Closed
Bug 297311
Opened 20 years ago
Closed 20 years ago
consistent crash when trying to call xmlDocument.replaceChild(newChild, xmlDocument.documentElement) on XML document rendered in a frame
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: martin.honnen, Assigned: peterv)
References
()
Details
(Keywords: crash, regression, testcase)
Attachments
(1 file)
|
848 bytes,
patch
|
bzbarsky
:
review+
bzbarsky
:
superreview+
asa
:
approval1.8b3+
|
Details | Diff | Splinter Review |
Latest Firefox trunk nightly build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050609 Firefox/1.0+) crashes with alert "R6025-pure virtual function call" when the button in the upper frame of the test case at <http://home.arcor.de/martin.honnen/mozillaBugs/domLevel2/replaceContentInFrameDoc.html> is pressed. That test case consists of a HTML frameset with a HTML page in the upper frame and an example XML document in the lower frame. Pressing the button in the upper frame calls DOM Core script that tries to replace the document element in the XML document with a newly created node. While this does not do what I want (show the new content) with the 1.7 branch it does not crash there while the crash on the trunk happens consistently. Unfortunately talkback does not come up, just the alert "pure virtual function call" so I cannot provide a stack for the test case. However while trying to develop the test case I crashed with talkback incident <http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=6553527>
|
Reporter | |
Comment 1•20 years ago
|
||
The talkback points to http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/base/src/nsGenericElement.cpp&mark=1929&rev=#1929 which was a change by Boris so adding him to CC.
|
||
Comment 2•20 years ago
|
||
Huh. That's really odd... I won't be able to really look into this until I get back in July. If people can give me a regression range I can maybe try to code-analyze the problem...
|
|
Reporter | |
Comment 3•20 years ago
|
||
(In reply to comment #2) > If people > can give me a regression range I can maybe try to code-analyze the problem... Firefox Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050525 Firefox/1.0+ crashes. Firefox Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050430 Firefox/1.0+ crashes. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050330 crashes. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050304 crashes. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050226 crashes. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050214 does not crash. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050208 does not crash. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050130 does not crash. Mozilla Suite Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050106 does not crash.
bug 286000 played with this function. Incident ID: 6553527 Stack Signature nsGenericElement::UnbindFromTree d4118cd2 Product ID FirefoxTrunk Build ID 2005060906 Trigger Time 2005-06-10 07:01:20.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module firefox.exe + (00167b69) URL visited User Comments DOM scripting: calling replaceChild on an XML document rendered in a frame to replace the documentElement node with a new node. Since Last Crash 155 sec Total Uptime 155 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1929 Stack Trace nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1929] nsXBLBinding::ChangeDocument [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xbl/src/nsXBLBinding.cpp, line 928] nsBindingManager::ChangeDocumentFor [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/xbl/src/nsBindingManager.cpp, line 421] nsGenericElement::UnbindFromTree [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 1900] nsDocument::ReplaceChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 3474] XPTC_InvokeByIndex [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102] XPCWrappedNative::CallMethod [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2105] XPC_WN_CallMethod [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1348] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1178] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3469] js_Execute [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1409] obj_eval [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1140] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1178] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3469] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1198] js_Interpret [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3469] js_Invoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1198] js_InternalInvoke [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1275] JS_CallFunctionValue [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 3862] nsJSContext::CallEventHandler [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1396] nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/dom/src/events/nsJSEventListener.cpp, line 184] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1568] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventListenerManager.cpp, line 1669] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 2123] nsHTMLInputElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1382] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6324] PresShell::HandleEventWithTarget [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6229] nsEventStateManager::CheckForAndDispatchClick [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 2928] nsEventStateManager::PostHandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp, line 1958] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6395] PresShell::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 6167] nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2502] nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2224] HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1173] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 5801] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 6047] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1351] USER32.dll + 0x8734 (0x77d18734) USER32.dll + 0x8816 (0x77d18816) USER32.dll + 0x89cd (0x77d189cd) USER32.dll + 0x8a10 (0x77d18a10) nsAppShell::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159] nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 145] main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61] kernel32.dll + 0x16d4f (0x7c816d4f)
|
||
Comment 5•20 years ago
|
||
Doesn't crash with 2005-02-2504 Mozilla build. Crashes with 2005-02-28 Mozilla build. Since Martin mentions it crashes in 2005-02-26 Mozilla build: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-02-25+04%3A00%3A00&maxdate=2005-02-26+09%3A00%3A00&cvsroot=%2Fcvsroot
|
|
||
Comment 6•20 years ago
|
||
So based on the stack and the regression range, this looks like a regression from the XBL binding deCOMtamination in bug 194834 (nsIXBLBinding removal). I'm guessing that the problem is that the binding dies when we take it out of the old document's binding table. If nothing else, we should be holding a strong ref at http://lxr.mozilla.org/seamonkey/source/content/xbl/src/nsBindingManager.cpp#418 (using an nsRefPtr<nsXBLBinding> instead of an nsXBLBinding*). Could someone test whether that helps, please?
|
Assignee | |
Comment 7•20 years ago
|
||
Yeah, that works. I get assertions in layout (initial containing block already created: 'nsnull == mInitialContainingBlock', ...) but no crash. I looked at other places where we call SetBinding, I think this is the only one that needs this change.
|
|
Assignee | |
Updated•20 years ago
|
Assignee: general → peterv
Status: NEW → ASSIGNED
Attachment #185936 -
Flags: superreview?(bzbarsky)
Attachment #185936 -
Flags: review?(bzbarsky)
|
|
||
Comment 8•20 years ago
|
||
Comment on attachment 185936 [details] [diff] [review] v1 r+sr=bzbarsky. Please file a followup bug on the layout asserts and cc me on that?
Attachment #185936 -
Flags: superreview?(bzbarsky)
Attachment #185936 -
Flags: superreview+
Attachment #185936 -
Flags: review?(bzbarsky)
Attachment #185936 -
Flags: review+
|
|
Assignee | |
Comment 9•20 years ago
|
||
Comment on attachment 185936 [details] [diff] [review] v1 Simple fix for a crash.
Attachment #185936 -
Flags: approval1.8b3?
|
||
Updated•20 years ago
|
Attachment #185936 -
Flags: approval1.8b3? → approval1.8b3+
|
|
Assignee | |
Updated•20 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Flags: blocking1.8b3?
Resolution: --- → FIXED
|
|
Assignee | |
Comment 10•20 years ago
|
||
Bug 297644 filed on the assertions.
|
|
Reporter | |
Comment 11•20 years ago
|
||
Verifying that the crash does no longer occur with Firefox Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050615 Firefox/1.0+. I will file a separate bug that the replaced content is not displayed.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•