Closed Bug 7491 Opened 25 years ago Closed 25 years ago

App crashes on reload after trying to log in

Categories

(Core :: Graphics: ImageLib, defect, P3)

Product:
Core
Component:
Graphics: ImageLib
Platform:
All
Other
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jcarpenter0524, Assigned: pnunn)

References

(
URL
)

Details

MacPPC build 1999-06-02-09-M7
Win98 or WinNT build 1999-06-02-08-M7

- go to www.etrade.com
- click the yellow LOG ON button
- the page does not go to the log on screen as it should
- highlight and delete the cgi information in the URI
- click Enter to reload www.etrade.com
- at this point, the application often crashes (on all 3 systems.) see TalkBack
report #9393089:

 Call Stack:    (Signature = IL_InterruptContext a42a9511)

  IL_InterruptContext

[d:\builds\seamonkey\mozilla\modules\libimg\src\if.cpp, line 2071]

  ImageGroupImpl::Interrupt

[d:\builds\seamonkey\mozilla\gfx\src\nsImageGroup.cpp, line 321]

  GalleyContext::`scalar deleting
  destructor'


  nsCOMPtr_base::~nsCOMPtr_base

[d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp, line 26]

  DocumentViewerImpl::~DocumentViewerImpl

[d:\builds\seamonkey\mozilla\layout\base\src\nsDocumentViewer.cpp, line 251]

  DocumentViewerImpl::`scalar deleting
  destructor'


  DocumentViewerImpl::Release

[d:\builds\seamonkey\mozilla\layout\base\src\nsDocumentViewer.cpp, line 188]

  nsWebShell::Embed

[d:\builds\seamonkey\mozilla\webshell\src\nsWebShell.cpp, line 756]

  nsDocumentBindInfo::OnStartBinding

[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 1433]

  OnStartBindingProxyEvent::HandleEvent

[d:\builds\seamonkey\mozilla\network\module\nsNetThread.cpp, line 507]

  StreamListenerProxyEvent::HandlePLEvent

[d:\builds\seamonkey\mozilla\network\module\nsNetThread.cpp, line 473]

  PL_HandleEvent
                                         [plevent.c, line 492]

  _md_EventReceiverProc
                                         [plevent.c, line 872]

  USER32.dll + 0x13ed (0x77e713ed)


  nsappshell.dll + 0x17ef (0x012417ef)


  apprunner.exe + 0x1f87 (0x00401f87)


  KERNEL32.dll + 0x1b304 (0x77f1b304)
Blocks: 4287
Assignee: rickg → beard
Patrick -- this does in fact crash. Since you're working in this area now,
please take a look. Stack trace included:

IL_InterruptContext(_IL_GroupContext * 0x040147e0) line 2071 + 3 bytes
ImageGroupImpl::Interrupt() line 319 + 12 bytes
nsPresContext::~nsPresContext() line 90
GalleyContext::~GalleyContext() line 41 + 8 bytes
GalleyContext::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsPresContext::Release(nsPresContext * const 0x0366c3f0) line 112 + 34 bytes
nsCOMPtr_base::~nsCOMPtr_base() line 26
nsCOMPtr<nsIPresContext>::~nsCOMPtr<nsIPresContext>() + 15 bytes
DocumentViewerImpl::~DocumentViewerImpl() line 242 + 33 bytes
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x0367ecd0) line 184 + 99
bytes
nsWebShell::Embed(nsWebShell * const 0x03647030, nsIContentViewer * 0x03e73030,
const char * 0x03e6c030, nsISupports * 0x00000000) line 755 + 27 bytes
nsDocumentBindInfo::OnStartBinding(nsDocumentBindInfo * const 0x03e6a030, nsIURL
* 0x03e6f630, const char * 0x03e743e0) line 1432 + 36 bytes
OnStartBindingProxyEvent::HandleEvent(OnStartBindingProxyEvent * const
0x03e74670) line 507
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x03e74674) line 472 + 12
bytes
PL_HandleEvent(PLEvent * 0x03e74674) line 491 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00c15280) line 452 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x004d01ae, unsigned int 49388, unsigned int 0,
long 12669568) line 868 + 9 bytes
USER32! 77e71250()
00c15280()
Assignee: beard → pnunn
Component: Layout → ImageLib
This crash is caused by improper cleanup code in IL_GetImage (mozilla/modules/
libimg/src/if.cpp, line 1977). If the CreateURL call fails, the image request is
destroyed, but a dangling pointer to is retained by the il_container, by a call
to il_add_client (line 1900). Later, when the call to IL_InterruptContext() is
made, when the page is exited, the dangling pointer is traversed, and a crash
ensues.
The <IMG> tag which causes this to fail may be incorrectly parsed. Here's the
tag itself:

<IMG SRC="/cgi-bin/gx.cgi/AppLogic+PUChart?prodid=SPX:US:INDX&date=9956144540""
ALT="NASDAQ Combo Chart" WIDTH=210 HEIGHT=223 BORDER=0 ALIGN="BOTTOM">

The exact URL seems to be getting passed to IL_GetImage(), rather than being
prefixed with "http://www.etrade.com/", which is the document's URL.
Status: NEW → ASSIGNED
Target Milestone: M7
I believe my fix for bugz#6045 should fix this bug too. That is, it should
fix the crashing part. I want to look a little more at the url string passed
to the imglib.
-pnunn
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
I declare the crashes fixed.
The url name passed in is wacky, but that is what
is passed to the image lib. I'll close this bug so
it can be tested and reopen one for the url problem.
-pn
Status: RESOLVED → VERIFIED
Crash nolonger occurs in the the June 14th Build.
You need to log in before you can comment on or make changes to this bug.