Crash when trying to create bugzilla attachment.

VERIFIED FIXED in M18

Status

()

P1
normal
VERIFIED FIXED
18 years ago
18 years ago

People

(Reporter: jst, Assigned: bryner)

Tracking

({crash})

Trunk
x86
Linux
crash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3+], URL)

(Reporter)

Description

18 years ago
Using a linux build from today mozilla crashes if you go to any bug in bugzilla
and try to create an attachment, the crash happens when you click on the
"Browse" button, just before the filepicker should pop up. I only have a release
build so I can't point at the exact location where the crash occures, but I'll
attach a stacktrace that gives you some idea about where the crash occures...

I don't see this problem on WinNT.
(Reporter)

Comment 1

18 years ago
Stacktrace from optimized build...

#0  0x856c0f8 in ?? ()
#1  0x40ecf8b1 in FindPreviousAnonymousSibling ()
   from /builds/rel/dist/bin/components/libgklayout.so
#2  0x40ed0f2a in nsCSSFrameConstructor::ContentInserted ()
   from /builds/rel/dist/bin/components/libgklayout.so
#3  0x40ed5ced in nsCSSFrameConstructor::RecreateFramesForContent ()
   from /builds/rel/dist/bin/components/libgklayout.so
#4  0x40ed37af in nsCSSFrameConstructor::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/libgklayout.so
#5  0x40fc5e07 in StyleSetImpl::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/libgklayout.so
#6  0x40dce717 in PresShell::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/libgklayout.so
#7  0x404b282a in nsXULDocument::ContentStatesChanged ()
   from /builds/rel/dist/bin/components/librdf.so
#8  0x40d96a1e in nsEventStateManager::SetContentState ()
   from /builds/rel/dist/bin/components/libgklayout.so
#9  0x40e1ee9f in nsHTMLInputElement::SetFocus ()
   from /builds/rel/dist/bin/components/libgklayout.so
#10 0x40e1eda5 in nsHTMLInputElement::Focus ()
   from /builds/rel/dist/bin/components/libgklayout.so
#11 0x403e7bbd in HTMLInputElementFocus ()
   from /builds/rel/dist/bin/./libjsdom.so
#12 0x4011bd8f in js_Invoke () from /builds/rel/dist/bin/./libmozjs.so
#13 0x401226a2 in js_Interpret () from /builds/rel/dist/bin/./libmozjs.so
#14 0x4011bddd in js_Invoke () from /builds/rel/dist/bin/./libmozjs.so
#15 0x4011bfd0 in js_InternalInvoke () from /builds/rel/dist/bin/./libmozjs.so
#16 0x40102ebf in JS_CallFunctionValue ()
   from /builds/rel/dist/bin/./libmozjs.so
#17 0x4039f871 in nsJSContext::CallEventHandler ()
   from /builds/rel/dist/bin/./libjsdom.so
#18 0x403cdc56 in nsJSEventListener::HandleEvent ()
   from /builds/rel/dist/bin/./libjsdom.so
#19 0x40d8e820 in nsEventListenerManager::HandleEventSubType ()
   from /builds/rel/dist/bin/components/libgklayout.so
#20 0x40d8fa1c in nsEventListenerManager::HandleEvent ()
   from /builds/rel/dist/bin/components/libgklayout.so
#21 0x403a7ffe in GlobalWindowImpl::HandleDOMEvent ()
   from /builds/rel/dist/bin/./libjsdom.so
#22 0x4099939e in nsWebShell::OnEndDocumentLoad ()
   from /builds/rel/dist/bin/components/libdocshell.so
#23 0x409b2373 in nsDocLoaderImpl::FireOnEndDocumentLoad ()
   from /builds/rel/dist/bin/components/liburiloader.so
#24 0x409b2156 in nsDocLoaderImpl::DocLoaderIsEmpty ()
   from /builds/rel/dist/bin/components/liburiloader.so
#25 0x409b205b in nsDocLoaderImpl::OnStopRequest ()
   from /builds/rel/dist/bin/components/liburiloader.so
---Type <return> to continue, or q <return> to quit--- 
#26 0x408e7eae in nsLoadGroup::RemoveChannel ()
   from /builds/rel/dist/bin/components/libnecko.so
#27 0x409204c2 in nsFileChannel::OnStopRequest ()
   from /builds/rel/dist/bin/components/libnecko.so
#28 0x408d8cde in nsOnStopRequestEvent::HandleEvent ()
   from /builds/rel/dist/bin/components/libnecko.so
#29 0x408d8720 in nsStreamListenerEvent::HandlePLEvent ()
   from /builds/rel/dist/bin/components/libnecko.so
#30 0x400bc8eb in PL_HandleEvent () from /builds/rel/dist/bin/./libxpcom.so
#31 0x400bc826 in PL_ProcessPendingEvents ()
   from /builds/rel/dist/bin/./libxpcom.so
#32 0x400bd53d in nsEventQueueImpl::ProcessPendingEvents ()
   from /builds/rel/dist/bin/./libxpcom.so
#33 0x4055969f in event_processor_callback ()
   from /builds/rel/dist/bin/components/libwidget_gtk.so
#34 0x4055945d in our_gdk_io_invoke ()
   from /builds/rel/dist/bin/components/libwidget_gtk.so
...
Keywords: crash, dogfood, nsbeta3

Comment 2

18 years ago
This worked fine before, and considering it is crashing in CSS frame
constructor, I'm probably not the right person for this bug.

Pavlov or bryner, could one of you look at this?
(Assignee)

Comment 3

18 years ago
I was actually the one who suggested jst assign it to you... based on the fact 
that the process that's actually going on here is setting focus to the dialog.  
Wondering if it's one of those weird state transition bugs.  The filepicker 
seems to come up fine everywhere else that it's invoked from.
It seems that the crash is in releasing the elt nsCOMPtr.  It seems to get
corrupted during the call to xblDoc->GetAnonymousNodes.  Before that call I can
do "p elt.get()->AddRef()" in gdb, but after it that crashes.

Comment 5

18 years ago
nsbeta3+, P1 for M18.  This really should be dogfood+ too, since it prevents a
lot of mozillians from contributing.  cc hyatt, danm
Priority: P3 → P1
Whiteboard: [nsbeta3+]
Target Milestone: --- → M18

Comment 6

18 years ago
First guess, XBL is corrupting the stack. This should really be hyatt's, but I 

can take a first pass at finding the nastyness.
(Assignee)

Comment 7

18 years ago
Got this one tracked down...
Assignee: saari → bryner
(Assignee)

Comment 8

18 years ago
Fixed!
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 9

18 years ago
Verified 
2000-09-05-08 : Linux
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.