Closed
Bug 464251
Opened 16 years ago
Closed 8 years ago
Crash [@ CNavDTD::BuildModel] with document.write("</script>")
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
WORKSFORME
People
(Reporter: ghiloni, Unassigned)
(Keywords: crash)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

I can reproduce this on Win XP and Fedora 9. Crash reports are available here
http://crash-stats.mozilla.com/report/index/50b3e525-8c24-4a30-923f-120820081111
and here
http://crash-stats.mozilla.com/report/index/fafe1e76-bfc8-4b34-9256-d51420081111

Unfortunately, I don't have much more info than that -- I refresh my page a few times and FF crashes.

Reproducible: Always

Steps to Reproduce:
1. go to a website
2. refresh (either a get url or repost)
3. repeat step 2 1..n times

Actual Results:
Crash

Expected Results:
Not crash

Seems to only happen on 3.0.3
Comment 1•16 years ago
More info from another dev on our team:

Looking at the call stack, I consistently got the following stack trace:

xul!CNavDTD::BuildModel(class nsIParser * aParser = <Memory access error>, class nsITokenizer * aTokenizer = <Memory access error>, class nsITokenObserver * anObserver = <Memory access error>, class nsIContentSink * aSink = <Memory access error>)+0x78
xul!nsParser::BuildModel(void)+0x68
xul!nsParser::ResumeParse(int allowIteration = 1623670480, int aIsFinalChunk = -2147483646, int aCanInterrupt = 19247280)+0x97
xul!nsParser::Parse(class nsAString_internal * aSourceBuffer = 0x0013ed58, void * aKey = 0x038f69bc, class nsACString_internal * aMimeType = 0x017c286c, int aLastCall = 1, nsDTDMode aMode = eDTDMode_autodetect (4))+0x1b4
xul!nsHTMLDocument::WriteCommon(class nsAString_internal * aText = 0x0013ed58, int aNewlineTerminate = 0)+0x19d
xul!nsHTMLDocument::ScriptWriteCommon(int aNewlineTerminate = 0)+0xee
xul!nsHTMLDocument::Write(void)+0x11
xul!NS_InvokeByIndex_P(class nsISupports * that = 0x017c29e4, unsigned int methodIndex = 0x14, unsigned int paramCount = 0, struct nsXPTCVariant * params = 0x0013eee0)+0x27
xul!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 0x0383c728, XPCWrappedNative::CallMode mode = 24914404 (No matching enumerant))+0x4de
js3250!js_AddScopeProperty(struct JSContext * cx = 0x00000007, struct JSScope * scope = 0x027b1d30, long id = 0, <function> * getter = 0x00000000, <function> * setter = 0x00000000, unsigned long slot = 0x1722000, unsigned int attrs = 5, unsigned int flags = 0x1c00, int shortid = 1)+0x185
js3250!js_AddScopeProperty(struct JSContext * cx = 0x8b0003aa, struct JSScope * scope = 0x85038bf0, long id = -1962117952, <function> * getter = 0x503b2057, <function> * setter = 0x96850f1c, unsigned long slot = 0x8b000001, unsigned int attrs = 0x4f891c4e, unsigned int flags = 0x307f8320, int shortid = -813363456)+0x354
xul!NS_NewAtom(class nsAString_internal * aUTF16String = 0x0383c728)+0x79
xul!nsCOMPtr_base::~nsCOMPtr_base(void)+0xe
xul!nsDocumentSH::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x606c2446, struct JSContext * cx = 0x6095858d, struct JSObject * obj = 0x60a2bddf, long id = 1620864610, unsigned int flags = 0x6049f7d0, struct JSObject ** objp = 0x60b37ba6, int * _retval = 0x606405df)+0x60
xul!nsHTMLDocumentSH::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x027b1d30, struct JSContext * cx = 0x0013f0dc, struct JSObject * obj = 0x00000000, long id = 41622832, unsigned int flags = 0x22b8f00, struct JSObject ** objp = 0x0013f0dc, int * _retval = 0x601197c0)+0x85
xul!XPC_WN_CallMethod(struct JSContext * cx = 0x01a1aaf0, struct JSObject * obj = 0x035c76b0, unsigned int argc = 0x32c3e48, long * argv = 0x02518ce0, long * vp = 0x0288d7c0)+0x11e
xul!XPCWrappedNative::GetWrappedNativeOfJSObject(struct JSContext * cx = 0x016b1cc0, struct JSObject * obj = 0x0128b260, struct JSObject * funobj = 0x02505d35, struct JSObject ** pobj2 = 0x01a1aaf1, class XPCWrappedNativeTearOff ** pTearOff = 0x022a6540)+0x3f
xul!XPC_WN_OuterObject(struct JSContext * cx = <Memory access error>, struct JSObject * obj = <Memory access error>)+0x19
js3250!js_Invoke(struct JSContext * cx = <Memory access error>, unsigned int argc = <Memory access error>, long * vp = <Memory access error>, unsigned int flags = <Memory access error>)+0x2bb

By inspecting the arguments to the last few function calls:

HTMLDocument::Write
HTMLDocument::WriteCommon
HTMLDocument::ScriptWriteCommon

it appeared the following Javascript call was causing the crash:

document.write("</script>");

Writing a single "</script>" tag from Javascript is unusual, so I was able to search the Javascript files for that, and found this in searchmenu.js:

document.write("<script type=\"text/javascript\" language=\"Javascript\">");
document.write("searchInitJsControlField(\"" + queryName + "\", \"" + scopeName + "\", \"" + suffix + "\");");
document.write("</script>");

This code is just writing a script element which is immediately evaluated to call the searchInitJsControlField function. That function performed DOM modification on the search field, which was probably what was causing issues when the page was being refreshed rapidly (document.write > DOM parse of <script>...</script> > JS evaluation > DOM modification while DOM is being disposed).

We were able to replace the document.write strategy with a direct Javascript invocation:

try{ searchInitJsControlField(queryName, scopeName, suffix); }catch(e){}
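The two strategies comment 1 contrasts, as an added example that is not part of the bug report or of the searchmenu.js it quotes: a document.write of a whole script element (which serialises the arguments into markup and relies on the HTML parser to evaluate them) versus the direct call wrapped in try/catch. The names searchInitJsControlField, queryName, scopeName and suffix come from the quoted snippet; the escaping helper, the closing-tag counter and the fake document object are assumptions added so the code runs under Node without a browser DOM.

```javascript
'use strict';

// Added example, not code from the bug report or from the quoted
// searchmenu.js. It models the two strategies from comment 1: writing a
// <script> element with document.write, and calling the init function
// directly inside try/catch. `searchInitJsControlField`, `queryName`,
// `scopeName` and `suffix` are the names used in the quoted snippet; the
// fake document object below is an assumption so this runs under Node
// without a browser DOM.

// Serialise a value as a JS string literal that is safe inside an inline
// <script> body. The HTML parser ends the script element at the first
// "</script" it sees, regardless of JS string quoting, so "</" is escaped
// to "<\/" (which JS reads back as "</").
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(/<\//g, '<\\/');
}

// Strategy 1: the document.write pattern from the quoted searchmenu.js.
// The markup is built as one string and returned so callers can inspect
// what was written; only the final "</script>" may appear unescaped.
function writeInitScript(doc, queryName, scopeName, suffix) {
  const args = [queryName, scopeName, suffix].map(toScriptLiteral).join(', ');
  const markup =
    '<script type="text/javascript">' +
    'searchInitJsControlField(' + args + ');' +
    '<\/script>';
  doc.write(markup);
  return markup;
}

// Strategy 2: the workaround from comment 1. The init function is invoked
// directly with JS values, so nothing is serialised into markup and no
// parser round-trip happens. Errors from DOM work on a document that is
// being torn down are swallowed; the return value reports the outcome.
function initDirect(initFn, queryName, scopeName, suffix) {
  try {
    initFn(queryName, scopeName, suffix);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  const written = [];
  return { written, write(html) { written.push(html); } };
}

// Count literal "</script>" occurrences in markup: a script-written script
// element should contain exactly one, its own closing tag.
function countScriptClosers(markup) {
  return markup.split('</script>').length - 1;
}

// Stand-alone demonstration with constructed inputs, including a suffix
// that carries a closing tag to show why the escaping matters.
function demo() {
  const doc = makeFakeDocument();
  const markup = writeInitScript(doc, 'query', 'scope', 'x</script><b>');
  console.log(markup);
  console.log('closing tags in markup:', countScriptClosers(markup));
  console.log('direct ok:', initDirect(() => {}, 'query', 'scope', '_1'));
  console.log('direct failed:',
    initDirect(() => { throw new Error('DOM gone'); }, 'query', 'scope', '_1'));
}

demo();
```

The direct call is preferable for more than the crash reason given in the thread: it passes queryName, scopeName and suffix as JavaScript values instead of pasting them into a script body, so no value can end the script element early or alter the generated statement.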
Comment 2•16 years ago
Stack looks a bit like bug 453624 comment 8. Josh, do you have a testcase that reproduces the crash we can look at?
Component: General → HTML: Parser
Keywords: crash
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → parser
Summary: CNavDTD::BuildModel throws error → Crash [@ CNavDTD::BuildModel] with document.write("</script>")
Comment 3•15 years ago
I think you can add another crash report to this list: http://crash-stats.mozilla.com/report/index/8eb5a4df-ac44-49b5-bc83-882282090220
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 1.9.0 Branch
Comment 4•13 years ago
(In reply to comment #2)
> Stack looks a bit like bug 453624 comment 8.

fixed in early 2009 by Bug 444322 ?
Updated•13 years ago
Crash Signature: [@ CNavDTD::BuildModel]
Comment 5•8 years ago
zero examples with CNavDTD::BuildModel in signature in the past week for any version
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME