Closed Bug 115864 Opened 23 years ago Closed 23 years ago

invalid XUL crashes mozilla

Categories: Core :: XUL, defect
Hardware / OS: x86 / All
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED
Target Milestone: Future

People: Reporter: vargaz, Assigned: hyatt

Details
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.6+) Gecko/20011218
BuildID:    2001121803

The following invalid XUL crashes mozilla:

<?xml version="1.0"?>
<window

  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<window>
<window>

Reproducible: Always
Steps to Reproduce:
1. save the XUL fragment into a file
2. open it using mozilla.exe -chrome

Actual Results:  mozilla crashed

Expected Results:  an error dialog should be displayed
Status: UNCONFIRMED → NEW
Ever confirmed: true
I actually do get a warning in my debug build shortly before the crash.
OS->All, sev->crit.

Stack (note this tree's a bit stale):

XML Error in file 'chrome://jtest/content/xulcrash.xul', Line Number: 7, Col
Number: 1, Description: no element found
Source Line:

Program received signal SIGSEGV, Segmentation fault.
0x40d485c7 in nsLoadGroup::RemoveRequest (this=0x812d578, request=0x0, 
    ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:491
491             request->GetName(getter_Copies(nameStr));
(gdb) bt
#0  0x40d485c7 in nsLoadGroup::RemoveRequest (this=0x812d578, request=0x0, 
    ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:491
#1  0x4142ec0e in nsXULDocument::ResumeWalk (this=0x81b3568)
    at nsXULDocument.cpp:5909
#2  0x4141bf9d in nsXULDocument::EndLoad (this=0x81b3568)
    at nsXULDocument.cpp:1658
#3  0x4140ff43 in XULContentSinkImpl::DidBuildModel (this=0x8245260, 
    aQualityLevel=1) at nsXULContentSink.cpp:535
#4  0x408e97d1 in CWellFormedDTD::DidBuildModel (this=0x8235170, 
    anErrorCode=0, aNotifySink=1, aParser=0x8234678, aSink=0x8245260)
    at nsWellFormedDTD.cpp:306
#5  0x408e0849 in nsParser::DidBuildModel (this=0x8234678, anErrorCode=0)
    at nsParser.cpp:1387
#6  0x408e16f9 in nsParser::ResumeParse (this=0x8234678, allowIteration=1, 
    aIsFinalChunk=1) at nsParser.cpp:1890
#7  0x408e3201 in nsParser::OnStopRequest (this=0x8234678, request=0x81bc050, 
    aContext=0x0, status=0) at nsParser.cpp:2538
#8  0x40efb7b4 in nsDocumentOpenInfo::OnStopRequest (this=0x81bc220, 
    request=0x81bc050, aCtxt=0x0, aStatus=0) at nsURILoader.cpp:252
#9  0x40dad284 in nsFileChannel::OnStopRequest (this=0x81bc050, 
    request=0x81bc244, context=0x0, aStatus=0) at nsFileChannel.cpp:481
#10 0x40dd582c in nsOnStopRequestEvent::HandleEvent (this=0x80a9448)
    at nsRequestObserverProxy.cpp:176
#11 0x40d4ea59 in nsARequestObserverEvent::HandlePLEvent (plev=0x80a9448)
    at nsRequestObserverProxy.cpp:79
#12 0x401eaaa1 in PL_HandleEvent (self=0x80a9448) at plevent.c:590
#13 0x401eb2cd in PL_ProcessEventsBeforeID (aSelf=0x8097270, aID=158)
    at plevent.c:1256
#14 0x409ec7fb in processQueue (aElement=0x8097270, aData=0x9e)
    at nsAppShell.cpp:479
#15 0x401a35b1 in nsVoidArray::EnumerateForwards (this=0x8078c00, 
    aFunc=0x409ec7cc <processQueue(void *, void *)>, aData=0x9e)
    at nsVoidArray.cpp:652
#16 0x409ec844 in nsAppShell::ProcessBeforeID (aID=158) at nsAppShell.cpp:487
#17 0x409f5ae7 in handle_gdk_event (event=0x81f1840, data=0x0)
    at nsGtkEventHandler.cpp:908
#18 0x40496d00 in gdk_event_free () from /usr/lib/libgdk-1.2.so.0
Severity: minor → critical
OS: Windows NT → All
Hyatt, could this be a side-effect of that bug where we sometimes mess up
loadgroups, and we crash when removing an empty or wrong loadgroup here?
Hmm, so the spot I crashed in only happens in debug builds (inside a PR_LOGGING
block) -- ResumeWalk passes |nsnull| as an nsIRequest to
nsLoadGroup::RemoveRequest.  I commented out the logging code to see where it
would crash:


###!!! ASSERTION: NS_ENSURE_TRUE(window) failed: 'window', file
nsContentTreeOwner.cpp, line 584
###!!! Break: at file nsContentTreeOwner.cpp, line 584
###!!! ASSERTION: NS_ENSURE_TRUE(docShellElement) failed: 'docShellElement',
file nsXULWindow.cpp, line 956
###!!! Break: at file nsXULWindow.cpp, line 956
###!!! ASSERTION: NS_ENSURE_TRUE(windowElement) failed: 'windowElement', file
nsXULWindow.cpp, line 976
###!!! Break: at file nsXULWindow.cpp, line 976
###!!! ASSERTION: no xul:window: 'windowElement', file nsXULWindow.cpp, line
768
###!!! Break: at file nsXULWindow.cpp, line 768

Program received signal SIGSEGV, Segmentation fault.
0x406415fb in malloc () from /lib/libc.so.6
(gdb) bt
#0  0x406415fb in malloc () from /lib/libc.so.6
#1  0x40640d3e in malloc () from /lib/libc.so.6
#2  0x402ea11f in PR_Malloc (size=127) at prmem.c:54
#3  0x401f74f3 in nsMemoryImpl::Alloc (this=0x806d020, size=127)
    at nsMemoryImpl.cpp:320
#4  0x401f7d71 in nsMemory::Alloc (size=127) at nsMemoryImpl.cpp:556
#5  0x40228454 in nsStr::Alloc (aDest=@0xbfffeacc, aCount=126) at
nsStr.cpp:695
#6  0x40228544 in nsStr::Realloc (aDest=@0xbfffeb38, aCount=126)
    at nsStr.cpp:723
#7  0x402273d9 in nsStr::EnsureCapacity (aString=@0xbfffeb38, aNewLength=126)
    at nsStr.cpp:117
#8  0x402274a6 in nsStr::GrowCapacity (aDest=@0xbfffec7c, aNewLength=126)
    at nsStr.cpp:147
#9  0x40228cbd in nsCString::SetCapacity (this=0xbfffec78, aNewCapacity=70)
    at nsString.cpp:200
#10 0x4022ad39 in NS_ConvertUCS2toUTF8::Append (this=0xbfffec78,
    aString=0x82411a8, aLength=69) at nsString.cpp:1271
#11 0x4022ac3f in NS_ConvertUCS2toUTF8::NS_ConvertUCS2toUTF8 (this=0xbfffec78,
    aString=@0xbfffed00) at nsString.cpp:1240
#12 0x40223740 in ToNewUTF8String (aSource=@0xbfffed00)
    at nsReadableUtils.cpp:211
#13 0x40f0d067 in GetURIStringFromRequest (request=0x81c79b8,
aStr=@0xbfffedb0)
    at nsDocLoader.cpp:92
#14 0x40f0fd64 in nsDocLoaderImpl::FireOnStateChange (this=0x817c888,
    aProgress=0x816381c, aRequest=0x81c79b8, aStateFlags=786448, aStatus=0)
    at nsDocLoader.cpp:1080
#15 0x40f100c5 in nsDocLoaderImpl::FireOnStateChange (this=0x8163808,
    aProgress=0x816381c, aRequest=0x81c79b8, aStateFlags=786448, aStatus=0)
    at nsDocLoader.cpp:1116
#16 0x40f0f009 in nsDocLoaderImpl::doStopDocumentLoad (this=0x8163808,
    request=0x81c79b8, aStatus=0) at nsDocLoader.cpp:749
#17 0x40f0ecd8 in nsDocLoaderImpl::DocLoaderIsEmpty (this=0x8163808)
    at nsDocLoader.cpp:645
#18 0x40f0e9f2 in nsDocLoaderImpl::OnStopRequest (this=0x8163808,
    aRequest=0x81c79b8, aCtxt=0x0, aStatus=0) at nsDocLoader.cpp:575
#19 0x40835745 in nsLoadGroup::RemoveRequest (this=0x81324b0,
    request=0x81c79b8, ctxt=0x0, aStatus=0) at nsLoadGroup.cpp:527
#20 0x4089a1a3 in nsFileChannel::OnStopRequest (this=0x81c79b8,
    request=0x81c7704, context=0x0, aStatus=0) at nsFileChannel.cpp:485
#21 0x408c26ec in nsOnStopRequestEvent::HandleEvent (this=0x81ea4a0)
    at nsRequestObserverProxy.cpp:176
#22 0x4083b919 in nsARequestObserverEvent::HandlePLEvent (plev=0x81ea4a0)
    at nsRequestObserverProxy.cpp:79
#23 0x401eaaa1 in PL_HandleEvent (self=0x81ea4a0) at plevent.c:590
#24 0x401eb2cd in PL_ProcessEventsBeforeID (aSelf=0x8097270, aID=158)
    at plevent.c:1256
#25 0x40b897fb in processQueue (aElement=0x8097270, aData=0x9e)
    at nsAppShell.cpp:479
#26 0x401a35b1 in nsVoidArray::EnumerateForwards (this=0x807e520,
    aFunc=0x40b897cc <processQueue(void *, void *)>, aData=0x9e)
#27 0x40b89844 in nsAppShell::ProcessBeforeID (aID=158) at nsAppShell.cpp:487
#28 0x40b92ae7 in handle_gdk_event (event=0x81fce50, data=0x0)
    at nsGtkEventHandler.cpp:908
#29 0x40496d00 in gdk_event_free () from /usr/lib/libgdk-1.2.so.0

Confirming on 2001121808/Linux. Talkback TB643545X
Status: NEW → ASSIGNED
Target Milestone: --- → Future
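The comment above pins the debug-build crash on ResumeWalk handing |nsnull| to nsLoadGroup::RemoveRequest, which then dereferences it inside a PR_LOGGING block (request->GetName at nsLoadGroup.cpp:491). The following is an added illustration, not Mozilla's code: it uses stand-in types (nsresult, nsIRequest, nsLoadGroup, FinishLoad are all simplified assumptions) to show the defensive shape of such a method, where the null check runs before any use of the pointer, including the logging path, so debug and release builds fail the same way (an error code) instead of one of them segfaulting.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Stand-ins for the Mozilla types named in the stack trace (assumed, not the real API).
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_NULL_POINTER = 0x80004003;  // XPCOM's value for a null arg
static const nsresult NS_ERROR_FAILURE = 0x80004005;

struct nsIRequest {
    std::string mName;
    nsresult GetName(std::string& aName) const { aName = mName; return NS_OK; }
};

class nsLoadGroup {
public:
    void AddRequest(nsIRequest* request) { mRequests.push_back(request); }
    size_t Count() const { return mRequests.size(); }

    // Hardened RemoveRequest: validate the pointer before *any* use of it.
    // The crash on the page happened because a logging block (only compiled
    // in debug builds) dereferenced 'request' before the method had checked it.
    nsresult RemoveRequest(nsIRequest* request, void* /*ctxt*/, nsresult /*aStatus*/) {
        if (!request) {
            return NS_ERROR_NULL_POINTER;  // reject instead of crashing
        }
#ifdef LOADGROUP_LOGGING
        // Debug-only diagnostics now sit behind the null check, so enabling
        // logging cannot introduce a code path that release builds never exercise.
        std::string name;
        request->GetName(name);
        std::fprintf(stderr, "RemoveRequest %s\n", name.c_str());
#endif
        for (auto it = mRequests.begin(); it != mRequests.end(); ++it) {
            if (*it == request) {
                mRequests.erase(it);
                return NS_OK;
            }
        }
        return NS_ERROR_FAILURE;  // request was never in this group
    }

private:
    std::vector<nsIRequest*> mRequests;
};

// Simplified stand-in for the ResumeWalk/EndLoad path: when the document failed
// to parse there is no pending request, so the pointer handed on is null.
// The caller propagates the error code rather than assuming success.
nsresult FinishLoad(nsLoadGroup& group, nsIRequest* pendingRequest) {
    return group.RemoveRequest(pendingRequest, nullptr, NS_OK);
}

int main() {
    nsLoadGroup group;
    nsIRequest req{"chrome://example/content/test.xul"};  // constructed sample request
    group.AddRequest(&req);
    // Simulates the bug's situation: parse error, no request to remove.
    std::printf("null request  -> 0x%08x\n", FinishLoad(group, nullptr));
    std::printf("real request  -> 0x%08x\n", FinishLoad(group, &req));
    std::printf("removed twice -> 0x%08x\n", FinishLoad(group, &req));
    return 0;
}
```

The point of the ordering is that a check placed after a logging block protects only the builds in which that block is compiled out; putting it first means the debug assertion-style failures seen later in the thread (NS_ENSURE_TRUE on a missing window element) would surface as clean error returns rather than a SIGSEGV.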
No longer seeing this with a linux CVS build (20020210) -- instead I get an XML
parser error.  Anyone mind if I close this one?
I don't see it either on the original platform (NT). So it's probably fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: jrgmorrison → xptoolkit.widgets