Closed Bug 85822 Opened 20 years ago Closed 20 years ago

crash in [@ nsHttpTransaction::Cancel] [@ nsHttpConnection::ReportProgress] [cancelation not thread-safe]

Categories

(Core :: Networking: HTTP, defect, P1)

defect

Tracking

()

VERIFIED FIXED
mozilla0.9.2

People

(Reporter: jrgmorrison, Assigned: darin.moz)

References

()

Details

(4 keywords)

Crash Data

Attachments

(3 files)

I get a crash in an abbreviated ibench test, using a build I pulled
in the past couple of hours.

Go to http://cowtools.mcom.com/minibench/standard/
Click on the link 'Go for a ride'.

Crash is here; mConnection is null.

http://lxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpTransac
tion.cpp

    PRInt32 priorVal = PR_AtomicSet(&mTransactionDone, 1);
    if (priorVal == 0) {
        mConnection->OnTransactionComplete(status);
        NS_RELEASE(mConnection);
    }


Stack is :

nsHttpTransaction::Cancel(nsHttpTransaction * const 0x0212ed20, unsigned int 
2152398850) line 647 + 4 bytes
nsHttpChannel::Cancel(nsHttpChannel * const 0x01f99e68, unsigned int 
2152398850) line 1592
nsLoadGroup::Cancel(nsLoadGroup * const 0x00000000, unsigned int 2152398850) 
line 242
nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x00000000) line 278 + 14 bytes
nsURILoader::Stop(nsURILoader * const 0x00c01de8, nsISupports * 0x00000000) 
line 536 + 6 bytes
nsDocShell::Stop(nsDocShell * const 0x00c01de8) line 2211
nsWebShell::StopDocumentLoad(nsWebShell * const 0x01f5cb2c) line 647
nsObserverBase::NotifyWebShell(nsObserverBase * const 0x00b82b80, nsISupports * 
0x00000000, const char * 0x0012f5e4, nsCharsetSource kCharsetFromMetaTag) line 
91 + 11 bytes
nsMetaCharsetObserver::Notify(nsMetaCharsetObserver * const 0x00b82b78, 
nsISupports * 0x01fb5220, const nsStringArray * 0x00000000, const nsStringArray 
* 0x01000009) line 247 + 42 bytes
nsMetaCharsetObserver::Notify(nsMetaCharsetObserver * const 0x00b82b78, 
nsISupports * 0x01fb5220, const unsigned short * 0x0012f944, const 
nsStringArray * 0x0012f9d4, const nsStringArray * 0x0012f9dc) line 136
nsObserverTopic::Notify(nsObserverTopic * const 0x02f69248, nsHTMLTag 
eHTMLTag_meta, nsIParserNode & {...}, void * 0x01fb5220, nsIParser * 
0x00000002) line 1576
CObserverService::Notify(CObserverService * const 0x02f69248, nsHTMLTag 
eHTMLTag_meta, nsIParserNode & {...}, void * 0x01fb5220, const nsString & 
{...}, nsIParser * 0x02fb41e8) line 1733 + 19 bytes
CNavDTD::WillHandleStartTag(CNavDTD * const 0x02f69248, CToken * 0x02f7b258, 
nsHTMLTag eHTMLTag_meta, nsIParserNode & {...}) line 1387 + 28 bytes
CNavDTD::HandleStartToken(CNavDTD * const 0x02f69248, CToken * 0x00000000) line 
1635
CNavDTD::HandleToken(CNavDTD * const 0x00000001, CToken * 0x02f7b258, nsIParser 
* 0x02fb41e8) line 887 + 10 bytes
CNavDTD::BuildModel(CNavDTD * const 0x02192b58, nsIParser * 0x02fb41e8, 
nsITokenizer * 0x02176db0, nsITokenObserver * 0x00000000, nsIContentSink * 
0x020bc5e8) line 539 + 8 bytes
nsParser::BuildModel(nsParser * const 0x02f69248) line 1994
nsParser::ResumeParse(nsParser * const 0x02f69248, int 1, int 0) line 1871 + 10 
bytes
nsParser::OnDataAvailable(nsParser * const 0x00004000, nsIRequest * 0x01f99e68, 
nsISupports * 0x00000000, nsIInputStream * 0x020b3418, unsigned int 0, unsigned 
int 16384) line 2325 + 11 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x0212d6b8, 
nsIRequest * 0x01f99e68, nsISupports * 0x00000000, nsIInputStream * 0x020b3418, 
unsigned int 0, unsigned int 16384) line 237 + 21 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x020b3418, 
nsIRequest * 0x01f99e68, nsISupports * 0x00000000, nsIInputStream * 0x00000000, 
unsigned int 0, unsigned int 16384) line 56 + 24 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x01f99e6c, nsIRequest * 
0x0212ed20, nsISupports * 0x00000000, nsIInputStream * 0x02f68894, unsigned int 
0, unsigned int 16384) line 2134 + 23 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x02f69248) 
line 175 + 24 bytes
PL_HandleEvent(PLEvent * 0x02f56874) line 591
PL_ProcessPendingEvents(PLEventQueue * 0x1002aa55) line 520 + 6 bytes
_md_EventReceiverProc(HWND__ * 0x00bd0e18, unsigned int 4200147, unsigned int 
12663256, long 0) line 1071 + 10 bytes
nsAppShellService::Run(nsAppShellService * const 0x00c139d8) line 418
main1(int 1, char * * 0x003226d0, nsISupports * 0x00322718) line 1110 + 9 bytes
main(int 1, char * * 0x003226d0) line 1408 + 25 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x0013349f, 
HINSTANCE__ * 0x00400000) line 1426 + 21 bytes
MOZILLA! WinMainCRTStartup + 308 bytes
KERNEL32! 77e87903()
One thing to note: the page pointed to by that link, is a very short document
that run an onload handler to set a cookie and then redirect to another page.
Keywords: crash
Ooops. I get a similar (almost identical) crash when running the 'official'
ibench test. 

00000000()
nsHttpConnection::OnTransactionComplete(nsHttpConnection * const 0x03065100, 
unsigned int 2152398850) line 221
nsHttpTransaction::Cancel(nsHttpTransaction * const 0x0311f708, unsigned int 
2152398850) line 647
nsHttpChannel::Cancel(nsHttpChannel * const 0x0237f988, unsigned int 
2152398850) line 1592
nsLoadGroup::Cancel(nsLoadGroup * const 0x00000000, unsigned int 2152398850) 
line 242
nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x00000000) line 278 + 14 bytes
nsURILoader::Stop(nsURILoader * const 0x00c01de8, nsISupports * 0x00000000) 
line 536 + 6 bytes
nsDocShell::Stop(nsDocShell * const 0x00c01de8) line 2211
nsWebShell::StopDocumentLoad(nsWebShell * const 0x0218c184) line 647
nsObserverBase::NotifyWebShell(nsObserverBase * const 0x00b82b80, nsISupports * 
0x00000000, const char * 0x0012f5e4, nsCharsetSource kCharsetFromMetaTag) line 
91 + 11 bytes
nsMetaCharsetObserver::Notify(nsMetaCharsetObserver * const 0x00b82b78, 
nsISupports * 0x0312e1c8, const nsStringArray * 0x00000000, const nsStringArray 
* 0x01000009) line 247 + 42 bytes
nsMetaCharsetObserver::Notify(nsMetaCharsetObserver * const 0x00b82b78, 
nsISupports * 0x0312e1c8, const unsigned short * 0x0012f944, const 
nsStringArray * 0x0012f9d4, const nsStringArray * 0x0012f9dc) line 136
nsObserverTopic::Notify(nsObserverTopic * const 0x03065100, nsHTMLTag 
eHTMLTag_meta, nsIParserNode & {...}, void * 0x0312e1c8, nsIParser * 
0x00000002) line 1576
CObserverService::Notify(CObserverService * const 0x03065100, nsHTMLTag 
eHTMLTag_meta, nsIParserNode & {...}, void * 0x0312e1c8, const nsString & 
{...}, nsIParser * 0x031336b0) line 1733 + 19 bytes
CNavDTD::WillHandleStartTag(CNavDTD * const 0x03065100, CToken * 0x03169250, 
nsHTMLTag eHTMLTag_meta, nsIParserNode & {...}) line 1387 + 28 bytes
CNavDTD::HandleStartToken(CNavDTD * const 0x03065100, CToken * 0x00000000) line 
1635
CNavDTD::HandleToken(CNavDTD * const 0x00000001, CToken * 0x03169250, nsIParser 
* 0x031336b0) line 887 + 10 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0217bcd0, nsIParser * 0x031336b0, 
nsITokenizer * 0x0208b8e8, nsITokenObserver * 0x00000000, nsIContentSink * 
0x022e3318) line 539 + 8 bytes
nsParser::BuildModel(nsParser * const 0x03065100) line 1994
nsParser::ResumeParse(nsParser * const 0x03065100, int 1, int 0) line 1871 + 10 
bytes
nsParser::OnDataAvailable(nsParser * const 0x00004000, nsIRequest * 0x0237f988, 
nsISupports * 0x00000000, nsIInputStream * 0x023b4a50, unsigned int 0, unsigned 
int 16384) line 2325 + 11 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x02191fa8, 
nsIRequest * 0x0237f988, nsISupports * 0x00000000, nsIInputStream * 0x023b4a50, 
unsigned int 0, unsigned int 16384) line 237 + 21 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x023b4a50, 
nsIRequest * 0x0237f988, nsISupports * 0x00000000, nsIInputStream * 0x00000000, 
unsigned int 0, unsigned int 16384) line 56 + 24 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x0237f98c, nsIRequest * 
0x0311f708, nsISupports * 0x00000000, nsIInputStream * 0x0236798c, unsigned int 
0, unsigned int 16384) line 2134 + 23 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x03065100) 
line 175 + 24 bytes
PL_HandleEvent(PLEvent * 0x021669d4) line 591
PL_ProcessPendingEvents(PLEventQueue * 0x1002aa55) line 520 + 6 bytes
_md_EventReceiverProc(HWND__ * 0x00bd0e78, unsigned int 4200147, unsigned int 
12663256, long 0) line 1071 + 10 bytes
nsAppShellService::Run(nsAppShellService * const 0x00c139d8) line 418
main1(int 1, char * * 0x003226d0, nsISupports * 0x00322718) line 1110 + 9 bytes
main(int 1, char * * 0x003226d0) line 1408 + 25 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x0013349f, 
HINSTANCE__ * 0x00400000) line 1426 + 21 bytes
MOZILLA! WinMainCRTStartup + 308 bytes
KERNEL32! 77e87903()

I see the same crash as your first stack when having to click a link a second
time because the first fails/hangs.
Second stack is the one from recent bug 85806
OK.. patch in hand.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.2
Different stack, same endpoint (on linux):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 22172)]
0x63656c62 in ?? ()
(gdb) where
#0  0x63656c62 in ?? ()
#1  0x4086f0bd in nsHttpTransaction::Cancel ()
   from /home/tor/mopt/dist/bin/components/libnecko.so
#2  0x40871a1a in nsHttpChannel::ProcessRedirection ()
   from /home/tor/mopt/dist/bin/components/libnecko.so
#3  0x408701e0 in nsHttpChannel::ProcessResponse ()
   from /home/tor/mopt/dist/bin/components/libnecko.so
#4  0x408747ec in nsHttpChannel::OnStartRequest ()
   from /home/tor/mopt/dist/bin/components/libnecko.so
#5  0x40886497 in nsOnStartRequestEvent::HandleEvent ()
   from /home/tor/mopt/dist/bin/components/libnecko.so
#6  0x40842243 in nsARequestObserverEvent::HandlePLEvent ()
   from /home/tor/mopt/dist/bin/components/libnecko.so
#7  0x400cca7b in PL_HandleEvent () at eval.c:41
#8  0x400cc989 in PL_ProcessPendingEvents () at eval.c:41
#9  0x400cdaeb in nsEventQueueImpl::ProcessPendingEvents () at eval.c:41
#10 0x4074f166 in event_processor_callback ()
   from /home/tor/mopt/dist/bin/components/libwidget_gtk.so
#11 0x4074eeb5 in our_gdk_io_invoke ()
   from /home/tor/mopt/dist/bin/components/libwidget_gtk.so
#12 0x4037001e in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#13 0x403717f3 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#14 0x40371dd9 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#15 0x40371f8c in g_main_run () from /usr/lib/libglib-1.2.so.0
#16 0x40286803 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#17 0x4074f696 in nsAppShell::Run ()
   from /home/tor/mopt/dist/bin/components/libwidget_gtk.so
#18 0x40733ad6 in nsAppShellService::Run ()
   from /home/tor/mopt/dist/bin/components/libnsappshell.so
#19 0x0804fa8f in main1 () at eval.c:41
#20 0x0805032f in main () at eval.c:41
#21 0x404bc177 in __libc_start_main (main=0x80501e0 <main>, argc=1, 
    ubp_av=0xbffff8bc, init=0x804bd88 <_init>, fini=0x805209c <_fini>, 
    rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff8ac)
    at ../sysdeps/generic/libc-start.c:129
Severity: normal → blocker
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Summary: crash in nsHttpTransaction::Cancel, clicking on link → crash in nsHttpTransaction::Cancel [cancelation not thread-safe]
*** Bug 85901 has been marked as a duplicate of this bug. ***
*** Bug 85806 has been marked as a duplicate of this bug. ***
Is bug 85937 related to this one?  I reported it and included a talkback id so 
someone can check the stack trace.

