From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-3 i686; en-US; 0.8.1) BuildID: 2001041005 Attempting to use either Open Web Location or Open File more than once causes a segfault. Reproducible: Always Steps to Reproduce: 1. Pick File|Open Web Location. 2. Either cancel, or actually open a page. 3. Repeat step one. Actual Results: Crash. Expected Results: Dialog box should be come up as normal. Same behavior with File|Open File. The two are not interlinked -- either dialog can be accessed exactly once.

I see this in 2001-04-10-05 on linux also.

I have another way to reproduce this also: 1) Make sure that the "warn before sending form data to an insecure site" option is on in PSM Application prefs 2) Submit an insecure form (the "Find" button at the bottom of Bugzilla pages will do nicely) 3) Submit an insecure form again. Watch Mozilla crash.

Over to Pav based on the libimg2 in the first stack trace and the more detailed stack trace I'm about to attach. ccing saari since he touched libpr0n yesterday. This is a regression -- this works fine in the 2001-04-09 morning builds. I just tried this in a debug build from this morning. I had to open the "Open File" dialog 4 times to get the crash, but it did crash. Also crashed using the form+alert method. Same trace in both cases: #0 0x41e4f945 in nsImageBoxFrame::OnStartContainer (this=0x89e2764, request=0x89e5558, aPresContext=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:642 #1 0x41e4ffbc in nsImageBoxListener::OnStartContainer (this=0x89e5540, request=0x89e5558, cx=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:743 #2 0x42050ee2 in imgRequestProxy::OnStartContainer (this=0x89e5558, request=0x0, cx=0x0, image=0x0) at imgRequestProxy.cpp:254 #3 0x4204d7f9 in imgRequest::AddObserver (this=0x8a60e00, observer=0x89e555c) at imgRequest.cpp:103 #4 0x42050920 in imgRequestProxy::Init (this=0x89e5558, request=0x8a60e00, aLoadGroup=0x8a94770, aObserver=0x89e5540, cx=0x8a71b38) at imgRequestProxy.cpp:95 (gdb) frame 0 #0 0x41e4f945 in nsImageBoxFrame::OnStartContainer (this=0x89e2764, request=0x89e5558, aPresContext=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:642 642 image->GetWidth(&w); (gdb) p image $1 = (imgIContainer *) 0x0 (gdb) frame 1 #1 0x41e4ffbc in nsImageBoxListener::OnStartContainer (this=0x89e5540, request=0x89e5558, cx=0x8a71b38, image=0x0) at nsImageBoxFrame.cpp:743 743 return mFrame->OnStartContainer(request, pc, image); (gdb) p image $2 = (imgIContainer *) 0x0 (gdb) frame 2 #2 0x42050ee2 in imgRequestProxy::OnStartContainer (this=0x89e5558, request=0x0, cx=0x0, image=0x0) at imgRequestProxy.cpp:254 254 mObserver->OnStartContainer(this, mContext, image); (gdb) frame 3 #3 0x4204d7f9 in imgRequest::AddObserver (this=0x8a60e00, observer=0x89e555c) at imgRequest.cpp:103 103 observer->OnStartContainer(nsnull, nsnull, mImage); (gdb) p mImage $3 = {mRawPtr = 0x0}

reassign for real....

*** Bug 75395 has been marked as a duplicate of this bug. ***

Bug 75395 has the same stack trace but is reported on Windows, so OS -> all. This gives us another way to reproduce: 1. go to http://www.mozilla.org/projects/xslt/index.html#bins 2. Click "Install" 3. Select transformiix, click OK

In fact this crashes on an attempt to install any XPI (I just tried jre.xpi and got the same crash)

i run into this the 1st time i bring up the file picker or the Open Web Location dialog. echoing comments from bug 75299 [console output from 9:30am linux debug build]: ###!!! ASSERTION: imgRequest::OnStopRequest -- received multiple OnStopRequest: 'mChannel && mLoading', file imgRequest.cpp, line 642 ###!!! Break: at file imgRequest.cpp, line 642 WARNING: imgRequest::RemoveFromCache -- no entry!, file imgRequest.cpp, line 227 shouldn't this be marked a blocker? or, would a repull workaround this?

is this likely fixed by sspitzer's checkin?

seth's checkin does not fix this for me.... Still crash on XPI install, form submission, and open location with both his patch for bug 75407 and bug 75416

*** Bug 75419 has been marked as a duplicate of this bug. ***

We need this patch in nsImageBoxFrame also: Index: mozilla/layout/xul/base/src/nsImageBoxFrame.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/xul/base/src/nsImageBoxFrame.cpp,v retrieving revision 1.8 diff -b -u -2 -r1.8 nsImageBoxFrame.cpp --- nsImageBoxFrame.cpp 2001/04/10 17:44:53 1.8 +++ nsImageBoxFrame.cpp 2001/04/10 20:18:45 @@ -640,4 +640,6 @@ aPresContext->GetShell(getter_AddRefs(presShell)); + NS_ENSURE_ARG(image); + mHasImage = PR_TRUE; mSizeFrozen = PR_FALSE;

nsImageBoxFrame fix checked in.

Is this an actual fix or a band-aid until underlying problems are dealt with? That is, should this bug actually be resolved?

This bug is a topcrasher, added topcrash keyword. Added [@ nsImageBoxFrame::OnStartContainer] for tracking. Here are some URLs & Comments that might help repro this crash: (29010926) URL: http://developer.java.sun.com/servlet/SessionServlet?url=http://developer.java.s un.com/developer/earlyAccess/j2sdk131/ (28931521) URL: www.hotmail.com (28924897) URL: http://paypal.com/ (28922534) URL: http://home.netscape.com/themes/index.html?cp=dtyccfea2a (28922487) URL: http://home.netscape.com/themes/index.html?cp=dtyccfea2a (28922446) URL: http://home.netscape.com/themes/index.html?cp=dtyccfea2a (28922199) URL: x.themes.com (28918671) URL: http://paypal.com/ (28916844) URL: http://www.amazon.co.jp/ (28916575) URL: http://www.amazon.co.jp/ (28916410) URL: http://www.amazon.co.jp/ (28916335) URL: http://www.netgol.com/shopping/ (28916267) URL: http://www.netgol.com/shopping/ (28916242) URL: http://www.netgol.com/shopping/ (28916189) URL: http://www.pp.iij4u.or.jp/~sailor-1/Yamauchi_Mihoko/thum_frame4.html (28915683) URL: http://www.mozilla.org/projects/xslt/index.html#bins (28915645) URL: http://divx.euro.ru/ (28914553) URL: http://divx.euro.ru/ (28914235) URL: http://www.pp.iij4u.or.jp/~sailor-1/Yamauchi_Mihoko/thum_frame4.html (28913771) URL: http://www.ff.iij4u.or.jp/~i300/main.html (28912004) Comments: crash on startup build 2001041006 (28911791) Comments: crash on start of jrgm's load tester (28911787) Comments: crash starting jrgms loadtime tester (28911783) Comments: crash on first launch (28911782) Comments: crash on launch Here is a recent stack trace: nsImageBoxFrame::OnStartContainer [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 647] nsImageBoxListener::OnStartContainer [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 748] imgRequestProxy::OnStartContainer [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp line 256] imgRequest::AddObserver [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 107] imgRequestProxy::Init [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequestProxy.cpp line 97] imgLoader::LoadImage [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 169] nsImageBoxFrame::UpdateImage [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 362] nsImageBoxFrame::DidSetStyleContext [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 474] nsFrame::SetStyleContext [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp line 478] nsFrame::Init [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp line 329] nsLeafBoxFrame::Init [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsLeafBoxFrame.cpp line 95] nsImageBoxFrame::Init [d:\builds\seamonkey\mozilla\layout\xul\base\src\nsImageBoxFrame.cpp line 211] nsCSSFrameConstructor::InitAndRestoreFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 6671] nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5798] nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7198] nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7100] nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11232] nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5825] nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7198] nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7100] nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11232] nsCSSFrameConstructor::ConstructXULFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 5825] nsCSSFrameConstructor::ConstructFrameInternal [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7198] nsCSSFrameConstructor::ConstructFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 7100] nsCSSFrameConstructor::ProcessChildren [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 11232] nsCSSFrameConstructor::ConstructDocElementFrame [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 3539] nsCSSFrameConstructor::ContentInserted [d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp line 8410] StyleSetImpl::ContentInserted [d:\builds\seamonkey\mozilla\content\base\src\nsStyleSet.cpp line 1224] PresShell::InitialReflow [d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp line 2468] nsXULDocument::StartLayout [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 3920] nsXULDocument::ResumeWalk [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 5025] nsXULDocument::CachedChromeStreamListener::OnStopRequest [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp line 6157] nsDocumentOpenInfo::OnStopRequest [d:\builds\seamonkey\mozilla\uriloader\base\nsURILoader.cpp line 277] nsCachedChromeChannel::HandleStopLoadEvent [d:\builds\seamonkey\mozilla\rdf\chrome\src\nsChromeProtocolHandler.cpp line 439] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 589] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1070] SETUPAPI.DLL + 0x30c24 (0x778b0c24)

From the Talkback data, this looks like a crash that was only reported for builds 20010410xx. Since the fix also went in that same day and Talkback has not reported any crashes for builds newer than 2001041013, marking this resolved fixed. Can QA just verify this with the latest trunk build and mark it so?

Verified fixed Win XP build 2001120303, linux build 2001120308 and Mac OS X build 20001120308