Closed Bug 180217 Opened 22 years ago Closed 22 years ago

nsXULDocument::~nsXULDocument will crash if mDocumentURL is null

Component: Core :: XUL (defect)
Platform: x86, Windows 2000
Severity: critical
Status: RESOLVED FIXED
Reporter: timeless, Assigned: timeless
Keywords: crash
Attachments: 1 file

nsXULPrototypeCache::nsIURIKey::HashCode() line 135 + 21 bytes
nsHashtable::Remove(nsHashKey * 0x0012e1e8) line 322 + 11 bytes
nsSupportsHashtable::Remove(nsHashKey * 0x0012e1e8, nsISupports * * 0x00000000)
line 984 + 12 bytes
nsXULPrototypeCache::RemoveFromFastLoadSet(nsXULPrototypeCache * const
0x016df390, nsIURI * 0x00000000) line 631
nsXULDocument::~nsXULDocument() line 533
nsXULDocument::`scalar deleting destructor'() + 15 bytes
nsXULDocument::Release(nsXULDocument * const 0x01d4c3f0) line 575 + 186 bytes
XPCWrappedNative::~XPCWrappedNative() line 547 + 18 bytes
XPCWrappedNative::`scalar deleting destructor'(unsigned int 1) + 15 bytes
XPCWrappedNative::Release(XPCWrappedNative * const 0x01d4d6a0) line 777 + 147 bytes
XPCWrappedNative::FlatJSObjectFinalized(JSContext * 0x004f4e70, JSObject *
0x0141f310) line 897
XPC_WN_NoHelper_Finalize(JSContext * 0x004f4e70, JSObject * 0x0141f310) line 630
js_FinalizeObject(JSContext * 0x004f4e70, JSObject * 0x0141f310) line 1840 + 96
bytes
js_GC(JSContext * 0x004f4e70, unsigned int 5) line 1311 + 11 bytes

-	mDocumentURL	{...}
+	mRawPtr	0x00000000

There is a real way this could happen in addition to the way I forced it to
happen. The real way is:
(you're really low on memory)
you call NS_NewXULDocument for the first time
    nsXULDocument* doc = new nsXULDocument();
succeeds
    if (NS_FAILED(rv = doc->Init())) {
Init fails.
        NS_RELEASE(doc);
Crash.

There are probably other ways this can fail, but I felt brendan would appreciate
a legitimate sequence.
Attachment #106276 - Flags: superreview?(brendan)
Attachment #106276 - Flags: review?(ben)
Severity: normal → critical
Keywords: crash
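The sequence above (allocate, Init fails under memory pressure, NS_RELEASE runs the destructor on a half-initialised object) reduced to a stand-alone C++ model, as an added example; this is not Mozilla's code. Uri, FastLoadSet and XulDocument are stand-ins for nsIURI, the prototype cache's fast-load set and nsXULDocument, and the failInit flag simulates the low-memory Init failure.

```cpp
#include <cstddef>
#include <functional>
#include <set>
#include <string>

// Stand-in for nsIURI; only the hash matters here.
struct Uri {
    std::string spec;
    std::size_t HashCode() const { return std::hash<std::string>{}(spec); }
};

// Stand-in for nsXULPrototypeCache's fast-load set, keyed by URI hash.
// Like nsIURIKey::HashCode() in the first stack trace, Remove() dereferences
// its argument, so passing a null Uri* is exactly the reported crash.
struct FastLoadSet {
    std::set<std::size_t> keys;
    void Remove(const Uri* uri) { keys.erase(uri->HashCode()); }
    std::size_t Size() const { return keys.size(); }
};

struct XulDocument {
    FastLoadSet* cache;
    const Uri* documentUrl;  // mDocumentURL: only set once Init() succeeds

    // Initialise the member explicitly, so a failed Init() leaves a known null.
    explicit XulDocument(FastLoadSet* c) : cache(c), documentUrl(nullptr) {}

    // failInit models Init() failing before the URL is assigned.
    bool Init(const Uri* url, bool failInit) {
        if (failInit) return false;
        documentUrl = url;
        cache->keys.insert(url->HashCode());
        return true;
    }

    // The fix: check for null before touching the hash.
    ~XulDocument() { if (documentUrl) cache->Remove(documentUrl); }
};

// Mirrors NS_NewXULDocument: allocate, Init, release on failure.
// Returns nullptr on failure (the destructor has run with a null URL).
XulDocument* NewXulDocument(FastLoadSet& cache, const Uri* url, bool failInit) {
    XulDocument* doc = new XulDocument(&cache);
    if (!doc->Init(url, failInit)) { delete doc; return nullptr; }  // NS_RELEASE(doc)
    return doc;
}
```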
timeless, what was the fake (not 'legitimate') way that you made the crash happen?

/be
Comment on attachment 106276 [details] [diff] [review]
check mDocumentURL for null before trying to remove it from the hash

sr=brendan@mozilla.org

/be
Attachment #106276 - Flags: superreview?(brendan) → superreview+
const C=Components.classes, I=Components.interfaces;

and one of the following:

    var o;
    for (a in C) if (!/dom|box/i.test(a))  // dom|box exclusion: avoids hundreds of asserts
      try { o = C[a].getService(); for (i in I) o instanceof I[i]; } catch (e) {}

    var o;
    for (a in C) if (!/dom|box/i.test(a))
      try { o = C[a].createInstance(); for (i in I) o instanceof I[i]; } catch (e) {}

I don't remember which variation I was using at the time (and it doesn't
matter). It's also possible I didn't have the dom|box exclusion (which is
designed to save me from hundreds of asserts). I didn't want to have a
discussion about the legitimacy of my method. There's almost always a real way
for the crashes that I've triggered to happen.
Status: NEW → ASSIGNED
Timeless: cool, keep it up.  We should regression test such loops regularly. 
Cc'ing pschwartau.

/be
I think we really need to initialize mDocumentURL to null in the constructor as
well.
Comment on attachment 106276 [details] [diff] [review]
check mDocumentURL for null before trying to remove it from the hash

r=dbradley

Ugh, I was looking at nsDocument and not nsXULDocument
Attachment #106276 - Flags: review?(ben) → review+
checked in
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
I am still crashing in the current xpcshell on the loops in Comment #4.
Should we re-open this bug? Or are those tests too 'artificial'? 


WINNT STACK TRACE
nsGenericFactory::GetHelperForLanguage(nsGenericFactory * const 0x02cb67f4, 
unsigned int 2, nsISupports * * 0x0012d868) line 110 + 6 bytes
XPCWrappedNative::GatherProtoScriptableCreateInfo(nsIClassInfo * 0x02cb67f4, 
XPCNativeScriptableCreateInfo * 0x0012d9e4) line 565 + 38 bytes
XPCWrappedNative::GatherScriptableCreateInfo(nsISupports * 0x02cb67f0, 
nsIClassInfo * 0x02cb67f4, XPCNativeScriptableCreateInfo * 0x0012d9e4, 
XPCNativeScriptableCreateInfo * 0x0012d9d8) line 597 + 13 bytes
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x02cb67f0, 
XPCWrappedNativeScope * 0x00a6d4b0, XPCNativeInterface * 0x00a4c1f0, 
XPCWrappedNative * * 0x0012da1c) line 281 + 61 bytes
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...}, 
nsIXPConnectJSObjectHolder * * 0x0012db68, nsISupports * 0x02cb67f0, const nsID 
* 0x0012db8c, JSObject * 0x0104d950, unsigned int * 0x0012dadc) line 1059 + 30 
bytes
nsXPConnect::WrapNative(nsXPConnect * const 0x00a49630, JSContext * 0x00a5a860, 
JSObject * 0x0104d950, nsISupports * 0x02cb67f0, const nsID & {...}, 
nsIXPConnectJSObjectHolder * * 0x0012db68) line 565 + 29 bytes
nsJSCID::GetService(nsJSCID * const 0x02cb6a90, nsISupports * * 0x0012dd4c) line 
886 + 57 bytes
XPTC_InvokeByIndex(nsISupports * 0x02cb6a90, unsigned int 11, unsigned int 1, 
nsXPTCVariant * 0x0012dd4c) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 2016 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x00a5a860, JSObject * 0x0104d950, unsigned int 0, 
long * 0x00c30e28, long * 0x0012e028) line 1283 + 14 bytes
js_Invoke(JSContext * 0x00a5a860, unsigned int 0, unsigned int 0) line 839 + 23 
bytes
js_Interpret(JSContext * 0x00a5a860, long * 0x0012fe50) line 2803 + 15 bytes
js_Execute(JSContext * 0x00a5a860, JSObject * 0x00c864c0, JSScript * 0x00a74b20, 
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012fe50) line 1020 + 13 
bytes
JS_ExecuteScript(JSContext * 0x00a5a860, JSObject * 0x00c864c0, JSScript * 
0x00a74b20, long * 0x0012fe50) line 3277 + 25 bytes
Process(JSContext * 0x00a5a860, JSObject * 0x00c864c0, char * 0x00000000, _iobuf 
* 0x1025a828 __iob) line 517 + 22 bytes
ProcessArgs(JSContext * 0x00a5a860, JSObject * 0x00c864c0, char * * 0x00a14524, 
int 0) line 655 + 33 bytes
main(int 0, char * * 0x00a14524) line 912 + 21 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77f1b9ea()


Function at crashpoint:

NS_IMETHODIMP nsGenericFactory::GetHelperForLanguage(PRUint32 language,
                                                     nsISupports **helper)
{
    if (mInfo->mGetLanguageHelperProc)  // <<<--------------------- CRASHED HERE
        return mInfo->mGetLanguageHelperProc(language, helper);
    *helper = nsnull;
    return NS_OK;
}


At crashpoint, |mInfo| = 0x00000000
Blocks: 181491
Blocks: 181494
Blocks: 181496
Blocks: 181498
Blocks: 181500
Blocks: 181503
Blocks: 181505
Blocks: 181507
Blocks: 181509
Blocks: 181512
No longer blocks: 181512
No longer blocks: 181509
No longer blocks: 181507
No longer blocks: 181505
No longer blocks: 181500
No longer blocks: 181498
No longer blocks: 181496
No longer blocks: 181494
No longer blocks: 181503
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: shrir → xptoolkit.widgets