Closed Bug 501113 Opened 15 years ago Closed 15 years ago

HTML5 Crash EXCEPTION_INT_DIVIDE_BY_ZERO [@ _aulldiv - nsHtml5TreeBuilder::Flush] loading complex pages

Categories: Core :: DOM: HTML Parser, defect
Platform: x86, Windows NT
Type: defect
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Milestone: mozilla1.9.2a1
Tracking Status: status1.9.2 --- beta1-fixed
People: Reporter: jmjjeffery, Assigned: timeless
Keywords: crash
Attachments: 2 files, 2 obsolete files

Loading any complex page with the new HTML5 parser set to 'true' crashes the browser on page load.

1. Load www.cnn.com 
2. crash before page loads

Crash-report here:
http://crash-stats.mozilla.com/report/index/14604f15-d79d-4ef1-8f9c-5343b2090629?p=1

Using nightly build:
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090629 Minefield/3.6a1pre Firefox/3.0.11 ID:20090629044912

changeset: 
http://hg.mozilla.org/mozilla-central/rev/643cdff78555
Signature	_aulldiv
UUID	14604f15-d79d-4ef1-8f9c-5343b2090629
Time 	2009-06-29 06:45:52.502461
Uptime	35
Last Crash	37626 seconds before submission
Product	Firefox
Version	3.6a1pre
Build ID	20090629044912
Branch	1.9.2
OS	Windows NT
OS Version	6.1.7100
CPU	x86
CPU Info	AuthenticAMD family 16 model 2 stepping 3
Crash Reason	EXCEPTION_INT_DIVIDE_BY_ZERO
Crash Address	0x68ebc924
User Comments	HTML5 enabled - crash loading CNN
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	_aulldiv 	ulldiv.asm:87
1 	xul.dll 	nsHtml5TreeBuilder::end 	parser/html/nsHtml5TreeBuilderCppSupplement.h:281
2 	xul.dll 	nsHtml5TreeBuilder::endTokenization 	parser/html/nsHtml5TreeBuilder.cpp:555
3 	xul.dll 	nsHtml5Tokenizer::end 	parser/html/nsHtml5Tokenizer.cpp:3181
4 	xul.dll 	nsHtml5Parser::ParseFragment 	parser/html/nsHtml5Parser.cpp:527

ted suggests:
http://hg.mozilla.org/mozilla-central/annotate/643cdff78555/parser/html/nsHtml5TreeBuilderCppSupplement.h#l487

hsivonen@29805   487    sTreeOpQueueMaxLength = (PRUint32)((NS_HTML5_TREE_BUILDER_MAX_QUEUE_TIME * (PRUint64)opQueueLength) / (PR_Now() - flushStart));

and he notes that flushStart is assigned from PR_Now() earlier.
Keywords: crash
Summary: HTML5 Crash [@ _aulldiv ] loading complex pages → HTML5 Crash EXCEPTION_INT_DIVIDE_BY_ZERO [@ _aulldiv - nsHtml5TreeBuilder::Flush] loading complex pages
ted mentioned PR_IntervalNow()
bsmedberg recommended mozilla::TimeStamp
Crashing Thread on Win XP:

0  	xul.dll  	_aulldiv  	 ulldiv.asm:87
1 	xul.dll 	nsHtml5TreeBuilder::end 	parser/html/nsHtml5TreeBuilderCppSupplement.h:281
2 	xul.dll 	nsHtml5TreeBuilder::endTokenization 	parser/html/nsHtml5TreeBuilder.cpp:555
3 	xul.dll 	nsHtml5Tokenizer::end 	parser/html/nsHtml5Tokenizer.cpp:3181
4 	xul.dll 	nsHtml5Parser::DidBuildModel 	parser/html/nsHtml5Parser.cpp:789
5 	xul.dll 	nsHtml5Parser::ParseUntilSuspend 	parser/html/nsHtml5Parser.cpp:1200
6 	xul.dll 	nsHtml5Parser::OnStopRequest 	parser/html/nsHtml5Parser.cpp:655
7 	xul.dll 	nsDocumentOpenInfo::OnStopRequest 	uriloader/base/nsURILoader.cpp:323
8 	xul.dll 	nsStreamListenerTee::OnStopRequest 	netwerk/base/src/nsStreamListenerTee.cpp:65
9 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/src/nsHttpChannel.cpp:5031
10 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:576
11 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:401
12 	xul.dll 	nsOutputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:190
13 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
14 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
15 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
16 	nspr4.dll 	PR_GetEnv 	
17 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
18 	firefox.exe 	firefox.exe@0x21a7 	
19 	kernel32.dll 	kernel32.dll@0x17076
Martijn, I think this is the crash you were seeing?
Flags: blocking1.9.2?
To be more specific: PRNow() is only accurate to 15 milliseconds iirc, so the second call to PRNow could be of equivalent value to flushStart hence making the division by zero...
henri, et al:

looks like same stack as when loading
http://tinderbox.mozilla.org/showbuilds.cgi?tree=Firefox 
in case you're looking for a test case that's a bit less a moving target than cnn

http://crash-stats.mozilla.com/report/index/2ec2d988-805c-4bcc-9cda-cc47b2090629?p=1
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #385845 - Flags: review?(hsivonen)
Attachment #385845 - Attachment is obsolete: true
Attachment #385847 - Flags: review?(hsivonen)
Attachment #385845 - Flags: review?(hsivonen)
Docs say PR_IntervalNow() and PR_Now() have different units, so need to change the magic constant accordingly.
Attachment #385847 - Attachment is obsolete: true
Attachment #385847 - Flags: review?(hsivonen)
Comment on attachment 385983
Change the constant to milliseconds, too

The patch seems to work. Thanks, timeless! 

However, my Windows box is a virtual machine, so I may not be seeing the same timing as one would have on a real box.
Attachment #385983 - Flags: superreview?(mrbkap)
Attachment #385983 - Flags: review?(jonas)
Attachment #385983 - Flags: superreview?(mrbkap)
Attachment #385983 - Flags: superreview+
Attachment #385983 - Flags: review?(jonas)
Attachment #385983 - Flags: review+
Comment on attachment 385983
Change the constant to milliseconds, too

You can't assume that PRIntervalNow returns milliseconds. You have to use PR_IntervalToMilliseconds

r/sr=me with that
Attached patch: Pushed patch
Pushed patch for the record. With PR_IntervalToMilliseconds. Thanks.
http://hg.mozilla.org/mozilla-central/rev/231fe6f453d8
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
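
The failure mode discussed in this bug, as an added example (not code from the Gecko tree or from the pushed patch): a clock that advances in roughly 15 ms steps returns the same value for two reads taken during a short flush, so the divisor in the expression quoted from line 487 is zero. `CoarseNow`, `NextMaxQueueLength` and both constants are hypothetical, and the guard shown is one way to handle the case, not necessarily what the patch does.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for illustration; names and values are not from the Gecko tree.
static const uint64_t kTickUs = 15000;         // clock step, per the ~15 ms figure in the thread
static const uint64_t kMaxQueueTimeUs = 3000;  // hypothetical time budget for one flush

// A clock that only advances in whole ticks: two reads inside one tick return the same value.
uint64_t CoarseNow(uint64_t trueTimeUs) {
  return (trueTimeUs / kTickUs) * kTickUs;
}

// Same shape as the expression quoted from line 487, but the divisor is checked first.
// Returns false (leaving *next untouched) when the clock shows no forward progress.
bool NextMaxQueueLength(uint64_t flushStart, uint64_t flushEnd,
                        uint32_t opQueueLength, uint32_t* next) {
  if (flushEnd <= flushStart) {
    return false;  // same tick, or the wall clock stepped backwards
  }
  uint64_t elapsed = flushEnd - flushStart;
  uint64_t scaled = (kMaxQueueTimeUs * (uint64_t)opQueueLength) / elapsed;
  if (scaled > UINT32_MAX) scaled = UINT32_MAX;  // do not truncate on the narrowing cast
  if (scaled == 0) scaled = 1;                   // never shrink the queue limit to nothing
  *next = (uint32_t)scaled;
  return true;
}

int main() {
  uint32_t limit = 100;  // current limit, kept when no update is possible
  // Fast flush: 30.1 ms -> 31.9 ms of true time, both reads land in the same tick.
  bool ok = NextMaxQueueLength(CoarseNow(30100), CoarseNow(31900), 200, &limit);
  std::printf("fast flush: updated=%d limit=%u\n", ok, limit);
  // Slow flush: 29 ms -> 46 ms of true time crosses two tick boundaries.
  ok = NextMaxQueueLength(CoarseNow(29000), CoarseNow(46000), 200, &limit);
  std::printf("slow flush: updated=%d limit=%u\n", ok, limit);
  return 0;
}
```

The backwards-clock branch matters for any wall-clock source: with unsigned arithmetic an earlier end time would wrap to a huge divisor instead of faulting.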
Verified fixed, no more instant crash on complex pages with HTML5 = True

changeset: 
http://hg.mozilla.org/mozilla-central/rev/231fe6f453d8

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090702 Minefield/3.6a1pre Firefox/3.0.11 ID:20090702004326
Status: RESOLVED → VERIFIED
Flags: blocking1.9.2? → blocking1.9.2-
Crash Signature: [@ _aulldiv - nsHtml5TreeBuilder::Flush]