Closed Bug 24193 Opened 25 years ago Closed 25 years ago

crash closing window in nsURILoader::DispatchContent

Categories

(Core :: XUL, defect, P3)

x86
Windows NT
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: warrensomebody, Assigned: mscott)

Details

(Keywords: crash, Whiteboard: haven't been able to reproduce this yet.)

I clicked the close box on a window and got the following crash: nsURILoader::DispatchContent(nsURILoader * const 0x012e8de0, const char * 0x02a4ef30, int 0x00000000, const char * 0x100782d0 gCommonEmptyBuffer, nsIChannel * 0x02a4a8d0, nsISupports * 0x00000000, nsIURIContentListener * 0x0290b6dc, char * * 0x0012c998, nsIURIContentListener * * 0x0012c9a0) line 539 + 29 bytes nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x02a4a8d0, nsISupports * 0x00000000) line 273 + 146 bytes nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x0283f5c0, nsIChannel * 0x02a4a8d0, nsISupports * 0x00000000) line 221 + 16 bytes nsCachedChromeChannel::AsyncRead(nsCachedChromeChannel * const 0x02a4a8d0, unsigned int 0x00000000, int 0xffffffff, nsISupports * 0x00000000, nsIStreamListener * 0x0283f5c0) line 170 + 20 bytes nsDocumentOpenInfo::Open(nsIURI * 0x02c4bbe0, int 0x00000000, const char * 0x00000000, nsISupports * 0x0290b6c0, nsIURI * 0x00000000, nsIInputStream * 0x00000000, nsISupports * 0x029089e0, nsISupports * * 0x0012cba4) line 212 + 42 bytes nsURILoader::OpenURIWithPostDataVia(nsURILoader * const 0x012e8de4, nsIURI * 0x02c4bbe0, int 0x00000000, const char * 0x00000000, nsISupports * 0x0290b6c0, nsIURI * 0x00000000, nsIInputStream * 0x00000000, nsISupports * 0x029089e0, nsISupports * * 0x0012cba4, unsigned int 0x00000000) line 500 + 40 bytes nsURILoader::OpenURIVia(nsURILoader * const 0x012e8de0, nsIURI * 0x02c4bbe0, int 0x00000000, const char * 0x00000000, nsISupports * 0x0290b6c0, nsIURI * 0x00000000, nsISupports * 0x029089e0, nsISupports * * 0x0012cba4, unsigned int 0x00000000) line 458 nsURILoader::OpenURI(nsURILoader * const 0x012e8de0, nsIURI * 0x02c4bbe0, int 0x00000000, const char * 0x00000000, nsISupports * 0x0290b6c0, nsIURI * 0x00000000, nsISupports * 0x029089e0, nsISupports * * 0x0012cba4) line 444 nsDocLoaderImpl::LoadDocument(nsDocLoaderImpl * const 0x0290b0e0, nsIURI * 0x02c4bbe0, const char * 0x00380684, nsISupports * 0x0290b6c0, nsIInputStream * 0x00000000, nsISupports * 0x00000000, unsigned int 0x00000000, const unsigned int 0x00000000, const unsigned short * 0x00000000) line 384 + 75 bytes nsWebShell::DoLoadURL(nsIURI * 0x02c4bbe0, const char * 0x00380684, nsIInputStream * 0x00000000, unsigned int 0x00000000, const unsigned int 0x00000000, const unsigned short * 0x00000000, int 0x00000001) line 1677 + 101 bytes nsWebShell::LoadURI(nsWebShell * const 0x0290b6c0, nsIURI * 0x02c4bbe0, const char * 0x00380684, nsIInputStream * 0x00000000, int 0x00000001, unsigned int 0x00000000, const unsigned int 0x00000000, nsISupports * 0x00000000, const unsigned short * 0x00000000) line 1949 + 40 bytes nsWebShell::LoadURL(nsWebShell * const 0x0290b6c0, const unsigned short * 0x02c42980, const char * 0x00380684, nsIInputStream * 0x00000000, int 0x00000001, unsigned int 0x00000000, const unsigned int 0x00000000, nsISupports * 0x00000000, const unsigned short * 0x00000000) line 2180 + 52 bytes nsWebShell::LoadURL(nsWebShell * const 0x0290b6c0, const unsigned short * 0x02c42980, nsIInputStream * 0x00000000, int 0x00000001, unsigned int 0x00000000, const unsigned int 0x00000000, nsISupports * 0x00000000, const unsigned short * 0x00000000) line 1485 nsHTMLFrameInnerFrame::ReloadURL() line 951 + 66 bytes nsHTMLFrameOuterFrame::AttributeChanged(nsHTMLFrameOuterFrame * const 0x020a0498, nsIPresContext * 0x02b204a0, nsIContent * 0x02c42cbc, int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, int 0x00000002) line 414 nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 0x02b9a9b0, nsIPresContext * 0x02b204a0, nsIContent * 0x02c42cbc, int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, int 0x00000002) line 7615 + 35 bytes StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x02b9aa50, nsIPresContext * 0x02b204a0, nsIContent * 0x02c42cbc, int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, int 0xffffffff) line 996 PresShell::AttributeChanged(PresShell * const 0x02b9a7b8, nsIDocument * 0x02b21ad0, nsIContent * 0x02c42cbc, int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, int 0xffffffff) line 2385 + 57 bytes nsXULDocument::AttributeChanged(nsXULDocument * const 0x02b21ad0, nsIContent * 0x02c42cbc, int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, int 0xffffffff) line 1394 nsGenericHTMLElement::SetAttribute(int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, const nsString & {"chrome://related/content/related-panel.xul"}, int 0x00000001) line 734 nsHTMLIFrameElement::SetAttribute(nsHTMLIFrameElement * const 0x02c42cbc, int 0x00000000, nsIAtom * 0x015e5ed0 {"src"}, const nsString & {"chrome://related/content/related-panel.xul"}, int 0x00000001) line 89 + 30 bytes nsGenericElement::SetAttribute(const nsString & {"src"}, const nsString & {"chrome://related/content/related-panel.xul"}) line 426 + 32 bytes nsGenericHTMLElement::SetAttribute(const nsString & {"src"}, const nsString & {"chrome://related/content/related-panel.xul"}) line 80 nsHTMLIFrameElement::SetAttribute(nsHTMLIFrameElement * const 0x02c42cb0, const nsString & {"src"}, const nsString & {"chrome://related/content/related-panel.xul"}) line 55 + 22 bytes ElementSetAttribute(JSContext * 0x02b26e90, JSObject * 0x0205e5e0, unsigned int 0x00000002, long * 0x0201b014, long * 0x0012db68) line 263 + 26 bytes js_Invoke(JSContext * 0x02b26e90, unsigned int 0x00000002, unsigned int 0x00000000) line 665 + 26 bytes js_Interpret(JSContext * 0x02b26e90, long * 0x0012e3d8) line 2226 + 15 bytes js_Invoke(JSContext * 0x02b26e90, unsigned int 0x00000002, unsigned int 0x00000000) line 681 + 13 bytes js_Interpret(JSContext * 0x02b26e90, long * 0x0012ec04) line 2226 + 15 bytes js_Invoke(JSContext * 0x02b26e90, unsigned int 0x00000001, unsigned int 0x00000002) line 681 + 13 bytes js_InternalCall(JSContext * 0x02b26e90, JSObject * 0x01ff8780, long 0x00da2940, unsigned int 0x00000001, long * 0x0012ed78, long * 0x0012ed34) line 758 + 15 bytes JS_CallFunctionValue(JSContext * 0x02b26e90, JSObject * 0x01ff8780, long 0x00da2940, unsigned int 0x00000001, long * 0x0012ed78, long * 0x0012ed34) line 2758 + 29 bytes nsJSContext::CallEventHandler(nsJSContext * const 0x02b201a0, void * 0x01ff8780, void * 0x00da2940, unsigned int 0x00000001, void * 0x0012ed78, int * 0x0012ed74) line 564 + 33 bytes nsJSDOMEventListener::HandleEvent(nsIDOMEvent * 0x02c13944) line 94 + 47 bytes nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02c43a80, nsIDOMEvent * 0x02c13944, unsigned int 0x00000001) line 640 + 19 bytes nsEventListenerManager::HandleEvent(nsIPresContext * 0x02b204a0, nsEvent * 0x0012f574, nsIDOMEvent * * 0x0012f0d8, unsigned int 0x00000007, nsEventStatus * 0x0012f5b4) line 1191 + 31 bytes GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x02b20204, nsIPresContext * 0x02b204a0, nsEvent * 0x0012f574, nsIDOMEvent * * 0x0012f0d8, unsigned int 0x00000001, nsEventStatus * 0x0012f5b4) line 3251 nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x02b25590, nsIDocumentLoader * 0x02b22c70, nsIChannel * 0x02b27cb0, unsigned int 0x804b0002) line 3089 + 34 bytes nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x02b22c70, nsIChannel * 0x02b27cb0, unsigned int 0x804b0002) line 822 nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0x804b0002) line 713 nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x02b22c74, nsIChannel * 0x02b27cb0, nsISupports * 0x00000000, unsigned int 0x804b0002, const unsigned short * 0x00000000) line 657 nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x02b22b60, nsIChannel * 0x02b27cb0, nsISupports * 0x00000000, unsigned int 0x804b0002, const unsigned short * 0x00000000) line 535 + 42 bytes nsLoadGroup::Cancel(nsLoadGroup * const 0x02b22b60) line 218 nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x02b22c70) line 420 + 26 bytes nsWebShell::Stop(nsWebShell * const 0x02b25580) line 2202 nsWebShell::Destroy(nsWebShell * const 0x02b254dc) line 3745 nsWebShellWindow::Close(nsWebShellWindow * const 0x02b22a10) line 440 nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f8d8) line 505 nsWindow::DispatchEvent(nsWindow * const 0x02b24b14, nsGUIEvent * 0x0012f8d8, nsEventStatus & nsEventStatus_eIgnore) line 502 + 10 bytes nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f8d8) line 523 nsWindow::DispatchStandardEvent(unsigned int 0x00000065) line 543 + 15 bytes nsWindow::ProcessMessage(unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000, long * 0x0012faf4) line 2597 nsWindow::WindowProc(HWND__ * 0x033e06b2, unsigned int 0x00000010, unsigned int 0x00000000, long 0x00000000) line 689 + 27 bytes USER32! 77e719d0() USER32! 77e71982() NTDLL! 77f763a3() USER32! 77e718d2() nsWindow::DefaultWindowProc(HWND__ * 0x033e06b2, unsigned int 0x00000112, unsigned int 0x0000f060, long 0x005c042c) line 716 USER32! 77e727fe() USER32! 77e72889() nsWindow::WindowProc(HWND__ * 0x033e06b2, unsigned int 0x00000112, unsigned int 0x0000f060, long 0x005c042c) line 696 + 31 bytes USER32! 77e719d0() USER32! 77e71982() NTDLL! 77f763a3() USER32! 77e718d2() nsWindow::DefaultWindowProc(HWND__ * 0x033e06b2, unsigned int 0x000000a1, unsigned int 0x00000014, long 0x005c042c) line 716 USER32! 77e727fe() USER32! 77e72889() nsWindow::WindowProc(HWND__ * 0x033e06b2, unsigned int 0x000000a1, unsigned int 0x00000014, long 0x005c042c) line 696 + 31 bytes USER32! 77e71820() rv = listener->CanHandleContent(aContentType, aCommand, aWindowTarget, aContentTypeToUse, &canHandleContent); I think listener is bad. It's vtable ptr is 0x80000001. Must be a bad assumption about its lifetime w.r.t. window destruction.
Warren is this a browser chrome window you are closing or like a JS pop up window? I can't seem to reproduce this from my debug build from today...
Severity: normal → critical
It was a browser window with chrome. I was trying to reproduce Bug#20604 (without any luck) -- clicking on the menu items pops up new windows (although the content it's looking for can't be found). I either clicked the close box on the new window, or typed Ctrl-W (I forget) and I got the crash.
Component: Browser-General → XUL
QA Contact: nobody → paulmac
Updating QA Contact.
BULK MOVE: Changing component from XUL to XP Toolkit/Widgets: XUL. XUL component will be deleted.
Component: XUL → XP Toolkit/Widgets: XUL
I'm still trying to get this to happen on my machine.
Whiteboard: haven't been able to reproduce this yet.
Adding "crash" keyword to all known open crasher bugs.
Keywords: crash
waterson saw a similar crash Saturday but he hasn't been able to reproduce it again. I have a theory. Right now, the browser window and the mail window register themselves as nsIURIContentListeners with the uriloader when they are first created. The method for registration on the loader looks like: RegisterContentListener(nsIURIContentListener * aContentListener) and it adds the content listener to a void array. When I call regiserContentListener, I am passing in the this ptr for the window instead of QI (or casting it) explicitly to a nsIURIContentListener. In the destructor for the browser instance / msg window, we unregister ourselves, again passing in the this ptr for the content listener. The uri loader then calls removeElement on the void array. I wonder if by not explicitly casting to a nsIURIContentListener before registering and unregistering the listener, the void array is failing to find the element when it goes to remove it. I'm adding some code to my build to detect this condition in case this is indeed what's going on. Although it's difficult because we haven't been able to reliably reproduce the crash.
Status: NEW → ASSIGNED
Target Milestone: M14
I found a scenario I could reproduce where the mail window registered itself twice with the uri loader. And when you dismissed the mail window, it of course only gets removed once. I fixed the problem where it registered twice. Since making that change, I hven't been able to generate any crashes in DispatchContent due to deleted content listeners.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
please ignore, massive spam giving jrgm@netscape.com backlog of XPToolkits resolved fixed bugs to verify
QA Contact: paulmac → jrgm
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets
You need to log in before you can comment on or make changes to this bug.