Closed Bug 289292 Opened 20 years ago Closed 20 years ago

[FIXr]crash while loading the page [@ nsContentList::IsContentAnonymous]

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: ludovic, Assigned: bzbarsky)

References

(
URL
)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files, 2 obsolete files)

win2k3 stack trace from 20050404 debug
2.44 KB, text/plain
Details
Testcase, zipped
5.84 KB, application/zip
Details
Fix the hangs
15.68 KB, patch
sicking
: review+
jst
: superreview+
chofmann
: approval1.8b2+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+

Firefox frequently crash or freeze while loading
http://www.phoenixjp.net/news/fr/. This bug has been present for approximately 2
months (maybe more, I don't remember) in the trunk builds. It should load the
page whithout crashing or freezing. 

Sometimes the page load well, sometimes I have to retry 5 or more times to
succesfully load it.

When it freezes, I have to kill Firefox's process in the task manager.

Reproducible: Sometimes

Steps to Reproduce:
1. Navigate to http://www.phoenixjp.net/news/fr
Actual Results:  
Firefox crash or freeze while opening the page

Expected Results:  
Open the page without crashing or hanging

Error when it crashes :

FIREFOX.EXE - Application Error

The instruction at "0x..." referenced memory at "0x...". The memory could not be
"read".

Click on OK to terminate the program
Click on CANCEL to debug the program
Version: unspecified → Trunk
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050406
Firefox/1.0+

Crashed for me on second load, new profile.

TB4884417Z
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050321
Firefox/1.0.2
Doesn't crash with ff v1.02
+kw regression
Keywords: regression
Another talkback id TB4884560W
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b) Gecko/20050119 Firefox/1.0+
Crashes in this (old) version too.
Note: 
I get many (10+) assertions (see the attachment) before the crash in my debug
build. 
The stack in attachment 179843 [details] is from the crash and not from the assertion
above and the crash is different from the Talkback stacks.

BTW: it's not the best idea to confirm such a bug in FF:General. 
Moving to layout...
Assignee: firefox → nobody
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
got some one-liners and one longer Talkback:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB4887509E

found it not crashing if JS was disabled.

working: 1.8a Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a) Gecko/20040418

crashing: BuildId 2004062123, 2004081709
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a2) Gecko/20040621
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a3) Gecko/20040817 Talkback:TB4887509E
crashing: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a1) Gecko/20040520-09

Timeframe for regression:
1.8a  2004041809 working
1.8a1 2004052009 crashing

was looking shortly into http://archive.mozilla.org/pub/mozilla/nightly/, seems
all 1.8 based nightlys are deleted (didn´t check all)
Seeing this on current Linux debug build, so am changing OS to 'All'.

I get lots of
 
###!!! ASSERTION: Shallow unbind won't clear document and binding parent on
kids!: 'aDeep || (!GetCurrentDoc() && !GetBindingParent())', file
/home/clfenwi/moz/mozilla/content/base/src/nsGenericElement.cpp, line 1872

before 

Program ./mozilla-bin (pid = 23298) received signal 11.

subsequent bt matches stacktrace in comment 5.
OS: Windows XP → All
Summary: crash while loading the page → crash while loading the page [@ nsContentList::IsContentAnonymous]
Attached file Testcase, zipped 
Ok, this is sort of a minimal testcase.
- Unzip testcase
- Open the file named "U RL.htm"
Result: crash
Assignee: nobody → general
Component: Layout → DOM: Load and Save
Keywords: testcase
QA Contact: layout → ian
Attached patch Patch (obsolete) — Splinter Review 
So the problem is that the site calls document.load() a bunch of times in a row
on the same document (in a loop).  This starts of multiple loads, which then
race to complete, all parsing into the same document.  They clobber each
other's content in the document (via SetRootContent), which causes nodes to be
removed from the document (refs to them dropped) without UnbindFromTree being
called on them and without relevant nsIDocumentObserver notifications
happening.  The result is that content lists that think they're up to date are
holding pointers to deleted nodes; if they try to operate on them, they crash.

What should be done if document.load() is called on an XML document that's in
the middle of a load is an interesting question.  I see three options:

1)  Ignore the load() call.
2)  Throw an exception.
3)  Cancel the existing load and start the new one.

Option 2 would break the page in the URL bar, as far as I can tell.  Option 1
seems wrong in general.  So I went with option 3.
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #180194 - Flags: superreview?(jst)
Attachment #180194 - Flags: review?(bugmail)
Priority: -- → P1
Summary: crash while loading the page [@ nsContentList::IsContentAnonymous] → [FIX]crash while loading the page [@ nsContentList::IsContentAnonymous]
Target Milestone: --- → mozilla1.8beta2
I'm not too exited about the inserted loadlistener. Is it just needed for the
<parseerror> stuff? Couldn't we get hold of the sink instead and tell it to back
off from the document?
Oh, and is this really xml specific?
> Is it just needed for the <parseerror> stuff?

Yes.

> Couldn't we get hold of the sink instead and tell it to back off from the
> document?

Maybe... I don't see a general way to do it, short of storing a pointer to the
sink like the HTML document does.  Perhaps we do want to just do that; we may
need it later anyway to flush when we start doing incremental XML.

> Oh, and is this really xml specific?

So far, yes (can't call Load() on other document classes).  document.open/write
has a similar effect, but is sync and writing into a currently-being-parsed
document has well-defined behavior (open() is ignored, write() inserts into the
parse stream).


Yeah, I think adding a pointer to the sink is something we should do. Not sure
even then how to tell the sink to back off though, is it enough to call cancle
and set some flag indicating that it shouldn't create the <parseerror> stuff? Or
is there a risk that there will be a few more OnDataAvailable calls from the
stream even though it's cancled?

An alternative solution might be to let the sink detect that the load was
cancled and then not insert the parseerror?
> is it enough to call cancle and set some flag indicating that it shouldn't
> create the <parseerror> stuff?

Yes.

> Or is there a risk that there will be a few more OnDataAvailable calls from
> the stream even though it's cancled?

If someone mis-implemented a necko channel, yes.  But then there's risk of it
completely ignoring cancel() too... ;)

> An alternative solution might be to let the sink detect that the load was
> cancled and then not insert the parseerror?

That's a thought.  I wonder what happens if I hit the stop button while we're
parsing XML... Let me check on that.
Attached patch Without a listener (obsolete) — Splinter Review 
Summary of changes:

1)  Push mParser up from nsHTMLDocument to nsDocument.
2)  Terminate the parser in nsXMLDocument if we're reset while we have a
pending
    channel.
3)  Fix nsParser::Terminate to work even if called before any data has been
    parsed.

The change in nsDocument to where UnbindFromTree is called is just to make it
match the nsIContent documentation better.
Attachment #180194 - Attachment is obsolete: true
Attachment #180376 - Flags: superreview?(jst)
Attachment #180376 - Flags: review?(bugmail)
Attachment #180194 - Attachment is obsolete: false
Attachment #180194 - Flags: superreview?(jst)
Attachment #180194 - Flags: review?(bugmail)
Comment on attachment 180376 [details] [diff] [review]
Without a listener

I take it calling terminate on the parser before cancling the stream is what
stops us from creating the parseerror?

r=me if i got that part right :)
Attachment #180376 - Flags: review?(bugmail) → review+
Yep, exactly.  That Terminate() call shuts down expat on the stream (if we've
started parsing already) and makes sure we don't call into expat when we get the
OnStopRequest from necko.
Comment on attachment 180376 [details] [diff] [review]
Without a listener

This causes some nice hangs...
Attachment #180376 - Flags: superreview?(jst) → superreview-
Attached patch Fix the hangsSplinter Review 
Jonas, the only difference is that this removes the mParser member of
nsHTMLDocument in addition to adding an mParser to nsDocument... ;)
Attachment #180194 - Attachment is obsolete: true
Attachment #180376 - Attachment is obsolete: true
Attachment #180453 - Flags: superreview?(jst)
Attachment #180453 - Flags: review?(bugmail)
Comment on attachment 180453 [details] [diff] [review]
Fix the hangs

sr=jst
Attachment #180453 - Flags: superreview?(jst) → superreview+
Summary: [FIX]crash while loading the page [@ nsContentList::IsContentAnonymous] → [FIXr]crash while loading the page [@ nsContentList::IsContentAnonymous]
Comment on attachment 180453 [details] [diff] [review]
Fix the hangs

I think this is reasonably safe, for the sort of change it is, and this fixes
crashes/hangs by making sure we don't access deleted DOM nodes...
Attachment #180453 - Flags: approval1.8b2?
Comment on attachment 180453 [details] [diff] [review]
Fix the hangs

a=chofmann
Attachment #180453 - Flags: approval1.8b2? → approval1.8b2+
Fixed
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsContentList::IsContentAnonymous]
Component: DOM: Other → DOM
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: