Closed Bug 45713 Opened 25 years ago Closed 25 years ago

Crash loading a URL via a JS 'prompt' URL

Categories

(Core :: XUL, defect, P2)

PowerPC
Mac System 8.5
defect

RESOLVED WORKSFORME

People

(Reporter: sfraser_bugs, Assigned: sfraser_bugs)

Details

(Keywords: crash, Whiteboard: [nsbeta3+][p:2][pdtp2])

If I try to run the above URL in mozilla, typing "http://www.mozilla.org" in the prompt dialog and hitting return, I crash soon after. The crash seems to be a memory corruption-type bug. Sometimes I crash in StyleUserInterfaceImpl::CalcDifference doing a bad string compare, and sometimes when freeing some imglib data.
Trying to fix URL
Fixing URL. The URL should be: javascript:url=prompt("Type a URL"); location.href=url;
URL: javascript:url=prompt("Type a URL"); ... → javascript:url=prompt('Type a URL'); ...
This appears to be an imglib bug. More details coming.
Assignee: asa → pnunn
Component: Browser-General → ImageLib
This is proving hard to debug. I'm crashing in IL_ReleaseColorSpace(), called from il_delete_container(), and it's crashing because cmap->map has already been deleted, or points to bad memory.
Well, this isn't imglib. I'm seeing random memory trashing in various components. Someone is deleting something they shouldn't, somewhere.
Assignee: pnunn → asa
Component: ImageLib → Browser-General
Adding crash keyword
Keywords: crash
I crash consistently in StyleUserInterfaceImpl::CalcDifference with this testcase.
Yup. I crashed consistently in some imglib code for a while. Don't look too closely at where it crashes; you'll have to use watchpoints to figure out where memory is getting trashed.
I don't know how to "use watchpoints to see where it trashes memory". I'll try if someone can point me to the "howto". If not, I should hand this off to someone else for investigation. Any ideas who?
Would this be more likely to get investigated in DOM component or possibly core javascript engine? It's probably going nowhere if it stays in my lap.
Updating component and setting default owner.
Assignee: asa → rogerl
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
Still happens. I'm sure that JS is not the culprit.
Bruce, can you run Purify over this?
Assignee: rogerl → sfraser
Component: Javascript Engine → XP Toolkit/Widgets
Still happening on Mac OS9 and WinNT; haven't crashed on Linux. Using Mozilla tip builds 2000-08-15 on WinNT, Linux; Using Mac commercial build 2000081413. For what it's worth, on WinNT I also crashed in IL_ReleaseColorSpace(), called from il_delete_container():
WINDOWS STACK TRACE
_free_dbg_lk(void * 0x03ced9d0, int 1) line 1044 + 48 bytes
_free_dbg(void * 0x03ced9d0, int 1) line 1001 + 13 bytes
free(void * 0x03ced9d0) line 956 + 11 bytes
PR_Free(void * 0x03ced9d0) line 66 + 10 bytes
IL_ReleaseColorSpace(_NI_ColorSpace * 0x03beb560) line 454 + 22 bytes
il_delete_container(il_container_struct * 0x03beb5c0) line 633 + 15 bytes
IL_NetRequestDone(il_container_struct * 0x03beb5c0, ilIURL * 0x03beb320, int -201) line 1184 + 9 bytes
NetReaderImpl::NetRequestDone(NetReaderImpl * const 0x03beb0d0, ilIURL * 0x03beb320, int -201) line 141 + 20 bytes
ImageConsumer::OnStopRequest(ImageConsumer * const 0x03beb160, nsIChannel * 0x03bef300, nsISupports * 0x00000000, unsigned int 2147500037, const unsigned short * 0x00000000) line 547
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03bef290, nsIChannel * 0x03bef300, nsISupports * 0x00000000, unsigned int 2147500037, const unsigned short * 0x00000000) line 269
nsResChannel::EndRequest(unsigned int 2147500037, const unsigned short * 0x00000000) line 708 + 50 bytes
nsResChannel::AsyncRead(nsResChannel * const 0x03bef300, nsIStreamListener * 0x03bef290, nsISupports * 0x00000000) line 416
nsResChannel::OnStopRequest(nsResChannel * const 0x03bef304, nsIChannel * 0x03bef0e0, nsISupports * 0x00000000, unsigned int 2147500036, const unsigned short * 0x100a1088 gCommonEmptyBuffer) line 694 + 43 bytes
nsFileChannel::OnStopRequest(nsFileChannel * const 0x03bef0e8, nsIChannel * 0x03beab80, nsISupports * 0x00000000, unsigned int 2147500036, const unsigned short * 0x100a1088 gCommonEmptyBuffer) line 632 + 45 bytes
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x032bade0) line 302
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x032bfaf0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x032bfaf0) line 587 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x013219e0) line 528 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x042903cc, unsigned int 49411, unsigned int 0, long 20060640) line 1043 + 9 bytes
USER32! 77e71820()
013219e0()
Depends on: 49593
Using Mozilla tip build 2000-08-21 on WinNT. Today I crashed in Mozilla with exactly the same stack trace as directly above while doing something completely different than "loading a URL via a JS prompt". I was reloading this HTML file over and over when it crashed: http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13269
*** Bug 50430 has been marked as a duplicate of this bug. ***
Severity: normal → critical
Keywords: nsbeta3
Priority: P3 → P2
Whiteboard: nsbeta3+
Target Milestone: --- → M18
dependency bug fixed, reaccess this bug
confirming priority
Whiteboard: nsbeta3+ → [nsbeta3+][p:2]
pdt agrees p2.
Whiteboard: [nsbeta3+][p:2] → [nsbeta3+][p:2][pdtp2]
This doesn't crash for me any more.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME