11923 - document.write() crashes

Status: VERIFIED FIXED

(Core :: Networking, defect, P3)

Description

[Syd Logan]

Here's the script:

function CreateGroupList( a )
{
	var wind = top.frames["AddGroupList"];   // this is an iframe
	listDocument = wind.document;

	dump( "listDocument " + listDocument + "\n" );

	listDocument.write("<HR>Hello world!<HR>");
}

And here's the stack crawl:

a7860f00()
nsIOService::NewChannelFromURI(nsIOService * const 0x00b1e290, const char *
0x01c6c608, nsIURI * 0x0012df84, nsIEventSinkGetter * 0x00000000, nsIChannel * *
0x0012df04) line 219 + 37 bytes
NS_OpenURI(nsIChannel * * 0x0012df64, nsIURI * 0x0012df84) line 62 + 27 bytes
nsHTMLDocument::OpenCommon(nsIURI * 0x0012df84) line 1478 + 33 bytes
nsHTMLDocument::Open(nsHTMLDocument * const 0x03eb6768, JSContext * 0x03deb330,
long * 0x02f9ee14, unsigned int 1) line 1570 + 18 bytes
nsHTMLDocument::ScriptWriteCommon(JSContext * 0x03deb330, long * 0x02f9ee14,
unsigned int 1, int 0) line 1648 + 34 bytes
nsHTMLDocument::Write(nsHTMLDocument * const 0x03eb6768, JSContext * 0x03deb330,
long * 0x02f9ee14, unsigned int 1) line 1687
NSHTMLDocumentWrite(JSContext * 0x03deb330, JSObject * 0x02fac3a0, unsigned int
1, long * 0x02f9ee14, long * 0x0012e104) line 1129 + 24 bytes
js_Invoke(JSContext * 0x03deb330, unsigned int 1, unsigned int 0) line 654 + 26
bytes
js_Interpret(JSContext * 0x03deb330, long * 0x0012e930) line 2228 + 15 bytes
js_Invoke(JSContext * 0x03deb330, unsigned int 1, unsigned int 0) line 670 + 13
bytes
js_Interpret(JSContext * 0x03deb330, long * 0x0012f118) line 2228 + 15 bytes
js_Invoke(JSContext * 0x03deb330, unsigned int 0, unsigned int 0) line 670 + 13
bytes
js_Interpret(JSContext * 0x03deb330, long * 0x0012f900) line 2228 + 15 bytes
js_Invoke(JSContext * 0x03deb330, unsigned int 1, unsigned int 2) line 670 + 13
bytes
js_InternalCall(JSContext * 0x03deb330, JSObject * 0x02f6d550, long 49734968,
unsigned int 1, long * 0x0012fa40, long * 0x0012fa48) line 747 + 15 bytes
JS_CallFunctionValue(JSContext * 0x03deb330, JSObject * 0x02f6d550, long
49734968, unsigned int 1, long * 0x0012fa40, long * 0x0012fa48) line 2643 + 29
bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03ee3070) line 97 + 34 bytes
nsEventListenerManager::HandleEvent(nsIPresContext & {...}, nsEvent *
0x0012fc80, nsIDOMEvent * * 0x0012fb7c, unsigned int 3, nsEventStatus &
nsEventStatus_eIgnore) line 971 + 21 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x03deb4f4,
nsIPresContext & {...}, nsEvent * 0x0012fc80, nsIDOMEvent * * 0x0012fb7c,
unsigned int 1, nsEventStatus & nsEventStatus_eIgnore) line 2824
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x03e0e5f4, nsIDocumentLoader *
0x03eb5380, nsIChannel * 0x03e89c60, unsigned int 0, nsIDocumentLoaderObserver *
0x03e0e5f4) line 3286 + 34 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsIDocumentLoader * 0x03eb5380, unsigned
int 0) line 1124
nsDocLoaderImpl::ChildDocLoaderFiredEndDocumentLoad(nsDocLoaderImpl *
0x03eb5380, nsIDocumentLoader * 0x03eb5380, unsigned int 0) line 1147
nsDocLoaderImpl::FireOnEndDocumentLoad(nsIDocumentLoader * 0x03eb5380, unsigned
int 0) line 1132
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x03eb5384, nsIChannel *
0x03eb6920, nsISupports * 0x00000000, unsigned int 0, const unsigned short *
0x00000000) line 1031
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03ee3160) line
274
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03ee3164) line 149 + 12 bytes
PL_HandleEvent(PLEvent * 0x03ee3164) line 509 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00b1bec0) line 470 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x01120524, unsigned int 49335, unsigned int 0,
long 11648704) line 932 + 9 bytes
USER32! 77e71250()
00b1bec0()

Comment 1

[Paul MacQuiddy]

syd, is this an M9 blocker??

Comment 2

[Syd Logan]

No need to hold up M9, but we are very much in need of this ability and hope
that within a few days of the tree opening for M10 development that this bug be
addressed.

Comment 3

[lchiang]

adding myself to cc: list.

Comment 4

[Gagan]

Verify please.

Comment 5

[Paul MacQuiddy]

verified that this is no longer crashing, 9/24 builds.

Comment 6

[leger]

Bulk move of all Necko (to be deleted component) bugs to new Networking

component.

Comment 7

[Pulsebot]

Pushed by ctuns@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b0b16ea0b44d
[fenix] For https://github.com/mozilla-mobile/fenix/issues/9625: Add telemetry for Tracking Protection CFR (https://github.com/mozilla-mobile/fenix/pull/11923)