Closed Bug 33245 Opened 25 years ago Closed 25 years ago

crash in reference counting History layout Object

Categories: Core :: Layout, defect, P3 (x86, All)

Status: VERIFIED WORKSFORME

People: Reporter: sitsofe, Assigned: radha

Keywords: crash

Attachments: 1 file

Steps to reproduce:
1. Visit http://www.wired.com/news/
2. Select a link
3. Click back
4. Select another link

Expected: Page to load
Result: Crash.

This may be related to bug 32201...

Build: 032409 Linux
Crash on Win32:

MOZILLA caused an invalid page fault in module <unknown> at 0000:00a700fd.
Registers:
EAX=00a70050 CS=014f EIP=00a700fd EFLGS=00010206
EBX=00000000 SS=0157 ESP=0068f528 EBP=0068f55c
ECX=00a7007c DS=0157 ESI=00a5ee10 FS=0e9f
EDX=0068f610 ES=0157 EDI=80000000 GS=0000
Bytes at CS:EIP:
00 a7 00 c4 26 a7 00 0c e3 b5 00 31 00 00 00 21
Stack dump:
80000000 00a5ee10 0068f55c 0068f548 00000000 0068f610 00a7007c 00a70050
6019c253 00a70050 00a5a8ac 00000000 00000000 0068f5dc 601d8e5a 00a5ee10

Changing OS to All, adding crash keyword, upgrading to Critical (because it's a crash).

This isn't bug 32201. :-)

Gerv
Severity: normal → critical
Keywords: crash
OS: Linux → All
This also shows up in my Solaris 2.6 build of M14. Can someone change platform to All? (stacktrace coming..)
Attached file: Stack trace from gdb on Solaris 2.6 (deleted)
hi troy

ns_if_addref(nsILayoutHistoryState * 0x03e30030) line 1090 + 15 bytes
PresShell::CaptureHistoryState(PresShell * const 0x04491cd0, nsILayoutHistoryState * * 0x04491f90) line 2485 + 21 bytes
nsCSSFrameConstructor::ConstructDocElementFrame(nsIPresShell * 0x04491cd0, nsIPresContext * 0x044b8950, nsFrameConstructorState & {...}, nsIContent * 0x044b7a68, nsIFrame * 0x03a20ff4, nsIStyleContext * 0x044a9490, nsIFrame * & 0x038d3ee0) line 2552 + 48 bytes
nsCSSFrameConstructor::ContentInserted(nsCSSFrameConstructor * const 0x04491f60, nsIPresContext * 0x044b8950, nsIContent * 0x00000000, nsIContent * 0x044b7a68, int 0, nsILayoutHistoryState * 0x00000000) line 7060
StyleSetImpl::ContentInserted(StyleSetImpl * const 0x04495060, nsIPresContext * 0x044b8950, nsIContent * 0x00000000, nsIContent * 0x044b7a68, int 0) line 966
PresShell::InitialReflow(PresShell * const 0x04491cd0, int 10425, int 12045) line 1242
HTMLContentSink::StartLayout() line 3217
HTMLContentSink::OpenBody(HTMLContentSink * const 0x044b7c60, const nsIParserNode & {...}) line 2701
CNavDTD::OpenBody(const nsIParserNode * 0x04492a30) line 2678 + 31 bytes
CNavDTD::OpenContainer(const nsIParserNode * 0x04492a30, nsHTMLTag eHTMLTag_body, int 1, nsEntryStack * 0x00000000) line 2931 + 12 bytes
CNavDTD::HandleDefaultStartToken(CToken * 0x02e09980, nsHTMLTag eHTMLTag_body, nsIParserNode * 0x04492a30) line 1091 + 20 bytes
CNavDTD::HandleStartToken(CToken * 0x02e09980) line 1429 + 22 bytes
CNavDTD::HandleToken(CNavDTD * const 0x04492d80, CToken * 0x02e09980, nsIParser * 0x044b61c0) line 776 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x04492d80, nsIParser * 0x044b61c0, nsITokenizer * 0x04491410, nsITokenObserver * 0x00000000, nsIContentSink * 0x044b7c60) line 514 + 20 bytes
nsParser::BuildModel() line 1297 + 34 bytes
nsParser::ResumeParse(int 1, int 1) line 1181 + 11 bytes
nsParser::OnStopRequest(nsParser * const 0x044b61c4, nsIChannel * 0x044b1b40, nsISupports * 0x00000000, unsigned int 2152398850, const unsigned short * 0x00000000) line 1643 + 19 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x044b1a80, nsIChannel * 0x044b1b40, nsISupports * 0x00000000, unsigned int 2152398850, const unsigned short * 0x00000000) line 278
InterceptStreamListener::OnStopRequest(InterceptStreamListener * const 0x044b4bf0, nsIChannel * 0x044b1b40, nsISupports * 0x00000000, unsigned int 2152398850, const unsigned short * 0x00000000) line 1120
nsHTTPChunkConv::OnStopRequest(nsHTTPChunkConv * const 0x04491330, nsIChannel * 0x044b1b40, nsISupports * 0x00000000, unsigned int 2152398850, const unsigned short * 0x00000000) line 97
nsHTTPChannel::ResponseCompleted(nsIStreamListener * 0x04491330, unsigned int 2152398850, const unsigned short * 0x00000000) line 1448 + 36 bytes
nsHTTPServerListener::OnStopRequest(nsHTTPServerListener * const 0x044b4150, nsIChannel * 0x044b4854, nsISupports * 0x044b1b40, unsigned int 2152398850, const unsigned short * 0x00000000) line 497
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03f16510) line 286
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03f16150) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x03f16150) line 563 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0100a700) line 508 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x05e30144, unsigned int 49317, unsigned int 0, long 16819968) line 1018 + 9 bytes
USER32! 77e71268()
0100a700()
Assignee: cbegle → troy
Component: Browser-General → Layout
QA Contact: asadotzler → petersen
Nisheeth, I think the CaptureHistoryState() code is you
Assignee: troy → nisheeth
Radha, this is a problem with reference counting on the history state, so passing over to you.
Assignee: nisheeth → radha
Not sure. I'm crashing right when I get out of wired.com to load another page.
Status: NEW → ASSIGNED
Target Milestone: --- → M16
re-summarised.
Summary: Select link, go back, select another link causes crash → crash in reference counting History layout Object
Going forward and back reading Wired news, using links and the [Back] button, using the 2000-04-13-08-M16 build, everything seems stable... no crashes after roughly 2 dozen forward-and-back navigations.
Back is currently broken a bit, but there's no crash. Marking WORKSFORME. Gerv
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
Marking verified per last comments.
Status: RESOLVED → VERIFIED