This is probably my fault. steps: induce some randomness: start browser, open prefs, walk around, cancel start mail, open prefs. crash (gdb) up 10000 #5008 0x08056ead in _start () #4967 0x287d6914 in nsWindowWatcher::OpenWindowJS (this=0x82281c0, aParent=0x8a75304, aUrl=0x9385540 "chrome://communicator/content/pref/pref.xul", aName=0x93da540 "PrefWindow", aFeatures=0x9395ac0 "chrome,titlebar,resizable=no", aDialog=1, argc=3, argv=0x947c100, _retval=0xbfbfc4d8) at /home/timeless/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:544 544 getter_AddRefs(newDocShellItem)); (gdb) l 539 the code that keeps an old docshell alive but disconnected while 540 we load a new one). not much to do but open the new window 541 without a parent. */ 542 if (parentTreeOwner) 543 parentTreeOwner->FindItemWithName(name.get(), nsnull, 544 getter_AddRefs(newDocShellItem)); 545 } 546 } else 547 FindItemWithName(name.get(), getter_AddRefs(newDocShellItem)); 548 } (gdb) down #4966 0x295818bd in nsContentTreeOwner::FindItemWithName (this=0x8b3dd00, aName=0xbfbfc144, aRequestor=0x0, aFoundItem=0xbfbfc118) at /home/timeless/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp:214 214 shellAsTreeItem->FindItemWithName(aName, shellOwnerSupports, aFoundItem); (gdb) l 209 // to call back up. 210 nsCOMPtr<nsIDocShellTreeOwner> shellOwner; 211 shellAsTreeItem->GetTreeOwner(getter_AddRefs(shellOwner)); 212 nsCOMPtr<nsISupports> shellOwnerSupports(do_QueryInterface(shellOwner)); 213 214 shellAsTreeItem->FindItemWithName(aName, shellOwnerSupports, aFoundItem); 215 } 216 if(*aFoundItem) 217 return NS_OK; 218 } (gdb) down #4965 0x297953f4 in nsDocShell::FindItemWithName (this=0x90ccc00, aName=0xbfbfc144, aRequestor=0x8b3dd00, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1709 1709 (nsIDocShellTreeItem *, (gdb) l 1704 PRInt32 parentType; 1705 mParent->GetItemType(&parentType); 1706 if (parentType == mItemType) { 1707 NS_ENSURE_SUCCESS(mParent->FindItemWithName(aName, 1708 NS_STATIC_CAST 1709 (nsIDocShellTreeItem *, 1710 this), _retval), 1711 NS_ERROR_FAILURE); 1712 return NS_OK; 1713 } (gdb) down #4964 0x29795500 in nsDocShell::FindItemWithName (this=0x8b52000, aName=0xbfbfc144, aRequestor=0x90ccc04, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1724 1724 (nsIDocShellTreeItem *, (gdb) l 1719 reqAsTreeOwner(do_QueryInterface(aRequestor)); 1720 1721 if (mTreeOwner && (mTreeOwner != reqAsTreeOwner.get())) { 1722 NS_ENSURE_SUCCESS(mTreeOwner->FindItemWithName(aName, 1723 NS_STATIC_CAST 1724 (nsIDocShellTreeItem *, 1725 this), _retval), 1726 NS_ERROR_FAILURE); 1727 } 1728 the rest of the stack is just these three functions looping around to themselves. A list of my cores from today: -rw------- 1 root wheel 13197312 Apr 5 13:05 /root/coredumps/mozilla-bin.1551.core -rw------- 1 timeless wheel 19820544 Apr 5 13:38 /root/coredumps/mozilla-bin.1852.core -rw------- 1 timeless wheel 33202176 Apr 5 16:44 /root/coredumps/mozilla-bin.2492.core -rw------- 1 timeless wheel 14573568 Apr 5 17:04 /root/coredumps/mozilla-bin.2822.core -rw------- 1 timeless wheel 26177536 Apr 5 17:31 /root/coredumps/mozilla-bin.2917.core <- this one is for this bug -rw------- 1 root wheel 14012416 Apr 5 12:29 /root/coredumps/mozilla-bin.96195.core I think one of the others is too. The top of the stack #0 0x287048c1 in _spinlock_debug () from /usr/lib/libc_r.so.4 (gdb) up #1 0x28708726 in pthread_mutex_lock () from /usr/lib/libc_r.so.4 (gdb) #2 0x283bd5fd in _MD_ATOMIC_INCREMENT (val=0x80c4020) at /home/timeless/mozilla/nsprpub/pr/src/misc/pratom.c:166 166 pthread_mutex_lock(&atomic_locks[idx]); (gdb) #3 0x283bd867 in PR_AtomicIncrement (val=0x80c4020) at /home/timeless/mozilla/nsprpub/pr/src/misc/pratom.c:301 301 return _PR_MD_ATOMIC_INCREMENT(val); (gdb) #4 0x282beb2c in nsComponentManagerImpl::AddRef (this=0x80c4000) at /home/timeless/mozilla/xpcom/components/nsComponentManager.cpp:839 839 NS_IMPL_THREADSAFE_ISUPPORTS7(nsComponentManagerImpl, Current language: auto; currently c++ (gdb) #5 0x28338376 in unsigned int ns_if_addref<nsIServiceManager *> (expr=0x80c4004) at ../../dist/include/xpcom/nsISupportsUtils.h:122 122 return expr ? expr->AddRef() : 0; (gdb) #6 0x282c6d72 in NS_GetServiceManager (result=0xbfb00214) at /home/timeless/mozilla/xpcom/components/nsComponentManager.cpp:3520 3520 NS_IF_ADDREF(*result); (gdb) #7 0x2831e68b in nsGetServiceByCID::operator() (this=0xbfb00374, aIID=@0x806b94c, aInstancePtr=0xbfb00258) at /home/timeless/mozilla/xpcom/glue/nsComponentManagerUtils.cpp:99 99 NS_GetServiceManager(getter_AddRefs(mgr)); (gdb) #8 0x08062923 in nsCOMPtr<nsIWindowMediator>::assign_from_helper (this=0xbfb00384, helper=@0xbfb00374, aIID=@0x806b94c) at ../../dist/include/xpcom/nsCOMPtr.h:922 922 if ( NS_FAILED( helper(aIID, NS_REINTERPRET_CAST(void**, &newRawPtr)) ) ) (gdb) #9 0x08065bc7 in nsCOMPtr<nsIWindowMediator>::nsCOMPtr (this=0xbfb00384, helper=@0xbfb00374) at ../../dist/include/xpcom/nsCOMPtr.h:553 553 assign_from_helper(helper, NS_GET_IID(T)); (gdb) #10 0x295811db in nsContentTreeOwner::FindItemWithName (this=0x8b3dd00, aName=0xbfbfc144, aRequestor=0x8b52004, aFoundItem=0xbfbfc118) at /home/timeless/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp:179 179 nsCOMPtr<nsIWindowMediator> windowMediator(do_GetService(kWindowMediatorCID)); (gdb) #11 0x29795500 in nsDocShell::FindItemWithName (this=0x8b52000, aName=0xbfbfc144, aRequestor=0x90ccc04, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1724 1724 (nsIDocShellTreeItem *, Note: i do have a custom windowmediator sitting around somewhere so this is probably my fault, but it is interesting.

note: i was not very awake, i have a custom windowwatcher, not a custom windowmediator, and i'm not even sure if that's present in this build. anyways, for infinite recursion, it probably makes sense to look at the beginning instead of the end, so here it is: #4982 0x29103334 in nsXULElement::HandleDOMEvent (this=0x909b6c0, aPresContext=0x8ba6400, aEvent=0xbfbfe9f8, aDOMEvent=0xbfbfe7d4, aFlags=1, aEventStatus=0xbfbfea40) at /home/timeless/mozilla/content/xul/content/src/nsXULElement.cpp:3415 3415 return NS_ERROR_FAILURE; (gdb) #4981 0x28f763dc in nsEventListenerManager::HandleEvent (this=0x909b080, aPresContext=0x8ba6400, aEvent=0xbfbfe9f8, aDOMEvent=0xbfbfe7d4, aCurrentTarget=0x909b6c8, aFlags=7, aEventStatus=0xbfbfea40) at /home/timeless/mozilla/content/events/src/nsEventListenerManager.cpp:2199 2199 break; (gdb) #4980 0x28f72351 in nsEventListenerManager::HandleEventSubType (this=0x909b080, aListenerStruct=0x90826f0, aDOMEvent=0x294c2cc8, aCurrentTarget=0x909b6c8, aSubType=8, aPhaseFlags=7) at /home/timeless/mozilla/content/events/src/nsEventListenerManager.cpp:1211 1211 aPrivDOMEvent->SetCurrentTarget(aCurrentTarget); (gdb) #4979 0x2989d17f in nsJSEventListener::HandleEvent (this=0x90859a0, aEvent=0x294c2cc8) at /home/timeless/mozilla/dom/src/events/nsJSEventListener.cpp:180 180 &jsBoolResult, returnResult); (gdb) #4978 0x29851338 in nsJSContext::CallEventHandler (this=0x8a741c0, aTarget=0x8fc5620, aHandler=0x928b8c8, argc=1, argv=0xbfbfda90, aBoolResult=0xbfbfd8b0, aReverseReturnResult=0) at /home/timeless/mozilla/dom/src/base/nsJSEnvironment.cpp:1015 1015 PRBool ok = ::JS_CallFunctionValue(mContext, (JSObject *)aTarget, funval, (gdb) #4977 0x28145d11 in JS_CallFunctionValue (cx=0x8b48a00, obj=0x8fc5620, fval=153663688, argc=1, argv=0xbfbfda90, rval=0xbfbfd774) at /home/timeless/mozilla/js/src/jsapi.c:3412 3412 if (!js_InternalCall(cx, obj, fval, argc, argv, rval)) { Current language: auto; currently c (gdb) #4976 0x28177507 in js_InternalInvoke (cx=0x8b48a00, obj=0x8fc5620, fval=153663688, flags=0, argc=1, argv=0xbfbfda90, rval=0xbfbfd774) at /home/timeless/mozilla/js/src/jsinterp.c:880 880 ok = js_Invoke(cx, argc, flags | JSINVOKE_INTERNAL); (gdb) #4975 0x28177190 in js_Invoke (cx=0x8b48a00, argc=1, flags=2) at /home/timeless/mozilla/js/src/jsinterp.c:805 805 ok = js_Interpret(cx, &v); (gdb) #4974 0x28186392 in js_Interpret (cx=0x8b48a00, result=0xbfbfd5ac) at /home/timeless/mozilla/js/src/jsinterp.c:2745 2745 ok = js_Invoke(cx, argc, 0); (gdb) #4973 0x28177112 in js_Invoke (cx=0x8b48a00, argc=6, flags=0) at /home/timeless/mozilla/js/src/jsinterp.c:788 788 ok = native(cx, frame.thisp, argc, frame.argv, &frame.rval); (gdb) #4972 0x289097ae in XPC_WN_Helper_DelProperty (cx=0x8b48a00, obj=0x8c75658, idval=6, vp=0x947c0f4) at /home/timeless/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:778 778 } Current language: auto; currently c++ (gdb) #4971 0x28900565 in XPCWrappedNative::CallMethod (ccx=@0xbfbfca9c, mode=CALL_METHOD) at /home/timeless/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:1769 1769 &src))) (gdb) #4970 0x282f921e in XPTC_InvokeByIndex (that=0x8a75308, methodIndex=16, paramCount=1, params=0xbfbfc9e4) at /home/timeless/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:130 130 ); (gdb) #4969 0x298636f3 in GlobalWindowImpl::OpenDialog (this=0x8a75300, _retval=0xbfbfc9e4) at /home/timeless/mozilla/dom/src/base/nsGlobalWindow.cpp:2743 2743 _retval); (gdb) #4968 0x29869570 in GlobalWindowImpl::OpenInternal (this=0x8a75300, aUrl=@0xbfbfc69c, aName=@0xbfbfc60c, aOptions=@0xbfbfc57c, aDialog=1, argv=0x947c0f4, argc=6, aExtraArgument=0x0, aReturn=0xbfbfc9e4) at /home/timeless/mozilla/dom/src/base/nsGlobalWindow.cpp:3867 3867 getter_AddRefs(domReturn)); (gdb) #4967 0x287d6914 in nsWindowWatcher::OpenWindowJS (this=0x82281c0, aParent=0x8a75304, aUrl=0x9385540 "chrome://communicator/content/pref/pref.xul", aName=0x93da540 "PrefWindow", aFeatures=0x9395ac0 "chrome,titlebar,resizable=no", aDialog=1, argc=3, argv=0x947c100, _retval=0xbfbfc4d8) at /home/timeless/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:544 544 getter_AddRefs(newDocShellItem)); (gdb) #4966 0x295818bd in nsContentTreeOwner::FindItemWithName (this=0x8b3dd00, aName=0xbfbfc144, aRequestor=0x0, aFoundItem=0xbfbfc118) at /home/timeless/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp:214 214 shellAsTreeItem->FindItemWithName(aName, shellOwnerSupports, aFoundItem); (gdb) #4965 0x297953f4 in nsDocShell::FindItemWithName (this=0x90ccc00, aName=0xbfbfc144, aRequestor=0x8b3dd00, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1709 1709 (nsIDocShellTreeItem *, (gdb) #4964 0x29795500 in nsDocShell::FindItemWithName (this=0x8b52000, aName=0xbfbfc144, aRequestor=0x90ccc04, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1724 1724 (nsIDocShellTreeItem *, (gdb) #4963 0x295818bd in nsContentTreeOwner::FindItemWithName (this=0x8b3dd00, aName=0xbfbfc144, aRequestor=0x8b52004, aFoundItem=0xbfbfc118) at /home/timeless/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp:214 214 shellAsTreeItem->FindItemWithName(aName, shellOwnerSupports, aFoundItem); (gdb) #4962 0x297953f4 in nsDocShell::FindItemWithName (this=0x90ccc00, aName=0xbfbfc144, aRequestor=0x8b3dd00, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1709 1709 (nsIDocShellTreeItem *, (gdb) #4961 0x29795500 in nsDocShell::FindItemWithName (this=0x8b52000, aName=0xbfbfc144, aRequestor=0x90ccc04, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1724 1724 (nsIDocShellTreeItem *, (gdb) #4960 0x295818bd in nsContentTreeOwner::FindItemWithName (this=0x8b3dd00, aName=0xbfbfc144, aRequestor=0x8b52004, aFoundItem=0xbfbfc118) at /home/timeless/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp:214 214 shellAsTreeItem->FindItemWithName(aName, shellOwnerSupports, aFoundItem); (gdb) #4959 0x297953f4 in nsDocShell::FindItemWithName (this=0x90ccc00, aName=0xbfbfc144, aRequestor=0x8b3dd00, _retval=0xbfbfc118) at /home/timeless/mozilla/docshell/base/nsDocShell.cpp:1709 1709 (nsIDocShellTreeItem *, (gdb)

Code implies that nsContentTreeOwner is calling docshell A, which calls docshell B which calls nsContentTreeOwner again and so on. I think A is a child of B, so this is occurring in the bit of nsDocShell::FindItemWithName where it calls it's parents implementation if it can't find the named item. I don't understand why the windows mediator would return an enumerator containing a docshell which has a parent docshell. Perhaps some impl of nsIXULWindow::GetPrimaryContentShell is returning the wrong docshell.

critical severity

I don't have FreeBSD so I am marking this future for now and appealing for volunteers / patches / analysis.

Marking NEW.

*** Bug 158002 has been marked as a duplicate of this bug. ***

i know i have crashed like this on w2k, but the dupe's a genuine talkback so ...

the steps are very simple. load a random chrome app (in navigator), i used chrome://editor/content/TextEditorAppShell.xul edit>preferences it's possible that the editor chrome passes into navigator chrome and can't find what it's looking for because it's in browser's content (editor). we need to fix this. it's already topcrash+, and the talkback team is probably angry at me.

cc'ing more folks to be angry with timeless.

greer: is this crash on the 1.0 branch?

1.0 crashes sent

The problem appears to occur when the chrome tries to throw up a new dialog window. The reason the messenger.xul triggers it for some people is that it launches that "New Account" wizard if there are no mail/news accounts set up on the machine. I have a patch that stops it crashing, though its more of a prevention of the infinite behaviour than a cure. I'll attach it.

Patch prevents the content tree owner spinning around forever by adding a simple sanity test. I suspect the issue is caused by nsDocShellTreeOwner::FindItemWithName. This iterates through a list of registered XUL windows calling FindItemWithName on each in turn to find named XUL windows. Nesting probably screws this list making it run recursively. A better patch might be to stop nested XUL windows from being enumerable.

Jaime, to clarify timeless' answer (comment #11) to your question (comment #10): Yes, this is happening on the branch. He has submitted three incidents this morning from the 7-21 branch build. (e.g TB incident #8560775)

Can people try this patch out? It fixes the aRequestor context supplied with FindItemWithName so hopefully docshell knows when to halt rather than spinning forever. The problem was that the aRequestor arg is used to know when to halt the FindItemWithName operation (i.e. don't call FindItemWithName on the parent class if it's the one who called us in the first place) but it was broken because the nsWebShell didn't implement nsIDocShellTreeOwner or know how to supply it. Thus it spun forever.

This patch is the same as before but removes a little bit of fluff from another bug that crept in. Please also note that the patch fixes the crash issue, not the any problems that messenger.xul susequently shows when loaded this way.

Adding Trunk M1BR [@ ntdll.dll - nsDocShell::FindItemWithName] to summary since this is crashing on the MozillaTrunk and Gecko 1.0 Branch under the ntdll.dll stack signature. Since this is a reproducible crash and we have a patch, nominating for nsbeta1 (any reason this wasn't nominated before?).

It looks like this crash is also happening under the MSVCRT.DLL stack signature: Count Offset Real Signature [ 2 MSVCRT.DLL + 0x30b8 (0x780030b8) d726968e - nsWritingIterator<unsigned short>::write ] Crash date range: 2002-07-22 to 2002-07-22 Min/Max Seconds since last crash: 243 - 922 Min/Max Runtime: 922 - 1165 Keyword List : Count Platform List 2 Windows NT 5.0 build 2195 Count Build Id List 2 2002072104 No of Unique Users 1 Stack trace(Frame) MSVCRT.DLL + 0x30b8 (0x780030b8) nsWritingIterator<unsigned short>::write [../../dist/include/string\nsStringIterator.h line 360] copy_string [../../dist/include/string\nsAlgorithm.h line 92] nsAString::UncheckedAppendFromReadable [c:/builds/seamonkey/mozilla/string/src/nsAString.cpp line 353] nsAString::do_AppendFromReadable [c:/builds/seamonkey/mozilla/string/src/nsAString.cpp line 328] nsAString::do_AppendFromElementPtr [c:/builds/seamonkey/mozilla/string/src/nsAString.cpp line 360] nsAutoString::nsAutoString [c:/builds/seamonkey/mozilla/string/obsolete/nsString2.cpp line 1211] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 167] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752] nsContentTreeOwner::FindItemWithName [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsContentTreeOwner.cpp line 215] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1762] nsDocShell::FindItemWithName [c:/builds/seamonkey/mozilla/docshell/base/nsDocShell.cpp line 1752]

what are the chances this is the right fix, and we can it reviewed in time to make 1.0.1?

mjudge, please review. i've actually started to understand what the patch does, but i'm about to take an extended weekend, and people would prefer your review anyway.

Comment on attachment 92286 [details] [diff] [review] Another patch mk II i am familiar with this code enough to see that it should work. I am not an owner of docshell so I can't really comment on the "correctness" of spoofing the getinterface call to get ahold of the tree owner. It looks good to me.

i've asked kin for sr, i intend to commit adamlock's patch (he's on vacation for two weeks)

Comment on attachment 92286 [details] [diff] [review] Another patch mk II sr=jst

trunk fixed, let's see about getting this onto some branches

Comment on attachment 92286 [details] [diff] [review] Another patch mk II a=rjesup@wgate.com for 1.0 branch Please change mozilla1.0.2+ to fixed1.0.2 when checked in

Adam can you please verifiy this fix on the branch

Perhaps someone else should since I wrote the patch. Any takers?

Please verify the bug. Once verified, change the keyword fixed1.0.2 to verified1.0.2

Verifying

The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was: Crash after infinite recursion: nsContentTreeOwner::FindItemWithName -> nsDocShell::FindItemWithName -> nsDocShell::FindItemWithName (loop back to nsContentTreeOwner) - Trunk M1BR [@ ntdll.dll - nsDocShell::FindItemWithName] [@ MSVCRT.DLL - nsWritingIterator<unsigned short>::write]