Closed Bug 240592 Opened 20 years ago Closed 15 years ago

crash when script element inserted into DOM that removes its parent [@ nsGenericElement::InsertChildAt ]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: webmaster, Unassigned)

References

(
URL
)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files, 1 obsolete file)

minimal XSL file
439 bytes, application/xml
Details
testcase
148 bytes, application/xml
Details
Crash testcase, no XSLT
431 bytes, text/html
Details
Along these lines
4.82 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Build Identifier: 

Each time I try and load the page http://www.elitefx.com/firefox_bugs/order.xml 
it crashes. Works fine in IE. Says there is a memory access violation each time 
is loaded in Firefox on Windows 2000 Pro.

Reproducible: Always
Steps to Reproduce:
1. Open the page through Firefox in Windows 2000 Pro
2.
3.

Actual Results:  
The page crashed and could only be closed or debugged.

Expected Results:  
The software should of generated an xml product list that displays images using 
javascript from an xsl file.

Application error - Memory cannot be "read"

=================

about:buildconfig

Build platform
target
i586-pc-msvc

Build tools
Compiler 	Version 	Compiler flags
$(CYGWIN_WRAPPER) cl 	12.00.8804 for 80x86 	-TC -nologo -W3 -nologo -Gy -
Fd$(PDBFILE)
$(CYGWIN_WRAPPER) cl 	12.00.8804 for 80x86 	-TP -nologo -W3 -nologo -Gy -
Fd$(PDBFILE)

Configure arguments
--disable-tests --disable-debug --enable-optimize --disable-shared --enable-
static --enable-crypto --disable-composer --disable-ldap --disable-mailnews --
disable-profilesharing --enable-extensions=cookie,xml-
rpc,xmlextras,p3p,pref,transformiix,universalchardet,typeaheadfind,webservices,i
nspector --enable-static --disable-shared
Same thing happens in Mozilla 1.6, so I guess it will probably happen in all
Mozilla based products.
Same think with my linux build
So OS -> All ?
(In reply to comment #2)
> Same think with my linux build
> So OS -> All ?

I also noticed that if the javascript function is reference from a file rather
than having in all in the xsl file, the page loads up blank. I guess the whole
area of using javascript with xsl is not been fully implemented just yet.
Severity: normal → critical
Keywords: crash
Not Firefox specific, confirming using 2004041408/trunk/W2K -> TB19696M, TB19695W
-> NEW, Browser
Assignee: firefox → general
Status: UNCONFIRMED → NEW
Component: General → Browser-General
Ever confirmed: true
Keywords: talkbackid
Product: Firefox → Browser
QA Contact: general
Whiteboard: TB19696M, TB19695W
Version: unspecified → Trunk
Adam, please do NOT confirm layout bugs in browser-general and without minimal
testcases!  That's the best way to make sure no one ever looks at the bug again.

When I load that page in a debug build, I get:

WARNING: NS_ENSURE_TRUE(aContainer) failed, file
/home/bzbarsky/mozilla/xlib/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 2115
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file
/home/bzbarsky/mozilla/xlib/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1995
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file
/home/bzbarsky/mozilla/xlib/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 2115
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed, file
/home/bzbarsky/mozilla/xlib/mozilla/content/html/document/src/nsHTMLDocument.cpp,
line 2170
JavaScript error: , line 0: uncaught exception: [Exception... "Component
returned failure code: 0x80004003 (NS_ERROR_INVALID_POINTER)
[nsIDOMNSHTMLDocument.writeln]"  nsresult: "0x80004003
(NS_ERROR_INVALID_POINTER)"  location: "JS frame ::
http://www.elitefx.com/firefox_bugs/order.xml :: show_image :: line 18"  data: no]

Then I crash:

#0  0x413c2856 in nsGenericElement::InsertChildAt(nsIContent*, unsigned, int, int) (
    this=0x8897a60, aKid=0x8897b80, aIndex=0, aNotify=1, aDeepSetDocument=1)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsGenericElement.cpp:2490
#1  0x413c3702 in nsGenericElement::doInsertBefore(nsIContent*, nsIDOMNode*,
nsIDOMNode*, nsIDOMNode**) (aElement=0x8897a60, aNewChild=0x8897ba0, aRefChild=0x0, 
    aReturn=0xbfffe630)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsGenericElement.cpp:2817
#2  0x4139ad23 in nsGenericElement::AppendChild(nsIDOMNode*, nsIDOMNode**) (
    this=0x8897a60, aNewChild=0x8897ba0, aReturn=0xbfffe630) at
nsGenericElement.h:498
#3  0x414e3ab9 in nsHTMLTableCellElement::AppendChild(nsIDOMNode*, nsIDOMNode**) (
    this=0x8897a60, aNewChild=0x8897ba0, aReturn=0xbfffe630)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/html/content/src/nsHTMLTableCellElement.cpp:64
#4  0x429985de in txMozillaXMLOutput::endElement(nsAString const&, int)
(this=0x8396088, 
    aName=@0xbfffe720, aNsID=0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp:298
#5  0x42966a70 in txEndElement::execute(txExecutionState&) (this=0x86276f0, 
    aEs=@0xbfffe850)
    at
/home/bzbarsky/mozilla/xlib/mozilla/extensions/transformiix/source/xslt/txInstructions.cpp:484
#6  0x4298ba72 in txXSLTProcessor::execute(txExecutionState&) (aEs=@0xbfffe850)
    at
/home/bzbarsky/mozilla/xlib/mozilla/extensions/transformiix/source/xslt/txXSLTProcessor.cpp:98
#7  0x4299fd51 in txMozillaXSLTProcessor::DoTransform() (this=0x883c7b0)
    at
/home/bzbarsky/mozilla/xlib/mozilla/extensions/transformiix/source/xslt/txMozillaXSLTProcessor.cpp:375
#8  0x429a0e23 in txMozillaXSLTProcessor::setStylesheet(txStylesheet*)
(this=0x883c7b0, 
    aStylesheet=0x883c920)
    at
/home/bzbarsky/mozilla/xlib/mozilla/extensions/transformiix/source/xslt/txMozillaXSLTProcessor.cpp:667
#9  0x4298f0d2 in txCompileObserver::onDoneCompiling(txStylesheetCompiler*,
unsigned, unsigned short const*, unsigned short const*) (this=0x883af60,
aCompiler=0x883c818, 
    aResult=0, aErrorText=0x0, aParam=0x0)


(gdb) frame 0
#0  0x413c2856 in nsGenericElement::InsertChildAt(nsIContent*, unsigned, int, int) (
    this=0x8897a60, aKid=0x8897b80, aIndex=0, aNotify=1, aDeepSetDocument=1)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsGenericElement.cpp:2490
2490            mDocument->ContentAppended(this, aIndex);
(gdb) p mDocument
$1 = (class nsIDocument *) 0x0

The relevant code is:

2486   if (mDocument) {
2487     aKid->SetDocument(mDocument, aDeepSetDocument, PR_TRUE);
2488     if (aNotify) {
2489       if (isAppend) {
2490         mDocument->ContentAppended(this, aIndex);
2491       } else {
2492         mDocument->ContentInserted(this, aKid, aIndex);
2493       }

The problem is that the script executes during that SetDocument() call onthe
child.  This is not a problem in AppendChildTo when coming from the sink,
because there the sink will set the kid's mDocument up front and when we
SetParent the script will execute.

In any case, I assume that the script removes this node from the tree, so
mDocument becomes null.  We probably need to re-null-check mDocument after the
SetDocument() call here.... (and I'd say similarly in AppendChildTo).

That said, I'm not sure what those errors up front are about....
Assignee: general → general
Component: Browser-General → DOM
OS: Windows 2000 → All
QA Contact: general → ian
Hardware: PC → All
Attached file XSL file (obsolete) — 

    
  

        Attachment #146253 -
        Attachment mime type: application/xml → text/xsl

    
    

    
  

      
      
      
      

        Attached file
          
        minimal XSL file
      

    


  

        Attachment #146253 -
        Attachment is obsolete: true

    
  

        Attachment #146254 -
        Attachment mime type: text/xsl → application/xml

    
    

    
  

      
      
      
      

        Attached file
          
        testcase
      

    


  

    
    

    
  
Boris: Could you test, if minimal tescase is still crashing same way?
BTW 1.7b is crashing on this too.
Keywords: testcase

    
    

    
  
Oh, that's cute.  That explains all the warnings, then.  The problem is that
document.writeln is called, but the document is not loading as far as it knows
(no parser, since it's generated by XSLT!) so that calls document.open() and
wipes out the entire document (as it should, if this were being called in an
already-loaded document).  Then the crash ensues, of course.

So in addition to doing the bullet-proofing in nsGenericElement, we should
consider ways of not having this document clobber itself in this circumstance. 
Or just not support document.write/document.writeln in XSLT-generated documents.

sicking, thoughts?

    
    

    
  
document.write is currently not supported for XSLT documents. Most of the time
there are alternatives though, such as using .innerHTML.

*** This bug has been marked as a duplicate of 202765 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE

    
    

    
  
Reopening.  You can reproduce this crash without document.write and XSLT, if
desired; see what I said in comment 5.  The XSLT issue is totally incidental. 
This is why I left the bug in the DOM component.

Nice quirks-mode HTML testcase with no hint of XML or XSLT coming up.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: crash when loading a xml document that has javascript in the xsl stylesheet → crash when script element inserted into DOM that removes its parent

    
    

    
  
So bug 202765 can focus on not clobbering the document, I guess, but this bug
still needs to be fixed in the DOM code as I outlined in comment 5.

    
    

    
  


  
I'm not quite happy with this.	See the XXX comments.

    
    

    
  
In my mind, the only really correct way to handle this is to make sure the
script does not execute till after the ContentAppended/ContentInserted
notifications (and probably the DOM events) have fired.  Otherwise document
observers will just be confused (content being removed that was never in the DOM
as far as they're concerned, etc).

Perhaps one way to do that is to move the ContentAppended/ContentInserted firing
inside BindToTree() (which we then need).  That way we could ensure that we're
properly inserted before firing and all.

    
    

    
  
(no entry for both incidents, removing them)
Keywords: talkbackid
Whiteboard: TB19696M, TB19695W

    
    

    
  
*** Bug 257650 has been marked as a duplicate of this bug. ***

    
  
Summary: crash when script element inserted into DOM that removes its parent → crash when script element inserted into DOM that removes its parent [@ nsGenericElement::InsertChildAt ]

    
    

    
  
*** Bug 266888 has been marked as a duplicate of this bug. ***

    
    

    
  
Might it that this bug has been resolved? None of the testcases crashes for me
anymore with a current trunk build.

    
    

    
  
The patch to bug 27382 made it so that we get the document pointer up front in
this function instead of using mDocument throughout.  That prevents this exact
crash, but it still delivers a ContentAppended notification for a node that has
already been removed.  I bet I can write a more complicated testcase involving a
content list that will crash (because it will be holding a weak ptr to a node
that has already been destroyed).

The underlying problem is still here, as described in comment 5 and comment 16.

    
    

    
  
*** Bug 279612 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 293633 has been marked as a duplicate of this bug. ***

    
    

    
  
Testcases WFM using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060601 Minefield/3.0a1 ID:2006060105 [cairo]

    
    

    
  
Ronald, see comment 21.
Assignee: general → nobody
QA Contact: ian → general

    
    

    
  
This might just be worksforme now, if scripts can no longer run sync from under BindToTree, right?

    
    

    
  
Yeah, I can't think of any case anymore where scripts can run under BindToTree
Status: REOPENED → RESOLVED
Closed: 20 years ago15 years ago
Resolution: --- → WORKSFORME

    
  
See Also:  → https://launchpad.net/bugs/9375
Crash Signature: [@ nsGenericElement::InsertChildAt ]
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: