Closed Bug 75388 Opened 24 years ago Closed 24 years ago

Open Web Location 2x or Open File 2x or submit insecure form 2x or install XPI = Trunk crash [@ nsImageBoxFrame::OnStartContainer]

Categories

(Core :: Graphics: ImageLib, defect)

x86
All
defect
Not set
blocker

VERIFIED FIXED

People

(Reporter: mattdm, Assigned: pavlov)

Details

(4 keywords, Whiteboard: [imagelib])

Attachments

(2 files)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-3 i686; en-US; 0.8.1)
BuildID:    2001041005

Attempting to use either Open Web Location or Open File more than once causes a
segfault.

Reproducible: Always

Steps to Reproduce:
1. Pick File|Open Web Location.
2. Either cancel, or actually open a page.
3. Repeat step one.

Actual Results:  Crash.

Expected Results:  Dialog box should come up as normal.

Same behavior with File|Open File. The two are not interlinked -- either dialog
can be accessed exactly once.
I see this in 2001-04-10-05 on linux also.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Attached file stack trace
I have another way to reproduce this also:

1)  Make sure that the "warn before sending form data to an insecure site"
    option is on in PSM Application prefs
2)  Submit an insecure form (the "Find" button at the bottom of Bugzilla pages
    will do nicely)
3)  Submit an insecure form again.  Watch Mozilla crash.
Over to Pav based on the libimg2 in the first stack trace and the more detailed
stack trace I'm about to attach.  ccing saari since he touched libpr0n
yesterday.  This is a regression -- this works fine in the 2001-04-09 morning
builds.

I just tried this in a debug build from this morning.  I had to open the "Open
File" dialog 4 times to get the crash, but it did crash.  Also crashed using the
form+alert method.  Same trace in both cases:

#0  0x41e4f945 in nsImageBoxFrame::OnStartContainer (this=0x89e2764,
request=0x89e5558, 
    aPresContext=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:642
#1  0x41e4ffbc in nsImageBoxListener::OnStartContainer (this=0x89e5540, 
    request=0x89e5558, cx=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:743
#2  0x42050ee2 in imgRequestProxy::OnStartContainer (this=0x89e5558, request=0x0, 
    cx=0x0, image=0x0) at imgRequestProxy.cpp:254
#3  0x4204d7f9 in imgRequest::AddObserver (this=0x8a60e00, observer=0x89e555c)
    at imgRequest.cpp:103
#4  0x42050920 in imgRequestProxy::Init (this=0x89e5558, request=0x8a60e00, 
    aLoadGroup=0x8a94770, aObserver=0x89e5540, cx=0x8a71b38) at
imgRequestProxy.cpp:95

(gdb) frame 0
#0  0x41e4f945 in nsImageBoxFrame::OnStartContainer (this=0x89e2764,
request=0x89e5558, 
    aPresContext=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:642
642       image->GetWidth(&w);
(gdb) p image
$1 = (imgIContainer *) 0x0
(gdb) frame 1
#1  0x41e4ffbc in nsImageBoxListener::OnStartContainer (this=0x89e5540, 
    request=0x89e5558, cx=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:743
743       return mFrame->OnStartContainer(request, pc, image);
(gdb) p image
$2 = (imgIContainer *) 0x0
(gdb) frame 2
#2  0x42050ee2 in imgRequestProxy::OnStartContainer (this=0x89e5558, request=0x0, 
    cx=0x0, image=0x0) at imgRequestProxy.cpp:254
254         mObserver->OnStartContainer(this, mContext, image);
(gdb) frame 3
#3  0x4204d7f9 in imgRequest::AddObserver (this=0x8a60e00, observer=0x89e555c)
    at imgRequest.cpp:103
103         observer->OnStartContainer(nsnull, nsnull, mImage);
(gdb) p mImage
$3 = {mRawPtr = 0x0}
Blocks: 66967
Component: XP Apps: GUI Features → ImageLib
Keywords: regression
Summary: Open Web Location or Open File 2x = crash → Open Web Location 2x or Open File 2x or submit insecure forme 2x = crash
Whiteboard: [imagelib]
reassign for real....
Assignee: ben → pavlov
QA Contact: sairuh → tpreston
*** Bug 75395 has been marked as a duplicate of this bug. ***
Bug 75395 has the same stack trace but is reported on Windows, so OS -> all.

This gives us another way to reproduce: 
1. go to http://www.mozilla.org/projects/xslt/index.html#bins
2. Click "Install"
3. Select transformiix, click OK
OS: Linux → All
In fact this crashes on an attempt to install any XPI (I just tried jre.xpi and
got the same crash)
Summary: Open Web Location 2x or Open File 2x or submit insecure forme 2x = crash → Open Web Location 2x or Open File 2x or submit insecure form 2x or install XPI = crash
Keywords: smoketest
I run into this the 1st time I bring up the file picker or the Open Web Location
dialog. echoing comments from bug 75299 [console output from 9:30am linux debug
build]:

###!!! ASSERTION: imgRequest::OnStopRequest -- received multiple OnStopRequest:
'mChannel && mLoading', file imgRequest.cpp, line 642
###!!! Break: at file imgRequest.cpp, line 642
WARNING: imgRequest::RemoveFromCache -- no entry!, file imgRequest.cpp, line 227

shouldn't this be marked a blocker? or, would a repull workaround this?
is this likely fixed by sspitzer's checkin?
seth's checkin does not fix this for me.... Still crash on XPI install, form
submission, and open location with both his patch for bug 75407 and bug 75416
Severity: critical → blocker
*** Bug 75419 has been marked as a duplicate of this bug. ***
We need this patch in nsImageBoxFrame also:

Index: mozilla/layout/xul/base/src/nsImageBoxFrame.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/xul/base/src/nsImageBoxFrame.cpp,v
retrieving revision 1.8
diff -b -u -2 -r1.8 nsImageBoxFrame.cpp
--- nsImageBoxFrame.cpp	2001/04/10 17:44:53	1.8
+++ nsImageBoxFrame.cpp	2001/04/10 20:18:45
@@ -640,4 +640,6 @@
   aPresContext->GetShell(getter_AddRefs(presShell));
 
+  NS_ENSURE_ARG(image);
+	
   mHasImage = PR_TRUE;
   mSizeFrozen = PR_FALSE;
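Review bot: the NS_ENSURE_ARG(image) guard at line 642 sits after aPresContext->GetShell(getter_AddRefs(presShell)), so the pres shell is fetched before the argument is validated; move the check to the top of the function so nothing runs on a call that is going to be rejected. The added blank line also carries a stray tab. Separately, the gdb trace earlier in this bug shows imgRequest::AddObserver passing a null mImage at imgRequest.cpp:103, so this guard protects only this one listener; either the caller should skip the notification while mImage is null, or every other OnStartContainer implementation needs the same check.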
nsImageBoxFrame fix checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Is this an actual fix or a band-aid until underlying problems are dealt with? 
That is, should this bug actually be resolved?
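The null `image` from the gdb trace and the listener-side guard from the patch, as a simplified stand-alone C++ model added here for illustration; it is not Mozilla's code, and `BoxFrame`, `Request`, `Container`, `Result` and the two `AddObserver*` methods are hypothetical names. It puts the callee-side guard next to a caller-side check that skips the replay while no container exists.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>

// Hypothetical stand-ins for the classes in the trace; not Mozilla's code.
enum Result { OK = 0, ERROR_INVALID_ARG = 1 };
struct Container { int32_t width; int32_t height; };
struct Observer {
    virtual ~Observer() = default;
    virtual Result OnStartContainer(Container* image) = 0;
};

// Listener carrying the callee-side guard (the role NS_ENSURE_ARG plays).
struct BoxFrame : Observer {
    bool hasImage = false;
    int32_t w = 0, h = 0;
    Result OnStartContainer(Container* image) override {
        if (!image) return ERROR_INVALID_ARG;  // without this, image->width faults
        hasImage = true;
        w = image->width; h = image->height;
        return OK;
    }
};

// Request that replays "container started" to observers that attach late.
struct Request {
    std::unique_ptr<Container> image;  // stays null until a container exists
    int replayed = 0;
    // As in the trace: the replay passes whatever the pointer holds, null included.
    Result AddObserverUnchecked(Observer& o) {
        ++replayed;
        return o.OnStartContainer(image.get());
    }
    // Caller-side check: only replay an event that has actually happened.
    Result AddObserverChecked(Observer& o) {
        if (!image) return OK;
        ++replayed;
        return o.OnStartContainer(image.get());
    }
};

int main() {
    Request r; BoxFrame f;
    std::printf("unchecked replay, no container: %d\n", r.AddObserverUnchecked(f));
    std::printf("checked replay, no container:   %d\n", r.AddObserverChecked(f));
    r.image.reset(new Container{16, 16});  // constructed sample size
    Result last = r.AddObserverChecked(f);
    std::printf("checked replay, container set:  %d (w=%d)\n", last, (int)f.w);
}
```

With only the listener guard, each observer has to reject the bogus notification itself; with the caller-side check the notification is never sent.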
This bug is a topcrasher, added topcrash keyword.  
Added [@ nsImageBoxFrame::OnStartContainer] for tracking.  

Here are some URLs & Comments that might help repro this crash:
     (29010926) URL: http://developer.java.sun.com/servlet/SessionServlet?url=http://developer.java.sun.com/developer/earlyAccess/j2sdk131/
     (28931521) URL: www.hotmail.com
     (28924897) URL: http://paypal.com/
     (28922534) URL: http://home.netscape.com/themes/index.html?cp=dtyccfea2a
     (28922487) URL: http://home.netscape.com/themes/index.html?cp=dtyccfea2a
     (28922446) URL: http://home.netscape.com/themes/index.html?cp=dtyccfea2a
     (28922199) URL: x.themes.com
     (28918671) URL: http://paypal.com/
     (28916844) URL: http://www.amazon.co.jp/
     (28916575) URL: http://www.amazon.co.jp/
     (28916410) URL: http://www.amazon.co.jp/
     (28916335) URL: http://www.netgol.com/shopping/
     (28916267) URL: http://www.netgol.com/shopping/
     (28916242) URL: http://www.netgol.com/shopping/
     (28916189) URL: 
http://www.pp.iij4u.or.jp/~sailor-1/Yamauchi_Mihoko/thum_frame4.html
     (28915683) URL: http://www.mozilla.org/projects/xslt/index.html#bins
     (28915645) URL: http://divx.euro.ru/
     (28914553) URL: http://divx.euro.ru/
     (28914235) URL: 
http://www.pp.iij4u.or.jp/~sailor-1/Yamauchi_Mihoko/thum_frame4.html
     (28913771) URL: http://www.ff.iij4u.or.jp/~i300/main.html
     (28912004) Comments: crash on startup build 2001041006
     (28911791) Comments: crash on start of jrgm's load tester
     (28911787) Comments: crash starting jrgms loadtime tester
     (28911783) Comments: crash on first launch
     (28911782) Comments: crash on launch


Here is a recent stack trace:
         nsImageBoxFrame::OnStartContainer
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 647] 
         nsImageBoxListener::OnStartContainer
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 748] 
         imgRequestProxy::OnStartContainer
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp  line 256] 
         imgRequest::AddObserver
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp  line 107] 
         imgRequestProxy::Init
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp  line 97] 
         imgLoader::LoadImage   
[d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp
line 169] 
         nsImageBoxFrame::UpdateImage
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 362] 
         nsImageBoxFrame::DidSetStyleContext
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 474] 
         nsFrame::SetStyleContext
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp  line 478] 
         nsFrame::Init  
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp  line 329] 
         nsLeafBoxFrame::Init
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsLeafBoxFrame.cpp  line 95] 
         nsImageBoxFrame::Init
[d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp  line 211] 
         nsCSSFrameConstructor::InitAndRestoreFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 6671] 
         nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 5798] 
         nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 7198] 
         nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 7100] 
         nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 11232] 
         nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 5825] 
         nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 7198] 
         nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 7100] 
         nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 11232] 
         nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 5825] 
         nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 7198] 
         nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 7100] 
         nsCSSFrameConstructor::ProcessChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 11232] 
         nsCSSFrameConstructor::ConstructDocElementFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 3539] 
         nsCSSFrameConstructor::ContentInserted
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp  
line 8410] 
         StyleSetImpl::ContentInserted
[d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp  line 1224] 
         PresShell::InitialReflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp  line 2468] 
         nsXULDocument::StartLayout
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp  line 
3920] 
         nsXULDocument::ResumeWalk
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp  line 
5025] 
         nsXULDocument::CachedChromeStreamListener::OnStopRequest
[d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp  line 
6157] 
         nsDocumentOpenInfo::OnStopRequest
[d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp  line 277] 
         nsCachedChromeChannel::HandleStopLoadEvent
[d:\builds\seamonkey\mozilla\rdf\chrome\src\nsChromeProtocolHandler.cpp  line 
439] 
         PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  
line 589] 
         _md_EventReceiverProc  
[d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c  line 1070] 
         SETUPAPI.DLL + 0x30c24 (0x778b0c24)  
 
Status: RESOLVED → REOPENED
Keywords: topcrash
Resolution: FIXED → ---
Summary: Open Web Location 2x or Open File 2x or submit insecure form 2x or install XPI = crash → Open Web Location 2x or Open File 2x or submit insecure form 2x or install XPI = crash [@ nsImageBoxFrame::OnStartContainer]
From the Talkback data, this looks like a crash that was only reported for 
builds 20010410xx.  Since the fix also went in that same day and Talkback has 
not reported any crashes for builds newer than 2001041013, marking this resolved 
fixed.  Can QA just verify this with the latest trunk build and mark it so?
Status: REOPENED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Summary: Open Web Location 2x or Open File 2x or submit insecure form 2x or install XPI = crash [@ nsImageBoxFrame::OnStartContainer] → Open Web Location 2x or Open File 2x or submit insecure form 2x or install XPI = Trunk crash [@ nsImageBoxFrame::OnStartContainer]
Verified fixed Win XP build 2001120303, linux build 2001120308 and Mac OS X
build 20001120308
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsImageBoxFrame::OnStartContainer]