Closed Bug 33325 Opened 25 years ago Closed 25 years ago

Framed page -> unframed page(?) -> back crashes browser

Categories

(Core :: JavaScript Engine, defect, P3)

x86
Windows NT
defect

RESOLVED WORKSFORME

People

(Reporter: hume, Assigned: rogerl)

Details

(Keywords: crash)

Consistent crash with the following procedure:
1) Go to http://den.bofh.halifax.ns.ca/index2.html
2) Click on the "flaming hick" link
3) Keep your comments to yourself. :)
4) Let the new page load.
5) Hit the back button on the button bar.
6) Die.
'The instruction at "0x6003ba43" referenced memory at "0x00000000" The memory could not be "read".'
Reproducible with nightly fetched 2000/03/25 on W2K.
This is also a problem on Linux Build ID 2000032409.
More of bug 18798? hume@bofh.halifax.ns.ca or gstoll@rice.edu, can either of you provide a stack trace?
I'd be glad to provide a stack trace. Does anyone know how to wrangle a trace out of the Borland C++ debugger? This is actually something I've been trying to figure out for some time, for the other couple of crashers I've posted.
Following instructions I crash in:
MOZILLA caused an invalid page fault in module APPSHELL.DLL at 014f:6003bbcf.
Registers:
EAX=0068ed00 CS=014f EIP=6003bbcf EFLGS=00010246
EBX=60c66ece SS=0157 ESP=0068eba4 EBP=0068ed20
ECX=00000000 DS=0157 ESI=00000000 FS=1247
EDX=0068ed28 ES=0157 EDI=80000000 GS=0000
Bytes at CS:EIP:
8b 11 ff 52 0c 85 c7 75 14 8d 4d dc ff 15 70 21
Stack dump:
00000000 0068ed00 00000001 00000000 00000002 60c8cdfc 00000000 0000003f 00000001 00000000 0068ebd0 00740000 00700074 002f003a 0064002f 006e0065
marking confirmed...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Tested with win32 2000032308 build under windows98 and I crashed as well. After hitting the back button I can see in the console that Webshell+ = goes up about 11 rapidly, followed by "Mozilla caused an invalid page fault in module Kernel32.dll at .... Stack Dump:"
downloading M14 with talkback now to try to reproduce.
I just finished my build 21:45 GMT and loaded the page and crashed in JS_realloc, which seems to be an example of optimistic programming. But this may not be the described bug. The stack trace:
_realloc_base(void * 0x0410f4c0, unsigned int 108) line 108 + 13 bytes
realloc_help(void * 0x0410f4e0, unsigned int 72, int 1, const char * 0x00000000, int 0, int 1) line 649 + 16 bytes
_realloc_dbg(void * 0x0410f4e0, unsigned int 72, int 1, const char * 0x00000000, int 0) line 824 + 27 bytes
realloc(void * 0x0410f4e0, unsigned int 72) line 768 + 19 bytes
JS_realloc(JSContext * 0x0404ee90, void * 0x0410f4e0, unsigned int 72) line 1027 + 14 bytes
js_AllocSlot(JSContext * 0x0404ee90, JSObject * 0x031ccd90, unsigned long * 0x0095f234) line 1505 + 20 bytes
js_NewScopeProperty(JSContext * 0x0404ee90, JSScope * 0x0410fa10, long 48583280, int (JSContext *, JSObject *, long, long *)* 0x004e1235 _JS_PropertyStub, int (JSContext *, JSObject *, long, long *)* 0x004e1235 _JS_PropertyStub, unsigned int 0) line 477 + 20 bytes
js_DefineProperty(JSContext * 0x0404ee90, JSObject * 0x031ccd90, long 48583280, long 52219352, int (JSContext *, JSObject *, long, long *)* 0x004e1235 _JS_PropertyStub, int (JSContext *, JSObject *, long, long *)* 0x004e1235 _JS_PropertyStub, unsigned int 0, JSProperty * * 0x00000000) line 1660 + 29 bytes
js_DefineFunction(JSContext * 0x0404ee90, JSObject * 0x031ccd90, JSAtom * 0x02e55270, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x019e7567 InstallTriggerGlobalStartSoftwareUpdate(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 1646 + 40 bytes
JS_DefineFunction(JSContext * 0x0404ee90, JSObject * 0x031ccd90, const char * 0x01a14194, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x019e7567 InstallTriggerGlobalStartSoftwareUpdate(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 2256 + 29 bytes
JS_DefineFunctions(JSContext * 0x0404ee90, JSObject * 0x031ccd90, JSFunctionSpec * 0x01a14068) line 2238 + 44 bytes
JS_InitClass(JSContext * 0x0404ee90, JSObject * 0x03256328, JSObject * 0x00000000, JSClass * 0x01a13fc0 struct JSClass InstallTriggerGlobalClass, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00000000, unsigned int 0, JSPropertySpec * 0x00000000, JSFunctionSpec * 0x00000000, JSPropertySpec * 0x00000000, JSFunctionSpec * ...) line 1336 + 113 bytes
InitInstallTriggerGlobalClass(JSContext * 0x0404ee90, JSObject * 0x03256328, void * * 0x0095f3c4) line 619 + 36 bytes
NS_InitInstallTriggerGlobalClass(nsIScriptContext * 0x0404a8a0, void * * 0x00000000) line 652 + 17 bytes
nsSoftwareUpdateNameSet::InitializeClasses(nsSoftwareUpdateNameSet * const 0x027f4310, nsIScriptContext * 0x0404a8a0) line 515 + 11 bytes
nsScriptNameSetRegistry::InitializeClasses(nsScriptNameSetRegistry * const 0x02858de0, nsIScriptContext * 0x0404a8a0) line 81 + 16 bytes
nsJSContext::InitializeExternalClasses() line 653 + 27 bytes
nsJSContext::InitClasses(nsJSContext * const 0x0404a8a0) line 696 + 209 bytes
nsJSContext::InitContext(nsJSContext * const 0x0404a8a0, nsIScriptGlobalObject * 0x0404a900) line 635 + 12 bytes
NS_CreateScriptContext(nsIScriptGlobalObject * 0x0404a900, nsIScriptContext * * 0x040e1660) line 909
nsDocShell::EnsureScriptEnvironment(nsDocShell * const 0x040e15c0) line 2491 + 50 bytes
nsDocShell::GetScriptGlobalObject(nsDocShell * const 0x040e15e8, nsIScriptGlobalObject * * 0x0095f5a0) line 1852 + 19 bytes
DocumentViewerImpl::Init(DocumentViewerImpl * const 0x040e7250, nsIWidget * 0x040e1344, nsIDeviceContext * 0x0404e2f0, const nsRect & {...}) line 458 + 56 bytes
nsDocShell::SetupNewViewer(nsDocShell * const 0x040e15c0, nsIContentViewer * 0x040e7250) line 2175 + 63 bytes
nsWebShell::SetupNewViewer(nsWebShell * const 0x040e15c0, nsIContentViewer * 0x040e7250) line 759 + 13 bytes
nsDocShell::CreateContentViewer(nsDocShell * const 0x040e15c0, const char * 0x0095f8d0, int 0, nsIChannel * 0x040e23e0, nsIStreamListener * * 0x0095f910) line 2052 + 24 bytes
nsWebShell::DoContent(nsWebShell * const 0x040e16c8, const char * 0x0095f8d0, int 0, const char * 0x10084590 gCommonEmptyBuffer, nsIChannel * 0x040e23e0, nsIStreamListener * * 0x0095f910, int * 0x0095f8b4) line 1407 + 38 bytes
nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x040e23e0, nsISupports * 0x00000000) line 392 + 109 bytes
nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x040e2560, nsIChannel * 0x040e23e0, nsISupports * 0x00000000) line 253 + 16 bytes
InterceptStreamListener::OnStartRequest(InterceptStreamListener * const 0x040e7c90, nsIChannel * 0x040e23e0, nsISupports * 0x00000000) line 1105
nsHTTPServerListener::FinishedResponseHeaders() line 774 + 48 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x040e58b0, nsIChannel * 0x040e3504, nsISupports * 0x040e23e0, nsIInputStream * 0x040e3d4c, unsigned int 0, unsigned int 304) line 310 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x040e6af0) line 384 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x040e2d80) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x040e2d80) line 563 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x019884c0) line 508 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000008b8, unsigned int 55534, unsigned int 0, long 26772672) line 1018 + 9 bytes
And now comes the real bug, with a NULL pointer deref. You can't dereference a NULL nsCOMPtr with operator->(). Stack trace:
KERNEL32! bff768a0()
nsDebug::Assertion(const char * 0x01abedcc `string', const char * 0x01abee10 `string', const char * 0x01abee20 `string', int 621) line 189 + 13 bytes
nsDebug::PreCondition(const char * 0x01abedcc `string', const char * 0x01abee10 `string', const char * 0x01abee20 `string', int 621) line 282 + 21 bytes
nsCOMPtr<nsIURI>::operator->() line 621 + 34 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x04022f1c, int 0) line 691 + 42 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03faa89c, int 0) line 741 + 25 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03ebe9ac, int 0) line 741 + 25 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03da8a4c, int 0) line 741 + 25 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03bd66fc, int 0) line 741 + 25 bytes
nsSessionHistory::UpdateStatus(nsSessionHistory * const 0x03bda250, nsIWebShell * 0x03bd66fc, int 0) line 1058 + 17 bytes
nsBrowserInstance::OnEndDocumentLoad(nsBrowserInstance * const 0x03bda2b4, nsIDocumentLoader * 0x03bd7c30, nsIChannel * 0x03cd0640, unsigned int 0) line 1534
nsSecureBrowserUIImpl::OnEndDocumentLoad(nsSecureBrowserUIImpl * const 0x03c73b00, nsIDocumentLoader * 0x03bd7c30, nsIChannel * 0x03cd0640, unsigned int 0) line 301 + 47 bytes
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x03bd670c, nsIDocumentLoader * 0x03bd7c30, nsIChannel * 0x03cd0640, unsigned int 0) line 2467
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x03bd7c30, nsIChannel * 0x03cd0640, unsigned int 0) line 620
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 511
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x03e9e4b4, nsIChannel * 0x03e9fc40, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 455
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x03e9e450, nsIChannel * 0x03e9fc40, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 537 + 39 bytes
nsHTTPChannel::ResponseCompleted(nsIStreamListener * 0x0402ab30, unsigned int 0, const unsigned short * 0x00000000) line 1377
nsHTTPServerListener::OnStopRequest(nsHTTPServerListener * const 0x04028930, nsIChannel * 0x04028094, nsISupports * 0x03e9fc40, unsigned int 0, const unsigned short * 0x00000000) line 478
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03edd100) line 288
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03edd0b0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x03edd0b0) line 563 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0197ec50) line 508 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00000c64, unsigned int 55534, unsigned int 0, long 26733648) line 1018 + 9 bytes
KERNEL32! bff7363b()
KERNEL32! bff94407()
00958b82()
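The assertion in the trace above, nsCOMPtr<nsIURI>::operator->() refusing a null pointer inside nsHistoryEntry::Compare, is a precondition check doing its job: it turns a silent read through address zero into a diagnosable failure, and it points at the caller, which has to treat a history entry with no URI as a state that can occur. The block below is an added illustration, not Mozilla code: Uri, Ptr, WebShell, HistoryEntry, CompareUnguarded, CompareGuarded, MakeUri and the example.test URLs are all assumptions standing in for nsIURI, nsCOMPtr, nsIWebShell and nsHistoryEntry, and the stand-in pointer throws where the real class asserted so the failure can be observed in a test.

```cpp
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical stand-in for nsIURI; only the spec string is modelled.
struct Uri {
    std::string spec;
    // Defensive on the argument side as well: a null "other" is not equal.
    bool Equals(const Uri* other) const { return other != nullptr && spec == other->spec; }
};

// Hypothetical stand-in for nsCOMPtr<T>. The trace shows the real class
// asserting (nsDebug::PreCondition) when operator-> is used on a null
// pointer; this one throws instead so a test can observe the failure.
template <typename T>
class Ptr {
public:
    Ptr() = default;
    explicit Ptr(std::shared_ptr<T> p) : p_(std::move(p)) {}
    bool IsNull() const { return !p_; }
    T* get() const { return p_.get(); }
    T* operator->() const {
        if (!p_) {
            throw std::logic_error("You can't dereference a NULL pointer with operator->()");
        }
        return p_.get();
    }
private:
    std::shared_ptr<T> p_;
};

// Hypothetical stand-ins for a webshell's current document and one
// session-history entry. An entry's URI may be null, e.g. when the load it
// records never completed.
struct WebShell { Ptr<Uri> currentUri; };
struct HistoryEntry { Ptr<Uri> uri; };

// Unguarded comparison: the shape of the call that trips the assertion.
bool CompareUnguarded(const HistoryEntry& e, const WebShell& ws) {
    return e.uri->Equals(ws.currentUri.get());
}

// Guarded comparison: a missing URI on either side means "not this entry"
// rather than a crash.
bool CompareGuarded(const HistoryEntry& e, const WebShell& ws) {
    if (e.uri.IsNull() || ws.currentUri.IsNull()) return false;
    return e.uri->Equals(ws.currentUri.get());
}

// Builds constructed sample URIs for the checks below.
static Ptr<Uri> MakeUri(const std::string& spec) {
    return Ptr<Uri>(std::make_shared<Uri>(Uri{spec}));
}

// True when the unguarded path fails loudly on an entry with no URI.
bool UnguardedTripsOnNullEntry() {
    HistoryEntry empty;                              // no URI recorded
    WebShell ws{MakeUri("http://example.test/")};    // constructed sample value
    try {
        CompareUnguarded(empty, ws);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// True when the guarded path survives the same input and reports "no match".
bool GuardedReturnsFalseOnNullEntry() {
    HistoryEntry empty;
    WebShell ws{MakeUri("http://example.test/")};
    return CompareGuarded(empty, ws) == false;
}

bool GuardedMatchesSameUri() {
    HistoryEntry e{MakeUri("http://example.test/page")};
    WebShell ws{MakeUri("http://example.test/page")};
    return CompareGuarded(e, ws);
}

bool GuardedRejectsDifferentUri() {
    HistoryEntry e{MakeUri("http://example.test/a")};
    WebShell ws{MakeUri("http://example.test/b")};
    return !CompareGuarded(e, ws);
}

int main() {
    std::printf("unguarded trips on null entry: %s\n", UnguardedTripsOnNullEntry() ? "yes" : "no");
    std::printf("guarded handles null entry:    %s\n", GuardedReturnsFalseOnNullEntry() ? "yes" : "no");
    std::printf("guarded matches same URI:      %s\n", GuardedMatchesSameUri() ? "yes" : "no");
    std::printf("guarded rejects different URI: %s\n", GuardedRejectsDifferentUri() ? "yes" : "no");
    return 0;
}
```

The point of keeping the check in the smart pointer and a second check in the caller is that the two catch different things: the pointer's precondition makes every null dereference fail at the call site, which is what produced the readable trace above, while the caller's guard decides what a null means for this operation so that the failure never has to happen in a release build.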
Unable to crash with these steps in M14 TalkBack build :(
updating component and owner... sorry, roger!
Assignee: cbegle → rogerl
Component: Browser-General → Javascript Engine
QA Contact: asadotzler → rginda
adding crash keyword and bumping severity.
Severity: normal → critical
Keywords: crash
I don't crash anymore (60208 winME/win2k), though the wrong page does load upon pressing back (well known bug). marking wfm, pls reopen if you still are experiencing this.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME