Closed Bug 192373 Opened 22 years ago Closed 21 years ago

Crash with document.replaceChild and cloneNode on document.lastChild (documentElement )

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: dhtmlkitchen, Assigned: jst)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021212
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.3a) Gecko/20021212

Date/Time:  2003-02-08 01:14:12 -0500
OS Version: 10.2.2 (Build 6F21)
Host:       Garrett-Smiths-Computer.local.

Command:    Mozilla
PID:        415

Exception:  EXC_BAD_INSTRUCTION (0x0002)
Code[0]:    0x00000002Code[1]:    0x019c7114

Thread 0 Crashed:
 #0   0x019c7114 in 0x19c7114
 #1   0x01515168 in StyleSetImpl::ResolveStyleFor(nsIPresContext *, nsIContent *)
 #2   0x01e14670 in ResolveStyleContextFor__13nsPresContextFP10nsIContentP15nsISty
 #3   0x01f4d0f8 in ReResolveStyleContext__12FrameManagerFP14nsIPresContextP8nsIFr
 #4   0x01f4d340 in ReResolveStyleContext__12FrameManagerFP14nsIPresContextP8nsIFr
 #5   0x01f4d340 in ReResolveStyleContext__12FrameManagerFP14nsIPresContextP8nsIFr
 #6   0x01f4d540 in ComputeStyleChangeFor__12FrameManagerFP14nsIPresContextP8nsIFr
 #7   0x01e27a44 in PresShell::ReconstructStyleData(int)
 #8   0x01e27c7c in PresShell::StyleSheetRemoved(nsIDocument *, nsIStyleSheet *)
 #9   0x01505cc4 in nsDocument::RemoveStyleSheet(nsIStyleSheet *)
 #10  0x01818624 in 0x1818624
 #11  0x01628f74 in nsHTMLLinkElement::SetDocument(nsIDocument *, int, int)
 #12  0x0169d50c in SetDocumentInChildrenOf__16nsGenericElementFP10nsIContentP11ns
 #13  0x0169d890 in nsGenericElement::SetDocument(nsIDocument *, int, int)
 #14  0x015b5960 in nsGenericHTMLElement::SetDocument(nsIDocument *, int, int)
 #15  0x0169d50c in SetDocumentInChildrenOf__16nsGenericElementFP10nsIContentP11ns
 #16  0x0169d890 in nsGenericElement::SetDocument(nsIDocument *, int, int)
 #17  0x015b5960 in nsGenericHTMLElement::SetDocument(nsIDocument *, int, int)
 #18  0x0150d944 in ReplaceChild__10nsDocumentFP10nsIDOMNodeP10nsIDOMNodePP10nsIDO
 #19  0x015301c0 in ReplaceChild__14nsHTMLDocumentFP10nsIDOMNodeP10nsIDOMNodePP10n
 #20  0x0029e71c in XPTC_InvokeByIndex
 #21  0x0029e610 in XPTC_InvokeByIndex
 #22  0x02fafa5c in 0x2fafa5c
 #23  0x02fb618c in XPC_WN_CallMethod(JSContext *, JSObject *, unsigned int,
long *, long *)
 #24  0x013e6190 in js_Invoke
 #25  0x013ee248 in 0x13ee248
 #26  0x013e6684 in js_Execute
 #27  0x013c6c7c in JS_EvaluateUCScriptForPrincipals
 #28  0x01a53324 in nsJSContext::EvaluateString(nsAString const &, void *,
nsIPrincipal *, char const *)
 #29  0x01def8e8 in nsJSThunk::EvaluateScript(nsIChannel *)
 #30  0x01df1cb0 in nsJSChannel::AsyncOpen(nsIStreamListener *, nsISupports *)
 #31  0x02df0140 in nsDocumentOpenInfo::Open(nsIChannel *, int, nsISupports *)
 #32  0x02df2dd0 in nsURILoader::OpenURIVia(nsIChannel *, int, nsISupports *,
unsigned int)
 #33  0x02df2bbc in nsURILoader::OpenURI(nsIChannel *, int, nsISupports *)
 #34  0x01a1f794 in nsDocShell::DoChannelLoad(nsIChannel *, nsIURILoader *)
 #35  0x01a1d9bc in DoURILoad__10nsDocShellFP6nsIURIP6nsIURIP11nsISupportsP14nsIIn
 #36  0x01a1bd6c in nsDocShell::InternalLoad(nsIURI *, nsIURI *, nsISupports *,
int, wchar_t const *,  *)
 #37  0x019fb2fc in nsDocShell::LoadURI(nsIURI *, nsIDocShellLoadInfo *,
unsigned int, int)
 #38  0x01a0af70 in LoadURI__10nsDocShellFPCwUiP6nsIURIP14nsIInputStreamP14nsIInpu
 #39  0x0029e71c in XPTC_InvokeByIndex
 #40  0x0029e610 in XPTC_InvokeByIndex
 #41  0x02fafa5c in 0x2fafa5c
 #42  0x02fb618c in XPC_WN_CallMethod(JSContext *, JSObject *, unsigned int,
long *, long *)
 #43  0x013e6190 in js_Invoke
 #44  0x013ee248 in 0x13ee248
 #45  0x013e61e8 in js_Invoke
 #46  0x013ee248 in 0x13ee248
 #47  0x013e61e8 in js_Invoke
 #48  0x013e6430 in js_InternalInvoke
 #49  0x013c6e9c in JS_CallFunctionValue
 #50  0x01a5442c in nsJSContext::CallEventHandler(void *, void *, unsigned int,
void *, int *, int)
 #51  0x01a74a6c in nsJSEventListener::HandleEvent(nsIDOMEvent *)
 #52  0x01593cc8 in HandleEventSubType__22nsEventListenerManagerFP16nsListenerStru
 #53  0x015964a4 in HandleEvent__22nsEventListene
 #54  0x017ed2b4 in HandleDOMEvent__12nsXULElementFP14nsIPresContextP7nsEventPP11n
 #55  0x01e29800 in HandleDOMEventWithTarget__9PresShellFP10nsIContentP7nsEventP13
 #56  0x01f68ad8 in MouseClicked__16nsButtonBoxFrameFP14nsIPresContextP10nsGUIEven
 #57  0x01f686d4 in nsButtonBoxFrame::HandleEvent(nsIPresContext *, nsGUIEvent *)
 #58  0x01e29698 in HandleEventInternal__9PresShellFP7nsEventP7nsIViewUiP13nsEvent
 #59  0x01e29364 in HandleEventWithTarget__9PresShellFP7nsEventP8nsIFrameP10nsICon
 #60  0x015a1930 in CheckForAndDispatchClick__19nsEventStateManagerFP14nsIPresCont
 #61  0x0159f314 in 0x159f314
 #62  0x01e296dc in HandleEventInternal__9PresShellFP7nsEventP7nsIViewUiP13nsEvent
 #63  0x01e2926c in PresShell::HandleEvent(nsIView *, nsGUIEvent *, nsEventStatus *)
 #64  0x02e3a180 in nsViewManager::HandleEvent(nsView *, nsGUIEvent *, int)
 #65  0x02e2f71c in nsView::HandleEvent(nsViewManager *, nsGUIEvent *, int)
 #66  0x02e39270 in 0x2e39270
 #67  0x02e2ede8 in HandleEvent(nsGUIEvent *)
 #68  0x02e7ddd0 in nsWindow::DispatchEvent(nsGUIEvent *, nsEventStatus &)
 #69  0x02e7deac in nsWindow::DispatchWindowEvent(nsGUIEvent &)
 #70  0x02e7e010 in nsWindow::DispatchMouseEvent(nsMouseEvent &)
 #71  0x02e92db8 in nsMacEventHandler::HandleMouseUpEvent(EventRecord &)
 #72  0x02e910c4 in nsMacEventHandler::HandleOSEvent(EventRecord &)
 #73  0x02e8f784 in nsMacWindow::DispatchEvent(void *, int *)
 #74  0x02e97c70 in DispatchOSEventToRaptor__16nsMacMessagePumpFR11EventRecordP15O
 #75  0x02e97720 in nsMacMessagePump::DoMouseUp(EventRecord &)
 #76  0x02e969cc in nsMacMessagePump::DispatchEvent(int, EventRecord *)
 #77  0x02e967f0 in nsMacMessagePump::DoMessagePump(void)
 #78  0x02e960fc in nsAppShell::Run(void)
 #79  0x0144224c in nsAppShellService::Run(void)
 #80  0x001a41b4 in main1(int, char **, nsISupports *)
 #81  0x001a4c0c in main

Thread 1:
 #0   0x9000570c in syscall
 #1   0x90515d9c in BSD_waitevent
 #2   0x9051576c in CarbonSelectThreadFunc
 #3   0x90021308 in _pthread_body

Thread 2:
 #0   0x9003f068 in semaphore_wait_signal_trap
 #1   0x9003ee84 in _pthread_cond_wait
 #2   0x9051dda0 in CarbonOperationThreadFunc
 #3   0x90021308 in _pthread_body

Thread 3:
 #0   0x90042c48 in semaphore_timedwait_signal_trap
 #1   0x9003ee74 in _pthread_cond_wait
 #2   0x90233438 in TSWaitOnSemaphoreCommon
 #3   0x9023c258 in TimerThread
 #4   0x90021308 in _pthread_body

Thread 4:
 #0   0x9003f068 in semaphore_wait_signal_trap
 #1   0x9003ee84 in _pthread_cond_wait
 #2   0x9023341c in TSWaitOnSemaphoreCommon
 #3   0x90248aec in AsyncFileThread(void*)
 #4   0x90021308 in _pthread_body

Thread 5:
 #0   0x9003f068 in semaphore_wait_signal_trap
 #1   0x9003ee84 in _pthread_cond_wait
 #2   0x90525b90 in CarbonInetOperThreadFunc
 #3   0x90021308 in _pthread_body

PPC Thread State:
  srr0: 0x019c7114 srr1: 0x0008f030                vrsave: 0x00000000
   xer: 0x00000000   lr: 0x0157cc3c  ctr: 0x019c7114   mq: 0x00000000
    r0: 0x019c7114   r1: 0xbfffb5f0   r2: 0x019c71f8   r3: 0x03fb3ee0
    r4: 0xbfffb6e0   r5: 0x03fb3ee0   r6: 0x03e65280   r7: 0x00000000
    r8: 0x019c15c4   r9: 0x00000018  r10: 0x03f8a830  r11: 0xffffffff
   r12: 0x03fb3d60  r13: 0x04159290  r14: 0x03e33d08  r15: 0x03fbc104
**********



From Mozilla 1.2:

**********

Date/Time:  2003-02-08 00:58:09 -0500
OS Version: 10.2.2 (Build 6F21)
Host:       Garrett-Smiths-Computer.local.

Command:    Mozilla
PID:        391

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0 Crashed:
 #0   0x019f0fb0 in 0x19f0fb0
 #1   0x016a0948 in StyleSetImpl::ResolveStyleFor(nsIPresContext *, nsIContent *)
 #2   0x024e4070 in ResolveStyleContextFor__13nsPresContextFP10nsIContentP15nsISty
 #3   0x0261b438 in ReResolveStyleContext__12FrameManagerFP14nsIPresContextP8nsIFr
 #4   0x0261b680 in ReResolveStyleContext__12FrameManagerFP14nsIPresContextP8nsIFr
 #5   0x0261b680 in ReResolveStyleContext__12FrameManagerFP14nsIPresContextP8nsIFr
 #6   0x0261b880 in ComputeStyleChangeFor__12FrameManagerFP14nsIPresContextP8nsIFr
 #7   0x024f7554 in PresShell::ReconstructStyleData(int)
 #8   0x024f771c in PresShell::StyleSheetRemoved(nsIDocument *, nsIStyleSheet *)
 #9   0x01691970 in nsDocument::RemoveStyleSheet(nsIStyleSheet *)
 #10  0x019a10e0 in 0x19a10e0
 #11  0x017dd630 in nsHTMLStyleElement::SetDocument(nsIDocument *, int, int)
 #12  0x018252bc in SetDocumentInChildrenOf__16nsGenericElementFP10nsIContentP11ns
 #13  0x01825640 in nsGenericElement::SetDocument(nsIDocument *, int, int)
 #14  0x0173e270 in nsGenericHTMLElement::SetDocument(nsIDocument *, int, int)
 #15  0x018252bc in SetDocumentInChildrenOf__16nsGenericElementFP10nsIContentP11ns
 #16  0x01825640 in nsGenericElement::SetDocument(nsIDocument *, int, int)
 #17  0x0173e270 in nsGenericHTMLElement::SetDocument(nsIDocument *, int, int)
 #18  0x016999bc in ReplaceChild__10nsDocumentFP10nsIDOMNodeP10nsIDOMNodePP10nsIDO
 #19  0x002a03bc in XPTC_InvokeByIndex
 #20  0x002a02b0 in XPTC_InvokeByIndex
 #21  0x0145b98c in 0x145b98c
 #22  0x01461dfc in XPC_WN_CallMethod(JSContext *, JSObject *, unsigned int,
long *, long *)
 #23  0x01375190 in js_Invoke
 #24  0x0137d248 in 0x137d248
 #25  0x01375684 in js_Execute
 #26  0x01355c8c in JS_EvaluateUCScriptForPrincipals
 #27  0x0209d304 in nsJSContext::EvaluateString(nsAString const &, void *,
nsIPrincipal *, char const *)
 #28  0x0318a8e8 in nsJSThunk::EvaluateScript(nsIChannel *)
 #29  0x0318ccb0 in nsJSChannel::AsyncOpen(nsIStreamListener *, nsISupports *)
 #30  0x013e50d0 in nsDocumentOpenInfo::Open(nsIChannel *, int, nsISupports *)
 #31  0x013e7c40 in nsURILoader::OpenURIVia(nsIChannel *, int, nsISupports *,
unsigned int)
 #32  0x013e7a2c in nsURILoader::OpenURI(nsIChannel *, int, nsISupports *)
 #33  0x02069584 in nsDocShell::DoChannelLoad(nsIChannel *, nsIURILoader *)
 #34  0x020677a0 in DoURILoad__10nsDocShellFP6nsIURIP6nsIURIP11nsISupportsP14nsIIn
 #35  0x02065bfc in nsDocShell::InternalLoad(nsIURI *, nsIURI *, nsISupports *,
int, wchar_t const *,  *)
 #36  0x020452fc in nsDocShell::LoadURI(nsIURI *, nsIDocShellLoadInfo *,
unsigned int, int)
 #37  0x02054ef8 in LoadURI__10nsDocShellFPCwUiP6nsIURIP14nsIInputStreamP14nsIInpu
 #38  0x002a03bc in XPTC_InvokeByIndex
 #39  0x002a02b0 in XPTC_InvokeByIndex
 #40  0x0145b98c in 0x145b98c
 #41  0x01461dfc in XPC_WN_CallMethod(JSContext *, JSObject *, unsigned int,
long *, long *)
 #42  0x01375190 in js_Invoke
 #43  0x0137d248 in 0x137d248
 #44  0x013751e8 in js_Invoke
 #45  0x0137d248 in 0x137d248
 #46  0x013751e8 in js_Invoke
 #47  0x01375430 in js_InternalInvoke
 #48  0x01355eac in JS_CallFunctionValue
 #49  0x0209e40c in nsJSContext::CallEventHandler(void *, void *, unsigned int,
void *, int *, int)
 #50  0x020be4cc in nsJSEventListener::HandleEvent(nsIDOMEvent *)
 #51  0x0171cdd8 in HandleEventSubType__22nsEventListenerManagerFP16nsListenerStru
 #52  0x0171f4d8 in HandleEvent__22nsEventListenerManagerFP14nsIP
 #53  0x0197636c in HandleDOMEvent__12nsXULElementFP14nsIPresContextP7nsEventPP11n
 #54  0x024f91e0 in HandleDOMEventWithTarget__9PresShellFP10nsIContentP7nsEventP13
 #55  0x02636de8 in MouseClicked__16nsButtonBoxFrameFP14nsIPresContextP10nsGUIEven
 #56  0x026369e4 in nsButtonBoxFrame::HandleEvent(nsIPresContext *, nsGUIEvent *)
 #57  0x024f906c in HandleEventInternal__9PresShellFP7nsEventP7nsIViewUiP13nsEvent
 #58  0x024f8df4 in HandleEventWithTarget__9PresShellFP7nsEventP8nsIFrameP10nsICon
 #59  0x0172a270 in CheckForAndDispatchClick__19nsEventStateManagerFP14nsIPresCont
 #60  0x01727d8c in 0x1727d8c
 #61  0x024f90b0 in HandleEventInternal__9PresShellFP7nsEventP7nsIViewUiP13nsEvent
 #62  0x024f8cfc in PresShell::HandleEvent(nsIView *, nsGUIEvent *, nsEventStatus *)
 #63  0x027b1170 in nsViewManager::HandleEvent(nsView *, nsGUIEvent *, int)
 #64  0x027a670c in nsView::HandleEvent(nsViewManager *, nsGUIEvent *, int)
 #65  0x027b0260 in 0x27b0260
 #66  0x027a5dd8 in HandleEvent(nsGUIEvent *)
 #67  0x01d03dc0 in nsWindow::DispatchEvent(nsGUIEvent *, nsEventStatus &)
 #68  0x01d03e9c in nsWindow::DispatchWindowEvent(nsGUIEvent &)
 #69  0x01d04000 in nsWindow::DispatchMouseEvent(nsMouseEvent &)
 #70  0x01d18a28 in nsMacEventHandler::HandleMouseUpEvent(EventRecord &)
 #71  0x01d16d34 in nsMacEventHandler::HandleOSEvent(EventRecord &)
 #72  0x01d153f4 in nsMacWindow::DispatchEvent(void *, int *)
 #73  0x01d1d8e0 in DispatchOSEventToRaptor__16nsMacMessagePumpFR11EventRecordP15O
 #74  0x01d1d390 in nsMacMessagePump::DoMouseUp(EventRecord &)
 #75  0x01d1c63c in nsMacMessagePump::DispatchEvent(int, EventRecord *)
 #76  0x01d1c460 in nsMacMessagePump::DoMessagePump(void)
 #77  0x01d1bd6c in nsAppShell::Run(void)
 #78  0x01cdb24c in nsAppShellService::Run(void)
 #79  0x001a42a0 in main1(int, char **, nsISupports *)
 #80  0x001a4cfc in main

Thread 1:
 #0   0x9000570c in syscall
 #1   0x90515d9c in BSD_waitevent
 #2   0x9051576c in CarbonSelectThreadFunc
 #3   0x90021308 in _pthread_body

Thread 2:
 #0   0x9003f068 in semaphore_wait_signal_trap
 #1   0x9003ee84 in _pthread_cond_wait
 #2   0x9051dda0 in CarbonOperationThreadFunc
 #3   0x90021308 in _pthread_body

Thread 3:
 #0   0x90042c48 in semaphore_timedwait_signal_trap
 #1   0x9003ee74 in _pthread_cond_wait
 #2   0x90233438 in TSWaitOnSemaphoreCommon
 #3   0x9023c258 in TimerThread
 #4   0x90021308 in _pthread_body

Thread 4:
 #0   0x9003f068 in semaphore_wait_signal_trap
 #1   0x9003ee84 in _pthread_cond_wait
 #2   0x9023341c in TSWaitOnSemaphoreCommon
 #3   0x90248aec in AsyncFileThread(void*)
 #4   0x90021308 in _pthread_body

Thread 5:
 #0   0x9003f068 in semaphore_wait_signal_trap
 #1   0x9003ee84 in _pthread_cond_wait
 #2   0x90525b90 in CarbonInetOperThreadFunc
 #3   0x90021308 in _pthread_body

PPC Thread State:
  srr0: 0x019f0fb0 srr1: 0x0000f030                vrsave: 0x00000000
   xer: 0x00000000   lr: 0x0170643c  ctr: 0x024e36c0   mq: 0x00000000
    r0: 0x00000001   r1: 0xbfffb790   r2: 0x01ab0000   r3: 0x032b92d0
    r4: 0xbfffb880   r5: 0x032b92d0   r6: 0x02b2c170   r7: 0x00000000
    r8: 0x01b39f78   r9: 0x00000018  r10: 0x00000002  r11: 0xffffffff
   r12: 0x00000000  r13: 0x0321d970  r14: 0x0324e234  r15: 0x031f6a74
   r16: 0x013d1970  r17: 0x00000000  r18: 0x031f6b20  r19: 0x0279e028
   r20: 0x00000000  r21: 0xbfffba2c  r22: 0xffffffff  r23: 0x0321f2f0
   r24: 0x030ec430  r25: 0x00000000  r26: 0x03250e40  r27: 0x03248c30
   r28: 0xbfffb84c  r29: 0x032b92d0  r30: 0x003e3fc0  r31: 0x01b138a4

**********


Reproducible: Always

Steps to Reproduce:
1. load a document
2. javascript:alert(document.replaceChild(document.lastChild.cloneNode(true),
document.lastChild))
3. crash

Actual Results:  
crash

Expected Results:  
Should alert "object HTMLHtmlDocument"

http://www.w3.org/TR/DOM-Level-2-Core/core.html#ID-785887307

Contrast with:
javascript:alert(document.documentElement.replaceChild(document.body.cloneNode(true),
document.body))

(which fails after the first time).
Worksforme, linux trunk build 2003-02-04-08.  The replacement happens, no crash
(some painting weirdness with backgrounds, but....)
Worksforme. 2003021308, Win2k. MacOS X specific, perhaps?
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.3b) Gecko/20030212

WFM in this browser. 


document.documentElement.replaceChild(document.body.cloneNode(true), document.body);

Still fails after first time, though.
Please file a separate bug on that (_especially_ if it't not crashing).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
OK.
Component: DOM: Core → DOM: Core & HTML
QA Contact: desale → general
You need to log in before you can comment on or make changes to this bug.