Closed Bug 470687 Opened 17 years ago Closed 17 years ago

Crash [@ PR_vsnprintf] with observes, mathml element and setting color attrbute

Tracking

()

Status:

VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(4 keywords)

Crash Data

Attachments

(4 files)

testcase 17 years ago Martijn Wargers (dead) 658 bytes, application/vnd.mozilla.xul+xml		Details
a testcase with mutation listener 17 years ago Olli Pettay [:smaug][bugs@pettay.fi] 828 bytes, application/vnd.mozilla.xul+xml		Details
testcase 2 with a mutation listener 17 years ago Olli Pettay [:smaug][bugs@pettay.fi] 829 bytes, application/vnd.mozilla.xul+xml		Details
possible fix - trying to detect possible loop 17 years ago Olli Pettay [:smaug][bugs@pettay.fi] 7.53 KB, patch	enndeakin : review+ neil : superreview+ beltzner : approval1.9.1+	Details \| Diff \| Splinter Review

Martijn Wargers (dead)

Reporter

Description

•

17 years ago

Attached file testcase — Details

See testcase, which crashes current trunk build after 100ms. It doesn't crash in a 2008-12-03 build, it does crash in a 2008-12-04 build: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-12-03+04%3A00%3A00&enddate=2008-12-04+06%3A00%3A00 http://crash-stats.mozilla.com/report/index/9918f626-058b-4243-8f9b-4606c2081221?p=1 0 nspr4.dll PR_vsnprintf nsprpub/pr/src/io/prprf.c:1184 1 nspr4.dll PR_snprintf nsprpub/pr/src/io/prprf.c:1164 2 xul.dll NS_RGBToHex gfx/src/nsColor.cpp:208 3 xul.dll xul.dll@0x2c0f42 Unminimized testcases used to crash with this breakpad stack, btw: http://crash-stats.mozilla.com/report/index/dc1e727d-4fd2-4e1c-b6e6-8f4db2081220?p=1 0 xul.dll nsAttrValue::ToString content/base/src/nsAttrValue.cpp:325 1 xul.dll nsXULDocument::AttributeChanged content/xul/document/src/nsXULDocument.cpp:1011 2 xul.dll nsGenericDOMDataNode::cycleCollection::UnmarkPurple

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 1

•

17 years ago

Fun. Apparently this happens because in some cases color attribute is serialized to #000, other cases to #000000.

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

17 years ago

Assignee: nobody → Olli.Pettay

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 2

•

17 years ago

Attached file a testcase with mutation listener — Details

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

17 years ago

Attachment #354884 - Attachment is patch: false

Attachment #354884 - Attachment mime type: text/plain → application/vnd.mozilla.xul+xml

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 3

•

17 years ago

Attached file testcase 2 with a mutation listener — Details

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 4

•

17 years ago

Attached patch possible fix - trying to detect possible loop — Details — Splinter Review

Mutation events and broadcasters are so fun :/ The patch removes temporary delayedAttrChangeBroadcasts and when the actual broadcasting happens, mDelayedAttrChangeBroadcasts is iterated until the end of it (even if new items are appended to it). mHandlingDelayedAttrChange makes sure that nested SetAttr calls don't restart iteration. The cycle detection happens in nsXULDocument::AttributeChanged before anything is appended to mDelayedAttrChangeBroadcasts. Fixes also bug 471416.

Attachment #354895 - Flags: review?(enndeakin)

Martijn Wargers (dead)

Reporter

Updated

•

17 years ago

Blocks: 471416

Neil Deakin

Updated

•

17 years ago

Attachment #354895 - Flags: review?(enndeakin) → review+

Neil Deakin

Comment 5

•

17 years ago

Comment on attachment 354895 [details] [diff] [review] possible fix - trying to detect possible loop OK, but the other Neil should probably give a superreview.

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

17 years ago

Attachment #354895 - Flags: superreview?(neil)

neil@parkwaycc.co.uk

Comment 6

•

17 years ago

Comment on attachment 354895 [details] [diff] [review] possible fix - trying to detect possible loop >+ PRBool possibleCycle = PR_FALSE; >+ for (PRUint32 j = 0; j < mDelayedAttrChangeBroadcasts.Length(); ++j) { >+ if (mDelayedAttrChangeBroadcasts[j].mListener == listenerEl && >+ mDelayedAttrChangeBroadcasts[j].mAttrName == aAttribute) { >+ possibleCycle = PR_TRUE; >+ break; >+ } >+ } I'm sure it must be possible to use nsTArray::Contains somehow. >+ if (possibleCycle) { >+ NS_WARNING("Broadcasting loop!"); >+ } else { I'd prefer separate NS_WARN_IF_FALSE(!possibleCycle) and if (!possibleCycle)

Attachment #354895 - Flags: superreview?(neil) → superreview+

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Updated

•

17 years ago

Status: NEW → RESOLVED

Closed: 17 years ago

Resolution: --- → FIXED

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 7

•

17 years ago

Comment on attachment 354895 [details] [diff] [review] possible fix - trying to detect possible loop We need this on 1.9.1 too :/

Attachment #354895 - Flags: approval1.9.1?

Martijn Wargers (dead)

Reporter

Comment 8

•

17 years ago

Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090108 Minefield/3.2a1pre

Status: RESOLVED → VERIFIED

Mike Beltzner [:beltzner, not reading bugmail]

Comment 9

•

17 years ago

Comment on attachment 354895 [details] [diff] [review] possible fix - trying to detect possible loop a191=beltzner

Attachment #354895 - Flags: approval1.9.1? → approval1.9.1+

Olli Pettay [:smaug][bugs@pettay.fi]

Assignee

Comment 10

•

17 years ago

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/1a72e7f44b09

Keywords: fixed1.9.1

Aakash Desai [:aakashd]

Comment 11

•

16 years ago

verified FIXED on Shiretoko: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090422 Shiretoko/3.5b4pre ID:20090422042031

Keywords: fixed1.9.1 → verified1.9.1

Nobody; OK to take it and work on it

Updated

•

14 years ago

Crash Signature: [@ PR_vsnprintf]

Nobody; OK to take it and work on it

Updated

•

7 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.