775972 - crash in nsGenericElement::BindToTree

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Scoobidiver (away)]

It's a low volume crash but there's a spike in crashes from 17.0a1/20120720. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6d8456a77e57&tochange=3a05d298599e
It might be a regression from bug 773945.

Signature 	nsGenericElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) More Reports Search
UUID	3fa7aeaa-d5e4-43f9-9529-881732120720
Date Processed	2012-07-20 14:55:00
Uptime	11
Last Crash	16 seconds before submission
Install Age	11.6 minutes since version was first installed.
Install Time	2012-07-20 14:42:43
Product	Firefox
Version	17.0a1
Build ID	20120720030549
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xc
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.15.10.1892
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x2a42
Total Virtual Memory	2147352576
Available Virtual Memory	1903738880
System Memory Use Percentage	67
Available Page File	977223680
Available Physical Memory	320991232

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsGenericElement::BindToTree 	content/base/src/nsGenericElement.cpp:2076
1 	xul.dll 	nsXULElement::BindToTree 	content/xul/content/src/nsXULElement.cpp:702
2 	xul.dll 	nsGenericElement::BindToTree 	content/base/src/nsGenericElement.cpp:2069
3 	xul.dll 	nsINode::doInsertChildAt 	content/base/src/nsINode.cpp:1304
4 	xul.dll 	nsGenericElement::InsertChildAt 	content/base/src/nsGenericElement.cpp:2617
5 	xul.dll 	nsINode::ReplaceOrInsertBefore 	content/base/src/nsINode.cpp:1886
6 	xul.dll 	nsINode::AppendChild 	obj-firefox/dist/include/nsINode.h:504
7 	xul.dll 	nsIDOMNode_AppendChild 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5395
8 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:344
9 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2425
10 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:387
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5577
13 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1436
14 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
15 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
16 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
17 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:869
18 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:316
19 	xul.dll 	nsRefPtr<nsIRunnable>::~nsRefPtr<nsIRunnable> 	obj-firefox/dist/include/nsAutoPtr.h:874
20 	xul.dll 	nsRunnable::Release 	obj-firefox/xpcom/build/nsThreadUtils.cpp:27
21 	xul.dll 	nsDocument::EndLoad 	content/base/src/nsDocument.cpp:4218

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsGenericElement%3A%3ABindToTree%28nsIDocument*%2C+nsIContent*%2C+nsIContent*%2C+bool%29

Comment 1

[Boris Zbarsky [:bzbarsky]]

That looks like a null-deref crash.  I wonder what's null...  Olli, could our id flags be off?

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Ah, I guess so

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: patch

In other places we check the length of ID, and empty ID is no-ID.


If there are still some other similar crashes after this patch landed, 
please file a new bug and CC me.

Comment 4

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 644485 [details] [diff] [review]
patch

r=me

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

https://hg.mozilla.org/mozilla-central/rev/6dae57cd2f85