell::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp line 5921]
nsViewManager::HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 2326]
nsViewManager::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp line 2066]
HandleEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp line 77]
nsWindow::DispatchEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 1067]
nsWindow::DispatchMouseEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 5261]
ChildWindow::DispatchMouseEvent [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 5511]
nsWindow::WindowProc [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp line 1349]
USER32.dll + 0x8709 (0x77d48709)
USER32.dll + 0x87eb (0x77d487eb)
USER32.dll + 0x89a5 (0x77d489a5)
USER32.dll + 0x89e8 (0x77d489e8)
nsAppShell::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsAppShell.cpp line 159]
nsAppShellService::Run [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp line 495]

(1708502) URL: www.bluesnews.com
(1708502) Comments: configuring adblock extension
(1689987) Comments: was adding an iframe to be blocked by 'adblock' firefox extension.
(1680437) URL: http://www.nforce.nl
(1680437) Comments: NOTHING
(1675816) Comments: ad block iframe
(1655812) URL: http://www.bluesnews.com
(1655812) Comments: blocking an ad with adblocker extension
(1636632) Comments: edited an Adblock address removing only the querystring from an url to a .php page
(1621567) URL: http://www.xbitlabs.com/articles/cpu/display/athlon64-fx55.html
(1621567) Comments: Twice this has happened so I think it may be repeatable. I was blocking an iFrame using Adblock. The iFrame is about halfway down the page and is in the middle of the content.
(1600439) URL: www.betanews.com
(1600439) Comments: adblocking without a * wildcard
(1583888) URL: http://www.rage3d.com/board
(1583888) Comments: Adblocking the banner ad.
(1578070) URL: http://www.wired.com/news/ebiz/0 1272 65503 00.html/wn_ascii
(1578070) Comments: Attempting to block an iframe with the adblock extension.
This is happening on all platforms.
OS: Windows XP → All
Hardware: PC → All
WFM using Firefox 1.0 RC2 build
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

I was not able to crash at any of the urls found in Talkback data after installing Adblock v.5 d2 * nightly 39. I tried blocking every iframe ad I could find on those websites and things worked fine for me.
Assignee: nobody → dbaron
I've looked at the disassembly from talkback incident 1758597. The line number in GetVisibility is completely bogus, and I can't see any good reason for it to be that way. However, the "code around the PC" section shows that slightly after the crash point there are three function calls:
 * 0x28 virtual function with 2 arguments (including this)
 * 0x74 virtual function with 2 arguments (including this)
 * 0x7c virtual function with 3 arguments (including this)
 * 0xc4 virtual function with 1 argument (including this)

The disassembly seems to match the following code perfectly (in other respects as well):

        pPresShell->GetDocument(getter_AddRefs(pDoc));
        nsIContent *shellContent = pDoc->FindContentForSubDocument(doc);
        NS_ASSERTION(shellContent, "subshell not in the map");
        nsIFrame* frame;
        pPresShell->GetPrimaryFrameFor(shellContent, &frame);
        if (frame && !frame->AreAncestorViewsVisible()) {

And if that's correct, the crash is because |pPresShell| is null.
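The failure mode diagnosed in the comment above, as an added example that is not code from this bug, its attached patch, or Mozilla. `Frame`, `PresShell` and `DocShell` are simplified stand-ins, and both the walk up the parent chain and the "report not visible" policy in the guarded version are assumptions of this sketch.

```cpp
// Added illustration: simplified stand-ins, not Mozilla's classes.
#include <cstdio>

struct Frame { bool ancestorViewsVisible; };

struct PresShell {
    Frame* subdocFrame;  // frame hosting the child document; may be null
    Frame* GetPrimaryFrameFor() const { return subdocFrame; }
};

struct DocShell {
    DocShell*  parent    = nullptr;
    PresShell* presShell = nullptr;  // null when no presentation exists
};

// Unguarded: same shape as the quoted code. A null pres shell on any
// ancestor is dereferenced by the member call.
bool IsVisibleUnguarded(const DocShell* ds) {
    for (const DocShell* p = ds->parent; p; p = p->parent) {
        PresShell* ps = p->presShell;
        Frame* f = ps->GetPrimaryFrameFor();  // faults when ps == nullptr
        if (f && !f->ancestorViewsVisible) return false;
    }
    return true;
}

// Guarded: check the pointer before the first call through it.
// Returning "not visible" here is an assumed policy for this sketch.
bool IsVisibleGuarded(const DocShell* ds) {
    for (const DocShell* p = ds->parent; p; p = p->parent) {
        PresShell* ps = p->presShell;
        if (!ps) return false;
        Frame* f = ps->GetPrimaryFrameFor();
        if (f && !f->ancestorViewsVisible) return false;
    }
    return true;
}

int main() {
    DocShell parent, child;  // constructed case: parent has no pres shell
    child.parent = &parent;
    std::printf("guarded: %d\n", IsVisibleGuarded(&child));
    return 0;
}
```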
Attached patch: proposed patch
Dunno if this is enough to really fix the crash, since I can't reproduce, but it's worth a try since this is pretty high on the topcrash list.
Attachment #164819 - Flags: superreview?(jst)
Attachment #164819 - Flags: review?(jst)
Attachment #164819 - Flags: approval1.7.x?
Attachment #164819 - Flags: approval-aviary?
I should add an NS_NOTREACHED as well.
Comment on attachment 164819: proposed patch
r+sr=jst
Attachment #164819 - Flags: superreview?(jst)
Attachment #164819 - Flags: superreview+
Attachment #164819 - Flags: review?(jst)
Attachment #164819 - Flags: review+
Attachment #164819 - Flags: approval1.7.x?
Attachment #164819 - Flags: approval1.7.x+
Attachment #164819 - Flags: approval-aviary?
Attachment #164819 - Flags: approval-aviary+
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-11-05 23:58 -0700.
Fix checked in to MOZILLA_1_7_BRANCH, 2004-11-05 23:58 -0700.
Fix checked in to trunk, 2004-11-05 23:59 -0700.

Not marking fixed because I don't know if this fully fixed the crash (although it probably fixed this signature of the crash.)
Using today's FF branch Mac build 2004-11-06-06-0.11 - I tested going to a few of these sites with the Adblock extension installed. Going to http://www.nforce.nl and operating on the Adblock controls froze the browser (and I did get the spinning wheel like it wanted to crash, but it didn't) - the only way I could move forward was the Force-Quit. I then went back and uninstalled the extension and had no problems navigating that site. http://www.rage3d.com/board was also a problem.
I installed adblock on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041106 Firefox/1.0 -- fedora core2 from u.m.o, then went to http://www.nforce.nl I didn't freeze, but I also had difficulty in getting the extension to actually block images. flash block seems to work ok. but image blocking didn't happen.
the adblock tabs were shown on http://www.rage3d.com/board and worked to block the ads... no freeze or crash on linux on this site so far...
marcia@mozilla.org: can you
1. run "Activity Monitor"
2. double click "firefox"
3. click "sample"
4. copy the sample to a file and attach it here (or just show it to dbaron)
Using last night's trunk cvs on Windows XP I'm crashing while trying to block the atdmt iframe in the middle of the right-hand column on http://www.warp2search.net/. I'm getting the following stack often; I was only able to reproduce the nsESM::PreHandleEvent stack in talkback once.

JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "exn.report.root".
Assertion failure: root_points_to_gcArenaPool, at c:/Mozilla/mozilla/js/src/jsgc.c:1335

ntdll.dll!7c901230()
>js3250.dll!JS_Assert(const char * s=0x100cb0a0, const char * file=0x100cb07c, int ln=1335) Line 155 C
js3250.dll!gc_root_marker(JSDHashTable * table=0x00af8028, JSDHashEntryHdr * hdr=0x02710264, unsigned long num=256, void * arg=0x02cf3c60) Line 1335 + 0x1c bytes C
js3250.dll!JS_DHashTableEnumerate(JSDHashTable * table=0x00af8028, JSDHashOperator (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)* etor=0x10043980, void * arg=0x02cf3c60) Line 618 + 0x19 bytes C
js3250.dll!js_GC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0) Line 1551 + 0x15 bytes C
js3250.dll!js_ForceGC(JSContext * cx=0x02cf3c60, unsigned int gcflags=0) Line 1363 + 0xd bytes C
js3250.dll!JS_GC(JSContext * cx=0x02cf3c60) Line 1747 + 0xb bytes C
js3250.dll!JS_MaybeGC(JSContext * cx=0x02cf3c60) Line 1766 + 0x9 bytes C
gklayout.dll!nsJSContext::ScriptEvaluated(int aTerminated=0) Line 1876 + 0xd bytes C++
gklayout.dll!nsJSContext::ScriptExecuted() Line 1947 C++
xpc3250.dll!AutoScriptEvaluate::~AutoScriptEvaluate() Line 107 C++
xpc3250.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper=0x01ffc248, unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x00ba4598, nsXPTCMiniVariant * nativeParams=0x0012b200) Line 1588 + 0x1f bytes C++
xpc3250.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex=3, const nsXPTMethodInfo * info=0x00ba4598, nsXPTCMiniVariant * params=0x0012b200) Line 450 C++
xpcom_core.dll!PrepareAndDispatch(nsXPTCStubBase * self=0x01ffc248, unsigned int methodIndex=3, unsigned int * args=0x0012b2c8, unsigned int * stackBytesToPop=0x0012b2b8) Line 117 + 0x1e bytes C++
xpcom_core.dll!SharedStub() Line 147 C++
xpcom_core.dll!XPTC_InvokeByIndex(nsISupports * that=0x0012b3d8, unsigned int methodIndex=1226172, unsigned int paramCount=12802554, nsXPTCVariant * params=0x01ffc248) Line 102 C++
xpc3250.dll!AutoJSSuspendRequest::SuspendRequest() Line 3009 + 0xd bytes C++
js3250.dll!GetPropertyTreeChild(JSContext * cx=0x003e4aa0, JSScopeProperty * parent=0x02e3cdf8, JSScopeProperty * child=0x02d302e8) Line 785 + 0x9 bytes C
00000001()
sdwalker: interesting report with good data, but a different bug, I think. Could you file a new one on Core: JavaScript Engine with that last comment? Thanks.
(In reply to comment #13)
> sdwalker: interesting report with good data, but a different bug, I think.
> Could you file a new one on Core: JavaScript Engine with that last comment?

Was filed as Bug 274096 and it is fixed.
I only see 6 incidents in Talkback data, which means this crash is long gone. Marking this fixed. If we find other AdBlock related crashes under a different stack signature, let's log a new bug.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsDocShell::GetVisibility]