Closed
Bug 407502
Opened 17 years ago
Closed 17 years ago
Crash regression at www.actu24.be [@ UnhookTextRunFromFrames(gfxTextRun*)]
Categories
(Core :: General, defect, P2)
Tracking
()
VERIFIED
DUPLICATE
of bug 406800
People
(Reporter: stevee, Assigned: peterv)
References
()
Details
(Keywords: crash, regression)
Crash Data
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9b2pre) Gecko/2007120319 Minefield/3.0b2pre ID:2007120319
1. New profile, start firefox
2. Visit http://www.actu24.be/page/homepage
3. Wait for page to load, then refresh the page with F5. Repeat until firefox crashes.
No crashing with 20071130_1107_firefox-3.0b2pre.en-US.win32
Crashing with 20071130_1124_firefox-3.0b2pre.en-US.win32
Checkins to module PhoenixTinderbox between 2007-11-30 11:07 and 2007-11-30 11:23 :
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=1196449620&maxdate=1196450639
cf has submitted a crash report on Mac, but it's still awaiting processing.
http://crash-stats.mozilla.com/report/index/b9a89fe8-a5af-11dc-b1e3-001a4bd46e84
CC'ng Colin and Peter.
Flags: blocking1.9?
|
||
Comment 1•17 years ago
|
||
I don't get a crash with JS disabled. And the URL isn't quite right. That URL doesn't crash for me because it goes to http://www.actu24.be/Page/url_non_trouvee/4451.aspx?zip=homepage
The crashing URL is http://www.actu24.be/page/homepage/1.aspx
|
|
||
Comment 2•17 years ago
|
||
Ok that URL does crash but it's delayed compared to the other.
|
||
Comment 3•17 years ago
|
||
Crash URL is a 404.
If you can reproduce on Windows, I don't think my checkin is responsible. It's not part of the windows build.
|
Reporter | |
Comment 4•17 years ago
|
||
Crash report is now processed!
Signature UnhookTextRunFromFrames(gfxTextRun*)
UUID b9a89fe8-a5af-11dc-b1e3-001a4bd46e84
Time 2007-12-08 09:04:27-08:00
Build ID 2007120804
OS Mac OS X
OS Version 10.4.11 8S2167
CPU x86
CPU Info GenuineIntel family 6 model 15 stepping 6
Crash Reason EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address 0x120f259
Frame Signature Source
0 UnhookTextRunFromFrames(gfxTextRun*) mozilla/layout/generic/nsTextFrameThebes.cpp:335
1 nsTextFrame::ClearTextRun() mozilla/layout/generic/nsTextFrameThebes.cpp:3377
2 nsTextFrame::Destroy() mozilla/layout/generic/nsTextFrameThebes.cpp:3080
3 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
4 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
5 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
6 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:296
7 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
8 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
9 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
10 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:296
11 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
12 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
13 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
14 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
15 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
16 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
17 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
18 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
19 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
20 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
21 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
22 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
23 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
24 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
25 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
26 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
27 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
28 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
29 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
30 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
31 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
32 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
33 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
34 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
35 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
36 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
37 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
38 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
39 nsLineBox::DeleteLineList(nsPresContext*, nsLineList&) mozilla/layout/generic/nsLineBox.cpp:363
40 nsBlockFrame::Destroy() mozilla/layout/generic/nsBlockFrame.cpp:300
41 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
42 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
43 CanvasFrame::Destroy() mozilla/layout/generic/nsHTMLFrame.cpp:206
44 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
45 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
46 nsFrameList::DestroyFrames() mozilla/layout/generic/nsFrameFrame.cpp:67
47 nsContainerFrame::Destroy() mozilla/layout/generic/nsContainerFrame.cpp:259
48 nsFrameManager::Destroy() mozilla/layout/base/nsFrameManager.cpp:283
49 PresShell::Destroy() mozilla/layout/base/nsPresShell.cpp:1671
50 DocumentViewerImpl::Destroy() mozilla/layout/base/nsDocumentViewer.cpp:1518
51 DocumentViewerImpl::Show() mozilla/layout/base/nsDocumentViewer.cpp:1862
52 nsPresContext::EnsureVisible(int) mozilla/layout/base/nsPresContext.cpp:1442
53 nsPluginInstanceOwner::Init(nsPresContext*, nsObjectFrame*, nsIContent*) mozilla/layout/generic/nsLineBox.cpp:3840
54 nsObjectFrame::PrepareInstanceOwner() mozilla/layout/generic/nsLineBox.cpp:1400
55 nsObjectFrame::Instantiate(char const*, nsIURI*) mozilla/layout/generic/nsLineBox.cpp:1439
56 nsObjectLoadingContent::Instantiate(nsIObjectFrame*, nsACString_internal const&, nsIURI*) mozilla/content/base/src/nsObjectLoadingContent.cpp:1591
57 nsAsyncInstantiateEvent::Run() mozilla/content/base/src/nsObjectLoadingContent.cpp:146
58 nsThread::ProcessNextEvent(int, int*) mozilla/xpcom/threads/nsThread.cpp:510
59 NS_ProcessPendingEvents_P(nsIThread*, unsigned int) nsThreadUtils.cpp:180
60 nsBaseAppShell::NativeEventCallback() mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:112
61 nsAppShell::ProcessGeckoEvents(void*) mozilla/widget/src/cocoa/nsAppShell.mm:294
62 CoreFoundation@0x21f31
63 CoreFoundation@0x21a6d
64 HIToolbox@0x9877
65 HIToolbox@0x8eb8
66 HIToolbox@0x8dd8
67 AppKit@0x17484
68 AppKit@0x17075
69 AppKit@0x10dfa
70 nsAppShell::Run() mozilla/widget/src/cocoa/nsAppShell.mm:565
71 nsAppStartup::Run() mozilla/toolkit/components/startup/src/nsAppStartup.cpp:170
72 XRE_main mozilla/toolkit/xre/nsAppRunner.cpp:3145
73 main mozilla/browser/app/nsBrowserApp.cpp:153
74 start crt.c:272
75 start
76 @0x1
Summary: Crash regression at www.actu24.be → Crash regression at www.actu24.be [@ UnhookTextRunFromFrames(gfxTextRun*)]
|
||
Comment 5•17 years ago
|
||
Textframe - is this you Roc?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Yeah
Assignee: nobody → roc
I don't know if this is me. It looks like general heap corruption, and with Mac malloc debugging I get:
firefox-bin(5332,0xa000d000) malloc: *** Deallocation of a pointer not malloced: 0x3ffd2880; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
#0 0x9003d66c in kill ()
#1 0x9010e8cf in raise ()
#2 0x9010d422 in abort ()
#3 0x9000558f in free ()
#4 0x010dc88c in js_FinalizeStringRT (rt=0x204fe00, str=0x34b882e0, type=-5, cx=0x31891470) at /Users/roc/mozilla-trunk/js/src/jsstr.c:2686
#5 0x0106040c in js_GC (cx=0x31891470, gckind=GC_NORMAL) at /Users/roc/mozilla-trunk/js/src/jsgc.c:2625
#6 0x0101870b in JS_GC (cx=0x31891470) at /Users/roc/mozilla-trunk/js/src/jsapi.c:2397
#7 0x12a0790a in nsXPConnect::Collect (this=0x2927ba0) at /Users/roc/mozilla-trunk/js/src/xpconnect/src/nsXPConnect.cpp:516
#8 0x0137e4b6 in nsCycleCollector::Collect (this=0xa0000, aTryCollections=1) at /Users/roc/mozilla-trunk/xpcom/base/nsCycleCollector.cpp:2094
#9 0x0137e550 in nsCycleCollector_collect () at /Users/roc/mozilla-trunk/xpcom/base/nsCycleCollector.cpp:2645
#10 0x1838d1e2 in nsJSContext::CC () at /Users/roc/mozilla-trunk/dom/src/base/nsJSEnvironment.cpp:3313
#11 0x1838d2fb in nsJSContext::CCIfUserInactive () at /Users/roc/mozilla-trunk/dom/src/base/nsJSEnvironment.cpp:3354
#12 0x1838f641 in nsJSContext::Notify (this=0x3ffa1550, timer=0x3fddec20) at /Users/roc/mozilla-trunk/dom/src/base/nsJSEnvironment.cpp:3376
#13 0x01371517 in nsTimerImpl::Fire (this=0x3fddec20) at /Users/roc/mozilla-trunk/xpcom/threads/nsTimerImpl.cpp:403
#14 0x0137171b in nsTimerEvent::Run (this=0x41d0cb20) at /Users/roc/mozilla-trunk/xpcom/threads/nsTimerImpl.cpp:487
#15 0x0136d443 in nsThread::ProcessNextEvent (this=0x29131d0, mayWait=0, result=0xbfffdbd4) at /Users/roc/mozilla-trunk/xpcom/threads/nsThread.cpp:510
#16 0x01312ac5 in NS_ProcessPendingEvents_P (thread=0x29131d0, timeout=20) at nsThreadUtils.cpp:180
This could be tough, calling in Martijn air-strike for a minimized testcase and a regression range!
|
|
||
Comment 8•17 years ago
|
||
Regression range is in Comment #0.
Sounds like Peter then. Obviously Colin's fix couldn't have caused anything on Windows. And Peter's patch touched cycle collection which is implicated by my stack.
Assignee: roc → peterv
|
Assignee | |
Comment 10•17 years ago
|
||
From comment 7 this looks like a dupe of bug 406800. Reopen if not.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
|
||
Comment 11•17 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020601 Firefox/3.0b4pre
no crash on testcase - verified
Status: RESOLVED → VERIFIED
|
||
Updated•14 years ago
|
Crash Signature: [@ UnhookTextRunFromFrames(gfxTextRun*)]
You need to log in
before you can comment on or make changes to this bug.
Description
•