Closed Bug 284330 Opened 20 years ago Closed 20 years ago

Trunk crash [@ nsXULDocument::OverlayForwardReference::Merge] (remove and replace broken in XUL overlays)

Categories

(Core :: XUL, defect, P1)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: mnyromyr, Assigned: bugs)

References

Details

(Keywords: crash, regression, topcrash+)

Crash Data

Attachments

(1 file, 1 obsolete file)

more complete patch
2.92 KB, patch
bzbarsky
: review+
bryner
: superreview+
brendan
: approval1.8b2+
Details | Diff | Splinter Review
[already 18 similar reports in SM/TB/FF since 2005-02-24: <http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsXULDocument%3A%3AOverlayForwardReference%3A%3AMerge&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid>] Mozilla 1.8b2 [Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050228] crashes when started by "mozilla -mail", e.g. with the Mnenhy extension is installed. I could debug the crash up to this piece of code where an <overlay> child is applied to the document tree [http://lxr.mozilla.org/mozilla/source/content/xul/document/src/nsXULDocument.cpp##3963]: 3963 nsCOMPtr<nsIDOMNode> nodeParent; 3964 rv = nodeInDocument->GetParentNode(getter_AddRefs(nodeParent)); 3965 if (NS_FAILED(rv)) return rv; 3966 nsCOMPtr<nsIDOMElement> elementParent(do_QueryInterface(nodeParent)); 3967 3968 nsAutoString parentID; 3969 elementParent->GetAttribute(NS_LITERAL_STRING("id"), parentID); GetParentNode in 3964 sets nodeParent to null, but does not set rv into an error state. QIing doesn't help, ergo BOOM in 3969... JFTR: In the case of Mnenhy, the triggering XUL code is this [http://www.mozdev.org/source/browse/mnenhy/src/bin/chrome/mnenhy/content/mnenhy/headers/mnenhy-headers-msgHdrViewOverlay.xul?rev=1.9&content-type=text/x-cvsweb-markup]: <overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" id ="mnenhyHeadersMsgHdrViewOverlay" > <script type="application/x-javascript" src="chrome://mnenhy/content/mnenhy-loader.js"/> <script type="application/x-javascript" src="chrome://mnenhy-headers/content/mnenhy-headers-msgHdrViewOverlay-loader.js"/> <script type="application/x-javascript"> <![CDATA[ [... skipped a formerly valid skript ...] ]]> </script> <!-- expanded view --> <hbox id="expandedHeaderView"> [... skipped more formerly valid XUL ...] </hbox> </overlay>
Wrt the example XUL code: the crash appears when checking the hbox wit id="expandedHeaderView".
> GetParentNode in 3964 sets nodeParent to null, but does not set rv into an > error state That's the right behavior for GetParentNode. It looks like the only crash on 2005-02-24 was with a Firefox 1.0 build. All the other crashes with this stack are from builds with bug 282103 fixed... Karsten can you confirm that the crash starts when that patch is checked in? Or was it something else?
Assignee: nobody → bugs
The nightly Mozilla 1.8b2 [Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050225; BuildID=2005022504] does *not* crash, but BuildID=2005022605 does. This period does indeed contain the checkins to bug 282103: <http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-02-24+05%3A00%3A00&maxdate=2005-02-25+07%3A00%3A00&cvsroot=%2Fcvsroot> Backing out attachment 175054 [details] [diff] [review] fixes the crash.
Blocks: 282103
Keywords: topcrash
Fixing summary and adding a few sets of recent Trunk Talkback data for future reference: Count Offset Real Signature [ 17 nsXULDocument::OverlayForwardReference::Merge 27de07fa - nsXULDocument::OverlayForwardReference::Merge ] Crash date range: 01-MAR-05 to 28-FEB-05 Min/Max Seconds since last crash: 1 - 4953 Min/Max Runtime: 3 - 5008 Count Platform List 13 Windows XP [Windows NT 5.1 build 2600] 4 Windows 2K [Windows NT 5.0 build 2195] Count Build Id List 7 2005022705 3 2005030305 3 2005030105 2 2005022805 1 2005030405 1 2005022504 No of Unique Users 6 Stack trace(Frame) nsXULDocument::OverlayForwardReference::Merge [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp line 3969] nsXULDocument::OverlayForwardReference::Resolve [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp line 3831] nsXULDocument::ResolveForwardReferences [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp line 1352] nsXULDocument::ResumeWalk [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp line 3155] nsXULDocument::EndLoad [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULDocument.cpp line 742] XULContentSinkImpl::DidBuildModel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/document/src/nsXULContentSink.cpp line 407] (4101645) Comments: Start MailNews after installing mnenhy-0.7.1.10005.xpi. (4045178) Comments: mnenhy + mail news (4044933) Comments: mnenhy + mail news (4035880) Comments: try to open mail/news (4035772) Comments: Crashed while try to open mail/news (4016548) Comments: -mail +mnenhy (3934753) Comments: Swtch from browser to mailnews (mnenhy installed as sole extension) ==================================================================================================== Count Offset Real Signature [ 2 nsXULDocument::OverlayForwardReference::Merge() 90c92935 - nsXULDocument::OverlayForwardReference::Merge() ] Crash date range: 01-MAR-05 to 01-MAR-05 Min/Max Seconds since last crash: 0 - 0 Min/Max Runtime: 1 - 1 Count Platform List 2 [Linux 2.6.8.1-10mdk] Count Build Id List 2 2005022801 No of Unique Users 1 Stack trace(Frame) nsXULDocument::OverlayForwardReference::Merge() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp line 848] nsXULDocument::OverlayForwardReference::Resolve() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp line 3831] nsXULDocument::ResolveForwardReferences() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp line 1352] nsXULDocument::ResumeWalk() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp line 3154] nsXULDocument::OnPrototypeLoadDone() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp line 768] nsXULPrototypeDocument::NotifyLoadDone() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULPrototypeDocument.cpp line 752] nsXULDocument::EndLoad() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULDocument.cpp line 733] XULContentSinkImpl::DidBuildModel() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/content/xul/document/src/nsXULContentSink.cpp line 713] nsExpatDriver::DidBuildModel() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/parser/htmlparser/src/nsExpatDriver.cpp line 713] nsParser::DidBuildModel() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/parser/htmlparser/src/nsParser.cpp line 842] nsParser::ResumeParse() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/parser/htmlparser/src/nsParser.cpp line 1994] nsParser::OnStopRequest() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/parser/htmlparser/src/nsParser.cpp line 830] nsJARChannel::OnStopRequest() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/modules/libjar/nsJARChannel.cpp line 713] nsInputStreamPump::OnStateStop() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp line 713] nsInputStreamPump::OnInputStreamReady() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp line 343] nsInputStreamReadyEvent::EventHandler() PL_HandleEvent() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/xpcom/threads/plevent.c line 698] PL_ProcessPendingEvents() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/xpcom/threads/plevent.c line 633] nsEventQueueImpl::ProcessPendingEvents() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/xpcom/threads/nsEventQueue.cpp line 417] event_processor_callback() [/builds/tinderbox/SeaMonkey-Release/Linux_2.4.20-28.8_Depend/mozilla/widget/src/gtk2/nsAppShell.cpp line 71] This is a topcrasher for both Mozilla and Thunderbird Trunks. Here is a link to all current Talkback data for this crash: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=nsXULDocument%3A%3AOverlayForwardReference%3A%3AMerge&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid Looks like a regression that happened around 2/25-2/27...adding regression and zt4newcrash keywords. Ben had a checkin around the area of the crash on 2/25: 1.647 <ben@bengoodger.com> 2005-02-25 01:06 282103 - dynamic overlays: implement "loadOverlay" method on nsIDOMXULDocument which loads and merges an overlay into a XUL document. r=jst sr=bryner
Keywords: regression, zt4newcrash
Summary: Crash in nsXULDocument::OverlayForwardReference::Merge [@27de07fa] → Trunk crash [@ nsXULDocument::OverlayForwardReference::Merge]
I'm building my current nightlys applying the patch from http://www.triffids.de/pub/mozilla/patch/patch-mnenh_crash which reverts https://bugzilla.mozilla.org/attachment.cgi?id=175054. The crash is gone. Couldn't wait longer because mozilla without mnenhy is, eh, ... urks. ;)
Flags: blocking-aviary1.1?
Keywords: topcrashtopcrash+
So its seems, that we all have to wait until you're back in town... Is there nobody else 'in town' how can fix this bug?
After some more digging down, it seems that the "killing factor" here is this now broken XUL construction in the overlay: <hbox id="expandedHeaderView"> <!-- exchange the expandedHeaders vbox to avoid mismatching item types --> <vbox id="expandedHeaders" removeelement="true"/> <vbox id="expandedHeaders" persist="MnenhyState" flex="1" position="2"> ... The nodeInDocument (= the element to be removed in the actual document) in line 3964 does not have a parent... If I remove the "removeelement" attribute, no crash appears (here, but at the next "removeelement" attribute :-/)... tbc...
So, I guess I found what's causing the problem: The changes if (attr == nsXULAtoms::removeelement && value.EqualsLiteral("true")) { - rv = RemoveElement(aTargetNode->GetParent(), aTargetNode); + rv = RemoveElement(aTargetNode->GetParent(), aTargetNode, aNotify); if (NS_FAILED(rv)) return rv; and -nsXULDocument::RemoveElement(nsIContent* aParent, nsIContent* aChild) +nsXULDocument::RemoveElement(nsIContent* aParent, nsIContent* aChild, PRBool aNotify) { PRInt32 nodeOffset = aParent->IndexOf(aChild); - return aParent->RemoveChildAt(nodeOffset, PR_TRUE); + return aParent->RemoveChildAt(nodeOffset, aNotify); remove an element with 'removeelement' attribute just from the childNodes, but not from the mElementMap: aNotify is false, resulting in ContentRemoved *not* to be called by nsXULElement::RemoveChildAt [nsXULElement.cpp(1176)]: if (aNotify && doc) { doc->ContentRemoved(this, oldKid, aIndex); } Then GetElementById still finds the node in its map, but the node itself has no parent anymore ==> BOOM!
A possible solution.
Attachment #177957 - Flags: superreview?(bryner)
Attachment #177957 - Flags: review?(bugs)
Assignee: bugs → nobody
Assignee: nobody → bugs
Status: NEW → ASSIGNED
Flags: blocking-aviary1.1? → blocking-aviary1.1+
Priority: -- → P1
Um... We're doing RemoveElementAt() while the DOM is in an inconsistent state (some content has been added, but not notified on yet)? And using DOM methods while we're in that state? Both sound like really bad ideas to me... (that is, all the code involved looks really suspect; while this patch probably fixes the immediate crash, the code in general probably has other issues).
Be it as it may (I'm really absolutely no expert in this area of code), crashing on basic XUL overlay features like deleting and replacing elements for four weeks now is just intolerable. So we either should get at least the crash fixed or the patch of bug 282103 backed out, IMO. Blocking aviary 1.1 doesn't really help, because that may leave the trunk broken for some more months... Ben?
Summary: Trunk crash [@ nsXULDocument::OverlayForwardReference::Merge] → Trunk crash [@ nsXULDocument::OverlayForwardReference::Merge] (remove and replace broken in XUL overlays)
This needs to block 1.8b2, actually...
Flags: blocking1.8b2?
Actually if i look at the policy for the zt4newcrash keyword (this crash here is #2 on topcrasher list), the checkin from Bug 282103 needs to be backed out now.
I'll look at this this week.
ben is working on this today
I believe the solution to be pretty much what Karsten posted. The reason why is that the change to using aNotify for RemoveElement was probably a mistake. When implementing the Dynamic Overlay patch, I used aNotify to allow the various sections of code that would otherwise not notify the FE of their creation to do so so that when overlays were loaded after the document was displayed that the dynamic modifications would be shown. Basically, aNotify was used to allow PR_TRUE to be passed in some cases, where PR_FALSE had been supplied exclusively in the past. With RemoveElement, PR_TRUE was the only value ever passed. An alternative is to do the RemoveSubtreeFromDocument call manually in OverlayForwardReference::Resolve when aNotify is PR_FALSE. That may be more desirable in the pre-construction case where we may not want to notify (bz? -- the implementation of "removeelement" has worked like this for years...) At any rate, rolling back the use of aNotify in this instance seems to fix the bug.
Attachment #177957 - Attachment is obsolete: true
Attachment #179224 - Flags: superreview?(bryner)
Attachment #179224 - Flags: review?(bzbarsky)
> bz? -- the implementation of "removeelement" has worked like this for years... Arguably, so has XUL in general, and I can probably point you to a half-dozen crashers in core XUL without any effort. Just because people usually don't do something, doesn't mean assuming they never will is a good idea.... I'd definitely like to see a followup bug on reconciling what this code is trying to do (which then needs documenting) with what invariants need to be maintained to keep the DOM from crashing.
Comment on attachment 179224 [details] [diff] [review] more complete patch r=bzbarsky, I guess....
Attachment #179224 - Flags: review?(bzbarsky) → review+
Attachment #179224 - Flags: superreview?(bryner) → superreview+
Attachment #177957 - Flags: superreview?(bryner)
Attachment #177957 - Flags: review?(bugs)
So this topcrasher has sufficient review flags to be checked in for a halfweek now - anything else missing to get the trunk usable again? ;-)
I can confirm the crash with current trunk builds of Thunderbird (Linux). OS => ALL.
OS: Windows 2000 → All
(In reply to comment #21) > I can confirm the crash with current trunk builds of Thunderbird (Linux). No wonder, cause nobody check in the existing patch. Do we realy need to wait until Ben do that? Rue -just asking- diger
Attachment #179224 - Flags: approval1.8b2?
Comment on attachment 179224 [details] [diff] [review] more complete patch Approved for 1.8b2 trunk landing -- Ben, please do this ASAP. /be
Attachment #179224 - Flags: approval1.8b2? → approval1.8b2+
checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: blocking1.8b2?
Status: RESOLVED → VERIFIED
Target Milestone: --- → mozilla1.8beta2
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.widgets
Crash Signature: [@ nsXULDocument::OverlayForwardReference::Merge]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: