Closed Bug 18191 Opened 25 years ago Closed 25 years ago

apprunner crashed in xpcom/ds/nsVoidArray.cpp

Categories

(Core :: Layout: Form Controls, defect, P3)

x86
Linux
defect

Tracking

()

VERIFIED WORKSFORME

People

(Reporter: dejong, Assigned: pollmann)

Details

I was doing some surfing and I clicked on a URL when mozilla core dumped on me. I have a RedHat 5.2 system (Linux-Intel). I was using Mozilla from the CVS (Sat Nov 6). Here is the method that it crashed in. (xpcom/ds/nsVoidArray.cpp line 185) 180 PRBool nsVoidArray::RemoveElement(void* aElement) 181 { 182 void** ep = mArray; 183 void** end = ep + mCount; 184 while (ep < end) { 185 void* e = *ep++; 186 if (e == aElement) { 187 ep--; 188 return RemoveElementAt(PRInt32(ep - mArray)); 189 } #0 0x4012ab47 in nsVoidArray::RemoveElement (this=0x8d44df4, aElement=0x89ece20) at ../../../xpcom/ds/nsVoidArray.cpp:185 #1 0x40e5c36d in nsFormFrame::RemoveFormControlFrame (this=0x8d44da8, aFrame=@0x89ece20) at ../../../../../layout/html/forms/src/nsFormFrame.cpp:326 #2 0x40e71363 in nsHTMLButtonControlFrame::~nsHTMLButtonControlFrame ( this=0x89ecde8, __in_chrg=0) at ../../../../../layout/html/forms/src/nsHTMLButtonControlFrame.cpp:90 #3 0x40e62034 in nsGfxButtonControlFrame::~nsGfxButtonControlFrame ( this=0x89ecde8, __in_chrg=3) at ../../../../../layout/html/forms/src/nsGfxButtonControlFrame.cpp:231 #4 0x40d5a4bf in nsFrame::Destroy (this=0x89ecde8, aPresContext=@0x8978dd0) at ../../../../../layout/html/base/src/nsFrame.cpp:374 #5 0x40d56576 in nsContainerFrame::Destroy (this=0x89ecde8, aPresContext=@0x8978dd0) at ../../../../../layout/html/base/src/nsContainerFrame.cpp:96 #6 0x40d797fb in nsLineBox::DeleteLineList (aPresContext=0x8978dd0, aLine=0x89f07f0) at ../../../../../layout/html/base/src/nsLineBox.cpp:232 #7 0x40d48f8f in nsBlockFrame::Destroy (this=0x89ec590, aPresContext=@0x8978dd0) at ../../../../../layout/html/base/src/nsBlockFrame.cpp:1122 #8 0x40d797fb in nsLineBox::DeleteLineList (aPresContext=0x8978dd0, aLine=0x89f0c88) at ../../../../../layout/html/base/src/nsLineBox.cpp:232 #9 0x40d48f8f in nsBlockFrame::Destroy (this=0x89f0840, aPresContext=@0x8978dd0) at ../../../../../layout/html/base/src/nsBlockFrame.cpp:1122 #10 0x40d797fb in nsLineBox::DeleteLineList (aPresContext=0x8978dd0, aLine=0x89f0d08) at ../../../../../layout/html/base/src/nsLineBox.cpp:232 #11 0x40d48f8f in nsBlockFrame::Destroy (this=0x89eb910, aPresContext=@0x8978dd0) at ../../../../../layout/html/base/src/nsBlockFrame.cpp:1122 #12 0x40d4fb98 in nsBlockFrame::DoRemoveFrame (this=0x8c139d8, aPresContext=0x8978dd0, aDeletedFrame=0x89eb910) at ../../../../../layout/html/base/src/nsBlockFrame.cpp:4709 #13 0x40d4f816 in nsBlockFrame::RemoveFrame (this=0x8c139d8, aPresContext=@0x8978dd0, aPresShell=@0x8d0d878, aListName=0x0, aOldFrame=0x89eb910) at ../../../../../layout/html/base/src/nsBlockFrame.cpp:4601 #14 0x40d626c9 in FrameManager::RemoveFrame (this=0x89e1370, aPresContext=@0x8978dd0, aPresShell=@0x8d0d878, aParentFrame=0x8c139d8, aListName=0x0, aOldFrame=0x89eb910) at ../../../../../layout/html/base/src/nsFrameManager.cpp:629 #15 0x40ea6059 in nsCSSFrameConstructor::ContentRemoved (this=0x89e00f8, aPresContext=0x8978dd0, aContainer=0x8cf6b64, aChild=0x8d3fd0c, aIndexInContainer=8) at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:6362 #16 0x40ea49e6 in nsCSSFrameConstructor::ContentReplaced (this=0x89e00f8, aPresContext=0x8978dd0, aContainer=0x8cf6b64, aOldChild=0x8d3fd0c, aNewChild=0x8d3fd0c, aIndexInContainer=8) at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:5966 #17 0x40eae420 in nsCSSFrameConstructor::ReframeContainingBlock ( this=0x89e00f8, aPresContext=0x8978dd0, aFrame=0x89ebd70) at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:9532 #18 0x40ea2911 in nsCSSFrameConstructor::ContentAppended (this=0x89e00f8, aPresContext=0x8978dd0, aContainer=0x8d3fdb4, aNewIndexInContainer=2) at ../../../../../layout/html/style/src/nsCSSFrameConstructor.cpp:5321 #19 0x40f96889 in StyleSetImpl::ContentAppended (this=0x89e00d0, aPresContext=0x8978dd0, aContainer=0x8d3fdb4, aNewIndexInContainer=2) at ../../../../layout/base/src/nsStyleSet.cpp:938 #20 0x40d8a2cc in PresShell::ContentAppended (this=0x8d0d878, aDocument=0x8cf13f0, aContainer=0x8d3fdb4, aNewIndexInContainer=2) at ../../../../../layout/html/base/src/nsPresShell.cpp:1879 #21 0x40f59987 in nsDocument::ContentAppended (this=0x8cf13f0, aContainer=0x8d3fdb4, aNewIndexInContainer=2) at ../../../../layout/base/src/nsDocument.cpp:1511 #22 0x40e3e346 in nsHTMLDocument::ContentAppended (this=0x8cf13f0, aContainer=0x8d3fdb4, aNewIndexInContainer=2) at ../../../../../layout/html/document/src/nsHTMLDocument.cpp:997 #23 0x40da9e61 in nsGenericHTMLContainerElement::AppendChildTo ( this=0x8d3fdc0, aKid=0x8cf9544, aNotify=1) at ../../../../../layout/html/content/src/nsGenericHTMLElement.cpp:2954 #24 0x40dac9be in nsHTMLAnchorElement::AppendChildTo (this=0x8d3fda8, aKid=0x8cf9544, aNotify=1) at ../../../../../layout/html/content/src/nsHTMLAnchorElement.cpp:111 #25 0x40e3102f in SinkContext::DemoteContainer (this=0x8cf2630, aNode=@0xbffff118) at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:1381 #26 0x40e3421d in HTMLContentSink::CloseForm (this=0x8922eb0, aNode=@0xbffff118) at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:2435 #27 0x410ee24c in CNavDTD::CloseForm (this=0x8d33650, aNode=@0xbffff118) at ../../../htmlparser/src/CNavDTD.cpp:2474 #28 0x410eeb26 in CNavDTD::CloseContainer (this=0x8d33650, aNode=@0xbffff118, aTag=eHTMLTag_form, aClosedByStartTag=0) at ../../../htmlparser/src/CNavDTD.cpp:2726 #29 0x410ec403 in CNavDTD::HandleEndToken (this=0x8d33650, aToken=0x82f2c60) at ../../../htmlparser/src/CNavDTD.cpp:1448 #30 0x410eac2a in CNavDTD::HandleToken (this=0x8d33650, aToken=0x82f2c60, aParser=0x8d5d018) at ../../../htmlparser/src/CNavDTD.cpp:660 #31 0x410ea5fc in CNavDTD::BuildModel (this=0x8d33650, aParser=0x8d5d018, aTokenizer=0x8cccfc0, anObserver=0x0, aSink=0x8922eb0) at ../../../htmlparser/src/CNavDTD.cpp:462 #32 0x410f917c in nsParser::BuildModel (this=0x8d5d018) at ../../../htmlparser/src/nsParser.cpp:1052 #33 0x410f903c in nsParser::ResumeParse (this=0x8d5d018, aDefaultDTD=0x0, aIsFinalChunk=0) at ../../../htmlparser/src/nsParser.cpp:963 #34 0x410f9b32 in nsParser::OnDataAvailable (this=0x8d5d018, channel=0x8cf1798, aContext=0x0, pIStream=0x8c01238, sourceOffset=0, aLength=1176) at ../../../htmlparser/src/nsParser.cpp:1339 #35 0x408e0cbb in nsDocumentBindInfo::OnDataAvailable (this=0x88e3cf8, channel=0x8cf1798, ctxt=0x0, aStream=0x8c01238, sourceOffset=0, aLength=1176) at ../../../webshell/src/nsDocLoader.cpp:1219 #36 0x408e1938 in nsChannelListener::OnDataAvailable (this=0x8957f28, aChannel=0x8cf1798, aContext=0x0, aInStream=0x8c01238, aOffset=0, aCount=1176) at ../../../webshell/src/nsDocLoader.cpp:1404 #37 0x408e1938 in nsChannelListener::OnDataAvailable (this=0x8957b68, aChannel=0x8cf1798, aContext=0x0, aInStream=0x8c01238, aOffset=0, aCount=1176) at ../../../webshell/src/nsDocLoader.cpp:1404 #38 0x4129dd81 in nsHTTPResponseListener::OnDataAvailable (this=0x8cf1fb8, channel=0x89590c0, context=0x8cf1798, i_pStream=0x8c01238, i_SourceOffset=5106, i_Length=1176) at ../../../../../netwerk/protocol/http/src/nsHTTPResponseListener.cpp:175 #39 0x40877dea in nsOnDataAvailableEvent::HandleEvent (this=0x41404860) at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:416 #40 0x40877392 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41403528) at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:173 #41 0x401872fb in PL_HandleEvent (self=0x41403528) at plevent.c:537 #42 0x4018720d in PL_ProcessPendingEvents (self=0x80a0118) at plevent.c:498 #43 0x4014a915 in nsEventQueueImpl::ProcessPendingEvents (this=0x80a00f0) at ../../../xpcom/threads/nsEventQueue.cpp:193 #44 0x4049d2fc in event_processor_callback (data=0x80a00f0, source=8, condition=GDK_INPUT_READ) at ../../../../widget/src/gtk/nsAppShell.cpp:232 #45 0x4049cc03 in our_gdk_io_invoke (source=0x8191f20, condition=G_IO_IN, data=0x81afe18) at ../../../../widget/src/gtk/nsAppShell.cpp:53 #46 0x4062c72e in g_io_unix_dispatch (source_data=0x8191f38, current_time=0xbffff620, user_data=0x81afe18) at giounix.c:135 #47 0x4062dc8f in g_main_dispatch (current_time=0xbffff620) at gmain.c:652 #48 0x4062e277 in g_main_iterate (block=1, dispatch=1) at gmain.c:870 #49 0x4062e3f9 in g_main_run (loop=0x81ad860) at gmain.c:928 #50 0x4055eedf in gtk_main () at gtkmain.c:475 #51 0x4049d80f in nsAppShell::Run (this=0x80a1f48) at ../../../../widget/src/gtk/nsAppShell.cpp:399 #52 0x4032a031 in nsAppShellService::Run (this=0x809fda0) at ../../../../xpfe/appshell/src/nsAppShellService.cpp:483 #53 0x804c85c in main1 (argc=1, argv=0xbffff834) at ../../../xpfe/bootstrap/nsAppRunner.cpp:580 #54 0x804cae9 in main (argc=1, argv=0xbffff834) at ../../../xpfe/bootstrap/nsAppRunner.cpp:670
Assignee: leger → karnaze
Component: Browser-General → HTML Form Controls
Assignee: karnaze → kmcclusk
Reassigning to Kevin.
Assignee: kmcclusk → pollmann
Eric, I think this is yours.
Status: NEW → ASSIGNED
Target Milestone: M12
Yes, this looks like it may be related to the mFormElements cleanup I did recently. It would be extrememely helpful if you could add a reproducible test case (which sites did you visit in what order to cause the crash?) Thanks!
Perhaps this would be a good time to ask why mozilla does not save a log of each URL that it tries to load. If each and every URL loaded was saved into a log file, it would be really easy to attach that log file to a bug report so you developers would know what steps to take to reproduce the problem.I have no idea what URLs I was looking at when it crashed, how would i? The only place such a list exists is in the browser, and it just crashed. If I knew how to get this info out of the core file, it might help, but why not make it easy for bug reporters and developers by having a simple logging system. This could be removed with a --without-urllog switch to the configure script.
QA Contact: leger → cpratt
Updating QA contact.
QA Contact update.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
I still am unable to reproduce this bug, so I'm marking it WORKSFORME. If you can find a reproducible test case, please reopen this bug. Thanks!
Blocks: 21564
Marking VERIFIED WORKSFORME on: - Linux6 2000-02-01-10 Commercial build - Win98 2000-02-01-08 Commercial build - MacOS86 2000-02-01-09 Commercial build
Status: RESOLVED → VERIFIED
No longer blocks: 21564
You need to log in before you can comment on or make changes to this bug.