jake
*** Bug 85937 has been marked as a duplicate of this bug. ***
adding smoketest and regression keywords...this is crashing with today's linux
builds.   Here is the Talkback data for a couple of my crashes:

Incident ID 31726090
Stack Signature 0x00000000 a01523ae
Bug ID
Trigger Time 2001-06-14 12:07:29
User Comments netscape japan site i think...just clicked bookmark and boom!
Build ID 2001061411
Product ID MozillaTrunk
Platform ID LinuxIntel
Stack Trace
0x00000000
nsHttpTransaction::Cancel()
nsHttpChannel::Cancel()
nsLoadGroup::Cancel()
nsDocLoaderImpl::Stop()
nsURILoader::Stop()
nsDocShell::Stop()
nsWebShell::StopDocumentLoad()
nsObserverBase::NotifyWebShell()
nsMetaCharsetObserver::Notify()
nsMetaCharsetObserver::Notify()
nsObserverTopic::Notify()
CObserverService::Notify()
CNavDTD::WillHandleStartTag()
CNavDTD::HandleStartToken()
CNavDTD::HandleToken()
CNavDTD::BuildModel()
nsParser::BuildModel()
nsParser::ResumeParse()
nsParser::OnDataAvailable()
nsDocumentOpenInfo::OnDataAvailable()
nsStreamListenerTee::OnDataAvailable()
nsHttpChannel::OnDataAvailable()
nsOnDataAvailableEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
libglib-1.2.so.0 + 0xe52a (0x4033e52a)
libglib-1.2.so.0 + 0xfbe6 (0x4033fbe6)
libglib-1.2.so.0 + 0x101a1 (0x403401a1)
libglib-1.2.so.0 + 0x10341 (0x40340341)
libgtk-1.2.so.0 + 0x8c209 (0x40267209)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x181eb (0x404371eb) 

and 

Incident ID 31726299
Stack Signature 0x4050c1bf ffb85f5f
Bug ID
Trigger Time 2001-06-14 12:12:35
User Comments set homepage to netscape.com with new profile while offline, went
online and reloaded page and boom!
Build ID 2001061411
Product ID MozillaTrunk
Platform ID LinuxIntel
Stack Trace
0x4050c1bf
nsHttpTransaction::Cancel()
nsHttpChannel::Cancel()
imgRequest::Cancel()
imgRequest::RemoveProxy()
imgRequestProxy::Cancel()
nsImageFrame::Destroy()
nsFrameList::DestroyFrames()
nsContainerFrame::Destroy()
nsLineBox::DeleteLineList()
nsBlockFrame::Destroy()
nsFrameList::DestroyFrames()
nsContainerFrame::Destroy()
nsFrameList::DestroyFrames()
nsContainerFrame::Destroy()
nsFrameList::DestroyFrames()
nsContainerFrame::Destroy()
nsFrameList::DestroyFrames()
nsContainerFrame::Destroy()
nsTableFrame::Destroy()
nsFrameList::DestroyFrames()
nsContainerFrame::Destroy()
nsTableOuterFrame::Destroy()
nsFrameList::DestroyFrames()
nsCSSFrameConstructor::WipeContainingBlock()
nsCSSFrameConstructor::ContentAppended()
StyleSetImpl::ContentAppended()
PresShell::ContentAppended()
nsDocument::ContentAppended()
nsHTMLDocument::ContentAppended()
HTMLContentSink::NotifyAppend()
SinkContext::CloseContainer()
HTMLContentSink::CloseContainer()
CNavDTD::CloseContainer()
CNavDTD::CloseContainersTo()
CNavDTD::CloseContainersTo()
CNavDTD::DidBuildModel()
nsParser::DidBuildModel()
nsParser::ResumeParse()
nsParser::ContinueParsing()
HTMLContentSink::ScriptEvaluated()
nsScriptLoader::FireScriptEvaluated()
nsScriptLoader::ProcessRequest()
nsScriptLoader::OnStreamComplete()
nsStreamLoader::OnStopRequest()
nsStreamListenerTee::OnStopRequest()
nsHttpChannel::OnStopRequest()
nsOnStopRequestEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessEventsBeforeID()
processQueue()
nsVoidArray::EnumerateForwards()
nsAppShell::ProcessBeforeID()
handle_gdk_event()
libgdk-1.2.so.0 + 0x1700b (0x4031200b)
libglib-1.2.so.0 + 0xfbe6 (0x4033fbe6)
libglib-1.2.so.0 + 0x101a1 (0x403401a1)
libglib-1.2.so.0 + 0x10341 (0x40340341)
libgtk-1.2.so.0 + 0x8c209 (0x40267209)
nsAppShell::Run()
nsAppShellService::Run()
main1()
main()
libc.so.6 + 0x181eb (0x404371eb) 

