Closed Bug 15560 Opened 25 years ago Closed 25 years ago

unsafe FireOnEndDocumentLoad code

Categories

(Core Graveyard :: Embedding: APIs, defect, P3)

x86
Linux
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: kipp, Assigned: rpotts)

Details

The viewer triggers this with its "-f file" argument. What happens is that
during the firing of the end-document-load observer call, the observer removes
itself (because it's being destroyed). Unfortunately, this causes the loop in
nsDocLoader.cpp to try to use an index past the end of the array of observers...

What really needs to be done here is to have a safe iterator over the doc
observers that can handle changes to the observer list during iteration...

I have a temporary workaround which should fix viewer: just check for null
coming back from ElementAt... But it's not a real solution.

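The iteration hazard described above, modelled as an added example (this is constructed illustration code, not code from the bug, the viewer or Mozilla): a count-once walk over an observer array, beside a walk over a snapshot that keeps its own strong references so an observer may unregister itself mid-callback. The names Observer, FireUnsafe, FireSafe, Run and the three-observer scenario are assumptions of the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Observer that unregisters itself while being notified, as the viewer's
// observer does when it is torn down inside FireOnEndDocumentLoad.
struct Observer {
    std::vector<std::shared_ptr<Observer>>* list;
    bool removeSelf; int notified = 0;
    Observer(std::vector<std::shared_ptr<Observer>>* l, bool r) : list(l), removeSelf(r) {}
    void OnEndDocumentLoad() {
        ++notified;
        if (removeSelf)
            list->erase(std::remove_if(list->begin(), list->end(),
                [this](const std::shared_ptr<Observer>& p) { return p.get() == this; }),
                list->end());
    }
};
using ObserverList = std::vector<std::shared_ptr<Observer>>;
// Unsafe walk (the pattern the bug describes): the count is read once, so after a self-removal
// the index runs past the end (counted here, not dereferenced) and the shifted-down observer is skipped.
int FireUnsafe(ObserverList& list) {
    int pastEnd = 0;
    std::size_t count = list.size();
    for (std::size_t i = 0; i < count; ++i) {
        if (i >= list.size()) { ++pastEnd; continue; }  // ElementAt() would yield null here
        list[i]->OnEndDocumentLoad();
    }
    return pastEnd;
}
// Safe walk: notify a snapshot that owns its own strong references, so removal or
// destruction during the callback cannot disturb the loop or free a live observer.
int FireSafe(ObserverList& list) {
    ObserverList snapshot = list;
    for (const auto& o : snapshot) o->OnEndDocumentLoad();
    return static_cast<int>(snapshot.size());
}
// Constructed scenario (not from the bug): three observers, the first removes itself.
struct Outcome { int rc, a, b, c; std::size_t remaining; };
Outcome Run(bool safe) {
    ObserverList list;
    auto a = std::make_shared<Observer>(&list, true);
    auto b = std::make_shared<Observer>(&list, false);
    auto c = std::make_shared<Observer>(&list, false);
    list = {a, b, c};
    int rc = safe ? FireSafe(list) : FireUnsafe(list);
    return {rc, a->notified, b->notified, c->notified, list.size()};
}
```

Run(false) shows the unsafe walk stepping past the end once and never notifying the second observer, while Run(true) delivers all three notifications; the null check the report mentions as a workaround only hides the first symptom, not the skipped observer.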
When I execute the AutoFill smoke test I get a crash (stack trace follows). Is
this related to this bug?

nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x056d9c40, nsIChannel * 0x056dabc0, unsigned int 2152398850) line 870 + 25 bytes
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x056d9c44, nsIChannel * 0x00000000, nsISupports * 0x00000000, unsigned int 2152398850, unsigned short * 0x00000000) line 752 + 31 bytes
nsLoadGroup::Cancel(nsLoadGroup * const 0x056d9bd0) line 326 + 44 bytes
nsDocLoaderImpl::Stop(nsDocLoaderImpl * const 0x056d9c40) line 584 + 26 bytes
nsWebShell::Stop(nsWebShell * const 0x056d8350) line 2350
nsWebShell::Destroy(nsWebShell * const 0x056d8350) line 1146
nsGfxTextControlFrame::~nsGfxTextControlFrame() line 250
nsGfxTextControlFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::Destroy(nsFrame * const 0x0520e890, nsIPresContext & {...}) line 353 + 34 bytes
nsFrameList::DestroyFrames(nsIPresContext & {...}) line 29
nsContainerFrame::Destroy(nsContainerFrame * const 0x04484598, nsIPresContext & {...}) line 88
nsFrameList::DestroyFrame(nsIPresContext & {...}, nsIFrame * 0x04484598) line 115
nsBoxFrame::RemoveFrame(nsBoxFrame * const 0x04482a70, nsIPresContext & {...}, nsIPresShell & {...}, nsIAtom * 0x00000000, nsIFrame * 0x04484598) line 1388
FrameManager::RemoveFrame(FrameManager * const 0x056d1760, nsIPresContext & {...}, nsIPresShell & {...}, nsIFrame * 0x04482a70, nsIAtom * 0x00000000, nsIFrame * 0x04484598) line 532
nsCSSFrameConstructor::ContentRemoved(nsCSSFrameConstructor * const 0x056d5660, nsIPresContext * 0x056d57c0, nsIContent * 0x056b8f90, nsIContent * 0x056b8c00, int 0) line 6411 + 58 bytes
nsCSSFrameConstructor::RecreateFramesForContent(nsIPresContext * 0x056d57c0, nsIContent * 0x056b8c00) line 7814 + 28 bytes
nsCSSFrameConstructor::AttributeChanged(nsCSSFrameConstructor * const 0x056d5660, nsIPresContext * 0x056d57c0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int 2) line 6951 + 16 bytes
StyleSetImpl::AttributeChanged(StyleSetImpl * const 0x056d1a40, nsIPresContext * 0x056d57c0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int -1) line 923
PresShell::AttributeChanged(PresShell * const 0x056d5558, nsIDocument * 0x052596b0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int -1) line 1719 + 53 bytes
XULDocumentImpl::AttributeChanged(XULDocumentImpl * const 0x052596b0, nsIContent * 0x056b8c00, nsIAtom * 0x01657df0, int -1) line 1735
RDFElementImpl::SetAttribute(RDFElementImpl * const 0x056b8c00, int 0, nsIAtom * 0x01657df0, const nsString & {...}, int 1) line 2453
RDFElementImpl::SetAttribute(RDFElementImpl * const 0x056b8bf0, const nsString & {...}, const nsString & {...}) line 1275 + 35 bytes
ElementSetAttribute(JSContext * 0x051e7d50, JSObject * 0x02e42de0, unsigned int 2, long * 0x044790b4, long * 0x0012c18c) line 258 + 26 bytes
js_Invoke(JSContext * 0x051e7d50, unsigned int 2, unsigned int 0) line 672 + 26 bytes
js_Interpret(JSContext * 0x051e7d50, long * 0x0012ca04) line 2248 + 15 bytes
js_Invoke(JSContext * 0x051e7d50, unsigned int 0, unsigned int 0) line 688 + 13 bytes
js_Interpret(JSContext * 0x051e7d50, long * 0x0012d238) line 2248 + 15 bytes
js_Invoke(JSContext * 0x051e7d50, unsigned int 1, unsigned int 2) line 688 + 13 bytes
js_InternalCall(JSContext * 0x051e7d50, JSObject * 0x0260ba00, long 39893088, unsigned int 1, long * 0x0012d3b8, long * 0x0012d370) line 765 + 15 bytes
JS_CallFunction(JSContext * 0x051e7d50, JSObject * 0x0260ba00, JSFunction * 0x056b75d0, unsigned int 1, long * 0x0012d3b8, long * 0x0012d370) line 2650 + 32 bytes
nsJSContext::CallFunction(nsJSContext * const 0x0519c030, void * 0x0260ba00, void * 0x056b75d0, unsigned int 1, void * 0x0012d3b8, int * 0x0012d3b4) line 231 + 39 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x056dd7b0) line 103 + 48 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent * 0x0012d710, nsIDOMEvent * * 0x0012d5b8, unsigned int 7, nsEventStatus & nsEventStatus_eIgnore) line 1025 + 21 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x051981c4, nsIPresContext & {...}, nsEvent * 0x0012d710, nsIDOMEvent * * 0x0012d5b8, unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2784
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x05234e54, nsIDocumentLoader * 0x05233090, nsIChannel * 0x0361bf10, unsigned int 0, nsIDocumentLoaderObserver * 0x05234e54) line 3388 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x05233090, nsIChannel * 0x0361bf10, unsigned int 0) line 872
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x05233094, nsIChannel * 0x05256170, nsISupports * 0x00000000, unsigned int 0, unsigned short * 0x00000000) line 752 + 31 bytes
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x05234dd0, nsIChannel * 0x05256170, nsISupports * 0x00000000, unsigned int 0, unsigned short * 0x00000000) line 597 + 39 bytes
nsFileChannel::OnStopRequest(nsFileChannel * const 0x05256174, nsIChannel * 0x05257a50, nsISupports * 0x00000000, unsigned int 0, unsigned short * 0x00000000) line 423
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x056d9fd0) line 293
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x056d9cb0) line 164 + 12 bytes
PL_HandleEvent(PLEvent * 0x056d9cb0) line 541 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x05237140) line 500 + 9 bytes
_md_EventReceiverProc(void * 0x00020e66, unsigned int 49450, unsigned int 0, long 86208832) line 970 + 9 bytes
USER32! 77e71820()
05237140()
Blocks: 17432
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
I've just checked in code that reworks the way that the observer list is walked
during document observer notifications...

I believe that this should fix the problem.  If not, the DocLoader will ASSERT
:-)

-- rick
Status: RESOLVED → VERIFIED
v
No longer blocks: 17432
Product: Core → Core Graveyard