435128 - Crash [@ nsParser::WillTokenize] trying to write something in a destroying iframe

Status: VERIFIED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[Martijn Wargers (dead)]

Attachment: testcase

See testcase, which can crash in current trunk build, within 100ms or a minute or so. Usually, it should crash within 30 seconds.

The iframe source consists of this:
<html><head></head><body>
<iframe id="a"></iframe>
<script>
function doe() {
var x = window.frames[0].document;

var y=document.getElementById('a');
y.parentNode.removeChild(y);

try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
try {x.write('t');} catch(e) {}
}
setTimeout('doe()',20);
</script>
</body></html>

It seems like a regression, it doesn't seem to crash on branch. But because the crash doesn't happen instantly, it's kind of difficult to get a regression range.

http://crash-stats.mozilla.com/report/index/6caad09c-2793-11dd-be79-001321b13766?p=1
0  	xul.dll  	nsParser::WillTokenize  	 mozilla/parser/htmlparser/src/nsParser.cpp:2380
1 	xul.dll 	nsParser::Tokenize 	mozilla/parser/htmlparser/src/nsParser.cpp:2419
2 	xul.dll 	nsParser::ResumeParse 	mozilla/parser/htmlparser/src/nsParser.cpp:1649
3 	xul.dll 	nsParser::Parse 	mozilla/parser/htmlparser/src/nsParser.cpp:1450
4 	xul.dll 	nsHTMLDocument::WriteCommon 	mozilla/content/html/document/src/nsHTMLDocument.cpp:2475
5 	xul.dll 	nsHTMLDocument::ScriptWriteCommon 	mozilla/content/html/document/src/nsHTMLDocument.cpp:2531
6 	mozcrt19.dll 	arena_dalloc_small 	jemalloc.c:4094
7 	xul.dll 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
8 	js3250.dll 	js_GetClassObject

Comment 1

[Blake Kaplan (:mrbkap) (inactive)]

Martijn, I'm having trouble making your testcase work at all. Is there any chance you could upload a full testcase to bugzilla?

Comment 2

[Martijn Wargers (dead)]

Attachment: testcase

Sorry, I attached the wrong file.

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Proposed fix

This is caused by calling document.open() on a document whose docshell has gone away. The crash is caused by creating a parser and then bailing out before calling SetContentSink on it (so when we get into nsHTMLDocument::Write, we have a partially-initialized parser, causing the crash).

This patch is defense-in-depth: it nulls out the parser if we couldn't create a content sink and bails out early if there's no docshell, since we won't be able to open the document successfully anyway. I also noticed that we got the docshell twice for no reason, so I took away one of the docshells.

I'll also attach a diff -w for easier reviewing.

Comment 4

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Proposed fix -w

Comment 5

[Blake Kaplan (:mrbkap) (inactive)]

Pushed as changeset 9c2b88886f7f.

Comment 6

[Martijn Wargers (dead)]

Thanks, that fixed it.
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a1pre) Gecko/2008071504 Minefield/3.1a1pre

Comment 7

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 327593 [details] [diff] [review]
Proposed fix

This fixes a crash.

Comment 8

[Samuel Sidler (old account; do not CC)]

Comment on attachment 327593 [details] [diff] [review]
Proposed fix

Approved for 1.9.0.2. Please land in CVS. a=ss

Also, be sure to land a testcase for this crash after this release has gone out.

Comment 9

[Blake Kaplan (:mrbkap) (inactive)]

Fix checked into the 1.9 branch.

Comment 10

[Bob Clary [:bc] (inactive)]

crash test added
http://hg.mozilla.org/mozilla-central/rev/0d115aa982f1

Comment 11

[Bob Clary [:bc] (inactive)]

test disabled due to length of time required.
http://hg.mozilla.org/mozilla-central/rev/f46badba0e2b