crash [@ nsContentIterator::NextNode] or hang [@ nsRange::PopRanges]

RESOLVED DUPLICATE of bug 335896

Status


Core
DOM
--
critical
12 years ago
4 years ago

People

(Reporter: mats, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Linux
assertion, crash, hang, regression

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 335896], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
Run StirDOM v1.8 with default parameters on the URL.
(crash occurs after: "Stir DOM 1.8: 800")

It usually crashes in nsContentIterator::NextNode but I also saw hangs on two
occasions; I investigated one in a debugger and it was in nsRange::PopRanges.
The following assertion before the crash seems related.

###!!! ASSERTION: element not in the document: 'doc', file nsChildIterator.cpp, line 62

This could be the same underlying problem as bug 335896, but that bug is
a bit old and the behaviour here is new. The reason I know this is that I run
StirDOM on this URL as part of sanity checking my own patches, so I run it
regularly and this crash did not happen a few days ago.
(The crash also occurs with older versions of StirDOM)
SeaMonkey debug build on Linux.
(Reporter)

Comment 1

12 years ago
Created attachment 227360 [details]
stack for the crash

Comment 2

> the behaviour here is new. The reason I know this is that I run
> StirDOM on this URL as part of sanity checking my own patches, so I run it
> regularly and this crash did not happen a few days ago.

It could also be that CNN changed their content. Have you re-tested with an older build?

Comment 3

11 years ago
Bug 130900, among others, deals with nsContentIterator::NextNode crashing.

Comment 4

11 years ago
Stir DOM is very sensitive to changes in the page -- the addition of a whitespace node can completely change the behavior with a given seed, since it changes what is at each allNodes index and changes the length of allNodes (used as a modulus for large random integers).

CNN uses iframes, and the crash stack matches bug 335896, so this is probably bug 335896.  If you want to be sure, save a copy of the page now, test with the local copy, and retest after bug 335896 is fixed.  Or you could make a reduced testcase (perhaps using Lithium).

*** This bug has been marked as a duplicate of 335896 ***
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Keywords: top100
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 335896] mentions stirdom
Crash Signature: [@ nsContentIterator::NextNode] [@ nsRange::PopRanges]
Group: core-security
Crash Signature: [@ nsContentIterator::NextNode] [@ nsRange::PopRanges] → [@ nsContentIterator::NextNode] [@ nsRange::PopRanges]
Whiteboard: [sg:dupe 335896] mentions stirdom → [sg:dupe 335896]
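
The seed sensitivity described in Comment 4, shown as an added example that is not part of the original bug report and is not Stir DOM's code. It is a simplified model: the generator, the function names and the two sample pages are assumptions constructed for illustration.

```javascript
// Simplified model of a seeded DOM fuzzer's node selection (not Stir DOM's code).
// MINSTD generator: products stay below 2^53, so plain Numbers are exact.
function makeRng(seed) {
  let state = seed;
  return () => (state = (state * 48271) % 2147483647);
}

// Document-order list of every node, like the allNodes array Comment 4 mentions.
function flatten(node, out = []) {
  out.push(node.name);
  for (const child of node.children || []) flatten(child, out);
  return out;
}

// Each step picks allNodes[r % allNodes.length] for a large random integer r.
function pickTrace(tree, seed, steps) {
  const allNodes = flatten(tree);
  const rng = makeRng(seed);
  const trace = [];
  for (let i = 0; i < steps; i++) trace.push(allNodes[rng() % allNodes.length]);
  return trace;
}

// Index of the first step where two traces pick different nodes, or -1.
function firstDivergence(a, b) {
  for (let i = 0; i < Math.min(a.length, b.length); i++) if (a[i] !== b[i]) return i;
  return -1;
}

// Constructed sample pages: "live" differs from "saved" by one whitespace node.
const bodyKids = () => [
  { name: "div#a", children: [{ name: "iframe" }] },
  { name: "p", children: [{ name: "span" }] },
];
const saved = { name: "html", children: [{ name: "body", children: bodyKids() }] };
const live = { name: "html", children: [{ name: "body",
  children: [{ name: "#text(whitespace)" }, ...bodyKids()] }] };

const savedTrace = pickTrace(saved, 1, 8);
const liveTrace = pickTrace(live, 1, 8);
console.log("saved copy:", savedTrace.join(", "));
console.log("live page: ", liveTrace.join(", "));
console.log("first divergent step:", firstDivergence(savedTrace, liveTrace));
```

The same seed replays identically against the saved copy, which is why testing a local copy gives a stable reproduction while the live page does not.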