Closed Bug 59674 Opened 24 years ago Closed 24 years ago

crash at stack: nsFrameImageLoader::NotifyFrames

Categories

(Core :: Layout, defect, P3)

x86
Linux
defect

Tracking

()

VERIFIED FIXED
mozilla0.9

People

(Reporter: bzbarsky, Assigned: pavlov)

Details

(Keywords: crash)

I got to that URL and crash. I see this on Linux trunk build 2000110908 and it also appears in the Oct 27 build according to jens-uwe@idealo.de

Stack:

#0 nsFrameImageLoader::NotifyFrames (this=0x8675e40, aIsSizeUpdate=0) at nsFrameImageLoader.cpp:570
#1 0x414ce276 in nsFrameImageLoader::Notify (this=0x8675e40, aImageRequest=0x85dc2c8, aImage=0x867a7d8, aNotificationType=nsImageNotification_kImageComplete, aParam1=0, aParam2=0, aParam3=0x0) at nsFrameImageLoader.cpp:540
#2 0x40032f98 in ns_observer_proc (aSource=0x8676420, aMsg=7, aMsgData=0xbffff2e8, aClosure=0x85dc2c8) at nsImageRequest.cpp:134
#3 0x400406e5 in XP_NotifyObservers (inObserverList=0x8678878, inMessage=7, ioData=0xbffff2e8) at obs.c:259
#4 0x4003989e in il_image_complete_notify (ic=0x8674f40) at if.cpp:327
#5 0x4003b37a in il_image_complete (ic=0x8674f40) at if.cpp:1644
#6 0x400395a1 in ImgDCallbk::ImgDCBHaveImageAll (this=0x8651850) at if.cpp:189
#7 0x41e78b79 in il_jpeg_complete (ic=0x8674f40) at jpeg.cpp:1001
#8 0x41e78ee9 in JPGDecoder::ImgDComplete (this=0x8675c98) at nsJPGDecoder.cpp:117
#9 0x4003ae37 in IL_StreamComplete (ic=0x8674f40, is_multipart=0) at if.cpp:1347
#10 0x400376ef in NetReaderImpl::StreamComplete (this=0x8674ad0, is_multipart=0) at ilNetReader.cpp:131
#11 0x4002d4b4 in ImageConsumer::OnStopRequest (this=0x8674a30, channel=0x8683ff8, aContext=0x0, status=0, aMsg=0x401392a8) at nsImageNetContextAsync.cpp:545
#12 0x40e4bb2f in nsDocumentOpenInfo::OnStopRequest (this=0x8674d38, aChannel=0x8683ff8, aCtxt=0x0, aStatus=0, errorMsg=0x401392a8) at nsURILoader.cpp:274
#13 0x40cb6849 in nsHTTPFinalListener::OnStopRequest (this=0x8674d78, aChannel=0x8683ff8, aContext=0x0, aStatus=0, aStatusArg=0x401392a8) at nsHTTPResponseListener.cpp:1159
#14 0x40c7c065 in InterceptStreamListener::OnStopRequest (this=0x8675458, channel=0x8683ff8, ctxt=0x0, aStatus=0, aStatusArg=0x401392a8) at nsCachedNetData.cpp:1211
#15 0x40ca8d19 in nsHTTPChannel::ResponseCompleted (this=0x8683ff8, aListener=0x8675458, aStatus=0, aStatusArg=0x401392a8) at nsHTTPChannel.cpp:1923
#16 0x40cb58da in nsHTTPServerListener::OnStopRequest (this=0x8684208, channel=0x8533be4, i_pContext=0x8683ff8, i_Status=0, aStatusArg=0x401392a8) at nsHTTPResponseListener.cpp:729
#17 0x40c3c62d in nsOnStopRequestEvent::HandleEvent (this=0x867cd38) at nsAsyncStreamListener.cpp:301
#18 0x40c3ba86 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x8674c28) at nsAsyncStreamListener.cpp:97
#19 0x400f0f5e in PL_HandleEvent (self=0x8674c28) at plevent.c:576
#20 0x400f0df9 in PL_ProcessPendingEvents (self=0x80a5878) at plevent.c:509
#21 0x400f2a50 in nsEventQueueImpl::ProcessPendingEvents (this=0x80a5850) at nsEventQueue.cpp:356
#22 0x406b4daf in event_processor_callback (data=0x80a5850, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#23 0x406b4a6d in our_gdk_io_invoke (source=0x81c4e08, condition=G_IO_IN, data=0x81f0668) at nsAppShell.cpp:58
#24 0x4086eaca in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#25 0x40870186 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#26 0x40870751 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#27 0x408708f1 in g_main_run () from /usr/lib/libglib-1.2.so.0
#28 0x40798c69 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#29 0x406b5984 in nsAppShell::Run (this=0x80aeef0) at nsAppShell.cpp:335
#30 0x405d4fb5 in nsAppShellService::Run (this=0x80ac3f8) at nsAppShellService.cpp:407
#31 0x80523fb in main1 (argc=1, argv=0xbffff8c4, nativeApp=0x0) at nsAppRunner.cpp:1015
#32 0x8052d26 in main (argc=1, argv=0xbffff8c4) at nsAppRunner.cpp:1255
#33 0x403009cb in __libc_start_main (main=0x8052ba0 <main>, argc=1, argv=0xbffff8c4, init=0x804c244 <_init>, fini=0x805edcc <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff8bc) at ../sysdeps/generic/libc-start.c:92
Ugh. Adding url. sorry for the spam...
layout?
Assignee: asa → clayton
Status: UNCONFIRMED → NEW
Component: Browser-General → Layout
Ever confirmed: true
Keywords: crash
QA Contact: doronr → petersen
Confirmed! I'm using: ftp://ftp.mozilla.org/pub/mozilla/nightly/2000-11-06-08-Mtrunk/mozilla-i686-pc-linux-gnu-sea.tar.gz Netscape 4.76 (Linux) seems to have no problems with the above URL. /richard
Please triage.
Assignee: clayton → jst
The crash happens because a frame image loader is destroyed while it's notifying its frames and after it's destroyed and the code rolls back to nsFrameImageLoader::NotifyFrames() we crash trying to dereference mCurNotifiedFrame (or rather we crash when we access members of it but its value is 0xdddddddd). To fix this problem I added a kungFuDeathGrip in nsFrameImageLoader::Notify() and that fixes that crash, here's the patch:

But even with this fix we still crash deep down in image lib while again trying to access a 0xdddddddd pointer. Here's the stack for that crash:

il_image_complete_notify(il_container_struct * 0x04bd0640) line 327 + 9 bytes
il_image_complete(il_container_struct * 0x04bd0640) line 1644 + 9 bytes
ImgDCallbk::ImgDCBHaveImageAll(ImgDCallbk * const 0x04bd0030) line 189 + 12 bytes
il_jpeg_complete(il_container_struct * 0x04bd0640) line 1002
JPGDecoder::ImgDComplete(JPGDecoder * const 0x04bf0650) line 117 + 12 bytes
IL_StreamComplete(il_container_struct * 0x04bd0640, int 0) line 1348
NetReaderImpl::StreamComplete(NetReaderImpl * const 0x04b79de0, int 0) line 129 + 16 bytes
ImageConsumer::OnStopRequest(ImageConsumer * const 0x04b79bd0, nsIChannel * 0x04bc1080, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x100a9bc0 gCommonEmptyBuffer) line 547
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x04b64c40, nsIChannel * 0x04bc1080, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x100a9bc0 gCommonEmptyBuffer) line 277
nsHTTPFinalListener::OnStopRequest(nsHTTPFinalListener * const 0x04b64be0, nsIChannel * 0x04bc1080, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x100a9bc0 gCommonEmptyBuffer) line 1159 + 42 bytes
InterceptStreamListener::OnStopRequest(InterceptStreamListener * const 0x04bf0690, nsIChannel * 0x04bc1080, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x100a9bc0 gCommonEmptyBuffer) line 1212
nsHTTPChannel::ResponseCompleted(nsIStreamListener * 0x04bf0690, unsigned int 0, const unsigned short * 0x100a9bc0 gCommonEmptyBuffer) line 1923 + 42 bytes
nsHTTPServerListener::OnStopRequest(nsHTTPServerListener * const 0x04bf4310, nsIChannel * 0x04b8d1f4, nsISupports * 0x04bc1080, unsigned int 0, const unsigned short * 0x100a9bc0 gCommonEmptyBuffer) line 730
...

We crash when trying to execute:

XP_NotifyObservers(image_req->obs_list, IL_IMAGE_COMPLETE, &message_data);

inside the for loop and image_req is the 0xdddddddd pointer. Reassigning to pnunn.
Assignee: jst → pnunn
Status: NEW → ASSIGNED
Summary: crash at http://acw.activate.net/streetfusion/amd/slides/preloader.htm → crash at stack: nsFrameImageLoader::NotifyFrames
Keywords: nsbeta1
Target Milestone: --- → mozilla0.9
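
Added example, not part of the bug report and not Mozilla's code: a minimal C++ model of the lifetime problem described in the comment above (an object released by one of its own callbacks while it is still notifying) and of the self-reference ("kungFuDeathGrip") fix. Loader, Outcome, RunScenario and the two global flags are hypothetical names; the variant without the grip stops at the point where the freed object would be touched instead of dereferencing it.

```cpp
#include <cstddef>
#include <functional>
#include <utility>
#include <vector>

// Hypothetical stand-in for a ref-counted loader; not Mozilla's class.
static bool gInNotify = false;           // true while a Notify() loop is running
static bool gDestroyedInNotify = false;  // set if the destructor runs mid-loop

class Loader {
public:
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    void AddFrame(std::function<void()> cb) { mFrames.push_back(std::move(cb)); }

    // Notifies every frame; returns how many callbacks ran.
    std::size_t Notify(bool useDeathGrip) {
        if (useDeathGrip) AddRef();      // self-reference held for the whole call
        gInNotify = true;
        std::size_t notified = 0;
        const std::size_t count = mFrames.size();
        for (std::size_t i = 0; i < count; ++i) {
            std::function<void()> cb = mFrames[i];  // local copy outlives *this
            cb();
            ++notified;
            // Without the grip a callback may have freed *this. The code in the
            // bug read a member at this point; this model stops instead.
            if (gDestroyedInNotify) break;
        }
        gInNotify = false;
        if (useDeathGrip) Release();     // may delete *this; only locals used after
        return notified;
    }

private:
    ~Loader() { if (gInNotify) gDestroyedInNotify = true; }
    int mRefCnt = 0;
    std::vector<std::function<void()>> mFrames;
};

struct Outcome { std::size_t notified; bool destroyedInNotify; };

// Constructed scenario: the second of three frames drops the owner's reference.
Outcome RunScenario(bool useDeathGrip) {
    gDestroyedInNotify = false;
    Loader* loader = new Loader;
    loader->AddRef();                                // owner's only reference
    loader->AddFrame([] {});
    loader->AddFrame([loader] { loader->Release(); });
    loader->AddFrame([] {});
    const std::size_t n = loader->Notify(useDeathGrip);
    return {n, gDestroyedInNotify};
}
```

With the grip all three frames are notified and the object is freed only when Notify() releases its own reference; without it the object is destroyed during the second callback.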
I can not reproduce this bug anymore with recent builds (2001030121, Linux). Everything works fine now, so I guess this can be marked as fixed?
All pnunn bugs reassigned to Pav, who is taking over the imglib.
Assignee: pnunn → pavlov
Status: ASSIGNED → NEW
the code in question isn't used anymore. marking fixed by the new imagelib. tested in today's build.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking verified per last comments
Status: RESOLVED → VERIFIED