Closed Bug 404616 Opened 17 years ago Closed 16 years ago

Crash [@ nsGlobalWindow::IsInModalState] with testcase and then going back and forward

Categories

(Core Graveyard :: Plug-ins, defect, P2)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows XP
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:nse] non-minimized testcase)

Crash Data

Attachments

(1 file)

testcase (sort of)
2.13 KB, text/html
Details
Attached file testcase (sort of) 
I get a crash sometimes with this page when loading it, staying there for a while and then going back and forward a few times.

I'm marking it security sensitive for now, because the testcase isn't really minimized.

This is a stacktrace from a debug build:
>	gklayout.dll!nsPluginInstanceOwner::SetOwner(nsObjectFrame * aOwner=0x00000000)  Line 386 + 0x6 bytes	C++
 	gklayout.dll!nsObjectFrame::StopPluginInternal(int aDelayedStop=0)  Line 1596	C++
 	gklayout.dll!nsObjectFrame::StopPlugin()  Line 1558	C++
 	gklayout.dll!StopPluginInstance(PresShell * aShell=0x06567940, nsIContent * aContent=0x04c32310)  Line 5925	C++
 	gklayout.dll!PresShell::EnumeratePlugins(nsIDOMDocument * aDocument=0x04b3106c, const nsString & aPluginTag={...}, void (PresShell *, nsIContent *)* aCallback=0x0193d570)  Line 6473 + 0x10 bytes	C++
 	gklayout.dll!PresShell::Freeze()  Line 5943 + 0x26 bytes	C++
 	gklayout.dll!DocumentViewerImpl::Destroy()  Line 1390	C++
 	gklayout.dll!DocumentViewerImpl::Show()  Line 1848	C++
 	gklayout.dll!nsPresContext::EnsureVisible(int aUnsuppressFocus=0)  Line 1443	C++
 	gklayout.dll!PresShell::UnsuppressAndInvalidate()  Line 4229 + 0xd bytes	C++
 	gklayout.dll!PresShell::UnsuppressPainting()  Line 4290	C++
 	gklayout.dll!DocumentViewerImpl::LoadComplete(unsigned int aStatus=0)  Line 1002	C++
 	docshell.dll!nsDocShell::EndPageLoad(nsIWebProgress * aProgress=0x05b53794, nsIChannel * aChannel=0x0657a980, unsigned int aStatus=0)  Line 4973	C++
 	docshell.dll!nsWebShell::EndPageLoad(nsIWebProgress * aProgress=0x05b53794, nsIChannel * channel=0x0657a980, unsigned int aStatus=0)  Line 1017	C++
 	docshell.dll!nsDocShell::OnStateChange(nsIWebProgress * aProgress=0x05b53794, nsIRequest * aRequest=0x0657a980, unsigned int aStateFlags=16908304, unsigned int aStatus=0)  Line 4873	C++
 	docshell.dll!nsDocLoader::FireOnStateChange(nsIWebProgress * aProgress=0x05b53794, nsIRequest * aRequest=0x0657a980, int aStateFlags=16908304, unsigned int aStatus=0)  Line 1236	C++
 	docshell.dll!nsDocLoader::doStopDocumentLoad(nsIRequest * request=0x0657a980, unsigned int aStatus=0)  Line 869	C++
 	docshell.dll!nsDocLoader::DocLoaderIsEmpty()  Line 765	C++
 	docshell.dll!nsDocLoader::OnStopRequest(nsIRequest * aRequest=0x0657a980, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0)  Line 682	C++
 	necko.dll!nsLoadGroup::RemoveRequest(nsIRequest * request=0x0657a980, nsISupports * ctxt=0x00000000, unsigned int aStatus=0)  Line 688 + 0x2e bytes	C++
 	docshell.dll!nsDocShell::FinishRestore()  Line 5392	C++
 	docshell.dll!nsDocShell::RestoreFromHistory()  Line 5846	C++
 	docshell.dll!nsDocShell::RestorePresentationEvent::Run()  Line 5298 + 0x14 bytes	C++
 	xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012f984)  Line 491	C++
 	xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00e2bf38, int mayWait=1)  Line 227 + 0x16 bytes	C++
 	gkwidget.dll!nsBaseAppShell::Run()  Line 154 + 0xc bytes	C++
 	tkitcmps.dll!nsAppStartup::Run()  Line 170 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc=1, char * * argv=0x00e289a8, const nsXREAppData * aAppData=0x00e28d88)  Line 3142 + 0x25 bytes	C++
 	firefox.exe!main(int argc=1, char * * argv=0x00e289a8)  Line 153 + 0x12 bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 586 + 0x19 bytes	C
 	firefox.exe!mainCRTStartup()  Line 403	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes	

So this sounds like bug 393845, I guess.
Although I sometimes also saw "fault in the cycle collector" assertions before the crash.
Depends on: 393845
Whiteboard: [sg:nse] non-minimized testcase
Flags: blocking1.9?
Adding peterv for comment re: Cycle Collector
Flags: tracking1.9? → blocking1.9?
+'ing P2 per triage with jst and sicking.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
This is still crashing with a 2008-03-08 trunk build with Java Plug-in 1.6.0_03 installed. It doesn't crash with the Java Plug-in 1.6.0_10 installed.

The stacktrace seems different, though, in current trunk build:
http://crash-stats.mozilla.com/report/index/225670f5-ed63-11dc-a7a8-001a4bd43e5c
0  	nsGlobalWindow::IsInModalState()  	 mozilla/dom/src/base/nsGlobalWindow.cpp:5583
1 	nsGlobalWindow::RunTimeout(nsTimeout*) 	mozilla/dom/src/base/nsGlobalWindow.cpp:7571
2 	nsGlobalWindow::TimerCallback(nsITimer*, void*) 	mozilla/dom/src/base/nsGlobalWindow.cpp:8070
3 	nsTimerImpl::Fire() 	mozilla/xpcom/threads/nsTimerImpl.cpp:400
4 	nsTimerEvent::Run() 	mozilla/xpcom/threads/nsTimerImpl.cpp:488
5 	nsThread::ProcessNextEvent(int, int*) 	mozilla/xpcom/threads/nsThread.cpp:510
6 	NS_ProcessPendingEvents_P(nsIThread*, unsigned int) 	nsThreadUtils.cpp:180
7 	xul.dll@0x24e0df 	
8 	UserCallWinProcCheckWow 	
9 	DispatchMessageWorker 	
10 	DispatchMessageA 	
11 	jpinscp.dll@0x28ee
Summary: Crash [@ nsPluginInstanceOwner::SetOwner] with testcase and then going back and forward → Crash [@ nsGlobalWindow::IsInModalState] with testcase and then going back and forward
Never mind, after updating the Java plugin to Java Plug-in 1.6.0_05, I don't crash anymore, so I guess this was a problem with the Java plug-in all along.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Can we un-hide this bug now?
Fine by me.
Group: security
Crash Signature: [@ nsGlobalWindow::IsInModalState]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: