185073 - mozilla crashes when accessing to http://www.kccommunications.com/index.asp [@ nsGenericElement::HasMutationListeners]

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[penne296]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

http://www.kccommunications.com/index.asp crashes mozilla 

Reproducible: Always

Steps to Reproduce:
1.go to http://www.kccommunications.com/index.asp
2.
3.

Actual Results:  
crash

Expected Results:  
display a web page

Comment 1

[Jason Bassford]

Confirming with Mozilla trunk build 2002121204 under XP.

Comment 2

[Frederic Bezies]

Sent talkback for this crash : see TB15019499G

Comment 3

[Nicholas Allen]

I could not get this to crash with a debug build 121203 cvs trunk Win2k.  An
optimized build w/ symbols from 1207 trunk did crash.  Stack:

nsGenericElement::HasMutationListeners(nsIContent * 0x0256f020, unsigned int
0x00000002) line 3328
nsGenericContainerElement::AppendChildTo(nsGenericContainerElement * const
0x0256f020, nsIContent * 0x02a472c0, int 0x00000000, int 0x00000000) line 3936 +
8 bytes
HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x0012f830, const
nsIParserNode & {...}) line 5645
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x029f9cf8, const nsIParserNode
& {...}) line 3626
CNavDTD::AddLeaf(CNavDTD * const 0x0012f830, const nsIParserNode * 0x02948810)
line 3750 + 13 bytes
CNavDTD::HandleScriptToken(CNavDTD * const 0x0012f830, const nsIParserNode *
0x02948810) line 2256
CNavDTD::OpenContainer(CNavDTD * const 0x0012f830, const nsCParserNode *
0x02948810, nsHTMLTag eHTMLTag_unknown, int 0x00000001, nsEntryStack *
0x00000000) line 3404 + 10 bytes
CNavDTD::HandleDefaultStartToken(CNavDTD * const 0x0012f830, CToken *
0x02945838, nsHTMLTag eHTMLTag_a, nsCParserNode * 0x02948810) line 1349
CNavDTD::HandleStartToken(CNavDTD * const 0x0012f830, CToken * 0x00000054) line
1752 + 14 bytes
CNavDTD::HandleToken(CNavDTD * const 0x024987e8, CToken * 0x00000054, nsIParser
* 0x0297f620) line 908 + 8 bytes
CNavDTD::BuildModel(CNavDTD * const 0x024a9ac0, nsIParser * 0x0297f620,
nsITokenizer * 0x024a9ac0, nsITokenObserver * 0x00000000, nsIContentSink *
0x029f9cf8) line 521 + 10 bytes
nsParser::BuildModel(nsParser * const 0x0012f830) line 1911
nsParser::ResumeParse(nsParser * const 0x0012f830, int 0x00000001, int
0x00000000, int 0x00000001) line 1773 + 7 bytes
nsParser::OnDataAvailable(nsParser * const 0x000005b4, nsIRequest * 0x029a36d8,
nsISupports * 0x00000000, nsIInputStream * 0x025e2d80, unsigned int 0x000065a2,
unsigned int 0x000005b4) line 2407 + 13 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x02539830,
nsIRequest * 0x029a36d8, nsISupports * 0x00000000, nsIInputStream * 0x025e2d80,
unsigned int 0x000065a2, unsigned int 0x000005b4) line 246
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x025e2d80,
nsIRequest * 0x029a36d8, nsISupports * 0x00000000, nsIInputStream * 0x00000000,
unsigned int 0x000065a2, unsigned int 0x000005b4) line 97 + 24 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x029a36dc, nsIRequest *
0x02985294, nsISupports * 0x00000000, nsIInputStream * 0x028fcf54, unsigned int
0x000065a2, unsigned int 0x000005b4) line 3088
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x0012f830)
line 195 + 24 bytes
PL_HandleEvent(PLEvent * 0x02a4bd1c) line 645
PL_ProcessPendingEvents(PLEventQueue * 0x10030cdb) line 574 + 6 bytes
_md_EventReceiverProc(HWND__ * 0x00fb9ea0, unsigned int 0x00402057, unsigned int
0x00f97108, long 0x00000000) line 1336
nsAppShellService::Run(nsAppShellService * const 0x00f97108) line 472
main1(int 0x00000000, char * * 0x1004c0f8 const  nsObserverService::`vftable',
nsISupports * 0x00000000) line 1541 + 9 bytes
main(int 0x00000001, char * * 0x002a3c00) line 1902 + 27 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x0013332f,
HINSTANCE__ * 0x00400000) line 1924 + 23 bytes
MOZILLA! WinMainCRTStartup + 308 bytes
KERNEL32! 77ea847c()

Comment 4

[JAV]

WFM - Build ID: 2002121215 (Mozilla 1.3a) WinXP sp1

Talkback report captured at 17-12-2002 09:20 and sent, see TB15188301M

Comment 5

[Markus Hübner]

crashing using trunk build 2002121808 on win-xp pro,sp1
TB 15278122Q

Comment 6

[Andrew Schultz]

Attachment: testcase

testcase crashes linux trunk 20021218

 <font>
    <div id="updateText">
       <script language=javascript type=text/javascript>
	  document.write('</div>');
	  document.getElementById("updateText").innerHTML = "foo";
       </script>
    </div>
 </font>

Comment 7

[Harshal Pradhan]

This is not exactly a parser bug. Its a use-after-delete in
nsHTMLContentSink::ProcessFrameTag(). I hope 'DOM Other' is the right component
for HTML ContentSink bugs.

We dont keep a strong ref to the parent element of a newly created script
element while we are the process of creating and inserting it into the document.
This means that the script can do something that causes the parent element to be
removed from the document and to make it to go away, while the script element is
still being processed. It looks like the right thing to do here is simply hold
on to the parent till we are done attempting to insert the script element into
the content tree.

(BTW, Andrew, thanks for the nice reduced testcase that illustrates exactly what
is happening.)

Comment 8

[Harshal Pradhan]

Attachment: straightforward use of an nsCOMPtr instead of a raw pointer

Comment 9

[Johnny Stenback (:jst)]

Comment on attachment 110694 [details] [diff] [review]
straightforward use of an nsCOMPtr instead of a raw pointer

sr=jst, but please add a comment explaining this just before the declaration of
parent.

Comment 10

[Olivier Cahagne]

can you check testcase for bug 188474 ? I got nearly to the same testcase.

Comment 11

[Harshal Pradhan]

Checked in.

Comment 12

[Jesse Ruderman]

Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1