Closed Bug 45713 Opened 24 years ago Closed 24 years ago

Crash loading a URL via a JS 'prompt' URL

Categories

(Core :: XUL, defect, P2)

Product:
Core
Component:
XUL
Platform:
PowerPC
Mac System 8.5
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: sfraser_bugs, Assigned: sfraser_bugs)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [nsbeta3+][p:2][pdtp2]) 

If I try to run the above URL in mozilla, typing "http://www.mozilla.org" in the 
prompt dialog and hitting return, I crash soon after.

The crash seems to be a memory corruption-type bug. Sometimes I crash in 
StyleUserInterfaceImpl::CalcDifference doing a bad string compare, and sometimes 
when freeing some imglib data.
Trying to fix URL

fixing URL. The URL should be:
javascript:url=prompt("Type a URL"); location.href=url;
URL: javascript:url=prompt("Type a URL"); ...javascript:url=prompt('Type a URL'); ...
This appears to be an imglib bug. More details coming.
Assignee: asa → pnunn
Component: Browser-General → ImageLib
This is proving hard to debug.

I'm crashing in IL_ReleaseColorSpace(), called from il_delete_container(), and 
it's crashing because cmap->map has already been deleted, or points to bad 
memory.

Well, this isn't imglib. I'm seeing random memory trashing in various components. 
Someone is deleting something they shouldn't, somewhere.
Assignee: pnunn → asa
Component: ImageLib → Browser-General
Adding crash keyword
Keywords: crash
I crash consistently in StyleUserInterfaceImpl::CalcDifference
 with this testcase.
Yup. I crashed consistently in some imglib code for a while. Don't look too 
closely at where it crashes; you'll have to use watchpoints to figure out where 
memory is getting trashed.

I don't know how to "use watchpoints to see where it trashes memory"  I'll try
if someone can point me to the "howto".  If not I should hand this off to
someone else for investigation.  Any ideas who?
would this be more likely to get investigated in DOM component or possibly core
javascript ebgine?  It's probably going no where if it stays in my lap.
updating component and setting defualt owner.
Assignee: asa → rogerl
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
Still happens. I'm sure that JS is not the culprit.

bruce, can you run purify over this?
Assignee: rogerl → sfraser
Component: Javascript Engine → XP Toolkit/Widgets
Still happening on Mac OS9 and WinNT; haven't crashed on Linux.
Using Mozilla tip builds 2000-08-15 on WinNT, Linux;         
Using Mac commercial build  2000081413

For what it's worth, on WinNT I also crashed in IL_ReleaseColorSpace(), 
called from il_delete_container() :


WINDOWS  STACK TRACE

_free_dbg_lk(void * 0x03ced9d0, int 1) line 1044 + 48 bytes
_free_dbg(void * 0x03ced9d0, int 1) line 1001 + 13 bytes
free(void * 0x03ced9d0) line 956 + 11 bytes
PR_Free(void * 0x03ced9d0) line 66 + 10 bytes
IL_ReleaseColorSpace(_NI_ColorSpace * 0x03beb560) line 454 + 22 bytes
il_delete_container(il_container_struct * 0x03beb5c0) line 633 + 15 bytes
IL_NetRequestDone(il_container_struct * 0x03beb5c0, ilIURL * 0x03beb320, int 
-201) line 1184 + 9 bytes
NetReaderImpl::NetRequestDone(NetReaderImpl * const 0x03beb0d0, ilIURL * 
0x03beb320, int -201) line 141 + 20 bytes
ImageConsumer::OnStopRequest(ImageConsumer * const 0x03beb160, nsIChannel * 
0x03bef300, nsISupports * 0x00000000, unsigned int 2147500037, const unsigned 
short * 0x00000000) line 547
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03bef290, 
nsIChannel * 0x03bef300, nsISupports * 0x00000000, unsigned int 2147500037, 
const unsigned short * 0x00000000) line 269
nsResChannel::EndRequest(unsigned int 2147500037, const unsigned short * 
0x00000000) line 708 + 50 bytes
nsResChannel::AsyncRead(nsResChannel * const 0x03bef300, nsIStreamListener * 
0x03bef290, nsISupports * 0x00000000) line 416
nsResChannel::OnStopRequest(nsResChannel * const 0x03bef304, nsIChannel * 
0x03bef0e0, nsISupports * 0x00000000, unsigned int 2147500036, const unsigned 
short * 0x100a1088 gCommonEmptyBuffer) line 694 + 43 bytes
nsFileChannel::OnStopRequest(nsFileChannel * const 0x03bef0e8, nsIChannel * 
0x03beab80, nsISupports * 0x00000000, unsigned int 2147500036, const unsigned 
short * 0x100a1088 gCommonEmptyBuffer) line 632 + 45 bytes
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x032bade0) line 
302
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x032bfaf0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x032bfaf0) line 587 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x013219e0) line 528 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x042903cc, unsigned int 49411, unsigned int 0, 
long 20060640) line 1043 + 9 bytes
USER32! 77e71820()
013219e0()
Depends on: 49593
Using Mozilla tip build 2000-08-21 on WinNT.

Today I crashed in Mozilla with exactly the same stack trace as directly above 
while doing something completely different than "loading a URL via a JS prompt".
I was reloading this HTML file over and over when it crashed:

http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13269

*** Bug 50430 has been marked as a duplicate of this bug. ***
Severity: normal → critical
Keywords: nsbeta3
Priority: P3 → P2
Whiteboard: nsbeta3+
Target Milestone: --- → M18
dependency bug fixed, reaccess this bug
confirming priority
Whiteboard: nsbeta3+ → [nsbeta3+][p:2]
pdt agrees p2.
Whiteboard: [nsbeta3+][p:2] → [nsbeta3+][p:2][pdtp2]
This doesn't crash for me any more.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.