Closed Bug 502869 Opened 11 years ago Closed 10 years ago

[HTML5] Crash [@ nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster] with document.write and removing stuff

Categories

(Core :: DOM: HTML Parser, defect, critical)

Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: hsivonen)

Details

(Keywords: crash, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file testcase
See testcase. To get this crash, you need to have the html5.enable pref set to true.
I guess it might be related to the other HTML5 parser crashes.

http://crash-stats.mozilla.com/report/index/13e74244-37ab-4a11-b461-4a1592090707?p=1
0   XUL             nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster   parser/html/nsHtml5TreeBuilder.cpp:3384
1   XUL             nsHtml5TreeBuilder::startTag                                     parser/html/nsHtml5TreeBuilder.cpp:1292
2   XUL             nsHtml5Tokenizer::stateLoop                                      parser/html/nsHtml5Tokenizer.cpp:364
3   XUL             nsHtml5Tokenizer::tokenizeBuffer                                 parser/html/nsHtml5Tokenizer.cpp:459
4   XUL             nsHtml5Parser::Parse                                             parser/html/nsHtml5Parser.cpp:378
5   XUL             nsHTMLDocument::WriteCommon                                      content/html/document/src/nsHTMLDocument.cpp:2172
6   XUL             nsHTMLDocument::ScriptWriteCommon                                content/html/document/src/nsHTMLDocument.cpp:2228
7   XUL             nsHTMLDocument::Write                                            content/html/document/src/nsHTMLDocument.cpp:2256
8   XUL             NS_InvokeByIndex_P                                               xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
9   XUL             XPCWrappedNative::CallMethod                                     js/src/xpconnect/src/xpcwrappednative.cpp:2691
10  XUL             XPC_WN_CallMethod                                                js/src/xpconnect/src/xpcwrappednativejsops.cpp:1732
11  libmozjs.dylib  js_Invoke                                                        js/src/jsinterp.cpp:1389
etc...
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Attachment #393748 - Flags: review?(mrbkap)
Comment on attachment 393748 [details] [diff] [review]
Set life cycle before emitting EOF

This patch isn't quite right.
Attachment #393748 - Attachment is obsolete: true
Attachment #393748 - Flags: review?(mrbkap)
Attachment #393810 - Flags: review?(mrbkap) → review?(bnewman)
Attachment #393810 - Flags: review?(bnewman) → review+
Comment on attachment 393810 [details] [diff] [review]
Flush and set life cycle better relative to eof()

Changes make sense to me. I can also confirm that this patch fixes the crash under WinXP. Would it be useful to write a crash test for this, to prevent regressions?
http://hg.mozilla.org/mozilla-central/rev/15ea02367063

(In reply to comment #4)
> (From update of attachment 393810 [details] [diff] [review])
> Changes make sense to me.  I can also confirm that this patch fixes the crash
> under WinXP.

Thank you.

> Would it be useful to write a crash test for this, to prevent
> regressions?

Yes. I need to learn how to write crash tests.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Crash Signature: [@ nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster]
Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a82058ffa7a
Flags: in-testsuite? → in-testsuite+