Closed Bug 307707 Opened 19 years ago Closed 15 years ago

DOM L3 xpath Crash in nsStringBuffer::Realloc()

Product/Component: Core :: DOM: Core & HTML
Type: defect
Version: 1.8 Branch
Hardware: x86
OS: Linux
Priority: Not set
Severity: major
Status: RESOLVED WORKSFORME
Reporter: bc
Assignee: Unassigned
Keywords: crash
Attachments: 1 file

Found this in FF 1.4/2005-09-08-05/Linux running the DOM TS with mime type
image/svg+xml and loader svgplugin.

TBID 9172290

ld-linux.so.2 + 0x7a2 (0x004307a2)
libc.so.6 + 0x29149 (0x00dcd149)
libc.so.6 + 0x5b27a (0x00dff27a)
libc.so.6 + 0x63712 (0x00e07712)
libc.so.6 + 0x645d6 (0x00e085d6)
nsStringBuffer::Realloc() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/string/src/nsSubstring.cpp,
line 224]
nsCSubstring::MutatePrep() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/string/src/nsSubstring.cpp,
line 117]
nsCSubstring::SetCapacity() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/string/src/nsSubstring.cpp,
line 517]
nsCSubstring::SetLength() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/string/src/nsSubstring.cpp,
line 551]
nsStandardURL::BuildNormalizedSpec() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsStandardURL.cpp,
line 91]
nsStandardURL::SetSpec() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsStandardURL.cpp,
line 1101]
nsStandardURL::Init() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsStandardURL.cpp,
line 2548]
NewURI() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/protocol/http/src/nsHttpHandler.cpp,
line 130]
nsIOService::NewURI() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsIOService.cpp,
line 848]
nsContentUtils::NewURIWithDocumentCharset() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/base/src/nsContentUtils.cpp,
line 122]
nsGenericHTMLElement::GetHrefURIForAnchors() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/content/src/nsGenericHTMLElement.cpp,
line 842]
nsStyleUtil::IsHTMLLink() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/style/nsStyleUtil.cpp,
line 830]
RuleProcessorData::RuleProcessorData() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/style/nsCSSStyleSheet.cpp,
line 2711]
nsStyleSet::ResolveStyleFor() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/style/nsStyleSet.cpp,
line 108]
nsCSSFrameConstructor::ResolveStyleContext() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 6739]
nsCSSFrameConstructor::ConstructFrame() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 919]
nsCSSFrameConstructor::ContentAppended() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/base/nsCSSFrameConstructor.cpp,
line 8539]
PresShell::ContentAppended() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/layout/base/nsPresShell.cpp,
line 5472]
nsDocument::ContentAppended() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/base/src/nsDocument.cpp,
line 61]
HTMLContentSink::NotifyAppend() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 3884]
SinkContext::FlushTags() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1675]
HTMLContentSink::CloseBody() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 2662]
CNavDTD::CloseBody() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 2997]
CNavDTD::CloseContainer() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 3299]
CNavDTD::CloseContainersTo() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 3362]
CNavDTD::CloseContainersTo() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 3548]
CNavDTD::DidBuildModel() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/CNavDTD.cpp,
line 576]
nsParser::DidBuildModel() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 842]
nsParser::ResumeParse() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 2053]
nsParser::OnStopRequest() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/parser/htmlparser/src/nsParser.cpp,
line 2723]
nsDocumentOpenInfo::OnStopRequest() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/uriloader/base/nsURILoader.cpp,
line 189]
nsStreamListenerTee::OnStopRequest() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsStreamListenerTee.cpp,
line 66]
nsHttpChannel::OnStopRequest() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 1149]
nsInputStreamPump::OnStateStop() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 1149]
nsInputStreamPump::OnInputStreamReady() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 343]
nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c,
line 689]
PL_ProcessPendingEvents() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c,
line 623]
nsEventQueueImpl::ProcessPendingEvents() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/nsEventQueue.cpp,
line 423]
event_processor_callback() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsAppShell.cpp,
line 67]
libglib-2.0.so.0 + 0x47907 (0x0066f907)
libglib-2.0.so.0 + 0x2374b (0x0064b74b)
libglib-2.0.so.0 + 0x251d2 (0x0064d1d2)
libglib-2.0.so.0 + 0x2547f (0x0064d47f)
libgtk-x11-2.0.so.0 + 0x10a6a7 (0x040df6a7)
nsAppShell::Run() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/widget/src/gtk2/nsAppShell.cpp,
line 141]
nsAppStartup::Run() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp,
line 146]
XRE_main() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/toolkit/xre/nsAppRunner.cpp,
line 2339]
main() 
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 62]
libc.so.6 + 0x14e23 (0x00db8e23)
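
How a trace in this layout can be reduced to the frame named in the bug summary, as an added example that is not part of the original report or of Mozilla's tooling: it rejoins the wrapped frames, separates unsymbolized library frames from symbolized ones, and returns the first symbolized frame. The names `parse_frames` and `crash_signature` are hypothetical; the embedded trace is an excerpt of frames copied from this report.

```python
import re

# Excerpt of the Talkback trace in this report (frames copied from the page).
TRACE = """\
libc.so.6 + 0x63712 (0x00e07712)
libc.so.6 + 0x645d6 (0x00e085d6)
nsStringBuffer::Realloc()
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/string/src/nsSubstring.cpp,
line 224]
nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent()
[/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/xpcom/threads/plevent.c,
line 689]
"""

RAW = re.compile(r"^(\S+) \+ (0x[0-9a-fA-F]+) \((0x[0-9a-fA-F]+)\)$")
SYM = re.compile(r"^(\S+\(\))(?: \[(.+), line (\d+)\])?$")

def parse_frames(text):
    """Rejoin wrapped frames, then classify each as raw (module+offset) or symbolized."""
    joined = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if joined and (line.startswith("[") or line.startswith("line ")):
            joined[-1] += " " + line  # continuation of the previous frame
        else:
            joined.append(line)
    frames = []
    for entry in joined:
        raw, sym = RAW.match(entry), SYM.match(entry)
        if raw:
            frames.append({"module": raw[1], "offset": int(raw[2], 16), "func": None})
        elif sym:
            # Drop the build-machine prefix so paths compare across builds.
            path = sym[2].split("/mozilla/", 1)[-1] if sym[2] else None
            frames.append({"module": None, "func": sym[1], "file": path,
                           "line": int(sym[3]) if sym[3] else None})
        else:
            raise ValueError(f"unrecognised frame: {entry!r}")
    return frames

def crash_signature(frames):
    """First symbolized frame, plus the library modules of the frames above it."""
    for i, frame in enumerate(frames):
        if frame["func"]:
            libs = [f["module"] for f in frames[:i]]
            return frame["func"], frame["file"], frame["line"], libs
    return None
```
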
Summary: DOM L3 xpath Crash in nsStringBuffer::Realloc() → DOM L3 xpath Crash in nsStringBuffer::Realloc()
Have just had crash TB30877127Y on a Win98 box with fx 2.0.0.3.
I suspect the same code is used in both Linux and Windows versions... can you confirm if I am indeed hitting this bug?
Assignee: general → nobody
QA Contact: ian → general
bc, can you retest this with a newer version of Firefox, or explain the steps in more detail so I can test it?
Whiteboard: [needs retesting - bc]
Attached file dom ts crashes
I couldn't reproduce the original crash, but could get a number of crashes related to freeing memory in debug linux 1.9.0, 1.9.1, 1.9.2, 1.9.3. Opt builds didn't crash. So far I can't reproduce on Mac OS X. I haven't been able to do Windows yet.

The attachment contains a list of lines of the form

branch,debug,linux,url,exit status time to crash.

Simply load each URL and let it run.
jst, see comment 3.
These crashes may not be real. Investigating...
Whiteboard: [needs retesting - bc]
For reference, you can run the tests individually following the links from http://test.bclary.com/tests/w3.org/2001/DOM-Test-Suite/testlist.html
I think the original crash is wfm. The other issues I was seeing are due to centos5.4 glibc issues with MALLOC_CHECK_=2. Marking wfm. I'll do a clean DOM TS and file any issues in new bugs.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML