Closed Bug 230283 Opened 21 years ago Closed 21 years ago

crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: volkmar, Assigned: jst)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

Stacktrace
1.93 KB, text/plain
Details
Don't notify about a null document element being inserted into the document.
2.33 KB, patch
sicking
: review+
dbaron
: superreview+
dbaron
: approval1.6+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040106 Firebird/0.7+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040106 Firebird/0.7+

Following the first link "schemas" on "http://schneegans.de/sv/" and stopping
loading of that new page by using the Esc button during loading crashes Firebird.

Reproducible: Always

Steps to Reproduce:
1. view http://schneegans.de/sv/
2. klick first link "schemas"
3. while new page loads, press Esc button
Actual Results:  
Firebird crashed

Expected Results:  
Continue viewing http://schneegans.de/sv/
Flags: blocking0.8?
also reproducable on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a)
Gecko/20040101 Firebird/0.7+ (aebrahim), 
note that this can be best reproduces with a slow connection and when the status
bar displays "transfering data..."
OS: Linux → All
Hardware: PC → All
Also occurs on Seamonkey 2004010122.

Confirming, reassigning, upping priority to Critical, adding crash keyword,
moving to Browser/Browser-General, removing Firebird blocking0.8?, adding
Seamonkey blocking1.6?. (*phew*)
Assignee: blake → general
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Flags: blocking0.8?
Keywords: crash
Product: Firebird → Browser
QA Contact: general
Version: unspecified → Trunk
Flags: blocking1.6?
Component: Browser-General → DOM: Level 0
Summary: Firebird crashes when changing to another site is stopped by using the ESC button → Firebird crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
Attached file Stacktrace 
stacktrace from a win2k trunk opt build with symbols
Assignee: general → general
QA Contact: general → ian
Getting 2 assertions here before crash:
###!!! ASSERTION: mDocElement not in doc?: 'mDocument->IndexOf(mDocElement) != -
1', file e:/mozilla/tree6/mozilla/content/xml/document/src/nsXMLContentSink.cpp,
 line 269

###!!! ASSERTION: Null content!: 'aContent', file e:/mozilla/tree6/mozilla/conte
nt/html/document/src/nsHTMLDocument.cpp, line 1369
would need a patch quickly to get this into 1.6.   does anyone know if this is a
recent regression?
Summary: Firebird crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems] → crashes when aborting pageload of another site [@nsHTMLDocument::RegisterNamedItems]
can't get 1.4 to crash...
1.5 also doesn't seem to crash
caillon, jst, dbaron...  any ideas on this one?
Flags: blocking1.6? → blocking1.6+
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031201  did
crash  but it seemed a bit harder to make the timimg line up to make the crash
happen.
> Getting 2 assertions here before crash:
> ###!!! ASSERTION: mDocElement not in doc?: 'mDocument->IndexOf(mDocElement) != -
> 1', file e:/mozilla/tree6/mozilla/content/xml/document/src/nsXMLContentSink.cpp,
> line 269

code around this changed in Oct.

1.293 <bzbarsky@mit.edu> 10 Oct 2003 17:27
Make sure to notify document observers even about content that gets added to
the document before StartLayout(). Block those notifications from getting
passed on to the frame constructor before StartLayout(), though. Bug 220930,
r=peterv, sr=jst
looks like 1.5 branched on Aug 29. so it looks like maybe sometime between Aug.
29 and Dec 1.  Narrowing the window is going to be touger since nightly builds
only go back to Dec 1.

bunch of decomtamination work going on since then too..
http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/content/xml/document/src/nsXMLContentSink.cpp

Older nightlys exist at http://archive.mozilla.org/pub/mozilla/nightly/ :) (i
didn't even know we had such an archive, but it's quite useful)
The crash is caused by mDocElement being null in
nsXMLContentSink::DidBuildModel().  This calls ContentInserted with aContainer
and aContent being null, which calls RegisterNamedItems, which dereferences the
null pointer.
Attachment #138720 - Flags: superreview?(dbaron)
Attachment #138720 - Flags: review?(bugmail)
Attachment #138720 - Flags: approval1.6?
Attachment #138720 - Flags: superreview?(dbaron) → superreview+
Taking.
Assignee: general → jst
Fix checked in on trunk and 1.6 branch.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 138720 [details] [diff] [review]
Don't notify about a null document element being inserted into the document.

>+      mDocument->BeginUpdate(UPDATE_CONTENT_MODEL);
>+      mDocument->ContentInserted(nsnull, mDocElement,
>+                                 // XXXbz is this last arg relevant if
>+                                 // the container is null?
>+                                 mDocument->IndexOf(mDocElement));
>+      mDocument->EndUpdate(UPDATE_CONTENT_MODEL);


How about using mozAutoDocUpdate?
Side-note:

In the same code block, what about:
255      nsIScriptLoader *loader = mDocument->GetScriptLoader();
and
291      mDocument->EndLoad();
when mDocument is null ?
mDocument can't be null at that point.  (we ensure that the content sink gets
created with a document).  Besides, we'd crash much sooner if there wasn't one.
My mistake:
I looked for |mDocument| while the issue was on |mDocElement| :-<
This code now uses mozAutoDocUpdate.
Crash Signature: [@nsHTMLDocument::RegisterNamedItems]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: