Bug 305181: [FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
Status: RESOLVED FIXED (Closed)
Opened 19 years ago; closed 19 years ago
Categories: Core :: DOM: Navigation, defect, P1
Target Milestone: mozilla1.8beta4
People: Reporter: ria.klaassen, Assigned: bzbarsky
Details: Keywords: crash, fixed1.8, Whiteboard: [needs SR jst, review bryner]
Attachments (2 files, 1 obsolete file):
2.09 KB, patch (bryner: review+, jst: superreview+, brendan: approval1.8b4+)
3.96 KB, patch (darin.moz: superreview+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+

I get a crash when I navigate between my Gmail inbox and another URL. Both with branch and trunk.
TB8513919M TB8513834Q TB8513943M

Reproducible: Always

Steps to Reproduce:
1. Go to Gmail Inbox.
2. Click the toolbar Home button or a bookmark.
3. Click Back (Firefox goes back to inbox)
4. Click Back (nothing happens)
5. Click Back (crash)

Actual Results: Firefox should go to the first page.
Expected Results: It crashed.
Comment 1 • 19 years ago (Reporter)
See: http://forums.mozillazine.org/viewtopic.php?p=1671321#1671321
Incident ID: 8513919
Stack Signature nsXPConnect::ReleaseJSContext b6fc7098
Product ID Firefox15
Build ID 2005081819
Trigger Time 2005-08-19 01:29:04.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (0000d8c3)
URL visited gmail User Comments
Since Last Crash 324 sec
Total Uptime 4358 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1079
Stack Trace
nsXPConnect::ReleaseJSContext [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 1079]
nsDocShell::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3403]
nsFrameLoader::LoadFrame [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsFrameLoader.cpp, line 103]
nsSubDocumentFrame::AttributeChanged [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 500]
nsSVGInnerSVGFrame::QueryInterface
nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022]
nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022]
nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022]
nsBoxFrame::GetMinSize [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1022]
nsRootBoxFrame::AddTooltipSupport [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp, line 313]
DocumentViewerImpl::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1298]
nsDocShell::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3397]
nsXULWindow::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 490]
nsWebShellWindow::Destroy [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 834]
nsWebShellWindow::HandleEvent [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 382]
nsWindow::InitEvent [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1193]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1255]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4509]
nsWindow::SetNSWindowPtr [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1384]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x2b8e2 (0x77d3b8e2)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1420]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1396]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x6202 (0x77d16202)
uxtheme.dll + 0x1cc85 (0x5b1acc85)
uxtheme.dll + 0x1ae1 (0x5b191ae1)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1420]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::WindowProc [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1396]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x4455 (0x77d14455)
USER32.dll + 0x95d5 (0x77d195d5)
nsAppStartup::QueryInterface [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup. cpp, line 124]
main [c:/builds/tinderbox/Fx- Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x214c7 (0x77e614c7)

Incident ID: 8513943
Stack Signature JS_GetClass a1e25076
Product ID FirefoxTrunk
Build ID 2005081806
Trigger Time 2005-08-19 01:30:37.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module js3250.dll + (00002c8b)
URL visited gmail User Comments
Since Last Crash 5775 sec
Total Uptime 5775 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2112
Stack Trace
JS_GetClass [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2112]
WrappedNativeShutdownEnumerator [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 429]
nsXPConnect::InitClassesWithNewWrappedGlobal [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 550]
nsDOMEvent::GetBubbles [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsDOMEvent.cpp, line 325]
nsEventListenerManager::CompileEventHandlerInternal [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1504]
nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1597]
nsGlobalWindow::SetOpenerWindow [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1255]
DocumentViewerImpl::PermitUnload [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 1094]
nsDocShell::LoadURI [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 622]
nsDocShell::LoadURI [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 624]
nsDocShell::LoadURI [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 624]
nsDocShell::Stop [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 3172]
nsXULWindow::SetZLevel [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 258]
nsWebShellWindow::SetPersistenceTimer [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 565]
nsWebShellWindow::Initialize [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 228]
nsWindow::WidgetToScreen [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 924]
nsWindow::InitEvent [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 984]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4113]
nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1138]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x2b8e2 (0x77d3b8e2)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::EventIsInsideWindow [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1166]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1141]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x45bd (0x77d145bd)
USER32.dll + 0x47d4 (0x77d147d4)
ntdll.dll + 0x25da3 (0x77f65da3)
USER32.dll + 0x6202 (0x77d16202)
uxtheme.dll + 0x1cc85 (0x5b1acc85)
uxtheme.dll + 0x1ae1 (0x5b191ae1)
uxtheme.dll + 0x1b48 (0x5b191b48)
nsWindow::EventIsInsideWindow [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1166]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x5cd6 (0x77d15cd6)
USER32.dll + 0x13346 (0x77d23346)
nsWindow::CaptureRollupEvents [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1141]
USER32.dll + 0x27ad7 (0x77d37ad7)
USER32.dll + 0x2ccd4 (0x77d3ccd4)
USER32.dll + 0x4455 (0x77d14455)
USER32.dll + 0x95d5 (0x77d195d5)
nsClassHashtable<nsCStringHashKey,nsPasswordManager::SignonHashEntry>::Get [../../../../dist/include/xpcom/nsClassHashtable.h, line 101]
main [c:/builds/tinderbox/Fx- Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x214c7 (0x77e614c7)

I believe JS_GetClass may be fixed
Severity: normal → critical
Keywords: crash
Summary: Crash when navigating between Gmail and another URL → Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
Comment 3 • 19 years ago (Reporter)
This build WFM (no crash): 1.8b4_2005073013
And this one crashes: 1.8b4_2005073111
Comment 4 • 19 years ago
regression window comment #3 http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=PhoenixTinderbox&branch=HEAD&branchtype=match&filetype=match&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-07-30+12%3A00%3A00&maxdate=2005-07-31+11%3A00%3A00&cvsroot=%2Fcvsroot
Comment 5 • 19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050818 Firefox/1.0+ ID:2005081823
I reproduced the steps of comment #0, nothing happened, I could push back as often as I wanted. The Gmail page opened just showed the word "loading...." but nothing happened. Next I opened multiple tabs (from bookmarks) and crashed right away.
TB8515774G [@ nsQueryInterface::operator() afa0d513 ]
Updated • 19 years ago
Blocks: splitwindows
Comment 6 • 19 years ago (Reporter)
Tried it Peter's way, which is if I understand it right: Gmail > Home > Back > Bookmarks > crash, and now I get TB8516387G. Regression range is the same.
Comment 7 • 19 years ago (Reporter)
And Martijn had these steps: Gmail > Other site > Back: TB8333137G. Could not reproduce this. So now there are 4 different talkback signatures.
Comment 8 • 19 years ago (Reporter)
Tried it also on another system: WinXP SP2.
Branch: TB8520828Y TB8520832E
Trunk: TB8521537M TB8521600E
Comment 9 • 19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050819 Firefox/1.0+ ID:2005081921
Steps: Gmail -> Press Home button -> Press Back button -> Press Back button again
TB8543839Y
Can someone confirm this bug?
Comment 10 • 19 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20050819 SeaMonkey/1.0a
TB8544333G, TB8544331Q, TB8544242M
gmail > Throbber > Back > Throbber
1st try I went from an open message to my programmed throbber URL (w3c), going back didn't bring the message, but the inbox.
Back > Forward > Back > Forward ... has no action on gmail besides activating/deactivating the button:
1. http://jigsaw.w3.org/css-validator/
2. click 'by URI' http://jigsaw.w3.org/css-validator/
3. http://mail.google.com/mail/
4. open message
5. Back activates Forward Button, message stays
6. Forward deactivates Forward Button, message stays
7. repeat steps 5 and 6, message stays
ravitca sediseb ,liamg)c2w(
Comment 11 • 19 years ago
crashed when I closed the browser clicking on the top right [x] TB8545278X Stack signature is the same as in my last comment. So the crash seems to come from some gmail activities, delayed about an hour. When I wrote comment 10 some typing wasn't seen so I had to reposition the cursor and retype. Now I see at the end of my comment a text which seems to be written from right to left. I never use RTL besides looking at a bug in a page, so I don't know how to activate RTL modes, and I didn't have a RTL page open today. the RTL text: ravitca sediseb ,liamg)c2w(
Comment 12 • 19 years ago (Reporter)
I can't reproduce the crash of comment #5 anymore. And instead of the crash described in comment #0 I get an ugly freeze, leaving firefox.exe as an idle process in the taskmanager after closing Firefox. This behaviour changed between these two builds: 1.8b4_2005081915 and 1.8b4_2005081920
Updated • 19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 13 • 19 years ago
I've seen both the hang and the crash with today's trunk builds, we need to make sure to nail this for 1.8...
Flags: blocking1.8b4?
Comment 14 • 19 years ago
Following the steps in comment 0 when running in Purify I get the following when I click back once I've gone back to my gmail inbox:

[E] FMR: Free memory read in nsSHEntry::GetParent(nsISHEntry * *) {1 occurrence}
    Reading 4 bytes from 0x0b7b7310 (4 bytes at 0x0b7b7310 illegal)
    Address 0x0b7b7310 is at the beginning of a 148 byte block
    Address 0x0b7b7310 points to a C++ new block in heap 0x01c70000
    Thread ID: 0x4f0
    Error location
        nsSHEntry::GetParent(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399]
        GetRootSHEntry [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7743]
        nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry> *,nsISHEntry *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7767]
        nsDocShell::Embed(nsIContentViewer *,char const*,nsISupports *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:4469]
        nsDocShell::CreateContentViewer(char const*,nsIRequest *,nsIStreamListener * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:5538]
        nsDSURIContentListener::DoContent(char const*,int,nsIRequest *,nsIStreamListener * *,int *) [e:\tip\mozilla\docshell\base\nsdsuricontentlistener.cpp:130]
        nsDocumentOpenInfo::TryContentListener(nsIURIContentListener *,nsIChannel *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:774]
        nsDocumentOpenInfo::DispatchContent(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:500]
        nsDocumentOpenInfo::OnStartRequest(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:345]
        nsHttpChannel::CallOnStartRequest(void) [e:\tip\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp:752]
    Allocation location
        new(UINT) [f:\vs70builds\3077\vc\crtbld\crt\src\newop.cpp:10]
        nsSHEntry::Clone(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:387]
        nsDocShell::CloneAndReplaceChild(nsISHEntry *,nsDocShell *,int,void *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7631]
        nsDocShell::WalkHistoryEntries(nsISHEntry *,nsDocShell *,(*)(nsISHEntry *,nsDocShell *,int,void *),void *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7589]
        nsDocShell::CloneAndReplaceChild(nsISHEntry *,nsDocShell *,int,void *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7641]
        nsDocShell::CloneAndReplace(nsISHEntry *,nsDocShell *,UINT,nsISHEntry *,nsISHEntry * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7669]
        nsDocShell::AddChildSHEntry(nsISHEntry *,nsISHEntry *,int) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:2606]
        nsDocShell::AddChildSHEntry(nsISHEntry *,nsISHEntry *,int) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:2621]
        nsDocShell::DoAddChildSHEntry(nsISHEntry *,int) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:2641]
        nsDocShell::AddToSessionHistory(nsIURI *,nsIChannel *,nsISHEntry * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7418]
    Free location
        strlen [f:\vs70builds\3077\vc\crtbld\crt\src\crtdll.c]
        nsSHEntry::Release(void) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:115]
        ReleaseObjects [e:\tip\mozilla\xpcom\ds\nscomarray.cpp:149]
        nsVoidArray::EnumerateForwards((*)(void *,void *),void *) [e:\tip\mozilla\xpcom\ds\nsvoidarray.cpp:648]
        nsCOMArray_base::Clear(void) [e:\tip\mozilla\xpcom\ds\nscomarray.cpp:156]
        nsSHEntry::~nsSHEntry(void) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:104]
        nsSHEntry::Release(void) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:115]
        nsSHTransaction::~nsSHTransaction(void) [e:\tip\mozilla\docshell\shistory\src\nsshtransaction.cpp:54]
        nsSHTransaction::`vector deleting destructor'(UINT) [E:\tip\fb-prf\dist\bin\components\docshell.dll]
        nsSHTransaction::Release(void) [e:\tip\mozilla\docshell\shistory\src\nsshtransaction.cpp:61]

[E] IPR: Invalid pointer read in nsSHEntry::GetParent(nsISHEntry * *) {1 occurrence}
    Reading 4 bytes from 0xaeaeaeb2 (4 bytes at 0xaeaeaeb2 illegal)
    Address 0xaeaeaeb2 points into a reserved VirtualAlloc'd block
    Thread ID: 0x4f0
    Error location
        nsSHEntry::GetParent(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399]
        nsSHEntry::GetParent(nsISHEntry * *) [e:\tip\mozilla\docshell\shistory\src\nsshentry.cpp:399]
        GetRootSHEntry [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7743]
        nsDocShell::SetHistoryEntry(nsCOMPtr<nsISHEntry> *,nsISHEntry *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:7767]
        nsDocShell::Embed(nsIContentViewer *,char const*,nsISupports *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:4469]
        nsDocShell::CreateContentViewer(char const*,nsIRequest *,nsIStreamListener * *) [e:\tip\mozilla\docshell\base\nsdocshell.cpp:5538]
        nsDSURIContentListener::DoContent(char const*,int,nsIRequest *,nsIStreamListener * *,int *) [e:\tip\mozilla\docshell\base\nsdsuricontentlistener.cpp:130]
        nsDocumentOpenInfo::TryContentListener(nsIURIContentListener *,nsIChannel *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:774]
        nsDocumentOpenInfo::DispatchContent(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:500]
        nsDocumentOpenInfo::OnStartRequest(nsIRequest *,nsISupports *) [e:\tip\mozilla\uriloader\base\nsuriloader.cpp:345]
Comment 15 • 19 years ago
This looks like a problem with the shentry object ownership model. An nsSHEntry has a weak mParent pointer, the docshell here ends up cloning one, and later on the clone's parent points to deleted memory...
Comment 16 • 19 years ago (Assignee)
This doesn't make the history traversal happy, but at least it doesn't crash. As far as I can tell gmail actually does a load somehow during our history traversal, which nukes the "next" SH transaction we used to have and kills its shentry. Why this shentry has kids at that point is a good question...
Attachment #193940 - Flags: superreview?(jst)
Attachment #193940 - Flags: review?(bryner)
Comment 17 • 19 years ago (Assignee)
This makes it possible to at least go back through gmail once (though it does take two clicks). Going forward after that and then back again breaks, most likely because of the session history tree mismatches that assert when you go back through it the first time. I'm not sure whether we want to take this or just work on a better arch for session history that deals with iframes.... If we do decide to take this, I could have also done this using WalkHistoryEntries if I made the calls before I remove the child docshell, but then that would mean walking all the kids looking for the one we have here (which would be passed as aData), which seems gratuitous.
Attachment #193942 - Flags: review?(bryner)
Updated • 19 years ago
Attachment #193940 - Flags: review?(bryner) → review+
Updated • 19 years ago
Flags: blocking1.8b4? → blocking1.8b4+
Updated • 19 years ago
Assignee: nobody → bzbarsky
Updated • 19 years ago (Assignee)
Priority: -- → P1
Summary: Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext] → [FIX]Crash when navigating between Gmail and another URL [@ nsXPConnect::ReleaseJSContext]
Target Milestone: --- → mozilla1.8beta4
Updated • 19 years ago
Whiteboard: [needs SR jst, review bryner]
Comment 18 • 19 years ago
Comment on attachment 193940: Fix for the crash

sr=jst for stopping this crash.
Attachment #193940 - Flags: superreview?(jst) → superreview+
Comment 19 • 19 years ago (Assignee)
Comment on attachment 193940: Fix for the crash

Requesting 1.8b approval. This is a very safe crash fix that just makes sure we don't leave dangling pointers to deleted memory around.
Attachment #193940 - Flags: approval1.8b4?
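
The ownership problem diagnosed in comment 15 (a child entry whose weak parent pointer outlives the parent) and the kind of fix comment 19 describes, modelled in standalone C++ as an added example; this is not the attached patch or any Mozilla code. The Entry type, its live-object registry and all function names are assumptions made for the illustration.

```cpp
// Added illustration, not Mozilla code. Entry, live() and the helper names
// are hypothetical; only the ownership shape follows comment 15.
#include <cstdio>
#include <memory>
#include <set>
#include <utility>
#include <vector>

struct Entry {
    Entry* parent = nullptr;                       // weak: raw, not ref-counted
    std::vector<std::shared_ptr<Entry>> children;  // strong: parent owns children
    bool clear_links_on_destroy;

    // Registry of live objects so a stale link can be classified without
    // ever dereferencing it (a debugging aid; address reuse can fool it).
    static std::set<const Entry*>& live() {
        static std::set<const Entry*> s;
        return s;
    }

    explicit Entry(bool clear) : clear_links_on_destroy(clear) { live().insert(this); }
    Entry(const Entry&) = delete;
    Entry& operator=(const Entry&) = delete;

    ~Entry() {
        live().erase(this);
        if (!clear_links_on_destroy) return;  // "before": children keep a stale parent
        for (auto& c : children)              // "after": sever the weak back-links
            if (c && c->parent == this) c->parent = nullptr;
    }

    void AddChild(std::shared_ptr<Entry> c) {
        c->parent = this;
        children.push_back(std::move(c));
    }
};

enum class ParentLink { None, Live, Dangling };

ParentLink classify_parent(const Entry& e) {
    if (!e.parent) return ParentLink::None;
    return Entry::live().count(e.parent) ? ParentLink::Live : ParentLink::Dangling;
}

// Root lookup in the style of a "walk the parent link until null" helper,
// except that it stops instead of following a link not known to be live.
const Entry* root_of(const Entry* e) {
    while (e && classify_parent(*e) == ParentLink::Live) e = e->parent;
    return e;
}

// An entry is released while another owner (here `kept`) still references one
// of its children; returns how the surviving child's parent link looks.
ParentLink child_after_parent_freed(bool clear_links_on_destroy) {
    auto parent = std::make_shared<Entry>(clear_links_on_destroy);
    auto kept = std::make_shared<Entry>(clear_links_on_destroy);
    parent->AddChild(kept);
    parent.reset();  // last strong reference to the parent is dropped
    return classify_parent(*kept);
}

bool survivor_is_its_own_root() {
    auto parent = std::make_shared<Entry>(true);
    auto kept = std::make_shared<Entry>(true);
    parent->AddChild(kept);
    bool before = root_of(kept.get()) == parent.get();
    parent.reset();
    return before && root_of(kept.get()) == kept.get();
}

int main() {
    std::printf("links left alone:      %s\n",
        child_after_parent_freed(false) == ParentLink::Dangling ? "dangling" : "ok");
    std::printf("links cleared in dtor: %s\n",
        child_after_parent_freed(true) == ParentLink::None ? "null" : "unexpected");
    return survivor_is_its_own_root() ? 0 : 1;
}
```

With the links left alone, the surviving child holds the address of freed memory, which is the state Purify reports as a free memory read once a root walk follows it; clearing the links in the destructor turns the same walk into a null check.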
Comment 20 • 19 years ago (Assignee)
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Comment 21 • 19 years ago
Comment on attachment 193940: Fix for the crash

This is safe for 1.8b4. /be
Attachment #193940 - Flags: approval1.8b4? → approval1.8b4+
Comment 23 • 19 years ago (Reporter)
I don't see the described problems anymore in trunk and branch.
Comment 24 • 19 years ago
bz, is this remaining patch necessary for the 1.8 branch or are we finished with this for 1.8b5?
Comment 25 • 19 years ago (Assignee)
This is done for 1.8b5; the remaining patch is a nice-to-have for trunk.
Comment 27 • 18 years ago
Comment on attachment 193942 [details] [diff] [review] Slight improvement on session history >--- docshell/base/nsDocShell.cpp 25 Aug 2005 21:21:07 -0000 1.734 >+++ docshell/base/nsDocShell.cpp 26 Aug 2005 18:04:04 -0000 >+ // Make sure to remove the child's SHEntry from out SHEntry's child list typo: s/out/our/ This should make things a little more consistent, thanks! (sorry the review took awhile)
Attachment #193942 - Flags: review?(bryner) → review+
Updated • 18 years ago (Assignee)
Attachment #193942 - Flags: superreview?(darin)
Comment 28 • 18 years ago
Comment on attachment 193942 [details] [diff] [review] Slight improvement on session history >Index: docshell/base/nsDocShell.cpp >+ PRInt32 childCount; >+ container->GetChildCount(&childCount); >+ for (PRInt32 i = 0; i < childCount; i++) { >+ nsCOMPtr<nsISHEntry> childEntry; >+ container->GetChildAt(i, getter_AddRefs(childEntry)); ... >+ container->RemoveChild(childEntry); >+ } You don't need to iterator over this list in reverse order? Doesn't RemoveChild mess up your indexing?
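Review bot: in the quoted nsDocShell.cpp loop, childCount is declared without an initial value and the result of container->GetChildCount(&childCount) is not checked, so if that call fails the loop bound is whatever was on the stack; initialise it to 0 or return on failure. The loop also walks i upward against a count taken before any removal while calling container->RemoveChild(childEntry) inside it: if RemoveChild shortens or shifts the child list, GetChildAt(i) starts skipping entries and then asks for indexes that no longer exist, so iterate from childCount - 1 down to 0 (or keep removing index 0 until the list is empty), and check childEntry for null before passing it to RemoveChild unless the elided lines already do.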
Comment 29 • 18 years ago (Assignee)
Oh, man. Good catch, Darin! I'll post a patch with that fixed sometime tonight.
Updated • 18 years ago
Attachment #193942 - Flags: superreview?(darin) → superreview-
Comment 30 • 18 years ago (Assignee)
Attachment #193942 - Attachment is obsolete: true
Attachment #212850 - Flags: superreview?(darin)
Comment 31 • 18 years ago
Comment on attachment 212850: With issues fixed

sr=darin
Attachment #212850 - Flags: superreview?(darin) → superreview+
Comment 32 • 18 years ago (Assignee)
Checked that patch in.
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Updated • 13 years ago
Crash Signature: [@ nsXPConnect::ReleaseJSContext]