Closed Bug 305181 Opened 19 years ago Closed 19 years ago

[FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]

Categories

(Core :: DOM: Navigation, defect, P1)

RESOLVED FIXED
mozilla1.8beta4

People

(Reporter: ria.klaassen, Assigned: bzbarsky)

(Keywords: crash, fixed1.8, Whiteboard: [needs SR jst, review bryner])

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+

I get a crash when I navigate between my Gmail inbox and another URL.
Both with branch and trunk.

TB8513919M
TB8513834Q

TB8513943M






Reproducible: Always

Steps to Reproduce:
1. Go to Gmail Inbox.
2. Click the toolbar Home button or a bookmark.
3. Click Back (Firefox goes back to inbox)
4. Click Back (nothing happens)
5. Click Back (crash)

Actual Results:  
Firefox should go to the first page.

Expected Results:  
It crashed.
Incident ID: 8513919 
Stack Signature nsXPConnect::ReleaseJSContext b6fc7098 
Product ID Firefox15 
Build ID 2005081819 
Trigger Time 2005-08-19 01:29:04.0 
Platform Win32 
Operating System Windows NT 5.1 build 2600 
Module firefox.exe + (0000d8c3) 
URL visited gmail 
User Comments  
Since Last Crash 324 sec 
Total Uptime 4358 sec 
Trigger Reason Access violation 
Source File, Line No. c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 
1079 
Stack Trace  

nsXPConnect::ReleaseJSContext  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 
1079]
nsDocShell::Destroy  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3403]
nsFrameLoader::LoadFrame  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 
103]
nsSubDocumentFrame::AttributeChanged  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 500]
nsSVGInnerSVGFrame::QueryInterface
nsBoxFrame::GetMinSize  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 
1022]
nsBoxFrame::GetMinSize  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 
1022]
nsBoxFrame::GetMinSize  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 
1022]
nsBoxFrame::GetMinSize  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 
1022]
nsRootBoxFrame::AddTooltipSupport  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, 
line 313]
DocumentViewerImpl::Destroy  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1298]
nsDocShell::Destroy  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3397]
nsXULWindow::Destroy  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 490]
nsWebShellWindow::Destroy  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, 
line 834]
nsWebShellWindow::HandleEvent  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, 
line 382]
nsWindow::InitEvent  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1193]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1255]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4509]
nsWindow::SetNSWindowPtr  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1384]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x2b8e2 (0x77d3b8e2)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1420]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1396]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x6202 (0x77d16202)
uxtheme.dll + 0x1cc85 (0x5b1acc85)
uxtheme.dll + 0x1ae1 (0x5b191ae1)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1420]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1396]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x4455 (0x77d14455)
USER32.dll + 0x95d5 (0x77d195d5)
nsAppStartup::QueryInterface  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.
cpp, line 124]
main  [c:/builds/tinderbox/Fx-
Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x214c7 (0x77e614c7)

Incident ID: 8513943 
Stack Signature JS_GetClass a1e25076 
Product ID FirefoxTrunk 
Build ID 2005081806 
Trigger Time 2005-08-19 01:30:37.0 
Platform Win32 
Operating System Windows NT 5.1 build 2600 
Module js3250.dll + (00002c8b) 
URL visited gmail 
User Comments  
Since Last Crash 5775 sec 
Total Uptime 5775 sec 
Trigger Reason Access violation 
Source File, Line No. c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2112 
Stack Trace  

JS_GetClass  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2112]
WrappedNativeShutdownEnumerator  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, 
line 429]
nsXPConnect::InitClassesWithNewWrappedGlobal  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 550]
nsDOMEvent::GetBubbles  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsDOMEvent.cpp, line 325]
nsEventListenerManager::CompileEventHandlerInternal  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, 
line 1504]
nsEventListenerManager::HandleEventSubType  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, 
line 1597]
nsGlobalWindow::SetOpenerWindow  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1255]
DocumentViewerImpl::PermitUnload  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1094]
nsDocShell::LoadURI  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 622]
nsDocShell::LoadURI  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 624]
nsDocShell::LoadURI  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 624]
nsDocShell::Stop  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3172]
nsXULWindow::SetZLevel  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 258]
nsWebShellWindow::SetPersistenceTimer  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 565]
nsWebShellWindow::Initialize  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 228]
nsWindow::WidgetToScreen  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 924]
nsWindow::InitEvent  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 984]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4113]
nsWindow::CaptureRollupEvents  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1138]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x2b8e2 (0x77d3b8e2)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::EventIsInsideWindow  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1166]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::CaptureRollupEvents  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1141]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x6202 (0x77d16202)
uxtheme.dll + 0x1cc85 (0x5b1acc85)
uxtheme.dll + 0x1ae1 (0x5b191ae1)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::EventIsInsideWindow  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1166]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::CaptureRollupEvents  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1141]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x4455 (0x77d14455)
USER32.dll + 0x95d5 (0x77d195d5)
nsClassHashtable<nsCStringHashKey,nsPasswordManager::SignonHashEntry>::Get  
[../../../../dist/include/xpcom/nsClassHashtable.h, line 101]
main  [c:/builds/tinderbox/Fx-
Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x214c7 (0x77e614c7)

I believe JS_GetClass may be fixed
Severity: normal → critical
Keywords: crash
Summary: Crash when navigating between Gmail and another URL → Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
This build WFM (no crash): 1.8b4_2005073013
And this one crashes: 1.8b4_2005073111  
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050818
Firefox/1.0+ ID:2005081823

I reproduced the steps of comment #0, nothing happened, I could push back as
often as I wanted.
The Gmail page opened just showed the word "loading...." but nothing happened.

Next I opened multiple tabs (from bookmarks) and crashed right away.
TB8515774G [@ nsQueryInterface::operator() afa0d513 ]
Tried it Peter's way, which is if I understand it right: Gmail > Home > Back >
Bookmarks > crash, and now I get TB8516387G.
Regression range is the same.
And Martijn had these steps: Gmail > Other site > Back: TB8333137G.
Could not reproduce this.
So now there are 4 different talkback signatures.  
Tried it also on another system: WinXP SP2.
Branch: TB8520828Y TB8520832E
Trunk: TB8521537M TB8521600E
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050819
Firefox/1.0+ ID:2005081921

Steps: Gmail -> Press Home button -> Press Back button -> Press Back button again

TB8543839Y

Can someone confirm this bug?
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050819 SeaMonkey/1.0a
TB8544333G, TB8544331Q, TB8544242M

gmail > Throbber > Back > Throbber

1st try I went from an open message to my programmed throbber URL (w3c), going
back didn't bring the message, but the inbox.

Back > Forward > Back > Forward ... has no action on gmail besides
activating/deactivating the button:

1. http://jigsaw.w3.org/css-validator/
2. click 'by URI' http://jigsaw.w3.org/css-validator/
3. http://mail.google.com/mail/
4. open message
5. Back activates Forward Button, message stays
6. Forward deactivates Forward Button, message stays
7. repeat steps 5 and 6, message stays


ravitca sediseb ,liamg)c2w( 
crashed when I closed the browser clicking on the top right [x]
TB8545278X
Stack signature is the same as in my last comment. So the crash seems to come
from some gmail activities, delayed about an hour.

When I wrote comment 10 some typing wasn't seen so I had to reposition the
cursor and retype.
Now I see at the end of my comment a text which seems to be written from right
to left. I never use RTL besides looking at a bug in a page, so I don't know how
to activate RTL modes, and I didn't have a RTL page open today.

the RTL text:
ravitca sediseb ,liamg)c2w( 
I can't reproduce the crash of comment #5 anymore.
And instead of the crash described in comment #0 I get an ugly freeze, leaving
firefox.exe as an idle process in the taskmanager after closing Firefox.

This behaviour changed between these two builds: 1.8b4_2005081915 and
1.8b4_2005081920
Status: UNCONFIRMED → NEW
Ever confirmed: true
I've seen both the hang and the crash with today's trunk builds, we need to make
sure to nail this for 1.8...
Flags: blocking1.8b4?
Following the steps in comment 0 when running in Purify I get the following when
I click back once I've gone back to my gmail inbox:

    [E] FMR: Free memory read in nsSHEntry::GetParent(nsISHEntry * *) {1 occurrence}
        Reading 4 bytes from 0x0b7b7310 (4 bytes at 0x0b7b7310 illegal)
        Address 0x0b7b7310 is at the beginning of a 148 byte block
        Address 0x0b7b7310 points to a C++ new block in heap 0x01c70000
    Thread ID: 0x4f0
    Error location
        nsSHEntry::GetParent(nsISHEntry * *)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399]
        GetRootSHEntry [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7743]
        nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry> *,nsISHEntry *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:7767]
        nsDocShell::Embed(nsIContentViewer *,char const*,nsISupports *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:4469]
        nsDocShell::CreateContentViewer(char const*,nsIRequest
*,nsIStreamListener * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:5538]
        nsDSURIContentListener::DoContent(char const*,int,nsIRequest
*,nsIStreamListener * *,int *)
[e:\tip\mozilla\docshell\base\nsdsuricontentlistener.cpp:130]
        nsDocumentOpenInfo::TryContentListener(nsIURIContentListener
*,nsIChannel *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:774]
        nsDocumentOpenInfo::DispatchContent(nsIRequest *,nsISupports *)
[e:\tip\mozilla\uriloader\base\nsuriloader.cpp:500]
        nsDocumentOpenInfo::OnStartRequest(nsIRequest *,nsISupports *)
[e:\tip\mozilla\uriloader\base\nsuriloader.cpp:345]
        nsHttpChannel::CallOnStartRequest(void)
[e:\tip\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp:752]
    Allocation location
        new(UINT)      [f:\vs70builds\3077\vc\crtbld\crt\src\newop.cpp:10]
        nsSHEntry::Clone(nsISHEntry * *)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:387]
        nsDocShell::CloneAndReplaceChild(nsISHEntry *,nsDocShell *,int,void *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:7631]
        nsDocShell::WalkHistoryEntries(nsISHEntry *,nsDocShell *,(*)(nsISHEntry
*,nsDocShell *,int,void *),void *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:7589]
        nsDocShell::CloneAndReplaceChild(nsISHEntry *,nsDocShell *,int,void *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:7641]
        nsDocShell::CloneAndReplace(nsISHEntry *,nsDocShell *,UINT,nsISHEntry
*,nsISHEntry * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7669]
        nsDocShell::AddChildSHEntry(nsISHEntry *,nsISHEntry *,int)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:2606]
        nsDocShell::AddChildSHEntry(nsISHEntry *,nsISHEntry *,int)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:2621]
        nsDocShell::DoAddChildSHEntry(nsISHEntry *,int)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:2641]
        nsDocShell::AddToSessionHistory(nsIURI *,nsIChannel *,nsISHEntry * *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:7418]
    Free location
        strlen         [f:\vs70builds\3077\vc\crtbld\crt\src\crtdll.c]
        nsSHEntry::Release(void)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:115]
        ReleaseObjects [e:\tip\mozilla\xpcom\ds\nscomarray.cpp:149]
        nsVoidArray::EnumerateForwards((*)(void *,void *),void *)
[e:\tip\mozilla\xpcom\ds\nsvoidarray.cpp:648]
        nsCOMArray_base::Clear(void) [e:\tip\mozilla\xpcom\ds\nscomarray.cpp:156]
        nsSHEntry::~nsSHEntry(void)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:104]
        nsSHEntry::Release(void)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:115]
        nsSHTransaction::~nsSHTransaction(void)
[e:\tip\mozilla\docshell\shistory\src\nsshtransaction.cpp:54]
        nsSHTransaction::`vector deleting destructor'(UINT)
[E:\tip\fb-prf\dist\bin\components\docshell.dll]
        nsSHTransaction::Release(void)
[e:\tip\mozilla\docshell\shistory\src\nsshtransaction.cpp:61]



[E] IPR: Invalid pointer read in nsSHEntry::GetParent(nsISHEntry * *) {1 occurrence}
        Reading 4 bytes from 0xaeaeaeb2 (4 bytes at 0xaeaeaeb2 illegal)
        Address 0xaeaeaeb2 points into a reserved VirtualAlloc'd block 
        Thread ID: 0x4f0
        Error location
            nsSHEntry::GetParent(nsISHEntry * *)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399]
            nsSHEntry::GetParent(nsISHEntry * *)
[e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399]
            GetRootSHEntry [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7743]
            nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry> *,nsISHEntry *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:7767]
            nsDocShell::Embed(nsIContentViewer *,char const*,nsISupports *)
[e:\tip\mozilla\docshell\base\nsdocshell.cpp:4469]
            nsDocShell::CreateContentViewer(char const*,nsIRequest
*,nsIStreamListener * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:5538]
            nsDSURIContentListener::DoContent(char const*,int,nsIRequest
*,nsIStreamListener * *,int *)
[e:\tip\mozilla\docshell\base\nsdsuricontentlistener.cpp:130]
            nsDocumentOpenInfo::TryContentListener(nsIURIContentListener
*,nsIChannel *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:774]
            nsDocumentOpenInfo::DispatchContent(nsIRequest *,nsISupports *)
[e:\tip\mozilla\uriloader\base\nsuriloader.cpp:500]
            nsDocumentOpenInfo::OnStartRequest(nsIRequest *,nsISupports *)
[e:\tip\mozilla\uriloader\base\nsuriloader.cpp:345]
This looks like a problem with the shentry object ownership model. An nsSHEntry
has a weak mParent pointer, the docshell here ends up cloning one, and later on
the clone's parent points to deleted memory...
This doesn't make the history traversal happy, but at least it doesn't crash. 
As far as I can tell gmail actually does a load somehow during our history
traversal, which nukes the "next" SH transaction we used to have and kills its
shentry.  Why this shentry has kids at that point is a good question...
Attachment #193940 - Flags: superreview?(jst)
Attachment #193940 - Flags: review?(bryner)
This makes it possible to at least go back through gmail once (though it does
take two clicks).  Going forward after that and then back again breaks, most
likely because of the session history tree mismatches that assert when you go
back through it the first time.

I'm not sure whether we want to take this or just work on a better arch for
session history that deals with iframes....

If we do decide to take this, I could have also done this using
WalkHistoryEntries if I made the calls before I remove the child docshell, but
then that would mean walking all the kids looking for the one we have here
(which would be passed as aData), which seems gratuitous.
Attachment #193942 - Flags: review?(bryner)
Attachment #193940 - Flags: review?(bryner) → review+
Flags: blocking1.8b4? → blocking1.8b4+
Assignee: nobody → bzbarsky
Priority: -- → P1
Summary: Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext] → [FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
Target Milestone: --- → mozilla1.8beta4
Whiteboard: [needs SR jst, review bryner]
Comment on attachment 193940 [details] [diff] [review]
Fix for the crash

sr=jst for stopping this crash.
Attachment #193940 - Flags: superreview?(jst) → superreview+
Comment on attachment 193940 [details] [diff] [review]
Fix for the crash

Requesting 1.8b approval.  This is a very safe crash fix that just makes sure
we don't leave dangling pointers to deleted memory around.
Attachment #193940 - Flags: approval1.8b4?
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Comment on attachment 193940 [details] [diff] [review]
Fix for the crash

This is safe for 1.8b4.

/be
Attachment #193940 - Flags: approval1.8b4? → approval1.8b4+
Checked in the first diff on 1.8 branch.
Keywords: fixed1.8
I don't see the described problems anymore in trunk and branch.
bz, is this remaining patch necessary for the 1.8 branch or are we finished with
this for 1.8b5?
This is done for 1.8b5; the remaining patch is a nice-to-have for trunk.
per bz's comment, moving off the blocker list. 
Flags: blocking1.8b5+
Blocks: 310456
Comment on attachment 193942 [details] [diff] [review]
Slight improvement on session history

>--- docshell/base/nsDocShell.cpp	25 Aug 2005 21:21:07 -0000	1.734
>+++ docshell/base/nsDocShell.cpp	26 Aug 2005 18:04:04 -0000
>+    // Make sure to remove the child's SHEntry from out SHEntry's child list

typo: s/out/our/

This should make things a little more consistent, thanks! (sorry the review took awhile)
Attachment #193942 - Flags: review?(bryner) → review+
Attachment #193942 - Flags: superreview?(darin)
Comment on attachment 193942 [details] [diff] [review]
Slight improvement on session history

>Index: docshell/base/nsDocShell.cpp

>+    PRInt32 childCount;
>+    container->GetChildCount(&childCount);
>+    for (PRInt32 i = 0; i < childCount; i++) {
>+        nsCOMPtr<nsISHEntry> childEntry;
>+        container->GetChildAt(i, getter_AddRefs(childEntry));
...
>+        container->RemoveChild(childEntry);
>+    }
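
Review bot: childCount is declared without an initializer and the return value of container->GetChildCount(&childCount) is ignored, so if that call fails the loop bound is undefined; initialize childCount to 0 or return early on failure. In the lines shown, childEntry from GetChildAt(i, ...) also reaches container->RemoveChild(childEntry) with no null check, which matters whenever index i no longer refers to a child.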

You don't need to iterate over this list in reverse order?
Doesn't RemoveChild mess up your indexing?
Oh, man.  Good catch, Darin!  I'll post a patch with that fixed sometime tonight.
Attachment #193942 - Flags: superreview?(darin) → superreview-
Attachment #193942 - Attachment is obsolete: true
Attachment #212850 - Flags: superreview?(darin)
Comment on attachment 212850 [details] [diff] [review]
With issues fixed

sr=darin
Attachment #212850 - Flags: superreview?(darin) → superreview+
Checked that patch in.
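
The two issues discussed in this bug, a weak parent pointer left pointing at a freed entry and the indexing question raised in review of the second patch, modelled in a small standalone C++ program. This is an added example, not the Mozilla patch: `Entry`, `RemoveAllForward`, `RemoveAllReverse` and `OrphanHasNullParent` are hypothetical names, and it assumes that removing a child compacts the child list.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Simplified stand-in for a session-history entry (not Mozilla code).
struct Entry {
    Entry* parent = nullptr;                       // weak: does not keep parent alive
    std::vector<std::shared_ptr<Entry>> children;  // strong references
    ~Entry() {
        // A child may outlive us if something else still references it;
        // clear its back-pointer so it never points at freed memory.
        for (auto& c : children)
            if (c->parent == this) c->parent = nullptr;
    }
    void AddChild(const std::shared_ptr<Entry>& c) {
        c->parent = this;
        children.push_back(c);
    }
    std::shared_ptr<Entry> ChildAt(std::size_t i) const {
        if (i < children.size()) return children[i];
        return nullptr;
    }
    // Assumption: removal compacts the list, so later children shift down.
    void RemoveChild(std::shared_ptr<Entry> c) {
        for (std::size_t i = 0; i < children.size(); ++i)
            if (children[i] == c) {
                c->parent = nullptr;
                children.erase(children.begin() + i);
                return;
            }
    }
};

// Forward loop with a count taken up front; returns children left behind.
std::size_t RemoveAllForward(Entry& e) {
    std::size_t count = e.children.size();
    for (std::size_t i = 0; i < count; ++i) {
        auto child = e.ChildAt(i);  // null once i passes the shrunken list
        if (child) e.RemoveChild(child);
    }
    return e.children.size();
}

// Reverse loop: removing index i never moves an index still to be visited.
std::size_t RemoveAllReverse(Entry& e) {
    for (std::size_t i = e.children.size(); i-- > 0;)
        e.RemoveChild(e.ChildAt(i));
    return e.children.size();
}

// True when a child that outlives its parent ends up with a null parent.
bool OrphanHasNullParent() {
    auto child = std::make_shared<Entry>();
    {
        auto parent = std::make_shared<Entry>();
        parent->AddChild(child);
    }  // parent destroyed here; child is still referenced
    return child->parent == nullptr;
}

int main() {
    Entry a, b;
    for (int i = 0; i < 4; ++i) {
        a.AddChild(std::make_shared<Entry>());
        b.AddChild(std::make_shared<Entry>());
    }
    std::printf("forward leaves %zu, reverse leaves %zu, orphan cleared %d\n",
                RemoveAllForward(a), RemoveAllReverse(b), (int)OrphanHasNullParent());
    return 0;
}
```

With four children the forward loop removes only indices 0 and 2 of the original list and leaves two entries attached, while the reverse loop removes all four.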
Depends on: 346259
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Crash Signature: [@ nsXPConnect::ReleaseJSContext]