This is a smoketest blocker.
Is anyone seeing this on win32 or mac?  I didn't crash at all with today's
builds for those platforms...just linux.  Just wanted to be sure because the
platform and os are set to all.
Summary: crash in nsHttpTransaction::Cancel [cancelation not thread-safe] → crash in [@ nsHttpTransaction::Cancel] [cancelation not thread-safe]
Attached patch patch for httpSplinter Review
any help i could get testing these patches would be greatly appreciated.
Linux was the only platform that crashed for me. Mac and Win32 today were OK.
These patches seem to really help the stability of my build.
The patches fix the crash for me (for the two ways that I could force the 
crash previously). 

[To answer Jay's question: this is an all platform crash. It was initially 
reported for win2k].
after darin clarified some things on irc r/sr=blizzard on both patches
*** Bug 85926 has been marked as a duplicate of this bug. ***
dougt says: r/rs=
a=blizzard
*** Bug 85206 has been marked as a duplicate of this bug. ***
fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 85823 has been marked as a duplicate of this bug. ***
This crash is no longer occurring for me with the latest Linux build 2001061414.
 I was never crashing here with my Win98 or Mac machines, so someone else will
need to verify this fix on those platforms if they were seeing this crash.  I
know somebody mentioned there were crashes on Win2k, but I don't have a machine,
so help veifying that would be good too.
jpatel@netscape.com: 
I crashed on win2k with this bug (3x in 5min). 
After I updated my build with the fix I cannot reproduce this crash (opt and 
debug)
This seems to be working now, yesterdays build (2001061304) crashed frequently,
but since I got the latest build (2001061404), I've been running for an hour
with no crashes.  I'm also using Win2k.
Good work!

*** Bug 86444 has been marked as a duplicate of this bug. ***
Adding topcrash for talkback tracking
Keywords: topcrash
Adding [@ nsHttpConnection::ReportProgress] to summary for future reference.
Summary: crash in [@ nsHttpTransaction::Cancel] [cancelation not thread-safe] → crash in [@ nsHttpTransaction::Cancel] [[@ nsHttpConnection::ReportProgress] [cancelation not thread-safe]
Summary: crash in [@ nsHttpTransaction::Cancel] [[@ nsHttpConnection::ReportProgress] [cancelation not thread-safe] → crash in [@ nsHttpTransaction::Cancel] [@ nsHttpConnection::ReportProgress] [cancelation not thread-safe]
QA Contact: benc → bbaetz
Verified on:

Win2K:  2001-07-27-00-0.9.2
        2001-07-27-12-trunk
Mac:    2001-07-26-21-0.9.2
Linux:  2001-07-26-23-0.9.2

Status: RESOLVED → VERIFIED
Crash Signature: [@ nsHttpTransaction::Cancel] [@ nsHttpConnection::ReportProgress]
You need to log in before you can comment on or make changes to this bug.