Closed Bug 7344 Opened 26 years ago Closed 26 years ago

second mail message viewed causes crash

Categories

(Core :: Layout, defect, P3)

defect

Tracking

()

VERIFIED FIXED

People

(Reporter: sspitzer, Assigned: joki)

Details

something landed between may 28 - may 29 that makes it so the second message I click to view in messenger crashes. this happens for mail and news messages. This is on linux and windows, I haven't tried the mac. Here's the linux stack trace: #0 0x40f4f422 in nsDocument::HandleDOMEvent (this=0x86807c0, aPresContext=@0x829fa88, aEvent=0xbfffef54, aDOMEvent=0xbfffef20, aFlags=4, aEventStatus=@0xbfffef80) at nsDocument.cpp:2271 #1 0x4038cc7a in GlobalWindowImpl::HandleDOMEvent (this=0x830e958, aPresContext=@0x829fa88, aEvent=0xbfffef54, aDOMEvent=0xbfffef20, aFla gs=1, aEventStatus=@0xbfffef80) at nsGlobalWindow.cpp:2036 #2 0x402e69a8 in nsWebShell::Destroy (this=0x82cb468) at nsWebShell.cpp:929 #3 0x40e89e24 in nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame (this=0x82cb350, __in_chrg=3) at nsFrameFrame.cpp:464 #4 0x40dc1452 in nsFrame::DeleteFrame (this=0x82cb350, aPresContext=@0x8144570) at nsFrame.cpp:390 #5 0x40f58053 in nsFrameList::DeleteFrames (this=0x82f7fe8, aPresContext=@0x8144570) at nsFrameList.cpp:28 #6 0x40dbed29 in nsContainerFrame::DeleteFrame (this=0x82f7fb0, aPresContext=@0x8144570) at nsContainerFrame.cpp:79 #7 0x40f58053 in nsFrameList::DeleteFrames (this=0x829f630, aPresContext=@0x8144570) at nsFrameList.cpp:28 #8 0x40dbed29 in nsContainerFrame::DeleteFrame (this=0x829f5f8, aPresContext=@0x8144570) at nsContainerFrame.cpp:79 #9 0x40dd8707 in nsLineBox::DeleteLineList (aPresContext=@0x8144570, aLine=0x829f6d0) at nsLineBox.cpp:157 #10 0x40db2b13 in nsBlockFrame::DeleteFrame (this=0x829f2b8, aPresContext=@0x8144570) at nsBlockFrame.cpp:806 #11 0x40db0c26 in nsAreaFrame::DeleteFrame (this=0x829f2b8, aPresContext=@0x8144570) at nsAreaFrame.cpp:105 #12 0x40f58053 in nsFrameList::DeleteFrames (this=0x829f010, aPresContext=@0x8144570) at nsFrameList.cpp:28 #13 0x40dbed29 in nsContainerFrame::DeleteFrame (this=0x829efd8, aPresContext=@0x8144570) at nsContainerFrame.cpp:79 #14 0x40f58053 in nsFrameList::DeleteFrames (this=0x82f8350, aPresContext=@0x8144570) at nsFrameList.cpp:28 #15 0x40dbed29 in nsContainerFrame::DeleteFrame (this=0x82f8318, aPresContext=@0x8144570) at nsContainerFrame.cpp:79 #16 0x40df60ca in ViewportFrame::DeleteFrame (this=0x82f8318, aPresContext=@0x8144570) at nsViewportFrame.cpp:115 #17 0x40de2be2 in PresShell::~PresShell (this=0x8380cb8, __in_chrg=3) at nsPresShell.cpp:548 #18 0x40de2948 in PresShell::Release (this=0x8380cb8) at nsPresShell.cpp:485 #19 0x40069e1c in nsCOMPtr_base::~nsCOMPtr_base (this=0x83778ac, __in_chrg=2) at nsCOMPtr.cpp:25 #20 0x40033457 in nsCOMPtr<nsIPresShell>::~nsCOMPtr (this=0x83778ac, __in_chrg=2) at nsWebShellWindow.cpp:738 #21 0x40f53362 in DocumentViewerImpl::~DocumentViewerImpl (this=0x8377888, __in_chrg=3) at nsDocumentViewer.cpp:240 #22 0x40f53075 in DocumentViewerImpl::Release (this=0x8377888) at nsDocumentViewer.cpp:184 #23 0x402e63c3 in nsWebShell::Embed (this=0x82db018, aContentViewer=0x8388850, aCommand=0x834d358 "view", aExtraInfo=0x0) at nsWebShell.cp p:755 #24 0x402e3c01 in nsDocumentBindInfo::OnStartBinding (this=0x834d328, aURL=0x834d368, aContentType=0x833bb48 "text/html") at nsDocLoader.c pp:1432 #25 0x402c9d6b in NET_NGLayoutConverter (format_out=38, converter_obj=0x0, URL_s=0x834d460, context=0x834d658) at nsStubContext.cpp:949 #26 0x402a1f85 in NET_StreamBuilder (format_out=38, URL_s=0x834d460, context=0x834d658) at mkstream.c:237 #27 0x4027a197 in NET_PluginStream (fmt=38, data_obj=0x0, URL_s=0x834d460, w=0x834d658) at cvplugin.cpp:222 #28 0x402a1f85 in NET_StreamBuilder (format_out=38, URL_s=0x834d460, context=0x834d658) at mkstream.c:237 #29 0x401e373f in net_setup_file_stream (cur_entry=0x834d7a0) at mkfile.c:783 #30 0x401e4511 in net_ProcessFile (cur_entry=0x834d7a0) at mkfile.c:1319 #31 0x40298f17 in NET_ProcessNet (ready_fd=0x0, fd_type=1) at mkgeturl.c:3355 #32 0x402a0df9 in NET_PollSockets () at mkselect.c:298 #33 0x402c2f1a in nsNetlibService::NetPollSocketsCallback (aTimer=0x85fd088, aClosure=0x805f178) at nsNetService.cpp:1276 #34 0x4013f9d5 in ?? () from /builds/sspitzer/MOZILLA/05.29.1999/04.30/mozilla/dist/bin/libgfxgtk.so #35 0x4013febe in ?? () from /builds/sspitzer/MOZILLA/05.29.1999/04.30/mozilla/dist/bin/libgfxgtk.so #36 0x406b1c11 in ?? () from /usr/lib/libglib-1.2.so.0 #37 0x406b0dd2 in ?? () from /usr/lib/libglib-1.2.so.0 #38 0x406b13bb in ?? () from /usr/lib/libglib-1.2.so.0 #39 0x406b1571 in ?? () from /usr/lib/libglib-1.2.so.0 #40 0x405d715b in ?? () from /usr/lib/libgtk-1.2.so.0 #41 0x400e50ed in ?? () from /builds/sspitzer/MOZILLA/05.29.1999/04.30/mozilla/dist/bin/libwidgetgtk.so #42 0x400212c9 in nsAppShellService::Run (this=0x8079250) at nsAppShellService.cpp:402 #43 0x804bb48 in main (argc=2, argv=0xbffffa04) at nsAppRunner.cpp:483
here's the window's stack trace. nsDocument::HandleDOMEvent(nsDocument * const 0x03d3e200, nsIPresContext & {...}, nsEvent * 0x0012fb5c, nsIDOMEvent * * 0x0012fb30, unsigned int 4, nsEventStatus & nsEventStatus_eIgnore) line 2271 + 22 bytes GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x03cb29b4, nsIPresContext & {...}, nsEvent * 0x0012fb5c, nsIDOMEvent * * 0x0012fb30, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2040 nsWebShell::Destroy(nsWebShell * const 0x03cb5e10) line 929 + 34 bytes nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame() line 465 nsHTMLFrameInnerFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes nsFrame::DeleteFrame(nsFrame * const 0x03cb41d0, nsIPresContext & {...}) line 390 + 34 bytes nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29 nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x03cb4600, nsIPresContext & {...}) line 82 nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29 nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x03cb1040, nsIPresContext & {...}) line 82 nsLineBox::DeleteLineList(nsIPresContext & {...}, nsLineBox * 0x03cb4f60) line 158 nsBlockFrame::DeleteFrame(nsBlockFrame * const 0x03cb14e0, nsIPresContext & {...}) line 806 + 16 bytes nsAreaFrame::DeleteFrame(nsAreaFrame * const 0x03cb14e0, nsIPresContext & {...}) line 106 nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29 nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x03cb1870, nsIPresContext & {...}) line 82 nsFrameList::DeleteFrames(nsIPresContext & {...}) line 29 nsContainerFrame::DeleteFrame(nsContainerFrame * const 0x03cb1c50, nsIPresContext & {...}) line 82 ViewportFrame::DeleteFrame(ViewportFrame * const 0x03cb1c50, nsIPresContext & {...}) line 116 PresShell::~PresShell() line 549 PresShell::`scalar deleting destructor'(unsigned int 1) + 15 bytes PresShell::Release(PresShell * const 0x039af900) line 485 + 34 bytes nsCOMPtr_base::~nsCOMPtr_base() line 26 nsCOMPtr<nsIPresShell>::~nsCOMPtr<nsIPresShell>() + 15 bytes DocumentViewerImpl::~DocumentViewerImpl() line 242 + 22 bytes DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes DocumentViewerImpl::Release(DocumentViewerImpl * const 0x03d3d0f0) line 184 + 99 bytes nsWebShell::Embed(nsWebShell * const 0x0393fbf0, nsIContentViewer * 0x0437b6f0, const char * 0x0437a820, nsISupports * 0x00000000) line 755 + 27 bytes nsDocumentBindInfo::OnStartBinding(nsDocumentBindInfo * const 0x0437a860, nsIURL * 0x0437a7a0, const char * 0x0437bed0) line 1432 + 36 bytes OnStartBindingProxyEvent::HandleEvent(OnStartBindingProxyEvent * const 0x0437aa50) line 507 StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x0437aa54) line 472 + 12 bytes PL_HandleEvent(PLEvent * 0x0437aa54) line 491 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00c050b0) line 452 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00a40142, unsigned int 49381, unsigned int 0, long 12603568) line 868 + 9 bytes USER32! 77e71250() 00c050b0()
adding lisa to the cc list
I've checked in the following fix. It prevents the crash, and allows me to use messenger again. I'm not marking this fixed until the owner of the code reviews what I did. sspitzer:/builds/sspitzer/MOZILLA/05.29.1999/04.30/mozilla/layout > cvs diff -c base/src/nsDocument.cpp Index: base/src/nsDocument.cpp =================================================================== RCS file: /cvsroot/mozilla/layout/base/src/nsDocument.cpp,v retrieving revision 3.113 diff -c -r3.113 nsDocument.cpp *** nsDocument.cpp 1999/05/28 00:22:47 3.113 --- nsDocument.cpp 1999/05/29 20:52:50 *************** *** 2268,2276 **** //Capturing stage if (NS_EVENT_FLAG_BUBBLE != aFlags) { nsIScriptGlobalObject* mGlobal; ! if (NS_OK == mScriptContextOwner->GetScriptGlobalObject(&mGlobal)) { ! mGlobal->HandleDOMEvent(aPresContext, aEvent, aDOMEvent, NS_EVENT_FLAG_CAPTURE, aEventStatus); ! NS_RELEASE(mGlobal); } } --- 2268,2278 ---- //Capturing stage if (NS_EVENT_FLAG_BUBBLE != aFlags) { nsIScriptGlobalObject* mGlobal; ! if (mScriptContextOwner != nsnull) { ! if (NS_OK == mScriptContextOwner->GetScriptGlobalObject(&mGlobal)) { ! mGlobal->HandleDOMEvent(aPresContext, aEvent, aDOMEvent, NS_EVENT_FLAG_CAPTURE, aEventStatus); ! NS_RELEASE(mGlobal); ! } } }
Severity: normal → critical
(We didn't see this on the 5/28 build on the Mac due to bug http://bugzilla.mozilla.org/show_bug.cgi?id=7329) Changing severity to critical since this is a crash and it's easy to get. Thanks, Seth, for fixing this. Rick - pls review Seth's changes to make sure that it's a safe fix and doesn't affect your other areas. Thanks.
patrick beard re-did my fix to follow the coding convention of that file. rickg, please review patrick's change, not mine. (his is right after mine.)
Assignee: rickg → vidur
Vidur -- This also crashed for me on NT.
Assignee: vidur → joki
Tom, this should be a quick one for you...
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Yeah, I'll sign off on this. I would have thought that mScriptContextOwner would never be null but apparently (probably during doc destruction or something) it can so this is a good fix. Marking fixed.
QA Contact: petersen → pmock
Status: RESOLVED → VERIFIED
Verified in the June 9 optimized Seamonkey builds. I was not able to reproduce the crash under POP3, IMAP, or News. I tried in on the following builds: June 9 Win32 (1999060909) build installed on Gateway P200 running Win98 June 9 Linux (1999060908) build installed on Compaq P200 running Redhat 5.2 June 9 PPC (1999060909) build installed on PPC 9600/300 running Mac OS 8.5.1
You need to log in before you can comment on or make changes to this bug.