239572 - M17beta crash in [@ GetDocumentFromScriptContext] XMLEXTRAS.DLL when killing loading popup

Status: VERIFIED FIXED

(Core :: XML, defect)

Description

[Hermann Schwab]

User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040316
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040316

If seen crashes in xmlextras.html for some time, but now found an URL were I
could reproduce it. Original code is invalid and ugly, I´ll attach a testcase.

Reproducible: Always
Steps to Reproduce:
1.enable Javascript, Popups, loading of images
2.http://www.terravista.pt/mussulo/1978/Biography.html
3. When a popup starts to load, kill it using the top right [x]

Actual Results:  
As long as the popup was showing empty while loading, Mozilla crashed, if I
closed it. When it didn´t crash, I just did a reload, and tried again.

Expected Results:  
not crash

Comment 1

[Hermann Schwab]

Attachment: testcase kill popup while loading -> crash

testcase, be sure to have loading of images, popups and Javascript enabled.
Load testcase
When Popup opens, close it before it starts to show something,
crash after some seconds.

Talkback from testcase, crashed on second try: 

TB11668G

Talkbacks from the original URL:
TB11512G, TB11505Q, TB11504Y, TB11502H, TB11501M

crashes also on current nightly

Comment 2

[Rene Pronk]

WFM, Mozilla 1.7b and Mozilla 20040401 WinXP.

The best I could get was an assertion which I got only once in my 1.7b debug build:

###!!! ASSERTION: OnStopDecode called multiple times.: '!(mState &
onStopDecode)', file e:/mozilla/d
ebug/mozilla/modules/libpr0n/src/imgRequest.cpp, line 517

Comment 3

[Hermann Schwab]

regressed between working BuildID 2004031008 and crashing BuildID 2004031619

code of the testcase:
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>Bug239572</TITLE>
<script language="JavaScript">
if (navigator.appName.indexOf("Netscape")!=-1)
{
window.open("http://www.terravista.pt/meco/ad/ad.asp?param=" +
top.window.location.href
,"Pub","width=480,height=60,resizable=no,scrollbars=no,menubar=no,toolbar=no,directories=no,location=no,status=no");

}
else
{
window.open("http://www.terravista.pt/meco/ad/ad.asp?param=" +
top.window.location.href
,"Pub","width=470,height=60,resizable=no,scrollbars=no,menubar=no,toolbar=no,directories=no,location=no,status=no");
}
</script>
</HEAD>
<BODY TEXT="#000000" LINK="#0000ff" VLINK="#800080"
background="http://www.mozilla.org/images/mozilla-banner.gif">
</BODY>
</HTML>

I had have a background in the body, I assume otherwise the popup was loading
too fast to close it near the start of loading.
To reproduce the bug, you must have Javascript, images and popups enabled, and I
assume, also a fairly slow connection (ISDN) and a slow computer?
If you don´t succeed on the testcase, try the original URL.
It contains bigger images, and some invalid code.

the URLs loaded from Javascript:
http://www.terravista.pt/meco/ad/ad.asp?param=http://www.terravista.pt/mussulo/1978/Biography.html
http://www.terravista.pt/meco/ad/ad.asp?param=http://bugzilla.mozilla.org/attachment.cgi?id=145412&action=view

text/html, Quirks mode, ISO-8859-1 

Comment 4

[Hermann Schwab]

http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-03-10+08%3A00&maxdate=2004-03-16+19%3A00&cvsroot=%2Fcvsroot

2004-03-16 14:00 Bug 237685 - make xmlextras not point to green.nscp. Not part
of build.

2004-03-15 22:34 Bug 237319. Adding support for server push of XML documents to
an XMLHttpRequest using "multipart/x-mixed-replace".

Comment 5

[Hermann Schwab]

Regression, working BuildID 2004031508, crashing 2004031608 

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040316
tested on an Athlon XP1600, DSL, Win98SE

http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-03-15+08%3A00&maxdate=2004-03-16+08%3A00&cvsroot=%2Fcvsroot

2004-03-15 22:34	jst%mozilla.jstenback.com 	
mozilla/ extensions/ xmlextras/ base/ src/ nsXMLHttpRequest.h
mozilla/ extensions/ xmlextras/ base/ src/ nsXMLHttpRequest.cpp
mozilla/ extensions/ xmlextras/ base/ src/ nsLoadListenerProxy.cpp
mozilla/ extensions/ xmlextras/ base/ public/ nsIXMLHttpRequest.idl

Bug 237319 Add support for server push using multipart/x-mixed-replace with
XMLHttpRequest.

Comment 6

[Jay Patel [:jay]]

This is a topcrash with Mozilla 1.7 beta:

     Count   Offset    Real Signature
[ 14   GetDocumentFromScriptContext 182a0d18 - GetDocumentFromScriptContext ]
[ 9   GetDocumentFromScriptContext 60de5baf - GetDocumentFromScriptContext ]
 
     Crash date range: 01-APR-04 to 31-MAR-04
     Min/Max Seconds since last crash: 45 - 372537
     Min/Max Runtime: 4961 - 517724
 
     Count   Platform List 
     9   [Windows NT 5.1 build 2600]   
     9   [Windows 98 4.10 build 67766222]   
     4   [Windows NT 5.0 build 2195]   
     1   [Windows 98 4.90 build 73010104]   
 
     Count   Build Id List 
     23   2004031615
 
     No of Unique Users        14
 
 Stack trace(Frame) 

	 GetDocumentFromScriptContext
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp
 line 250] 
	 nsXMLHttpRequest::GetBaseURI
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp
 line 711] 
	 nsXMLHttpRequest::OnStartRequest
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp
 line 1164] 
	 nsHttpChannel::CallOnStartRequest
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
 line 638] 
	 nsHttpChannel::OnStartRequest
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
 line 3328] 
	 nsInputStreamPump::OnStateStart
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp
 line 381] 
	 nsInputStreamPump::OnInputStreamReady
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp
 line 343] 
	 nsInputStreamReadyEvent::EventHandler
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/io/nsStreamUtils.cpp
 line 119] 
	 PL_HandleEvent
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/threads/plevent.c
 line 672] 
	 PL_ProcessPendingEvents
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/threads/plevent.c
 line 610] 
	 nsEventQueueImpl::ProcessPendingEvents
[c:/builds/tinderbox/Mozilla1.7b/WINNT_5.0_Clobber/mozilla/xpcom/threads/nsEventQueue.cpp
 line 395]  
 
     (11682)	URL: http://bugzilla.mozilla.org/attachment.cgi?id=145412&action=view
     (11682)	Comments: Bug 239572 crash in XMLEXTRAS.DLL when killing loading
popup 	    was loadin tescase above  crash when closing the still loading popup
     (11668)	URL: http://www.terravista.pt/mussulo/1978/Biography.html
     (11668)	Comments: Bug 239572 testcase   loaded testcase  closed popup  ok.
 Did a reload  closed popup before it did show something  crash after some seconds.
     (11665)	URL: http://www.brezen.cz
     (11512)	URL: http://www.terravista.pt/mussulo/1978/Biography.html
     (11512)	Comments: http://www.terravista.pt/mussulo/1978/Biography.html   
This website starts a popup:  http://setemares.terravista.pt/   Killing this
popup when it starts loading crashes Mozilla.  See Talkbacks 11495Z .. TB11505Q
     (11505)	URL: http://www.terravista.pt/mussulo/1978/Biography.html
     (11504)	URL: http://www.terravista.pt/mussulo/1978/Biography.html
     (11504)	Comments: http://www.terravista.pt/mussulo/1978/Biography.html   
going to this URL openes a popup  and if you kill it before it has loaded 
Mozilla crashes:  TB11491Y  TB11495Z  TB11501M  TB11502H
     (11502)	URL: http://bugzilla.mozilla.org/attachment.cgi?id=139119&action=view
     (11502)	Comments: killing a popup
     (11501)	URL: http://bugzilla.mozilla.org/attachment.cgi?id=139119&action=view
     (11501)	Comments: opened groupmark with links from TB11491Y and TB11495Z
and killed a popup before it even loaded  crashed some seconds later.    Maybe
this URL called the popup  the complete list of URLS is in the other reports. 
     (11501)	Comments:  http://www.terravista.pt/mussulo/1978/Biography.html
     (11495)	URL: http://bugzilla.mozilla.org/attachment.cgi?id=139119&action=view
     (11495)	Comments: Followup to TB11491Y    Opened
http://www.heise.de/newsticker/meldung/46268 in 1st tab  and from there opened
some links which together produced TB11491Y one after another  this time waiting
untill it has loaded  before proceeding to the next.  No crash
     (11495)	Comments:  this way  so I closed all tabs besides the first  and
from there again opened the links  this time as fast as i Could  not waiting
until it had loaded. When the popup came up  i killed it.  After some seconds 
crash  and talkback came up.    1st URL 
     (11495)	Comments:  holding the others: 
http://www.heise.de/newsticker/meldung/46268    the others from the 6th
paragraph of the text:  *** Bleiben wir bei der Musik und wenden uns von Ice
Vanilla  Bowie und Queen der leidenden deutschen Musikindustrie zu  die in ihrer Not
     (11495)	Comments:  das Kriegsbeil ausgegraben hat. Wer nicht versteht  dass
wieder einmal der zyklische Wechsel der Musikformate abl??uft  muss wohl
kriminell werden und den Zorn rechtschaffen(d)er Fans aushalten. Ach  das waren
noch sch??ne Zeiten  als sich vor 30 Jahren
     (11495)	Comments:  Abba aufmachte  die Welt zu betr??llern. ??brigens gegen
den Widerstand besagter Industrie  die Waterloo ablehnte. Was ist von einer
Industrie zu halten  die es nicht schafft  den heute sich j??hrenden Todestag
von Arthur Russell zu begehen  einem der
     (11495)	Comments:  wichtigsten Musiker des ausgelaufenen Jahrhunderts  der
in vielen Welten zu Hause war? Wie sang noch Frau von Kappelhoff  die Jubilarin:
Que sera  sera? -- the future is not ours to see.   
http://www.heise.de/newsticker/meldung/46115/ 
     (11495)	Comments:  http://www.taz.de/pt/2004/04/01/a0248.nf/text 
http://www.heise.de/newsticker/meldung/46159/ 
http://www.taz.de/pt/2004/04/03/a0314.nf/text 
http://www.lyrics007.com/Abba%20Lyrics/Waterloo%20(German%20version)%20Lyrics.html 
     (11495)	Comments:  http://www.terravista.pt/mussulo/1978/Biography.html 
http://www.pitchforkmedia.com/record-reviews/r/russell_arthur/world-of.shtml 
http://www.heute.t-online.de/ZDFheute/artikel/11/0 1367 MAG-0-2116363 00.html  
     (11491)	URL: http://bugzilla.mozilla.org/attachment.cgi?id=139119&action=view
     (11491)	Comments: there are a lot of links in this article: 
http://www.heise.de/newsticker/meldung/46268    and when I opened some in the
middle  Mozila reproducible crashed. I had this crash in XMLEXTRAS.DLL seen some
more times  but now I could reproduce it using
     (11491)	Comments:  Mozilla 1.7b with Talkback. First crash was with current
nightly.    Links I opened:  http://www.heise.de/newsticker/meldung/46115/ 
http://www.taz.de/pt/2004/04/01/a0248.nf/text 
http://www.heise.de/newsticker/meldung/46159/ 
     (11491)	Comments:  http://www.taz.de/pt/2004/04/03/a0314.nf/text 
http://www.lyrics007.com/Abba%20Lyrics/Waterloo%20(German%20version)%20Lyrics.html
 http://www.terravista.pt/mussulo/1978/Biography.html 
     (11491)	Comments: 
http://www.pitchforkmedia.com/record-reviews/r/russell_arthur/world-of.shtml 
http://www.heute.t-online.de/ZDFheute/artikel/11/0 1367 MAG-0-2116363 00.html  
 I opened all of these links loading in the background  killed one popup  and
after half a
     (11491)	Comments:  minute  crash.  IA'll look further which of these links
is crashing.
     (9753)	Comments: I unblocked a popup window for a site  closed the site
window and re-opened it.  Upon loading the site and popup it crashed.
     (8596)	Comments: Open Javascript Debugger and changed my mind.  Crashed
when I tried to close it.
     (7037)	URL: http://www.brezen.cz
     (7017)	URL: www.cnn.com
     (6357)	URL:
http://forums.shareaza.com//newthread.php?s=&action=newthread&forumid=2
     (6357)	Comments: Typing a small tutorial and using the DownloadWith
plugin's config screen for reference.


I personally have not been able to reproduce with either MozillaTrunk 2004040413
or Mozilla 1.7 beta  on Windows XP.

Comment 7

[Andrew Schultz]

==> XML

"NEW" bugs in Browser-General aren't very useful.

Comment 8

[chris hofmann]

maybe sicking can help here too...

Comment 9

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Attachment: hopefully the fix

I can't reproduce the crash (i might be sitting on a too fast line), so i can't
verify that this actually fixes it. However looking at the stack and the code
it looks like the problem is calling CallQueryInterface on a nullpointer.

Comment 10

[Johnny Stenback (:jst)]

Comment on attachment 145516 [details] [diff] [review]
hopefully the fix

Yeah, this looks like the fix for this crash, and even if it doesn't fix this
crash, it's the right thing to do.

r+sr=jst

Requesting approval.

Comment 11

[chris hofmann]

Comment on attachment 145516 [details] [diff] [review]
hopefully the fix

a=chofmann for 1.7

Comment 12

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

checked in.

Hermann: Could you please try tomorrows nighly and see if the problem is fixed
there. If you still can reproduce it please reopen this bug, otherwise go ahead
and mark it verified.

Comment 13

[Hermann Schwab]

verified BuildID 2004040610 (Creature)
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7b) Gecko/20040406