Closed Bug 133669 Opened 23 years ago Closed 23 years ago

[PATCH]Crash (stack overflow) when loading this site [@ nsEventListenerManager::HandleEvent][@ nsString::nsString][@ nsXULElement::HandleDOMEvent]

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.0

People

(Reporter: nallen, Assigned: john)

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: [FIX][adt2])

Attachments

(1 file)

Was trying to reproduce the hang doing "save page as" in bug 133593 but instead crash immediately upon loading the site. This happens every time I try to load the page. Build 2002032203 on Win2k. This is probably related to what's going on in bug 133593 but didn't want to potentially confuse two separate issues. Dupe as necessary. TB 4522145M

Stack dump:
GKCONTENT! 602f451d()
JSDOM! 606c7f99()
JSDOM! 606b5822()
GKCONTENT! 602c6748()
GKCONTENT! 602ba459()
GKCONTENT! 602ba43b()
GKCONTENT! 602ba43b()
GKCONTENT! 602ba43b()
GKCONTENT! 602ba43b()
GKCONTENT! 602ba43b()
GKCONTENT! 602ba43b()
GKCONTENT! 602ba43b()
GKCONTENT! 602bc5b1()
JSDOM! 606b5822()
GKCONTENT! 60243dfd()
GKCONTENT! 602379e5()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 602379c7()
GKCONTENT! 603209ba()
GKCONTENT! 602379c7()
GKCONTENT! 60314d80()
GKCONTENT! 602fc1e5()
GKCONTENT! 602f6370()
GKCONTENT! 60235f77()
GKCONTENT! 6031431c()
GKCONTENT! 60313388()
GKCONTENT! 60313691()
GKCONTENT! 603131e3()
GKCONTENT! 60277277()
GKCONTENT! 6027b545()
GKCONTENT! 603315ac()
GKCONTENT! 6026e906()
8510758b()
Adding crash keyword and cc'ing bug 133593 reporter.
Keywords: crash
I confirm, Mozilla crashes on this page. I use the 2002031423/linux build.
Here's the stack that shows the deadly recursion:
SinkContext::FlushTags(int 1) line 2135
HTMLContentSink::BeginUpdate(HTMLContentSink * const 0x03412360, nsIDocument * 0x03484168) line 4888 + 16 bytes
nsDocument::BeginUpdate(nsDocument * const 0x03484168) line 1759
nsGenericDOMDataNode::SetText(nsGenericDOMDataNode * const 0x03873170, const unsigned short * 0x00051308, int 8, int 1) line 1246
nsComboboxControlFrame::ActuallyDisplayText(nsAString & {...}, int 1) line 1981 + 81 bytes
nsComboboxControlFrame::RedisplayText(int 725) line 1952 + 20 bytes
nsComboboxControlFrame::OnOptionSelected(nsComboboxControlFrame * const 0x03871c68, nsIPresContext * 0x036f3858, int 725, int 1) line 2628
nsHTMLSelectElement::OnOptionSelected(nsISelectControlFrame * 0x03871c68, nsIPresContext * 0x036f3858, int 725, int 1, int 1) line 1059
nsHTMLSelectElement::InsertOptionsIntoList(nsIContent * 0x038751a0, int 725, int 0) line 474
nsHTMLSelectElement::WillAddOptions(nsHTMLSelectElement * const 0x0387174c, nsIContent * 0x038751a0, nsIContent * 0x03871710, int 0) line 672
nsHTMLSelectElement::AppendChildTo(nsHTMLSelectElement * const 0x03871710, nsIContent * 0x038751a0, int 0, int 0) line 381
SinkContext::FlushTags(int 1) line 2135
Status: UNCONFIRMED → NEW
Ever confirmed: true
We can't have jailbabes crashing! Taking, I know what to do with this one.
Assignee: jst → jkeiser
Component: DOM Level 0 → Parser
Attached patch: Patch
This is a recursion problem: content sink flushes and does not update the flag that says not to flush this stuff anymore, calls AppendChild, which ends up calling BeginUpdate, which flushes ... Bug 133867 had a similar recursion problem in FlushText(). This fixes FlushTags().
Keywords: nsbeta1
Target Milestone: --- → mozilla1.0
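
The re-entrancy described in the patch comment above, as an added, simplified C++ model; it is not Mozilla's code and not the attached patch. The names Sink, PendingNode, AppendChild, Flush, RunFlush and kDepthCap are hypothetical, the depth cap stands in for running out of stack, and setting the flag before the call is assumed here as one way to break the cycle.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model with hypothetical names; not Mozilla's code.
constexpr int kDepthCap = 64;  // stands in for exhausting the real stack

struct PendingNode {
    bool appended = false;  // the "do not flush this again" flag
    int appendCount = 0;    // how many times the node was appended
};

struct Sink {
    std::vector<PendingNode> pending;
    bool markBeforeAppend;  // true: fixed ordering, false: buggy ordering
    int depth = 0, maxDepth = 0;
    bool hitDepthCap = false;

    Sink(std::size_t n, bool fixed) : pending(n), markBeforeAppend(fixed) {}

    // Models AppendChildTo -> ... -> BeginUpdate, which flushes the sink again.
    void AppendChild(PendingNode& node) {
        ++node.appendCount;
        Flush();
    }

    void Flush() {
        ++depth;
        if (depth > maxDepth) maxDepth = depth;
        if (depth >= kDepthCap) {  // the real browser overflows the stack here
            hitDepthCap = true;
            --depth;
            return;
        }
        for (PendingNode& node : pending) {
            if (node.appended) continue;
            if (markBeforeAppend) node.appended = true;   // flag set before the call
            AppendChild(node);                            // may re-enter Flush()
            if (!markBeforeAppend) node.appended = true;  // flag set too late
        }
        --depth;
    }
};

Sink RunFlush(std::size_t n, bool fixed) {
    Sink sink(n, fixed);
    sink.Flush();
    return sink;
}

int main() {
    for (bool fixed : {false, true}) {
        Sink s = RunFlush(3, fixed);
        std::printf("%s: max depth %d, node 0 appended %d time(s), cap hit %d\n",
                    fixed ? "fixed" : "buggy", s.maxDepth, s.pending[0].appendCount, s.hitDepthCap);
    }
}
```

With the flag set too late, the first pending node is re-appended at every nesting level until the cap is hit; with the flag set first, each node is appended once and the nesting is bounded by the number of pending nodes.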
Comment on attachment 76688 (Patch): sr=jst
Attachment #76688 - Flags: superreview+
Attachment #76688 - Flags: review+
(That was r=harishd, BTW.)
Whiteboard: [FIX]
Comment on attachment 76688 (Patch): a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #76688 - Flags: approval+
nsbeta1+
Keywords: nsbeta1 → nsbeta1+
[adt2]
Whiteboard: [FIX] → [FIX][adt2]
Keywords: adt1.0.0
Summary: Crash (stack overflow) when loading this site → [PATCH]Crash (stack overflow) when loading this site
adt1.0.0+ (on ADT's behalf) approval for checkin to 1.0.
Keywords: adt1.0.0 → adt1.0.0+
*** Bug 135194 has been marked as a duplicate of this bug. ***
Moving over keywords and data from bug 133593. Here are a couple of Talkback incidents for this crash:

Incident ID 4752723
Stack Signature nsString::nsString 3abca528
Trigger Time 2002-04-02 16:52:11
Email Address jpatel@netscape.com
URL visited http://www.jailbabes.com/home.db
Build ID 2002040110
Product ID MozillaTrunk
Platform Operating System Win32
Module
Trigger Reason Stack overflow
User Comments just loading http://www.jailbabes.com/home.db in a new tab...
Stack Trace
nsString::nsString [d:\builds\seamonkey\mozilla\string\obsolete\nsString2.cpp, line 68]
nsWindowRoot::HandleChromeEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsWindowRoot.cpp, line 182]
GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 693]
nsXULDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp, line 2449]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3449]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3442]
nsXULElement::HandleChromeEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 4690]
GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 693]
nsDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 3230]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1636]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsHTMLFormElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFormElement.cpp, line 605]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1630]
nsHTMLSelectElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 1798]
nsEventStateManager::DispatchNewEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp, line 4073]
nsEventListenerManager::DispatchEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 2661]
nsDOMEventRTTearoff::DispatchEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 545]
nsHTMLSelectElement::SetOptionsSelectedByIndex [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 1327]
nsHTMLSelectElement::InsertOptionsIntoList [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 467]
nsHTMLSelectElement::WillAddOptions [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 668]
nsHTMLSelectElement::AppendChildTo [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 377]
SinkContext::FlushTags [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 2147]
HTMLContentSink::BeginUpdate [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 4891]
nsDocument::BeginUpdate [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1628]
nsGenericDOMDataNode::SetText [d:\builds\seamonkey\mozilla\content\base\src\nsGenericDOMDataNode.cpp, line 1251]
FindChar1 [d:\builds\seamonkey\mozilla\string\obsolete\bufferRoutines.h, line 427]
nsFSURLEncoded::AddRef [d:\builds\seamonkey\mozilla\content\html\content\src\nsFormSubmission.cpp, line 403]
nsDocument::CloneNode [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 3115]
nsDocument::CloneNode [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 3115]
nsGenericDOMDataNode::SetText [d:\builds\seamonkey\mozilla\content\base\src\nsGenericDOMDataNode.cpp, line 1284]
SheetLoadData::AddRef [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 501]
SheetLoadData::AddRef [d:\builds\seamonkey\mozilla\content\html\style\src\nsCSSLoader.cpp, line 501]
nsSelection::Release [d:\builds\seamonkey\mozilla\content\base\src\nsSelection.cpp, line 1037]
nsSelection::RepaintSelection [d:\builds\seamonkey\mozilla\content\base\src\nsSelection.cpp, line 2940]
nsSelection::GetFrameForNodeOffset [d:\builds\seamonkey\mozilla\content\base\src\nsSelection.cpp, line 2951]
nsSelection::WordMove [d:\builds\seamonkey\mozilla\content\base\src\nsSelection.cpp, line 3090]

Another user crashes at the same site, but with a different stack signature:

Incident ID 4522145
Stack Signature nsEventListenerManager::HandleEvent f88a8ab2
Trigger Time 2002-03-26 23:10:21
Email Address ac_gyrefalcon@hotmail.com
URL visited http://www.jailbabes.com/home.db
Build ID 2002032211
Product ID MozillaTrunk
Platform Operating System Win32
Module
Trigger Reason Stack overflow
User Comments Crashed trying to repro hang in bug 133593. oops!
Stack Trace
nsEventListenerManager::HandleEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 1243]
nsWindowRoot::HandleChromeEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsWindowRoot.cpp, line 182]
GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 693]
nsXULDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\document\src\nsXULDocument.cpp, line 2449]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3445]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 3438]
nsXULElement::HandleChromeEvent [d:\builds\seamonkey\mozilla\content\xul\content\src\nsXULElement.cpp, line 4686]
GlobalWindowImpl::HandleDOMEvent [d:\builds\seamonkey\mozilla\dom\src\base\nsGlobalWindow.cpp, line 693]
nsDocument::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 3232]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1635]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsHTMLFormElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFormElement.cpp, line 605]
nsGenericElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 1629]
nsHTMLSelectElement::HandleDOMEvent [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 1790]
nsEventStateManager::DispatchNewEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventStateManager.cpp, line 4049]
nsEventListenerManager::DispatchEvent [d:\builds\seamonkey\mozilla\content\events\src\nsEventListenerManager.cpp, line 2661]
nsDOMEventRTTearoff::DispatchEvent [d:\builds\seamonkey\mozilla\content\base\src\nsGenericElement.cpp, line 545]
nsHTMLSelectElement::SetOptionsSelectedByIndex [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 1324]
nsHTMLSelectElement::InsertOptionsIntoList [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 464]
nsHTMLSelectElement::WillAddOptions [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 665]
nsHTMLSelectElement::AppendChildTo [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLSelectElement.cpp, line 374]
SinkContext::FlushTags [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 2123]
HTMLContentSink::BeginUpdate [d:\builds\seamonkey\mozilla\content\html\document\src\nsHTMLContentSink.cpp, line 4868]
nsDocument::BeginUpdate [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 1628]
nsGenericDOMDataNode::SetText [d:\builds\seamonkey\mozilla\content\base\src\nsGenericDOMDataNode.cpp, line 1246]
FindChar1 [d:\builds\seamonkey\mozilla\string\obsolete\bufferRoutines.h, line 427]
nsHTMLFrameElement::AddRef [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLFrameElement.cpp, line 136]
nsDocument::CloneNode [d:\builds\seamonkey\mozilla\content\base\src\nsDocument.cpp, line 3117]
nsHTMLLegendElement::SubmitNamesValues [d:\builds\seamonkey\mozilla\content\html\content\src\nsHTMLLegendElement.cpp, line 255]
0x8510758b
Keywords: testcase, topcrash+
Summary: [PATCH]Crash (stack overflow) when loading this site → [PATCH]Crash (stack overflow) when loading this site [@ nsEventListenerManager::HandleEvent][@ nsString::nsString]
*** Bug 133593 has been marked as a duplicate of this bug. ***
Blocks: 134771
Fix checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
*** Bug 135009 has been marked as a duplicate of this bug. ***
Adding [@ nsXULElement::HandleDOMEvent] from duped bug 135009 for future reference. Verifying fixed...http://www.jailbabes.com/home.db no longer crashes for me...and Talkback data shows this last crashed on 4/5.
Status: RESOLVED → VERIFIED
Summary: [PATCH]Crash (stack overflow) when loading this site [@ nsEventListenerManager::HandleEvent][@ nsString::nsString] → [PATCH]Crash (stack overflow) when loading this site [@ nsEventListenerManager::HandleEvent][@ nsString::nsString][@ nsXULElement::HandleDOMEvent]
Keywords: fixed1.0.0
*** Bug 137376 has been marked as a duplicate of this bug. ***
verified1.0.0
Keywords: verified1.0.0
Crash Signature: [@ nsEventListenerManager::HandleEvent] [@ nsString::nsString] [@ nsXULElement::HandleDOMEvent]