Closed
Bug 230283
Opened 21 years ago
Closed 21 years ago
crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
People
(Reporter: volkmar, Assigned: jst)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
1.93 KB,
text/plain
|
Details | |
2.33 KB,
patch
|
sicking
:
review+
dbaron
:
superreview+
dbaron
:
approval1.6+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040106 Firebird/0.7+ Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040106 Firebird/0.7+ Following the first link "schemas" on "http://schneegans.de/sv/" and stopping loading of that new page by using the Esc button during loading crashes Firebird. Reproducible: Always Steps to Reproduce: 1. view http://schneegans.de/sv/ 2. klick first link "schemas" 3. while new page loads, press Esc button Actual Results: Firebird crashed Expected Results: Continue viewing http://schneegans.de/sv/
Reporter | ||
Updated•21 years ago
|
Flags: blocking0.8?
Comment 1•21 years ago
|
||
also reproducable on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040101 Firebird/0.7+ (aebrahim), note that this can be best reproduces with a slow connection and when the status bar displays "transfering data..."
OS: Linux → All
Hardware: PC → All
Comment 2•21 years ago
|
||
Also occurs on Seamonkey 2004010122. Confirming, reassigning, upping priority to Critical, adding crash keyword, moving to Browser/Browser-General, removing Firebird blocking0.8?, adding Seamonkey blocking1.6?. (*phew*)
Assignee: blake → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Flags: blocking0.8?
Keywords: crash
Product: Firebird → Browser
QA Contact: general
Version: unspecified → Trunk
Updated•21 years ago
|
Flags: blocking1.6?
Updated•21 years ago
|
Component: Browser-General → DOM: Level 0
Summary: Firebird crashes when changing to another site is stopped by using the ESC button → Firebird crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
Comment 3•21 years ago
|
||
stacktrace from a win2k trunk opt build with symbols
Updated•21 years ago
|
Assignee: general → general
QA Contact: general → ian
Comment 4•21 years ago
|
||
Getting 2 assertions here before crash: ###!!! ASSERTION: mDocElement not in doc?: 'mDocument->IndexOf(mDocElement) != - 1', file e:/mozilla/tree6/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line 269 ###!!! ASSERTION: Null content!: 'aContent', file e:/mozilla/tree6/mozilla/conte nt/html/document/src/nsHTMLDocument.cpp, line 1369
Comment 5•21 years ago
|
||
would need a patch quickly to get this into 1.6. does anyone know if this is a recent regression?
Summary: Firebird crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems] → crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
Comment 6•21 years ago
|
||
can't get 1.4 to crash...
Comment 7•21 years ago
|
||
1.5 also doesn't seem to crash
Comment 8•21 years ago
|
||
caillon, jst, dbaron... any ideas on this one?
Flags: blocking1.6? → blocking1.6+
Comment 9•21 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031201 did crash but it seemed a bit harder to make the timimg line up to make the crash happen.
Comment 10•21 years ago
|
||
> Getting 2 assertions here before crash: > ###!!! ASSERTION: mDocElement not in doc?: 'mDocument->IndexOf(mDocElement) != - > 1', file e:/mozilla/tree6/mozilla/content/xml/document/src/nsXMLContentSink.cpp, > line 269 code around this changed in Oct. 1.293 <bzbarsky@mit.edu> 10 Oct 2003 17:27 Make sure to notify document observers even about content that gets added to the document before StartLayout(). Block those notifications from getting passed on to the frame constructor before StartLayout(), though. Bug 220930, r=peterv, sr=jst
Comment 11•21 years ago
|
||
looks like 1.5 branched on Aug 29. so it looks like maybe sometime between Aug. 29 and Dec 1. Narrowing the window is going to be touger since nightly builds only go back to Dec 1. bunch of decomtamination work going on since then too.. http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/content/xml/document/src/nsXMLContentSink.cpp
Comment 12•21 years ago
|
||
Older nightlys exist at http://archive.mozilla.org/pub/mozilla/nightly/ :) (i didn't even know we had such an archive, but it's quite useful)
The crash is caused by mDocElement being null in nsXMLContentSink::DidBuildModel(). This calls ContentInserted with aContainer and aContent being null, which calls RegisterNamedItems, which dereferences the null pointer.
Assignee | ||
Comment 14•21 years ago
|
||
Assignee | ||
Updated•21 years ago
|
Attachment #138720 -
Flags: superreview?(dbaron)
Attachment #138720 -
Flags: review?(bugmail)
Assignee | ||
Updated•21 years ago
|
Attachment #138720 -
Flags: approval1.6?
Attachment #138720 -
Flags: review?(bugmail) → review+
Attachment #138720 -
Flags: superreview?(dbaron) → superreview+
Attachment #138720 -
Flags: approval1.6? → approval1.6+
Assignee | ||
Comment 16•21 years ago
|
||
Fix checked in on trunk and 1.6 branch.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 17•21 years ago
|
||
Comment on attachment 138720 [details] [diff] [review] Don't notify about a null document element being inserted into the document. >+ mDocument->BeginUpdate(UPDATE_CONTENT_MODEL); >+ mDocument->ContentInserted(nsnull, mDocElement, >+ // XXXbz is this last arg relevant if >+ // the container is null? >+ mDocument->IndexOf(mDocElement)); >+ mDocument->EndUpdate(UPDATE_CONTENT_MODEL); How about using mozAutoDocUpdate?
Comment 18•21 years ago
|
||
Side-note: In the same code block, what about: 255 nsIScriptLoader *loader = mDocument->GetScriptLoader(); and 291 mDocument->EndLoad(); when mDocument is null ?
Comment 19•21 years ago
|
||
mDocument can't be null at that point. (we ensure that the content sink gets created with a document). Besides, we'd crash much sooner if there wasn't one.
Comment 20•21 years ago
|
||
My mistake: I looked for |mDocument| while the issue was on |mDocElement| :-<
Assignee | ||
Comment 21•21 years ago
|
||
This code now uses mozAutoDocUpdate.
Updated•13 years ago
|
Crash Signature: [@nsHTMLDocument::RegisterNamedItems]
You need to log in
before you can comment on or make changes to this bug.
Description
•