Closed Bug 89536 Opened 23 years ago Closed 23 years ago

DOM test crashes mozilla

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: Deinst, Assigned: jst)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: PDT+)

Attachments

(9 files, 1 obsolete file)

stacktrace
5.25 KB, text/plain
Details
Simplified testcase
507 bytes, text/html
Details
this will stop the crash
566 bytes, patch
Details | Diff | Splinter Review
slightly modified test case
472 bytes, text/html
Details
This patch fixes the crash but it introduces some asserts
846 bytes, patch
Details | Diff | Splinter Review
proposed fix
1.11 KB, patch
Details | Diff | Splinter Review
sorry, had an extra semicolon after "NS_OK"
1.11 KB, patch
Details | Diff | Splinter Review
updated patch as to jst's comments
1.08 KB, patch
Details | Diff | Splinter Review
minimized testcase - now with the right mimetype
206 bytes, text/html
Details 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2+)
Gecko/20010704
BuildID:    2001070404

David Baron's test for bug 17390 now crashes mozilla.

Reproducible: Always
Steps to Reproduce:
1.Load the indicated page.
2.DON'T PRESS THE RED BUTTON. Press the grey one. There is no red button.
3.

Actual Results:  Kablooie

Expected Results:  I don't know, but not kablooie.

Looking at the description of bug 17390 mozilla used to leak webshells.  Now it
eats them.

Talkback ID's
TB32576907K     - w2k
TB32576982K     - w2k
TB32577624K     - Linux

I haven't looked at the javascript (I keep pressing the button) but I will
attempt to simplify if necessary.
Attached file stacktrace 

    
  
Keywords: crash

    
    

    
  

      
      
      
      

        Attached file
          
        Simplified testcase
      

    


  

    
    

    
  
This line is causing the crash.

http://lxr.mozilla.org/seamonkey/source/content/base/src/nsDocument.cpp#2772

  if (content.get() == mRootContent)
    mRootContent = nsnull;

If i comment it out, we don't crash.
I'm still investigating.

--pete



    
    

    
  
If you apply patch #41524, you will stop the crash.
However, append child will not work in the test case.

Attaching slightly modified testcase.

--pete

    
    

    
  
If i apply this patch my dump output is as follows.

Document file:///tmp/crash.html loaded successfully
Root: [object HTMLHtmlElement @ 0x8823c80]
document: [object HTMLDocument @ 0x8823c40]
JavaScript error: 
 line 0: uncaught exception: [Exception... "Component returned failure code:
0x80530003 [nsIDOMHTMLDocument.appendChild]"  nsresult: "0x80530003 (<unknown>)"
 location: "JS frame :: file:///tmp/crash.html :: testX :: line 11"  data: no]

The js exception happens on the "document.appendChild(root)" call.

--pete


    
    

    
  
OK, the creasher is right at this call:

http://lxr.mozilla.org/seamonkey/source/content/html/document/src/nsHTMLDocument.cpp#3400

We call the method:

 FindNamedItems(aName, mRootContent, *list);

mRootContent == nsnull here.

So if we look at method FindNamedItems()

We get to here: 

http://lxr.mozilla.org/seamonkey/source/content/html/document/src/nsHTMLDocument.cpp#3335

aContent->GetTag(*getter_AddRefs(tag));

Which is really: 

nsnull->GetTag(*getter_AddRefs(tag));

So what should we be doing here when mRootContent == nsnull???

--pete











    
    

    
  
New asserts:

###!!! ASSERTION: content doc != frame ctor doc: 'doc.get() == aDocument', file
nsCSSFrameConstructor.cpp, line 854
###!!! ASSERTION: content doc != frame ctor doc: 'doc.get() == aDocument', file
nsCSSFrameConstructor.cpp, line 854
###!!! ASSERTION: content doc != frame ctor doc: 'doc.get() == aDocument', file
nsCSSFrameConstructor.cpp, line 854


--pete

    
    

    
  
This patch is not complete. It fixes this particular situation however, if i use
other DOM calls such as getElementById() we core dump, BOOM!.

I just added a check to that call to test for mRootContent and fixed that as
well, but i will need to go and fix any other methods that may die.

I'll post a fully tested and complete patch when i'm finished.

jst, you can assign this bug to me if you want.

--pete

    
    

    
  

      
      
      
      

        Attached patch
          
          
        proposed fixSplinter Review
      

    


  

    
    

    
  
Johnny can you look at this patch and see if everything is ok?

Thanks

--pete

    
    

    
  
As far as the assertion goes in nsCSSFrameConstructor.cpp, i think we are ok.
It is if def'd in there for debug builds only. If i undef DEBUG and test
everything works as expected.

So maybe we can review this patch now and get the fix in?

Thanks

--pete

    
    

    
  
Put the changes in nsHTMLDocument::GetElementById() *after*
NS_ENSURE_ARG_POINTER(), replace "if (nsnull==mRootContent)" with "if
(!mRootContent)" and "if (nsnull != mRootContent)" with "if (mRootContent)" and
add curly braces around the if expression in the later part of the changes and
you'll have my sr=jst.

Thanks alot for fixing this bug!

    
    

    
  
confirmed on windows 2000

    
    

    
  
sivakiran do i have an r=  from you?

If so, then i will check this sucker in.

--pete

    
    

    
  
I've reviewed this fix, and it looks good to me. r=pollmann@netscape.com

    
    

    
  
Checked in this morning.

--pete

    
    

    
  
jst, this looks like a harmless enough patch; is it worth taking on the branch?

    
    

    
  

      
      
      
      

        Attached file
          
        minimized testcase (obsolete)
        — 
      

    


  

    
    

    
  
Maybe, this should move off of the "new" radar?

--pete

    
    

    
  
PDT+.  We *love* null check crash fixes!  Please check in before the morning's
builds if you're still around.
Whiteboard: PDT+

    
    

    
  
post-checkin comment: ew on the difference in
space-between-if-and-opening-parenthesis with the surrounding code.

Checked in on the branch.

    
    

    
  
And it was already checked in on the trunk, right?
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED

    
    

    
  
Yup, this is already on the trunk, thanks jag for checking this in on the branch.

    
    

    
  
does not crash anymore ----but hangs 
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Works for me...

    
    

    
  
Works fine for me off the trunk on unix. No crashes, hangs. Behaves exacly as it
should.

What platform ands build are you seeing this on?

--pete



    
    

    
  
linux 07-18-04...

    
    

    
  
Sivakiran, please open a new bug on the hang you're seeing, markign this fixed
again.

Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED

    
    

    
  
verified
Status: RESOLVED → VERIFIED

    
  

        Attachment #42666 -
        Attachment is obsolete: true

        Attachment #42666 -
        Attachment is patch: false

        Attachment #42666 -
        Attachment mime type: text/plain → text/html

    
  
Component: DOM: HTML → DOM: Core & HTML
QA Contact: stummala → general

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: