Closed Bug 82926 Opened 23 years ago Closed 23 years ago

[PATCH] crash [@ gklayout::NS_NewFrameManager]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.2

People

(Reporter: hharris, Assigned: attinasi)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(4 files)

Testcase
327 bytes, text/html
Details
Dr. Watson log for this crash on Win2k
31.86 KB, text/plain
Details
stack trace crash in CSSFrameConstructor
9.68 KB, text/plain
Details
patch to prevent notifying img request proxy when it is being cancelled
605 bytes, patch
Details | Diff | Splinter Review 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:0.9+) Gecko/20010525
BuildID:    2001052506

JavaScript popup window remains blank for a few seconds
and then browser crashes, leaving following in
popuplog.os2

05-27-2001  10:16:09  SYS3175  PID 001b  TID 0001  Slot 0052
D:\WARPZILLA\BIN\MOZILLA.EXE
c0000005
00000000
P1=00000001  P2=00000000  P3=XXXXXXXX  P4=XXXXXXXX  
EAX=024d60ec  EBX=024d66b4  ECX=00000000  EDX=0103cc5c
ESI=00000000  EDI=00000000  
DS=0053  DSACC=f0f3  DSLIM=ffffffff  
ES=0053  ESACC=f0f3  ESLIM=ffffffff  
FS=150b  FSACC=00f3  FSLIM=00000030
GS=0000  GSACC=****  GSLIM=********
CS:EIP=005b:00000000  CSACC=f0df  CSLIM=ffffffff
SS:ESP=0053:0103cacc  SSACC=f0f3  SSLIM=ffffffff
EBP=0103cc70  FLG=00012202


Reproducible: Always
Steps to Reproduce:
1. connect to http://www.novatech.co.uk/NOVATECH/Home.html
2. wait for page to load
3. wait for popup window to appear

Actual Results:  Mozilla crashed leaving the following entry in popuplog.os2

05-27-2001  10:16:09  SYS3175  PID 001b  TID 0001  Slot 0052
D:\WARPZILLA\BIN\MOZILLA.EXE
c0000005
00000000
P1=00000001  P2=00000000  P3=XXXXXXXX  P4=XXXXXXXX  
EAX=024d60ec  EBX=024d66b4  ECX=00000000  EDX=0103cc5c
ESI=00000000  EDI=00000000  
DS=0053  DSACC=f0f3  DSLIM=ffffffff  
ES=0053  ESACC=f0f3  ESLIM=ffffffff  
FS=150b  FSACC=00f3  FSLIM=00000030
GS=0000  GSACC=****  GSLIM=********
CS:EIP=005b:00000000  CSACC=f0df  CSLIM=ffffffff
SS:ESP=0053:0103cacc  SSACC=f0f3  SSLIM=ffffffff
EBP=0103cc70  FLG=00012202


Expected Results:  Display contents of popup window
Attached file Testcase 

    
    

    
  
The testcase is reduced from the URL of the pop-up:
http://www.novatech.co.uk/NOVATECH/CompetitionEntry2.html

Crashed on Win32 build 2001052608.
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Changing summary from "Bad: JavaScript popup window crashes Mozilla" to "crash
[@ gklayout::NS_NewFrameManager]", adding crash keyword, setting OS=All.
Keywords: crash
OS: OS/2 → All
Summary: Bad: JavaScript popup window crashes Mozilla → crash [@ gklayout::NS_NewFrameManager]

    
    

    
  
Over to Layout.
Assignee: rogerl → karnaze
Component: Javascript Engine → Layout
QA Contact: pschwartau → petersen

    
    

    
  
confirming crash under linux (2001052621) for the test case.

    
    

    
  
It crashed already with 2001-04-20 and does not crash with 2001-04-09.

    
  
Keywords: regression

    
    

    
  
probably a dupe of bug 77713

    
    

    
  
Nope, I get a completely different stack trace with 77713 with a crash in
nsGetInterface::operator= .

    
    

    
  
Moving to m0.9.2.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.2

    
    

    
  
Reassigning to attinasi, since he came up with the patch.
Assignee: karnaze → attinasi
Status: ASSIGNED → NEW

    
  
Keywords: patch

    
    

    
  
Pavlov, the change is to null out the listener before removing the proxy because
if we do not, then we can get called back into the frame that is trying to
cancel the notifications! This results in a crash because the frames are only
partly destroyed, and the DOMEvent winds up walking over the partially torn-down
frames.

I think that it is very wrong to notify an observer while they are canceling
their notification registration...

review please?
Status: NEW → ASSIGNED
Keywords: patch

    
    

    
  
sr=waterson

    
    

    
  
I'm looking at this to see if it will break anything.

    
    

    
  
*** Bug 77713 has been marked as a duplicate of this bug. ***

    
    

    
  
Graffiti tagging
Keywords: patch
Summary: crash [@ gklayout::NS_NewFrameManager] → [PATCH] crash [@ gklayout::NS_NewFrameManager]
Whiteboard: have sr, need r

    
    

    
  
r=pavlov

    
  
Blocks: 83989

    
    

    
  
waiting on approval for 0.9.2 landing
Whiteboard: have sr, need r → have r and sr, need a

    
    

    
  
a= asa@mozilla.org for checkin to the trunk.
(on behalf of drivers)

    
    

    
  
Checking in imgRequestProxy.cpp;
/cvsroot/mozilla/modules/libpr0n/src/imgRequestProxy.cpp,v  <--  imgRequestProxy
.cpp
new revision: 1.25; previous revision: 1.24
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: have r and sr, need a

    
    

    
  
Marking verified in the June 27th branch build.
Status: RESOLVED → VERIFIED
Crash Signature: [@ gklayout::NS_NewFrameManager]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: