Closed Bug 230283 Opened 21 years ago Closed 21 years ago

crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: volkmar, Assigned: jst)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

Stacktrace
1.93 KB, text/plain
Details
Don't notify about a null document element being inserted into the document.
2.33 KB, patch
sicking
: review+
dbaron
: superreview+
dbaron
: approval1.6+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040106 Firebird/0.7+ Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040106 Firebird/0.7+ Following the first link "schemas" on "http://schneegans.de/sv/" and stopping loading of that new page by using the Esc button during loading crashes Firebird. Reproducible: Always Steps to Reproduce: 1. view http://schneegans.de/sv/ 2. klick first link "schemas" 3. while new page loads, press Esc button Actual Results: Firebird crashed Expected Results: Continue viewing http://schneegans.de/sv/
Flags: blocking0.8?
also reproducable on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040101 Firebird/0.7+ (aebrahim), note that this can be best reproduces with a slow connection and when the status bar displays "transfering data..."
OS: Linux → All
Hardware: PC → All
Also occurs on Seamonkey 2004010122. Confirming, reassigning, upping priority to Critical, adding crash keyword, moving to Browser/Browser-General, removing Firebird blocking0.8?, adding Seamonkey blocking1.6?. (*phew*)
Assignee: blake → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Flags: blocking0.8?
Keywords: crash
Product: Firebird → Browser
QA Contact: general
Version: unspecified → Trunk
Flags: blocking1.6?
Component: Browser-General → DOM: Level 0
Summary: Firebird crashes when changing to another site is stopped by using the ESC button → Firebird crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
Attached file Stacktrace
stacktrace from a win2k trunk opt build with symbols
Assignee: general → general
QA Contact: general → ian
Getting 2 assertions here before crash: ###!!! ASSERTION: mDocElement not in doc?: 'mDocument->IndexOf(mDocElement) != - 1', file e:/mozilla/tree6/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 269 ###!!! ASSERTION: Null content!: 'aContent', file e:/mozilla/tree6/mozilla/conte nt/html/document/src/nsHTMLDocument.cpp, line 1369
would need a patch quickly to get this into 1.6. does anyone know if this is a recent regression?
Summary: Firebird crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems] → crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
can't get 1.4 to crash...
1.5 also doesn't seem to crash
caillon, jst, dbaron... any ideas on this one?
Flags: blocking1.6? → blocking1.6+
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031201 did crash but it seemed a bit harder to make the timimg line up to make the crash happen.
> Getting 2 assertions here before crash: > ###!!! ASSERTION: mDocElement not in doc?: 'mDocument->IndexOf(mDocElement) != - > 1', file e:/mozilla/tree6/mozilla/content/xml/document/src/nsXMLContentSink.cpp, > line 269 code around this changed in Oct. 1.293 <bzbarsky@mit.edu> 10 Oct 2003 17:27 Make sure to notify document observers even about content that gets added to the document before StartLayout(). Block those notifications from getting passed on to the frame constructor before StartLayout(), though. Bug 220930, r=peterv, sr=jst
looks like 1.5 branched on Aug 29. so it looks like maybe sometime between Aug. 29 and Dec 1. Narrowing the window is going to be touger since nightly builds only go back to Dec 1. bunch of decomtamination work going on since then too.. http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/content/xml/document/src/nsXMLContentSink.cpp
Older nightlys exist at http://archive.mozilla.org/pub/mozilla/nightly/ :) (i didn't even know we had such an archive, but it's quite useful)
The crash is caused by mDocElement being null in nsXMLContentSink::DidBuildModel(). This calls ContentInserted with aContainer and aContent being null, which calls RegisterNamedItems, which dereferences the null pointer.
Attachment #138720 - Flags: superreview?(dbaron)
Attachment #138720 - Flags: review?(bugmail)
Attachment #138720 - Flags: approval1.6?
Attachment #138720 - Flags: superreview?(dbaron) → superreview+
Taking.
Assignee: general → jst
Fix checked in on trunk and 1.6 branch.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 138720 [details] [diff] [review] Don't notify about a null document element being inserted into the document. >+ mDocument->BeginUpdate(UPDATE_CONTENT_MODEL); >+ mDocument->ContentInserted(nsnull, mDocElement, >+ // XXXbz is this last arg relevant if >+ // the container is null? >+ mDocument->IndexOf(mDocElement)); >+ mDocument->EndUpdate(UPDATE_CONTENT_MODEL); How about using mozAutoDocUpdate?
Side-note: In the same code block, what about: 255 nsIScriptLoader *loader = mDocument->GetScriptLoader(); and 291 mDocument->EndLoad(); when mDocument is null ?
mDocument can't be null at that point. (we ensure that the content sink gets created with a document). Besides, we'd crash much sooner if there wasn't one.
My mistake: I looked for |mDocument| while the issue was on |mDocElement| :-<
This code now uses mozAutoDocUpdate.
Crash Signature: [@nsHTMLDocument::RegisterNamedItems]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: