Closed Bug 142108 Opened 22 years ago Closed 22 years ago

Crash when reloading XML+XSLT Trunk, M100, N70PR1, M11A [@ nsXMLContentSink::Observe][@ 0x00000001]

Categories

(Core :: XSLT, defect, P1)

Product:
Core
Component:
XSLT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: bugzilla, Assigned: peterv)

References

(
URL
)

Details

(4 keywords, Whiteboard: [adt2 RTM][fixed on trunk 6/20] [ETA 06/24])

Crash Data

Attachments

(3 files, 4 obsolete files)

testing xml document and xslt
1.30 KB, application/octet-stream
Details
Platforms, Releases, builds and comments for this crash
3.83 KB, text/plain
Details
v2.2
60.34 KB, patch
axel
: review+
jst
: superreview+
jud
: approval+
Details | Diff | Splinter Review 
Reloading an XSL-transformed XML document crashes build 2002050304 on Win2K
(reproduced on 2 machines).  My weblog at http://12.239.72.33/~jj is one example
but I've seen it on other documents as well.

Steps:
1) Load http://12.239.72.33/~jj
2) Press the reload button.
3) Submit talkback report.

Talkback IDs:
  TB5908516X
  TB5908278M
  TB5908064Y
  TB5908030Z
  TB5900665E
Confirming 2002050208 on Win2k. With this build, it took about 4 or 5 reloads to
get the crash (but, sure enough, it eventually did crash). Talkback ID for that
crash is TB5908747Y. 

CC: stephend@netscape.com for talkback retrieval, please (TB5908747Y)
Keywords: crash
Err, in comment #1:

s/2002050208/2002050308
Should've mentioned that these are trunk builds.  Haven't tried the branch
nightlies but RC1 is unaffected.
nsXMLContentSink::Observe [nsXMLContentSink.cpp, line 449]
nsObserverService::NotifyObservers [nsObserverService.cpp, line 213]
XSLTProcessor::SignalTransformEnd [XSLTProcessor.cpp, line 2527]
XSLTProcessor::TransformDocument [XSLTProcessor.cpp, line 2472]
nsTransformMediator::TryToTransform [nsTransformMediator.cpp, line 113]
nsTransformMediator::SetTransformObserver [nsTransformMediator.cpp, line 186]
nsXMLContentSink::SetupTransformMediator [nsXMLContentSink.cpp, line 555]
nsXMLContentSink::DidBuildModel [nsXMLContentSink.cpp, line 393]
nsExpatDriver::DidBuildModel [nsExpatDriver.cpp, line 882]
nsParser::DidBuildModel [nsParser.cpp, line 1253]
nsParser::ResumeParse [nsParser.cpp, line 1790]
nsParser::OnStopRequest [nsParser.cpp, line 2419]
nsDocumentOpenInfo::OnStopRequest [nsURILoader.cpp, line 255]
nsHTTPChunkConv::OnStopRequest [nsHTTPChunkConv.cpp, line 125]
nsStreamListenerTee::OnStopRequest [nsStreamListenerTee.cpp, line 25]
nsHttpChannel::OnStopRequest [nsHttpChannel.cpp, line 2909]
nsOnStopRequestEvent::HandleEvent [nsRequestObserverProxy.cpp, line 213]
PL_HandleEvent [plevent.c, line 597]
PL_ProcessPendingEvents [plevent.c, line 530]
_md_EventReceiverProc [plevent.c, line 1078]
nsAppShellService::Run [nsAppShellService.cpp, line 451]
main1 [nsAppRunner.cpp, line 1472]
main [nsAppRunner.cpp, line 1808]
WinMain [nsAppRunner.cpp, line 1826]
WinMainCRTStartup()
KERNEL32.DLL + 0x17d08 (0x77e97d08) 
Related: bug 129006.
could reproduce this in viewer.
mXSLTransformMediator is null, and I have no idea how that could happen.
I think this is a platform independent bug. I'm seeing (load/reload) crashes on
Linux and WinXP - mozilla RC1.

There's also another weird thing, adjusting the mime-type in apache
configuration from:
-text/xml
		xml
+text/xml
		xml xsl

prevents crashing on WinXP (Linux build crashed). Mozilla also crashed if the
reported document type was text/plain instead of test/xml which is IMO a Bad
Thing(tm) - it should render it as plain text unless we want to emulate IE.
Steps to reproduce a crash:
- extract the archive somewhere
- place the xml document (and nothing else) to a standalone directory
- load it to mozilla (file:///... in URL field)
- copy in that directory the xslt component
- hit reload
- reproducible crash (but this seems to be Linux specific way)
-> All/All

Kamil: RC1/Linux is affected for you? Here on Win2k (for myself and the original
reporter), only the trunk builds are afffected (RC1 is ok).
OS: Windows 2000 → All
Hardware: PC → All
Yes, I tested RC1 candidate on Linux and WinXP. Both crash. However I can only
reproduce it on the Linux machine. WinXP build crashes only on certain apache
servers which send 'text/plain' instead of 'text/xml'. I have no such world-wide
accessible server so I can't pass URL.
Relevant talkback IDs:
TB6105603H
TB6092658G
CC: stephend@netscape.com for talkback retrieval, please (TB6105603H)
Depends on: 143265
CNavDTD::DidBuildModel()
nsParser::DidBuildModel()
nsParser::ResumeParse()
nsParser::OnStopRequest()
nsStreamListenerTee::OnStopRequest()
nsHttpChannel::OnStopRequest()
nsOnStopRequestEvent::HandleEvent()
nsARequestObserverEvent::HandlePLEvent()
PL_HandleEvent()
PL_ProcessPendingEvents()
nsEventQueueImpl::ProcessPendingEvents()
event_processor_callback()
our_gdk_io_invoke()
Seems ok with
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc2) Gecko/20020504
(No crash after at least 50 refresh).

as a side note, IE6 doesn't load the page at all
(talkin' about illegal char)
Corrado, this bug appears only on trunk builds; branch builds appear to be
unaffected.

[If you can figure out what IE6 is complaining about please let me know via
private email.  I'm not really concerned about appeasing IE's shoddy support,
but if it's something _I'm_ doing wrong I definitely want to know about it.]
Crash still occurring on Win2K trunk build 2002052008

I've also noticed that the crash always seems to follow a rendering with
incompletely applied CSS.  For instance, the page in the url field should show
the "Links" section in the upper right corner, but it will occasionally render
it in unstyled text at the bottom of the page.  Immediately following this
faulty rendering it will crash when reloaded.

Also, I have only been able to reproduce this in Linux once or twice.  The only
difference (besides OS) between my Linux and Win2K installations are that the
Linux box is on the same local network as the server, whereas my Windows box is
at a remote location.  So perhaps network speed plays a role?
*** Bug 146119 has been marked as a duplicate of this bug. ***
No, this is showing up on the 1.0 branch. See Bug 146119 (a dupe of this one),
attachment 84595 [details] and attachment 84595 [details] (the xml and its xsl that caused a
reliable crash on 2002051606-1.0 and 2002052106-1.0 . (The document is the
draft 1.0 FAQ.)

We were hoping to use the 1.0 FAQ to showcase XML on the 1.0 start page.
Um ...

I meant, of course, attachment 84594 [details] (the XML that attachment 84595 [details] is the
XSL for).
Status: NEW → ASSIGNED
Keywords: nsbeta1
Priority: -- → P1
Target Milestone: --- → mozilla1.0
Keywords: mozilla1.0
Keywords: testcase, topcrash+
Summary: Crash when reloading XML+XSLT → Crash when reloading XML+XSLT Trunk M1RC3 [@ nsXMLContentSink::Observe]
Here's a breakdown of where we are seeing these crashes.
Ok, I'll try Windows and Linux and a slow proxy. I haven't been able to
reproduce this. I hit it once.
Look at bug 146119 for a setup that helped induce the crash.

velvet.net's content-type misconfiguration has been fixed, but some people have
been getting crashes just loading the document locally (with only faqs.xsl
present, not the other XSLT files that should be there).
I have an idea of what might be causing this and looking at the talkback stacks
seems to confirm it. We're notifying the wrong content sink. I'll supply a patch
for this tomorrow.
Attached patch v1 (obsolete) — Splinter Review 
I think this will fix the crash. Looking at the talkback stacks, we were
notifying the wrong nsXMLContentSink. The way this used to work is that we
registered the sink as an observer for the topic xslt-done. However, we never
removed it as an observer and we never checked if the notification that we got
was aimed at this content sink. I think somehow the content sink from a
previous load stayed around and received a notification that wasn't aimed at it
(and its transform mediator was null because the previous load had finished).
I've dropped the use of the observer service and just moved to calling the sink
directly when the transform is done. There's no need for using the observer
system, there's one sink that has to be notified of the end of the transform it
launched. I haven't hit the crash anymore with this patch, though I never
reproduced it reliably before.
Looking for reviews.
Comment on attachment 84906 [details] [diff] [review]
v1

patch applies like hell, different base dirs and adding files doesn't go
together well.

>Index: xml/content/src/nsXMLProcessingInstruction.cpp
do you really want this chunk in this patch?

>Index: xml/document/src/nsXMLContentSink.cpp
xml/document/src/Makefile.in needs content_xsl in the REQUIRES, 
makefile.win, too
same for xbl/src/Makefile.in

>RCS file: /cvsroot/mozilla/content/xml/document/src/nsXMLContentSink.cpp,v
>retrieving revision 1.224
>diff -u -3 -r1.224 nsXMLContentSink.cpp
>--- xml/document/src/nsXMLContentSink.cpp	22 May 2002 00:46:13 -0000	1.224
>+++ xml/document/src/nsXMLContentSink.cpp	24 May 2002 10:17:24 -0000
>@@ -402,87 +402,85 @@
>   return NS_OK;
> }
> 
>-// The observe method is called on completion of the transform.  The nsISupports argument is an
>-// nsIContent interface to the root node of the output content model.
> NS_IMETHODIMP
>-nsXMLContentSink::Observe(nsISupports *aSubject, const char *aTopic, const PRUnichar *someData)
>+nsXMLContentSink::OnTransformDone(nsIContent *aRootContent,
>+                                  nsresult aResult,
>+                                  const nsAString & aErrorMessage)
> {
>   nsresult rv = NS_OK;

the rv ain't used no more, just return NS_OK at the end.

>Index: transformiix/source/xslt/XSLTProcessor.cpp

I doubt that aRootContent is really the right thing to flag a failure.
We should use the aResult for this.
I'm not sure if there's a successful transformation not having the
root content of the document set, so that argument might not be needed at
all.
This interface might need to be changed once we do report errors in the
XSLTProcessor, I doubt that we're in the state to fix what we need for
the error report right now.

But this is definitly the way to go. We may want to have a 
OnTransformFailed, once we actually do errors.
You may want to fix some nits on nsIDocumentTransformer.idl. 
It's NPL :-(, nisheeth should be added to the contributors (as he drops out of
blame) and fix the indention
All checkins are visible in the log, so blame does not matter that much. I am
not opposing adding anyone to explicit contributors list, though.
as peterv moves the file, the log is lost. The log isn't really interesting though,
so I don't think we should copy the file in repository.
Ok, in that case it makes sense. However, if you really want to conserve the log
(change history, blame and all) you could ask leaf@mozilla.org to copy/move the
files in the repository itself. That is a bit of a hassle so I only do it with
big changes and/or situations where I really want to retain the change information.
I can confirm this on Linux with 2002052309 (RC3) and I submitted talkback info.
ID: TB6709662Y
is v1 patch applied in nightly builds? It still crashes in 2002052621 talkback
incident: TB6716557G
Blocks: 143047
Whiteboard: [adt2 RTM]
Attached patch v2 (obsolete) — Splinter Review 
This also fixes a circular ownership problem between the nsXSLContentSink and
the nsTransformMediator. I've cleared up the whole ownership model. The
nsXMLContentSink (and the nsXSLContentSink) owns the transform mediator. The
transform mediator holds a weak reference to the content sink, and passes that
to the XSLT processor, which also holds a weak reference. Since the content
sink owns the mediator and the mediator owns the processor, we're guaranteed
that the content sink held in the weak reference is alive when the mediator or
the processor use it. I've been running with this patch for two days, tried
XSLT transformations, error conditions (invalid source, invalid style),
couldn't get it to crash. If anyone else could test, I'd be grateful.
Attachment #84906 - Attachment is obsolete: true
Comment on attachment 85579 [details] [diff] [review]
v2

>Index: content/xml/document/src/nsXMLContentSink.cpp
>@@ -402,88 +401,87 @@
<...>
>+  nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(mWebShell));
>+  nsCOMPtr<nsIContentViewer> contentViewer;
>+  docShell->GetContentViewer(getter_AddRefs(contentViewer));
do we need a null check here?

<...>
>+  // Reset the observer on the transform mediator
>+  mXSLTransformMediator->SetTransformObserver(nsnull);
>+  nsCOMPtr<nsITransformMediator> mediator = mXSLTransformMediator;
is this needed? It ain't used, but you wanted to check

>Index: content/xsl/document/public/nsIDocumentTransformer.idl
<...>
>+    void transformDocument(in nsIDOMNode aSourceDOM,
>+	                       in nsIDOMNode aStyleDOM,
>+						   in nsIDOMDocument aOutputDOC,
>+						   in nsITransformObserver aObserver);						  
Indention

>Index: content/xsl/document/src/makefile.win
>-REQUIRES	= xpcom \
<...>
>+REQUIRES = xpcom \
Indention

>Index: content/xsl/document/src/nsTransformMediator.cpp
>-#include "nsIComponentManager.h"
<...>
>+#include "nsComponentManagerUtils.h"
this file says you should include nsIComponentManager.h

Didn't test this yet, don't have the time to do this today
Attached patch v2.1 (obsolete) — Splinter Review 

        Attachment #85579 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2.1 (without crap) (obsolete)
        — Splinter Review
      

    


  

        Attachment #85834 -
        Attachment is obsolete: true

    
    

    
  
URL is no longer xml+xslt
URL: http://12.239.72.33/~jj

    
    

    
  
Comment on attachment 86033 [details] [diff] [review]
v2.1 (without crap)

r=axel@pike.org

        Attachment #86033 -
        Flags: review+

    
    

    
  
Sorry for changing the testcase URL out from under you.  I've uploaded the
testcase exactly as it was prior to 11pm last night to
http://www.screaminweb.com/mozillatest/xslt-crash/index.xml
Still produces the crash reliably.
URL: http://www.screaminweb.com/mozillates...

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2.2Splinter Review
      

    


  
Changes between this and previous are in nsXMLContentSink.cpp,
nsXSLContentSink.cpp and XSLTProcessor.cpp. This also fixes two memory leaks,
by making sure we remove the nsXSLContentSink as script load observer and
remove nsXMLContentSink as script load observer from the right script loader
(of the original document). Looking for another review.

        Attachment #86033 -
        Attachment is obsolete: true

    
    

    
  
*** Bug 149433 has been marked as a duplicate of this bug. ***

    
    

    
  
Updating the summary. This one is crashing in large numbers under the 0x00000001
signature in the Talkback reports.

Peter, please re-target the milestone for this bug. Thanks.

    
    

    
  
Doh! Really updating this time.
Summary: Crash when reloading XML+XSLT Trunk M1RC3 [@ nsXMLContentSink::Observe] → Crash when reloading XML+XSLT Trunk, M100, N70PR1, M11A  [@ nsXMLContentSink::Observe][@ 0x00000001]

    
    

    
  
Comment on attachment 86506 [details] [diff] [review]
v2.2

r=axel@pike.org
Sorry for taking so long, I've been sick and busy.
tested debug on solaris

        Attachment #86506 -
        Flags: review+

        Attachment #86506 -
        Flags: superreview+

    
    

    
  
Comment on attachment 86506 [details] [diff] [review]
v2.2

From nsITransformMediator.h:

+/**
+ * This interface represents a mediator between raptor and an external

Bah, "raptor"! "Gecko", dude! :-)

sr=jst

    
    

    
  
Checked in on the trunk. If people could verify that this fixed the problem, it
would help in getting this on the branch
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
No longer depends on: 143265
Resolution: --- → FIXED

    
    

    
  
Verified FIXED on Win2K build 2002062008.  No crash after dozens of reloads.
Need verification on other OSes.
Keywords: nsbeta1adt1.0.1, 
          
            nsbeta1+
Whiteboard: [adt2 RTM] → [adt2 RTM][fixed on trunk 6/20]
Target Milestone: mozilla1.0 → mozilla1.0.1

    
    

    
  
ADT wants to see some talkback data confirming that this fixes the topcrash
before approving. Since this just landed, we need to wait a little to get the
data. Let's talk to shiva/jpatel tomorrow.

    
    

    
  
I was able to reproduce this crash with Jason's testcase with MozillaTrunk build
2002061908:
Incident ID 7556590
Stack Signature nsXMLContentSink::Observe 61de04a2
Email Address jpatel@netscape.com
Product ID MozillaTrunk
Build ID 2002061908
Trigger Time 2002-06-20 18:01:45
Platform Win32
Operating System Windows NT 4.0 build 1381
Module gkcontent.dll
URL visited http://www.screaminweb.com/mozillatest/xslt-crash/index.xml
User Comments Reproducing bug 142108...testcase:
http://www.screaminweb.com/mozillatest/xslt-crash/index.xml - Just loaded the
page and refreshed with F5...boom! Not happening on MozillaTrunk build
2002062008 (meaning this is fixed)
Trigger Reason Access violation
Source File Name
c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp
Trigger Line No. 422
Stack Trace
nsXMLContentSink::Observe
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line
422]
nsObserverService::NotifyObservers
[c:/builds/seamonkey/mozilla/xpcom/ds/nsObserverService.cpp, line 213]
XSLTProcessor::SignalTransformEnd
[c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp,
line 2463]
XSLTProcessor::TransformDocument
[c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp,
line 2408]
nsTransformMediator::TryToTransform
[c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp,
line 113]
nsTransformMediator::SetTransformObserver
[c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp,
line 186]
nsXMLContentSink::SetupTransformMediator
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line
528]
nsXMLContentSink::DidBuildModel
[c:/builds/seamonkey/mozilla/content/xml/document/src/nsXMLContentSink.cpp, line
366]
nsExpatDriver::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp, line 939]
nsParser::DidBuildModel
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1254]
nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp,
line 1796]
nsParser::OnStopRequest
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 2425]
nsDocumentOpenInfo::OnStopRequest
[c:/builds/seamonkey/mozilla/uriloader/base/nsURILoader.cpp, line 256]
nsHttpChannel::OnStopRequest
[c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 2915]
nsOnStopRequestEvent::HandleEvent
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsRequestObserverProxy.cpp, line 213]
PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 597]
PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c,
line 530]
_md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line
1078] 

But I was NOT able to crash with today's MozillaTrunk build 2002062008 (with
Peter's fix checked in).  This looks ready for the branch.

    
    

    
  
Verified fixed on Linux as well, trunk build 2002062011.  Marking as such.
Status: RESOLVED → VERIFIED

    
  
Keywords: adt1.0.1, 
          
            mozilla1.0adt1.0.1+, 
          
            mozilla1.0.1
Whiteboard: [adt2 RTM][fixed on trunk 6/20] → [adt2 RTM][fixed on trunk 6/20] [ETA 06/24]

    
    

    
  
adt1.0.1+ (on adt's behalf) approval for checkin to the 1.0 branch, pending
drivers' approval. pls check this in asap, then add the "fixed1.0.1" keyword.

    
    

    
  
I just sent an email to drivers asking for approval.

    
    

    
  
*** Bug 153984 has been marked as a duplicate of this bug. ***

    
  

        Attachment #86506 -
        Flags: approval+

    
    

    
  
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+

    
    

    
  
I know this comment perhaps do not belong here. But would it be possible to set
build Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1a+) Gecko/2002062508 as the
default download when you download 1.1a? I have also verifed that that build
fixes problems with the tabels on aftonbladet.se and columns on
http://java.sun.com/j2se/1.4/download.html .


    
    

    
  
yes, this is a pretty useless place to put it.
But, so far I can help, 1.1alpha will stay 1.1alpha. But there will be a 1.1beta, 
that's gonna have the bugfixes you're looking for.

    
  
Keywords: mozilla1.0.1+fixed1.0.1

    
    

    
  
*** Bug 156120 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 153495 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 158884 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 165138 has been marked as a duplicate of this bug. ***
Crash Signature: [@ nsXMLContentSink::Observe]
[@ 0x00000001]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: