Closed Bug 289292 Opened 20 years ago Closed 20 years ago

[FIXr]crash while loading the page [@ nsContentList::IsContentAnonymous]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: ludovic, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files, 2 obsolete files)

win2k3 stack trace from 20050404 debug
2.44 KB, text/plain
Details
Testcase, zipped
5.84 KB, application/zip
Details
Fix the hangs
15.68 KB, patch
sicking
: review+
jst
: superreview+
chofmann
: approval1.8b2+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+ Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+ Firefox frequently crash or freeze while loading http://www.phoenixjp.net/news/fr/. This bug has been present for approximately 2 months (maybe more, I don't remember) in the trunk builds. It should load the page whithout crashing or freezing. Sometimes the page load well, sometimes I have to retry 5 or more times to succesfully load it. When it freezes, I have to kill Firefox's process in the task manager. Reproducible: Sometimes Steps to Reproduce: 1. Navigate to http://www.phoenixjp.net/news/fr Actual Results: Firefox crash or freeze while opening the page Expected Results: Open the page without crashing or hanging Error when it crashes : FIREFOX.EXE - Application Error The instruction at "0x..." referenced memory at "0x...". The memory could not be "read". Click on OK to terminate the program Click on CANCEL to debug the program
Version: unspecified → Trunk
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+ Crashed for me on second load, new profile. TB4884417Z
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050321 Firefox/1.0.2 Doesn't crash with ff v1.02 +kw regression
Keywords: regression
Another talkback id TB4884560W
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b) Gecko/20050119 Firefox/1.0+ Crashes in this (old) version too.
Note: I get many (10+) assertions (see the attachment) before the crash in my debug build. The stack in attachment 179843 [details] is from the crash and not from the assertion above and the crash is different from the Talkback stacks. BTW: it's not the best idea to confirm such a bug in FF:General. Moving to layout...
Assignee: firefox → nobody
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
got some one-liners and one longer Talkback: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB4887509E found it not crashing if JS was disabled. working: 1.8a Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a) Gecko/20040418 crashing: BuildId 2004062123, 2004081709 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040621 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a3) Gecko/20040817 Talkback:TB4887509E
crashing: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a1) Gecko/20040520-09 Timeframe for regression: 1.8a 2004041809 working 1.8a1 2004052009 crashing was looking shortly into http://archive.mozilla.org/pub/mozilla/nightly/, seems all 1.8 based nightlys are deleted (didn´t check all)
Seeing this on current Linux debug build, so am changing OS to 'All'. I get lots of ###!!! ASSERTION: Shallow unbind won't clear document and binding parent on kids!: 'aDeep || (!GetCurrentDoc() && !GetBindingParent())', file /home/clfenwi/moz/mozilla/content/base/src/nsGenericElement.cpp, line 1872 before Program ./mozilla-bin (pid = 23298) received signal 11. subsequent bt matches stacktrace in comment 5.
OS: Windows XP → All
Summary: crash while loading the page → crash while loading the page [@ nsContentList::IsContentAnonymous]
Attached file Testcase, zipped
Ok, this is sort of a minimal testcase. - Unzip testcase - Open the file named "U RL.htm" Result: crash
Assignee: nobody → general
Component: Layout → DOM: Load and Save
Keywords: testcase
QA Contact: layout → ian
Attached patch Patch (obsolete) — Splinter Review
So the problem is that the site calls document.load() a bunch of times in a row on the same document (in a loop). This starts of multiple loads, which then race to complete, all parsing into the same document. They clobber each other's content in the document (via SetRootContent), which causes nodes to be removed from the document (refs to them dropped) without UnbindFromTree being called on them and without relevant nsIDocumentObserver notifications happening. The result is that content lists that think they're up to date are holding pointers to deleted nodes; if they try to operate on them, they crash. What should be done if document.load() is called on an XML document that's in the middle of a load is an interesting question. I see three options: 1) Ignore the load() call. 2) Throw an exception. 3) Cancel the existing load and start the new one. Option 2 would break the page in the URL bar, as far as I can tell. Option 1 seems wrong in general. So I went with option 3.
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #180194 - Flags: superreview?(jst)
Attachment #180194 - Flags: review?(bugmail)
Priority: -- → P1
Summary: crash while loading the page [@ nsContentList::IsContentAnonymous] → [FIX]crash while loading the page [@ nsContentList::IsContentAnonymous]
Target Milestone: --- → mozilla1.8beta2
I'm not too exited about the inserted loadlistener. Is it just needed for the <parseerror> stuff? Couldn't we get hold of the sink instead and tell it to back off from the document?
Oh, and is this really xml specific?
> Is it just needed for the <parseerror> stuff? Yes. > Couldn't we get hold of the sink instead and tell it to back off from the > document? Maybe... I don't see a general way to do it, short of storing a pointer to the sink like the HTML document does. Perhaps we do want to just do that; we may need it later anyway to flush when we start doing incremental XML. > Oh, and is this really xml specific? So far, yes (can't call Load() on other document classes). document.open/write has a similar effect, but is sync and writing into a currently-being-parsed document has well-defined behavior (open() is ignored, write() inserts into the parse stream).
Yeah, I think adding a pointer to the sink is something we should do. Not sure even then how to tell the sink to back off though, is it enough to call cancle and set some flag indicating that it shouldn't create the <parseerror> stuff? Or is there a risk that there will be a few more OnDataAvailable calls from the stream even though it's cancled? An alternative solution might be to let the sink detect that the load was cancled and then not insert the parseerror?
> is it enough to call cancle and set some flag indicating that it shouldn't > create the <parseerror> stuff? Yes. > Or is there a risk that there will be a few more OnDataAvailable calls from > the stream even though it's cancled? If someone mis-implemented a necko channel, yes. But then there's risk of it completely ignoring cancel() too... ;) > An alternative solution might be to let the sink detect that the load was > cancled and then not insert the parseerror? That's a thought. I wonder what happens if I hit the stop button while we're parsing XML... Let me check on that.
Attached patch Without a listener (obsolete) — Splinter Review
Summary of changes: 1) Push mParser up from nsHTMLDocument to nsDocument. 2) Terminate the parser in nsXMLDocument if we're reset while we have a pending channel. 3) Fix nsParser::Terminate to work even if called before any data has been parsed. The change in nsDocument to where UnbindFromTree is called is just to make it match the nsIContent documentation better.
Attachment #180194 - Attachment is obsolete: true
Attachment #180376 - Flags: superreview?(jst)
Attachment #180376 - Flags: review?(bugmail)
Attachment #180194 - Attachment is obsolete: false
Attachment #180194 - Flags: superreview?(jst)
Attachment #180194 - Flags: review?(bugmail)
Comment on attachment 180376 [details] [diff] [review] Without a listener I take it calling terminate on the parser before cancling the stream is what stops us from creating the parseerror? r=me if i got that part right :)
Attachment #180376 - Flags: review?(bugmail) → review+
Yep, exactly. That Terminate() call shuts down expat on the stream (if we've started parsing already) and makes sure we don't call into expat when we get the OnStopRequest from necko.
Comment on attachment 180376 [details] [diff] [review] Without a listener This causes some nice hangs...
Attachment #180376 - Flags: superreview?(jst) → superreview-
Attached patch Fix the hangsSplinter Review
Jonas, the only difference is that this removes the mParser member of nsHTMLDocument in addition to adding an mParser to nsDocument... ;)
Attachment #180194 - Attachment is obsolete: true
Attachment #180376 - Attachment is obsolete: true
Attachment #180453 - Flags: superreview?(jst)
Attachment #180453 - Flags: review?(bugmail)
Comment on attachment 180453 [details] [diff] [review] Fix the hangs sr=jst
Attachment #180453 - Flags: superreview?(jst) → superreview+
Summary: [FIX]crash while loading the page [@ nsContentList::IsContentAnonymous] → [FIXr]crash while loading the page [@ nsContentList::IsContentAnonymous]
Comment on attachment 180453 [details] [diff] [review] Fix the hangs I think this is reasonably safe, for the sort of change it is, and this fixes crashes/hangs by making sure we don't access deleted DOM nodes...
Attachment #180453 - Flags: approval1.8b2?
Comment on attachment 180453 [details] [diff] [review] Fix the hangs a=chofmann
Attachment #180453 - Flags: approval1.8b2? → approval1.8b2+
Fixed
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsContentList::IsContentAnonymous]
Component: DOM: Other → DOM
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: