Closed
Bug 33325
Opened 25 years ago
Closed 25 years ago
Framed page -> unframed page(?) -> back crashes browser
Categories
(Core :: JavaScript Engine, defect, P3)
RESOLVED
WORKSFORME
People
(Reporter: hume, Assigned: rogerl)
Details
(Keywords: crash)
Consistent crash with the following procedure:
1) Go to http://den.bofh.halifax.ns.ca/index2.html
2) Click on the "flaming hick" link
3) Keep your comments to yourself. :)
4) Let the new page load.
5) Hit the back button on the button bar.
6) Die.
'The instruction at "0x6003ba43" referenced memory at "0x00000000"
The memory could not be "read".'
Reproducible with nightly fetched 2000/03/25 on W2K.
Comment 2•25 years ago
More of bug 18798?
hume@bofh.halifax.ns.ca or gstoll@rice.edu can either of you provide a stack
trace?
Comment 3 (Reporter)•25 years ago
I'd be glad to provide a stack trace. Does anyone know how to wrangle a trace
out of the Borland C++ debugger? This is actually something I've been trying to
figure out for some time, for the other couple of crashers I've posted.
Comment 4•25 years ago
Following the instructions I crash in
MOZILLA caused an invalid page fault in
module APPSHELL.DLL at 014f:6003bbcf.
Registers:
EAX=0068ed00 CS=014f EIP=6003bbcf EFLGS=00010246
EBX=60c66ece SS=0157 ESP=0068eba4 EBP=0068ed20
ECX=00000000 DS=0157 ESI=00000000 FS=1247
EDX=0068ed28 ES=0157 EDI=80000000 GS=0000
Bytes at CS:EIP:
8b 11 ff 52 0c 85 c7 75 14 8d 4d dc ff 15 70 21
Stack dump:
00000000 0068ed00 00000001 00000000 00000002 60c8cdfc 00000000 0000003f 00000001
00000000 0068ebd0 00740000 00700074 002f003a 0064002f 006e0065
marking confirmed...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5•25 years ago
Tested with win32 2000032308 build under windows98 and I crashed as well. After
hitting the back button I can see in the console that Webshell+ = goes up about
11 rapidly, followed by "Mozilla caused an invalid page fault in module
Kernel32.dll at .... Stack Dump:"
Comment 6•25 years ago
downloading M14 with talkback now to try to reproduce.
Comment 7•25 years ago
I just finished my build 21:45 GMT and loaded the page and crashed in JS_realloc,
which seems to be an example of optimistic programming.
But this may not be the described bug:
the stack trace:
_realloc_base(void * 0x0410f4c0, unsigned int 108) line 108 + 13 bytes
realloc_help(void * 0x0410f4e0, unsigned int 72, int 1, const char * 0x00000000,
int 0, int 1) line 649 + 16 bytes
_realloc_dbg(void * 0x0410f4e0, unsigned int 72, int 1, const char * 0x00000000,
int 0) line 824 + 27 bytes
realloc(void * 0x0410f4e0, unsigned int 72) line 768 + 19 bytes
JS_realloc(JSContext * 0x0404ee90, void * 0x0410f4e0, unsigned int 72) line 1027
+ 14 bytes
js_AllocSlot(JSContext * 0x0404ee90, JSObject * 0x031ccd90, unsigned long *
0x0095f234) line 1505 + 20 bytes
js_NewScopeProperty(JSContext * 0x0404ee90, JSScope * 0x0410fa10, long 48583280,
int (JSContext *, JSObject *, long, long *)* 0x004e1235 _JS_PropertyStub, int
(JSContext *, JSObject *, long, long *)* 0x004e1235 _JS_PropertyStub, unsigned
int 0) line 477 + 20 bytes
js_DefineProperty(JSContext * 0x0404ee90, JSObject * 0x031ccd90, long 48583280,
long 52219352, int (JSContext *, JSObject *, long, long *)* 0x004e1235
_JS_PropertyStub, int (JSContext *, JSObject *, long, long *)* 0x004e1235
_JS_PropertyStub, unsigned int 0, JSProperty * * 0x00000000) line 1660 + 29
bytes
js_DefineFunction(JSContext * 0x0404ee90, JSObject * 0x031ccd90, JSAtom *
0x02e55270, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x019e7567 InstallTriggerGlobalStartSoftwareUpdate(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 1646 + 40
bytes
JS_DefineFunction(JSContext * 0x0404ee90, JSObject * 0x031ccd90, const char *
0x01a14194, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x019e7567 InstallTriggerGlobalStartSoftwareUpdate(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 2, unsigned int 0) line 2256 + 29
bytes
JS_DefineFunctions(JSContext * 0x0404ee90, JSObject * 0x031ccd90, JSFunctionSpec
* 0x01a14068) line 2238 + 44 bytes
JS_InitClass(JSContext * 0x0404ee90, JSObject * 0x03256328, JSObject *
0x00000000, JSClass * 0x01a13fc0 struct JSClass InstallTriggerGlobalClass, int
(JSContext *, JSObject *, unsigned int, long *, long *)* 0x00000000, unsigned
int 0, JSPropertySpec * 0x00000000, JSFunctionSpec * 0x00000000, JSPropertySpec
* 0x00000000, JSFunctionSpec * ...) line 1336 + 113 bytes
InitInstallTriggerGlobalClass(JSContext * 0x0404ee90, JSObject * 0x03256328,
void * * 0x0095f3c4) line 619 + 36 bytes
NS_InitInstallTriggerGlobalClass(nsIScriptContext * 0x0404a8a0, void * *
0x00000000) line 652 + 17 bytes
nsSoftwareUpdateNameSet::InitializeClasses(nsSoftwareUpdateNameSet * const
0x027f4310, nsIScriptContext * 0x0404a8a0) line 515 + 11 bytes
nsScriptNameSetRegistry::InitializeClasses(nsScriptNameSetRegistry * const
0x02858de0, nsIScriptContext * 0x0404a8a0) line 81 + 16 bytes
nsJSContext::InitializeExternalClasses() line 653 + 27 bytes
nsJSContext::InitClasses(nsJSContext * const 0x0404a8a0) line 696 + 209 bytes
nsJSContext::InitContext(nsJSContext * const 0x0404a8a0, nsIScriptGlobalObject *
0x0404a900) line 635 + 12 bytes
NS_CreateScriptContext(nsIScriptGlobalObject * 0x0404a900, nsIScriptContext * *
0x040e1660) line 909
nsDocShell::EnsureScriptEnvironment(nsDocShell * const 0x040e15c0) line 2491 +
50 bytes
nsDocShell::GetScriptGlobalObject(nsDocShell * const 0x040e15e8,
nsIScriptGlobalObject * * 0x0095f5a0) line 1852 + 19 bytes
DocumentViewerImpl::Init(DocumentViewerImpl * const 0x040e7250, nsIWidget *
0x040e1344, nsIDeviceContext * 0x0404e2f0, const nsRect & {...}) line 458 + 56
bytes
nsDocShell::SetupNewViewer(nsDocShell * const 0x040e15c0, nsIContentViewer *
0x040e7250) line 2175 + 63 bytes
nsWebShell::SetupNewViewer(nsWebShell * const 0x040e15c0, nsIContentViewer *
0x040e7250) line 759 + 13 bytes
nsDocShell::CreateContentViewer(nsDocShell * const 0x040e15c0, const char *
0x0095f8d0, int 0, nsIChannel * 0x040e23e0, nsIStreamListener * * 0x0095f910)
line 2052 + 24 bytes
nsWebShell::DoContent(nsWebShell * const 0x040e16c8, const char * 0x0095f8d0,
int 0, const char * 0x10084590 gCommonEmptyBuffer, nsIChannel * 0x040e23e0,
nsIStreamListener * * 0x0095f910, int * 0x0095f8b4) line 1407 + 38 bytes
nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x040e23e0, nsISupports *
0x00000000) line 392 + 109 bytes
nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x040e2560,
nsIChannel * 0x040e23e0, nsISupports * 0x00000000) line 253 + 16 bytes
InterceptStreamListener::OnStartRequest(InterceptStreamListener * const
0x040e7c90, nsIChannel * 0x040e23e0, nsISupports * 0x00000000) line 1105
nsHTTPServerListener::FinishedResponseHeaders() line 774 + 48 bytes
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x040e58b0,
nsIChannel * 0x040e3504, nsISupports * 0x040e23e0, nsIInputStream * 0x040e3d4c,
unsigned int 0, unsigned int 304) line 310 + 8 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x040e6af0)
line 384 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x040e2d80) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x040e2d80) line 563 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x019884c0) line 508 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000008b8, unsigned int 55534, unsigned int 0,
long 26772672) line 1018 + 9 bytes
Comment 8•25 years ago
And now comes the real bug with a NULL Pointer deref.
You can't dereference a NULL nsComPtr with operator->().
stack trace:
KERNEL32! bff768a0()
nsDebug::Assertion(const char * 0x01abedcc `string', const char * 0x01abee10
`string', const char * 0x01abee20 `string', int 621) line 189 + 13 bytes
nsDebug::PreCondition(const char * 0x01abedcc `string', const char * 0x01abee10
`string', const char * 0x01abee20 `string', int 621) line 282 + 21 bytes
nsCOMPtr<nsIURI>::operator->() line 621 + 34 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x04022f1c, int 0) line 691 + 42 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03faa89c, int 0) line 741 + 25 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03ebe9ac, int 0) line 741 + 25 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03da8a4c, int 0) line 741 + 25 bytes
nsHistoryEntry::Compare(nsIWebShell * 0x03bd66fc, int 0) line 741 + 25 bytes
nsSessionHistory::UpdateStatus(nsSessionHistory * const 0x03bda250, nsIWebShell
* 0x03bd66fc, int 0) line 1058 + 17 bytes
nsBrowserInstance::OnEndDocumentLoad(nsBrowserInstance * const 0x03bda2b4,
nsIDocumentLoader * 0x03bd7c30, nsIChannel * 0x03cd0640, unsigned int 0) line
1534
nsSecureBrowserUIImpl::OnEndDocumentLoad(nsSecureBrowserUIImpl * const
0x03c73b00, nsIDocumentLoader * 0x03bd7c30, nsIChannel * 0x03cd0640, unsigned
int 0) line 301 + 47 bytes
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x03bd670c, nsIDocumentLoader *
0x03bd7c30, nsIChannel * 0x03cd0640, unsigned int 0) line 2467
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x03bd7c30, nsIChannel
* 0x03cd0640, unsigned int 0) line 620
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 511
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 483
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x03e9e4b4, nsIChannel *
0x03e9fc40, nsISupports * 0x00000000, unsigned int 0, const unsigned short *
0x00000000) line 455
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x03e9e450, nsIChannel *
0x03e9fc40, nsISupports * 0x00000000, unsigned int 0, const unsigned short *
0x00000000) line 537 + 39 bytes
nsHTTPChannel::ResponseCompleted(nsIStreamListener * 0x0402ab30, unsigned int 0,
const unsigned short * 0x00000000) line 1377
nsHTTPServerListener::OnStopRequest(nsHTTPServerListener * const 0x04028930,
nsIChannel * 0x04028094, nsISupports * 0x03e9fc40, unsigned int 0, const
unsigned short * 0x00000000) line 478
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03edd100) line
288
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03edd0b0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x03edd0b0) line 563 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0197ec50) line 508 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00000c64, unsigned int 55534, unsigned int 0,
long 26733648) line 1018 + 9 bytes
KERNEL32! bff7363b()
KERNEL32! bff94407()
00958b82()
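The failure in comment 8, modelled as an added example that is not Mozilla's code: a minimal ComPtr whose operator->() asserts on an empty pointer the way the nsCOMPtr precondition in the trace does, beside a history-entry comparison in the shape of nsHistoryEntry::Compare, once unguarded and once guarded. Uri, ComPtr, HistoryEntry, CompareUnguarded and CompareGuarded are assumed stand-ins, not the real Mozilla types.

```cpp
#include <cassert>
#include <string>

// Constructed stand-in for nsIURI: only the spec string the comparison needs.
struct Uri { std::string spec; };

// Minimal model of nsCOMPtr<T>: as in the real class, operator->() carries a
// precondition that the wrapped pointer is non-null, so dereferencing an
// empty pointer asserts (the nsDebug::PreCondition frame in the trace above).
template <typename T>
class ComPtr {
public:
    explicit ComPtr(T* p = nullptr) : mRawPtr(p) {}
    T* operator->() const {
        assert(mRawPtr && "You can't dereference a NULL nsCOMPtr with operator->()");
        return mRawPtr;
    }
    explicit operator bool() const { return mRawPtr != nullptr; }
private:
    T* mRawPtr;
};

// A session-history entry; mURI can legitimately be empty when the entry
// belongs to a frame that never finished loading a document.
struct HistoryEntry { ComPtr<Uri> mURI; };

// Unguarded comparison in the shape the trace shows: it dereferences mURI
// unconditionally, so an entry without a URI trips the precondition.
bool CompareUnguarded(const HistoryEntry& e, const std::string& current) {
    return e.mURI->spec == current;
}

// Guarded comparison: an entry with no URI simply does not match, which keeps
// the history walk alive instead of crashing the browser on "back".
bool CompareGuarded(const HistoryEntry& e, const std::string& current) {
    if (!e.mURI) return false;
    return e.mURI->spec == current;
}

// Constructed sample entries (URL taken from the report's reproduction steps).
static Uri gIndexPage{"http://den.bofh.halifax.ns.ca/index2.html"};
HistoryEntry EntryWithUri() { return HistoryEntry{ComPtr<Uri>(&gIndexPage)}; }
HistoryEntry EntryWithoutUri() { return HistoryEntry{ComPtr<Uri>()}; }

int main() {
    assert(CompareGuarded(EntryWithUri(), gIndexPage.spec));
    assert(!CompareGuarded(EntryWithoutUri(), gIndexPage.spec));
    return 0;
}
```

Calling CompareUnguarded(EntryWithoutUri(), ...) is the crash path and is deliberately not exercised; only the guarded comparison is run.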
Comment 9•25 years ago
Unable to crash with these steps in M14 TalkBack build :(
Comment 10•25 years ago
updating component and owner... sorry, roger!
Assignee: cbegle → rogerl
Component: Browser-General → Javascript Engine
QA Contact: asadotzler → rginda
Comment 11•25 years ago
adding crash keyword and bumping severity.
Severity: normal → critical
Keywords: crash
Comment 12•25 years ago
I don't crash anymore (60208 winME/win2k), though the wrong page does load upon
pressing back (well known bug). marking wfm, pls reopen if you are still
experiencing this.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME