Closed
Bug 180217
Opened 22 years ago
Closed 22 years ago
nsXULDocument::~nsXULDocument will crash if mDocumentURL is null
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: timeless, Assigned: timeless)
References
Details
(Keywords: crash)
Attachments
(1 file)
856 bytes,
patch
|
dbradley
:
review+
brendan
:
superreview+
|
Details | Diff | Splinter Review |
nsXULPrototypeCache::nsIURIKey::HashCode() line 135 + 21 bytes
nsHashtable::Remove(nsHashKey * 0x0012e1e8) line 322 + 11 bytes
nsSupportsHashtable::Remove(nsHashKey * 0x0012e1e8, nsISupports * * 0x00000000)
line 984 + 12 bytes
nsXULPrototypeCache::RemoveFromFastLoadSet(nsXULPrototypeCache * const
0x016df390, nsIURI * 0x00000000) line 631
nsXULDocument::~nsXULDocument() line 533
nsXULDocument::`scalar deleting destructor'() + 15 bytes
nsXULDocument::Release(nsXULDocument * const 0x01d4c3f0) line 575 + 186 bytes
XPCWrappedNative::~XPCWrappedNative() line 547 + 18 bytes
XPCWrappedNative::`scalar deleting destructor'(unsigned int 1) + 15 bytes
XPCWrappedNative::Release(XPCWrappedNative * const 0x01d4d6a0) line 777 + 147 bytes
XPCWrappedNative::FlatJSObjectFinalized(JSContext * 0x004f4e70, JSObject *
0x0141f310) line 897
XPC_WN_NoHelper_Finalize(JSContext * 0x004f4e70, JSObject * 0x0141f310) line 630
js_FinalizeObject(JSContext * 0x004f4e70, JSObject * 0x0141f310) line 1840 + 96
bytes
js_GC(JSContext * 0x004f4e70, unsigned int 5) line 1311 + 11 bytes
- mDocumentURL {...}
\+ mRawPtr 0x00000000
There is a real way this could happen in addition to the way i forced it to
happen, the real way is:
(you're really low on memory)
you call NS_NewXULDocument for the first time
nsXULDocument* doc = new nsXULDocument();
succeeds
if (NS_FAILED(rv = doc->Init())) {
Init fails.
NS_RELEASE(doc);
Crash.
There are probably other ways this can fail. but I felt brendan would appreciate
a legitimate sequence.
Attachment #106276 -
Flags: superreview?(brendan)
Attachment #106276 -
Flags: review?(ben)
Comment 2•22 years ago
|
||
timeless, what was the fake (not 'legitimate') way that you made the crash happen?
/be
Comment 3•22 years ago
|
||
Comment on attachment 106276 [details] [diff] [review]
check mDocumentURL for null before trying to remove it from the hash
sr=brendan@mozilla.org
/be
Attachment #106276 -
Flags: superreview?(brendan) → superreview+
const C=Components.classes, I=Components.interfaces;
and one of the following:
var o; for (a in C) if (!/dom|box/i.test(a)) try {o=C[a].getService(); for (i in
I) o instanceof I[i];} catch (e) {}
var o; for (a in C) if (!/dom|box/i.test(a)) try {o=C[a].createInstance(); for
(i in I) o instanceof I[i];} catch (e) {}
I don't remember which variation i was using at the time (and it doesn't
matter). it's also possible i didn't have the dom|box exclusion (which is
designed to save me from hundreds of asserts). I didn't want to have a
discussion about the legitimacy of my method. There's almost always a real way
for the crashes that I've triggered to happen.
Status: NEW → ASSIGNED
Comment 5•22 years ago
|
||
Timeless: cool, keep it up. We should regression test such loops regularly.
Cc'ing pschwartau.
/be
Comment 6•22 years ago
|
||
I think we really need to initialize mDocumentURL to null in the constructor as
well.
Comment 7•22 years ago
|
||
Comment on attachment 106276 [details] [diff] [review]
check mDocumentURL for null before trying to remove it from the hash
r=dbradley
Ugh, I was looking at nsDocument and not nsXULDocument
Attachment #106276 -
Flags: review?(ben) → review+
checked in
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 9•22 years ago
|
||
I am still crashing in the current xpcshell on the loops in Comment #4.
Should we re-open this bug? Or are those tests too 'artificial'?
WINNT STACK TRACE
nsGenericFactory::GetHelperForLanguage(nsGenericFactory * const 0x02cb67f4,
unsigned int 2, nsISupports * * 0x0012d868) line 110 + 6 bytes
XPCWrappedNative::GatherProtoScriptableCreateInfo(nsIClassInfo * 0x02cb67f4,
XPCNativeScriptableCreateInfo * 0x0012d9e4) line 565 + 38 bytes
XPCWrappedNative::GatherScriptableCreateInfo(nsISupports * 0x02cb67f0,
nsIClassInfo * 0x02cb67f4, XPCNativeScriptableCreateInfo * 0x0012d9e4,
XPCNativeScriptableCreateInfo * 0x0012d9d8) line 597 + 13 bytes
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x02cb67f0,
XPCWrappedNativeScope * 0x00a6d4b0, XPCNativeInterface * 0x00a4c1f0,
XPCWrappedNative * * 0x0012da1c) line 281 + 61 bytes
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...},
nsIXPConnectJSObjectHolder * * 0x0012db68, nsISupports * 0x02cb67f0, const nsID
* 0x0012db8c, JSObject * 0x0104d950, unsigned int * 0x0012dadc) line 1059 + 30
bytes
nsXPConnect::WrapNative(nsXPConnect * const 0x00a49630, JSContext * 0x00a5a860,
JSObject * 0x0104d950, nsISupports * 0x02cb67f0, const nsID & {...},
nsIXPConnectJSObjectHolder * * 0x0012db68) line 565 + 29 bytes
nsJSCID::GetService(nsJSCID * const 0x02cb6a90, nsISupports * * 0x0012dd4c) line
886 + 57 bytes
XPTC_InvokeByIndex(nsISupports * 0x02cb6a90, unsigned int 11, unsigned int 1,
nsXPTCVariant * 0x0012dd4c) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2016 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x00a5a860, JSObject * 0x0104d950, unsigned int 0,
long * 0x00c30e28, long * 0x0012e028) line 1283 + 14 bytes
js_Invoke(JSContext * 0x00a5a860, unsigned int 0, unsigned int 0) line 839 + 23
bytes
js_Interpret(JSContext * 0x00a5a860, long * 0x0012fe50) line 2803 + 15 bytes
js_Execute(JSContext * 0x00a5a860, JSObject * 0x00c864c0, JSScript * 0x00a74b20,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fe50) line 1020 + 13
bytes
JS_ExecuteScript(JSContext * 0x00a5a860, JSObject * 0x00c864c0, JSScript *
0x00a74b20, long * 0x0012fe50) line 3277 + 25 bytes
Process(JSContext * 0x00a5a860, JSObject * 0x00c864c0, char * 0x00000000, _iobuf
* 0x1025a828 __iob) line 517 + 22 bytes
ProcessArgs(JSContext * 0x00a5a860, JSObject * 0x00c864c0, char * * 0x00a14524,
int 0) line 655 + 33 bytes
main(int 0, char * * 0x00a14524) line 912 + 21 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77f1b9ea()
Function at crashpoint:
NS_IMETHODIMP nsGenericFactory::GetHelperForLanguage(PRUint32 language,
nsISupports **helper)
{
if (mInfo->mGetLanguageHelperProc) <<<--------------------- CRASHED HERE
return mInfo->mGetLanguageHelperProc(language, helper);
*helper = nsnull;
return NS_OK;
}
At crashpoint, |mInfo| = 0x00000000
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: shrir → xptoolkit.widgets
You need to log in
before you can comment on or make changes to this bug.
Description
•