Closed Bug 464251 Opened 16 years ago Closed 8 years ago

Crash [@ CNavDTD::BuildModel] with document.write("</script>")

Categories

(Core :: DOM: HTML Parser, defect)

1.9.0 Branch
x86
All
defect
Not set
critical

Tracking


RESOLVED WORKSFORME

People

(Reporter: ghiloni, Unassigned)

References

Details

(Keywords: crash)

Crash Data

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

I can reproduce this on Win XP and Fedora 9. Crash reports are available here

http://crash-stats.mozilla.com/report/index/50b3e525-8c24-4a30-923f-120820081111

and here

http://crash-stats.mozilla.com/report/index/fafe1e76-bfc8-4b34-9256-d51420081111

Unfortunately, I don't have much more info than that -- I refresh my page a few times and FF crashes.

Reproducible: Always

Steps to Reproduce:
1. go to a website
2. refresh (either a get url or repost)
3. repeat step 2 1..n times
Actual Results:  
Crash

Expected Results:  
Not crash

Seems to only happen on 3.0.3
More info from another dev on our team:
Looking at the call stack, I consistently got the following stack trace:
xul!CNavDTD::BuildModel(class nsIParser * aParser = <Memory access error>, class nsITokenizer * aTokenizer = <Memory access error>, class nsITokenObserver * anObserver = <Memory access error>, class nsIContentSink * aSink = <Memory access error>)+0x78
xul!nsParser::BuildModel(void)+0x68
xul!nsParser::ResumeParse(int allowIteration = 1623670480, int aIsFinalChunk = -2147483646, int aCanInterrupt = 19247280)+0x97
xul!nsParser::Parse(class nsAString_internal * aSourceBuffer = 0x0013ed58, void * aKey = 0x038f69bc, class nsACString_internal * aMimeType = 0x017c286c, int aLastCall = 1, nsDTDMode aMode = eDTDMode_autodetect (4))+0x1b4
xul!nsHTMLDocument::WriteCommon(class nsAString_internal * aText = 0x0013ed58, int aNewlineTerminate = 0)+0x19d
xul!nsHTMLDocument::ScriptWriteCommon(int aNewlineTerminate = 0)+0xee
xul!nsHTMLDocument::Write(void)+0x11
xul!NS_InvokeByIndex_P(class nsISupports * that = 0x017c29e4, unsigned int methodIndex = 0x14, unsigned int paramCount = 0, struct nsXPTCVariant * params = 0x0013eee0)+0x27
xul!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 0x0383c728, XPCWrappedNative::CallMode mode = 24914404 (No matching enumerant))+0x4de
js3250!js_AddScopeProperty(struct JSContext * cx = 0x00000007, struct JSScope * scope = 0x027b1d30, long id = 0, <function> * getter = 0x00000000, <function> * setter = 0x00000000, unsigned long slot = 0x1722000, unsigned int attrs = 5, unsigned int flags = 0x1c00, int shortid = 1)+0x185
js3250!js_AddScopeProperty(struct JSContext * cx = 0x8b0003aa, struct JSScope * scope = 0x85038bf0, long id = -1962117952, <function> * getter = 0x503b2057, <function> * setter = 0x96850f1c, unsigned long slot = 0x8b000001, unsigned int attrs = 0x4f891c4e, unsigned int flags = 0x307f8320, int shortid = -813363456)+0x354
xul!NS_NewAtom(class nsAString_internal * aUTF16String = 0x0383c728)+0x79
xul!nsCOMPtr_base::~nsCOMPtr_base(void)+0xe
xul!nsDocumentSH::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x606c2446, struct JSContext * cx = 0x6095858d, struct JSObject * obj = 0x60a2bddf, long id = 1620864610, unsigned int flags = 0x6049f7d0, struct JSObject ** objp = 0x60b37ba6, int * _retval = 0x606405df)+0x60
xul!nsHTMLDocumentSH::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x027b1d30, struct JSContext * cx = 0x0013f0dc, struct JSObject * obj = 0x00000000, long id = 41622832, unsigned int flags = 0x22b8f00, struct JSObject ** objp = 0x0013f0dc, int * _retval = 0x601197c0)+0x85
xul!XPC_WN_CallMethod(struct JSContext * cx = 0x01a1aaf0, struct JSObject * obj = 0x035c76b0, unsigned int argc = 0x32c3e48, long * argv = 0x02518ce0, long * vp = 0x0288d7c0)+0x11e
xul!XPCWrappedNative::GetWrappedNativeOfJSObject(struct JSContext * cx = 0x016b1cc0, struct JSObject * obj = 0x0128b260, struct JSObject * funobj = 0x02505d35, struct JSObject ** pobj2 = 0x01a1aaf1, class XPCWrappedNativeTearOff ** pTearOff = 0x022a6540)+0x3f
xul!XPC_WN_OuterObject(struct JSContext * cx = <Memory access error>, struct JSObject * obj = <Memory access error>)+0x19
js3250!js_Invoke(struct JSContext * cx = <Memory access error>, unsigned int argc = <Memory access error>, long * vp = <Memory access error>, unsigned int flags = <Memory access error>)+0x2bb


By inspecting the arguments to the last few function calls:
	HTMLDocument::Write
	HTMLDocument::WriteCommon
	HTMLDocument::ScriptWriteCommon
it appeared the following Javascript call was causing the crash:
	document.write("</script>");


Writing a single "</script>" tag from Javascript is unusual, so I was able to search the Javascript files for that, and found this in searchmenu.js
document.write("<script type=\"text/javascript\" language=\"Javascript\">");
document.write("searchInitJsControlField(\"" + queryName + "\", \"" + scopeName + "\", \"" + suffix + "\");");
document.write("</script>");


This code is just writing a script element which is immediately evaluated to call the searchInitJsControlField function. That function performed DOM modification on the search field, which was probably what was causing issues when the page was being refreshed rapidly (document.write > DOM parse of <script>...</script> > JS evaluation > DOM modification while DOM is being disposed).


We were able to replace the document.write strategy with a direct Javascript invocation:
	try{ searchInitJsControlField(queryName, scopeName, suffix); }catch(e){}
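The two initialisation strategies from the comment above, side by side, as an added example that is not part of the bug report or of searchmenu.js. `FakeDocument` is a constructed stand-in that only records `write()` calls and performs no parsing or script evaluation; `searchInitJsControlField` is replaced by whatever function the caller passes in.

```javascript
// Added example, not code from the bug or from searchmenu.js. It contrasts
// building a <script> element through three document.write() calls with
// calling the initialisation function directly, as the reporter's fix does.

// Constructed stand-in: records writes, does not parse or evaluate anything.
class FakeDocument {
  constructor() { this.writes = []; }
  write(text) { this.writes.push(text); }
}

// Old strategy: the script source is assembled as text and handed to the HTML
// parser, which must parse <script>...</script>, evaluate it, and only then run
// the DOM changes, possibly while a refresh is already tearing the document down.
function initSearchViaWrite(doc, queryName, scopeName, suffix) {
  doc.write('<script type="text/javascript" language="Javascript">');
  doc.write('searchInitJsControlField("' + queryName + '", "' +
            scopeName + '", "' + suffix + '");');
  doc.write('</script>'); // the write seen at the top of the crash stack
}

// Replacement strategy: call the function directly. Nothing goes through the
// parser, and a failure inside the init function (for example a search field
// that no longer exists) is contained instead of escaping to the caller.
function initSearchDirect(initFn, queryName, scopeName, suffix) {
  try {
    initFn(queryName, scopeName, suffix);
    return true;
  } catch (e) {
    return false;
  }
}

// Driver so the file runs stand-alone; returns what each strategy did.
function demo() {
  const doc = new FakeDocument();
  initSearchViaWrite(doc, 'q', 'scope', '1');
  const calls = [];
  const ok = initSearchDirect((a, b, c) => calls.push([a, b, c]), 'q', 'scope', '1');
  const contained = !initSearchDirect(() => { throw new Error('field gone'); },
                                      'q', 'scope', '1');
  return { writes: doc.writes, ok, calls, contained };
}
```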
Stack looks a bit like bug 453624 comment 8.

Josh, do you have a testcase that reproduces the crash we can look at?
Component: General → HTML: Parser
Keywords: crash
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → parser
Summary: CNavDTD::BuildModel throws error → Crash [@ CNavDTD::BuildModel] with document.write("</script>")
Depends on: 453624
I think you can add another crash report to this list:
http://crash-stats.mozilla.com/report/index/8eb5a4df-ac44-49b5-bc83-882282090220
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 1.9.0 Branch
(In reply to comment #2)
> Stack looks a bit like bug 453624 comment 8.

fixed in early 2009 by Bug 444322 ?
Crash Signature: [@ CNavDTD::BuildModel]
zero examples with CNavDTD::BuildModel in signature in the past week for any version
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME