Closed Bug 555462 Opened 15 years ago Closed 15 years ago

[html5] Heap corruption crash [@ nsHtml5TreeBuilder::ensureBufferSpace] with textarea

Categories

(Core :: DOM: HTML Parser, defect, P1)


Tracking


VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: hsivonen)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Crash Data

Attachments

(2 files)

Attached file testcase
I'm getting a crash with the testcase after a couple of reloads:
http://crash-stats.mozilla.com/report/index/422d2439-2580-44bf-b997-83a1f2100327

0 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4104
1 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4227
2 mozcrt19.dll free obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6017
3 plds4.dll PL_FinishArenaPool nsprpub/lib/ds/plarena.c:324
4 xul.dll RuleHash::~RuleHash layout/style/nsCSSRuleProcessor.cpp:496
5 xul.dll RuleCascadeData::~RuleCascadeData layout/style/nsCSSRuleProcessor.cpp:735
6 xul.dll nsJARURI::FormatSpec modules/libjar/nsJARURI.cpp:116
7 xul.dll DocumentViewerImpl::Show layout/base/nsDocumentViewer.cpp:1901
8 xul.dll DocumentViewerImpl::QueryInterface layout/base/nsDocumentViewer.cpp:574
9 xul.dll nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96
10 xul.dll DocumentViewerImpl::GetPresContext layout/base/nsDocumentViewer.cpp:1788
11 xul.dll nsPresContext::EnsureVisible layout/base/nsPresContext.cpp:1630
12 xul.dll PresShell::UnsuppressAndInvalidate layout/base/nsPresShell.cpp:4414
13 xul.dll nsTimerImpl::Release xpcom/threads/nsTimerImpl.cpp:94
14 xul.dll PresShell::UnsuppressPainting layout/base/nsPresShell.cpp:4450
15 xul.dll PresShell::UnsuppressPainting layout/base/nsPresShell.cpp:4463
16 xul.dll DocumentViewerImpl::LoadComplete layout/base/nsDocumentViewer.cpp:1069

But I seem to be getting different stacks. In a debug build, I get a complaint of heap corruption.
I get this stack when I hit the retry button:

msvcr90d.dll!_free_dbg_nolock(void * pUserData=0x09ec7560, int nBlockUse=1) Line 1371 + 0x3b bytes C++
msvcr90d.dll!_free_dbg(void * pUserData=0x09ec7560, int nBlockUse=1) Line 1258 + 0xd bytes C++
msvcr90d.dll!free(void * pUserData=0x09ec7560) Line 49 + 0xb bytes C++
> mozalloc.dll!moz_free(void * ptr=0x09ec7560) Line 69 + 0xa bytes C++
xul.dll!operator delete[](void * ptr=0x09ec7560) Line 258 + 0x9 bytes C++
xul.dll!jArray<unsigned short,int>::release() Line 56 + 0x1a bytes C++
xul.dll!nsHtml5TreeBuilder::ensureBufferSpace(int addedLength=22) Line 204 C++
xul.dll!nsHtml5Tokenizer::ensureBufferSpace(int addedLength=22) Line 386 C++
xul.dll!nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer * buffer=0x091fd6d0) Line 359 C++
xul.dll!nsHtml5StreamParser::ParseAvailableData() Line 806 + 0x1e bytes C++
xul.dll!nsHtml5StreamParser::DoDataAvailable(unsigned char * aBuffer=0x0932f3b0, unsigned int aLength=5142) Line 649 C++
xul.dll!nsHtml5DataAvailable::Run() Line 669 C++
xul.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x08cffa88) Line 527 + 0x19 bytes C++
xul.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x03620ad0, int mayWait=1) Line 250 + 0x16 bytes C++
xul.dll!nsThread::ThreadFunc(void * arg=0x03620ad0) Line 254 + 0xb bytes C++
nspr4.dll!_PR_NativeRunThread(void * arg=0x037c6dd0) Line 426 + 0xf bytes C
nspr4.dll!pr_root(void * arg=0x037c6dd0) Line 122 + 0xf bytes C
msvcr90d.dll!_callthreadstartex() Line 348 + 0xf bytes C
msvcr90d.dll!_threadstartex(void * ptd=0x023b1ff0) Line 331 C
kernel32.dll!76af1194() [Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
ntdll.dll!774eb3f5()
ntdll.dll!774eb3c8()

So it seems html5 parser related. And indeed, if I turn off html5 parsing, then I don't seem to get a crash.
Weird, apparently, it's no problem online, only when loading the testcase locally.
Does the problem go away if you backout the two changesets mentioned above?
I'm unable to reproduce this either locally or online in an opt build on Linux x86_64.
Sorry, I have no idea how to back out http://hg.mozilla.org/mozilla-central/rev/a0f0fde99844 in my local tree at this point.
I ran a debug build on Linux x86_64 in valgrind. When loading the test case from bugzilla, the result was clean. When loading locally, I got:

Program ./firefox-bin (pid = 10172) received signal 11.
Stack:
UNKNOWN [/lib/libpthread.so.0 +0x0000F190]
memset+0x00000040 [/lib/libc.so.6 +0x000810E0]
UNKNOWN [./libplds4.so +0x00001753]
PL_FinishArenaPool+0x00000024 [./libplds4.so +0x000018C5]
UNKNOWN [./libxul.so +0x00B703FB]
UNKNOWN [./libxul.so +0x00B77BBA]
UNKNOWN [./libxul.so +0x00B763F5]
UNKNOWN [./libxul.so +0x00B716C4]
UNKNOWN [./libxul.so +0x00B718ED]
UNKNOWN [./libxul.so +0x009DDD0C]
UNKNOWN [./libxul.so +0x009DD3AD]
UNKNOWN [./libxul.so +0x00A09CF4]
UNKNOWN [./libxul.so +0x00A09275]
UNKNOWN [./libxul.so +0x009A63CA]
UNKNOWN [./libxul.so +0x009E1FAB]
UNKNOWN [./libxul.so +0x009E0335]
UNKNOWN [./libxul.so +0x009DC4AF]
UNKNOWN [./libxul.so +0x009D22B6]
UNKNOWN [./libxul.so +0x009D3279]
UNKNOWN [./libxul.so +0x00A01F25]
UNKNOWN [./libxul.so +0x00A13CA6]
UNKNOWN [./libxul.so +0x00A13F23]
UNKNOWN [./libxul.so +0x009CFA45]
UNKNOWN [./libxul.so +0x0148A1A0]
UNKNOWN [./libxul.so +0x01489B75]
UNKNOWN [./libxul.so +0x014BB614]
UNKNOWN [./libxul.so +0x014BA226]
UNKNOWN [./libxul.so +0x014B9D41]
UNKNOWN [./libxul.so +0x014B98EF]
UNKNOWN [./libxul.so +0x00749FB4]
UNKNOWN [./libxul.so +0x00D0A5BD]
UNKNOWN [./libxul.so +0x00D0A398]
UNKNOWN [./libxul.so +0x00CFF82C]
UNKNOWN [./libxul.so +0x00D19A48]
UNKNOWN [./libxul.so +0x01AF1953]
UNKNOWN [./libxul.so +0x01A810A4]
UNKNOWN [./libxul.so +0x019C5A08]
MessageLoop::RunInternal()+0x00000079 [./libxul.so +0x01B6BDF1]
MessageLoop::RunHandler()+0x00000018 [./libxul.so +0x01B6BD76]
UNKNOWN [./libxul.so +0x01B6BD07]
UNKNOWN [./libxul.so +0x0186959D]
UNKNOWN [./libxul.so +0x0158254D]
XRE_main+0x00002A81 [./libxul.so +0x005F64D9]
UNKNOWN [./firefox-bin +0x000021F2]
__libc_start_main+0x000000FD [/lib/libc.so.6 +0x0001EABD]
UNKNOWN [./firefox-bin +0x00001CD9]
Sleeping for 300 seconds.
Type 'gdb ./firefox-bin 10172' to attach your debugger to this thread.

(gdb) bt
#0 0x00007f7ee4079f51 in nanosleep () from /lib/libc.so.6
#1 0x00007f7ee4079da0 in __sleep (seconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2 0x00007f7ee898b6cf in ah_crap_handler (signum=11) at /opt/Projects/mozilla-html5/toolkit/xre/nsSigHandlers.cpp:164
#3 0x00007f7ee89902c5 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fff920451f0, context=0x7fff920450c0) at nsProfileLock.cpp:221
#4 <signal handler called>
#5 memset () at ../sysdeps/x86_64/memset.S:65
#6 0x00007f7ee7905753 in FreeArenaList (pool=0x7f7ec1a068e0, head=0x7f7ec1a068e0, reallyFree=1) at /opt/Projects/mozilla-html5/nsprpub/lib/ds/plarena.c:284
#7 0x00007f7ee79058c5 in PL_FinishArenaPool (pool=0x7f7ec1a068e0) at /opt/Projects/mozilla-html5/nsprpub/lib/ds/plarena.c:324
#8 0x00007f7ee8ef73fb in ~RuleHash (this=0x7f7ec1a06800, __in_chrg=<value optimized out>) at /opt/Projects/mozilla-html5/layout/style/nsCSSRuleProcessor.cpp:496
#9 0x00007f7ee8efebba in ~RuleCascadeData (this=0x7f7ec1a06800, __in_chrg=<value optimized out>) at /opt/Projects/mozilla-html5/layout/style/nsCSSRuleProcessor.cpp:735
#10 0x00007f7ee8efd3f5 in nsCSSRuleProcessor::ClearRuleCascades (this=0x7f7ec13c5240) at /opt/Projects/mozilla-html5/layout/style/nsCSSRuleProcessor.cpp:2453
#11 0x00007f7ee8ef86c4 in ~nsCSSRuleProcessor (this=0x7f7ec13c5240, __in_chrg=<value optimized out>) at /opt/Projects/mozilla-html5/layout/style/nsCSSRuleProcessor.cpp:854
#12 0x00007f7ee8ef88ed in nsCSSRuleProcessor::Release (this=0x7f7ec13c5240) at /opt/Projects/mozilla-html5/layout/style/nsCSSRuleProcessor.cpp:857
#13 0x00007f7ee8d64d0c in ~nsCOMPtr (this=0x7f7eca5d1720, __in_chrg=<value optimized out>) at ../../dist/include/nsCOMPtr.h:510
#14 0x00007f7ee8d643ad in ~nsStyleSet (this=0x7f7eca5d16e0, __in_chrg=<value optimized out>) at /opt/Projects/mozilla-html5/layout/base/../style/nsStyleSet.h:80
#15 0x00007f7ee8d90cf4 in ~PresShell (this=0x7f7ec1a03000, __in_chrg=<value optimized out>) at /opt/Projects/mozilla-html5/layout/base/nsPresShell.cpp:1553
#16 0x00007f7ee8d90275 in PresShell::Release (this=0x7f7ec1a03000) at /opt/Projects/mozilla-html5/layout/base/nsPresShell.cpp:1530
#17 0x00007f7ee8d2d3ca in nsCOMPtr<nsIPresShell>::assign_assuming_AddRef (this=0x7f7ec4046330, newPtr=0x0) at ../../dist/include/nsCOMPtr.h:495
#18 0x00007f7ee8d68fab in nsCOMPtr<nsIPresShell>::assign_with_AddRef (this=0x7f7ec4046330, rawPtr=0x0) at ../../dist/include/nsCOMPtr.h:1181
#19 0x00007f7ee8d67335 in nsCOMPtr<nsIPresShell>::operator= (this=0x7f7ec4046330, rhs=0x0) at ../../dist/include/nsCOMPtr.h:640
#20 0x00007f7ee8d634af in DocumentViewerImpl::DestroyPresShell (this=0x7f7ec40462c0) at /opt/Projects/mozilla-html5/layout/base/nsDocumentViewer.cpp:4230
#21 0x00007f7ee8d592b6 in DocumentViewerImpl::Destroy (this=0x7f7ec40462c0) at /opt/Projects/mozilla-html5/layout/base/nsDocumentViewer.cpp:1615
#22 0x00007f7ee8d5a279 in DocumentViewerImpl::Show (this=0x7f7ec4046540) at /opt/Projects/mozilla-html5/layout/base/nsDocumentViewer.cpp:1901
#23 0x00007f7ee8d88f25 in nsPresContext::EnsureVisible (this=0x7f7ec14d7000) at /opt/Projects/mozilla-html5/layout/base/nsPresContext.cpp:1630
#24 0x00007f7ee8d9aca6 in PresShell::UnsuppressAndInvalidate (this=0x7f7ec407dc00) at /opt/Projects/mozilla-html5/layout/base/nsPresShell.cpp:4414
#25 0x00007f7ee8d9af23 in PresShell::UnsuppressPainting (this=0x7f7ec407dc00) at /opt/Projects/mozilla-html5/layout/base/nsPresShell.cpp:4463
#26 0x00007f7ee8d56a45 in DocumentViewerImpl::LoadComplete (this=0x7f7ec4046540, aStatus=0) at /opt/Projects/mozilla-html5/layout/base/nsDocumentViewer.cpp:1069
#27 0x00007f7ee98111a0 in nsDocShell::EndPageLoad (this=0x7f7ecfd12800, aProgress=0x7f7ecfd12828, aChannel=0x7f7ec15f53c0, aStatus=0) at /opt/Projects/mozilla-html5/docshell/base/nsDocShell.cpp:5746
#28 0x00007f7ee9810b75 in nsDocShell::OnStateChange (this=0x7f7ecfd12800, aProgress=0x7f7ecfd12828, aRequest=0x7f7ec15f53c0, aStateFlags=131088, aStatus=0) at /opt/Projects/mozilla-html5/docshell/base/nsDocShell.cpp:5624
#29 0x00007f7ee9842614 in nsDocLoader::FireOnStateChange (this=0x7f7ecfd12800, aProgress=0x7f7ecfd12828, aRequest=0x7f7ec15f53c0, aStateFlags=131088, aStatus=0) at /opt/Projects/mozilla-html5/uriloader/base/nsDocLoader.cpp:1314
#30 0x00007f7ee9841226 in nsDocLoader::doStopDocumentLoad (this=0x7f7ecfd12800, request=0x7f7ec15f53c0, aStatus=0) at /opt/Projects/mozilla-html5/uriloader/base/nsDocLoader.cpp:926
#31 0x00007f7ee9840d41 in nsDocLoader::DocLoaderIsEmpty (this=0x7f7ecfd12800, aFlushLayout=1) at /opt/Projects/mozilla-html5/uriloader/base/nsDocLoader.cpp:802
#32 0x00007f7ee98408ef in nsDocLoader::OnStopRequest (this=0x7f7ecfd12800, aRequest=0x7f7ec13b0b00, aCtxt=0x0, aStatus=0) at /opt/Projects/mozilla-html5/uriloader/base/nsDocLoader.cpp:697
#33 0x00007f7ee8ad0fb4 in nsLoadGroup::RemoveRequest (this=0x7f7ed21358a0, request=0x7f7ec13b0b00, ctxt=0x0, aStatus=0) at /opt/Projects/mozilla-html5/netwerk/base/src/nsLoadGroup.cpp:680
#34 0x00007f7ee90915bd in nsDocument::DoUnblockOnload (this=0x7f7ec13df000) at /opt/Projects/mozilla-html5/content/base/src/nsDocument.cpp:7105
#35 0x00007f7ee9091398 in nsDocument::UnblockOnload (this=0x7f7ec13df000, aFireSync=1) at /opt/Projects/mozilla-html5/content/base/src/nsDocument.cpp:7052
#36 0x00007f7ee908682c in nsDocument::DispatchContentLoadedEvents (this=0x7f7ec13df000) at /opt/Projects/mozilla-html5/content/base/src/nsDocument.cpp:4024
#37 0x00007f7ee90a0a48 in nsRunnableMethod<nsDocument, void>::Run (this=0x7f7ec4614bb0) at ../../../dist/include/nsThreadUtils.h:282
#38 0x00007f7ee9e78953 in nsThread::ProcessNextEvent (this=0x7f7edeb52700, mayWait=0, result=0x7fff920467ac) at /opt/Projects/mozilla-html5/xpcom/threads/nsThread.cpp:527
#39 0x00007f7ee9e080a4 in NS_ProcessNextEvent_P (thread=0x7f7edeb52700, mayWait=0) at nsThreadUtils.cpp:250
#40 0x00007f7ee9d4ca08 in mozilla::ipc::MessagePump::Run (this=0x7f7ed951b680, aDelegate=0x7f7ed950d6a0) at /opt/Projects/mozilla-html5/ipc/glue/MessagePump.cpp:118
#41 0x00007f7ee9ef2df1 in MessageLoop::RunInternal (this=0x7f7ed950d6a0) at /opt/Projects/mozilla-html5/ipc/chromium/src/base/message_loop.cc:216
#42 0x00007f7ee9ef2d76 in MessageLoop::RunHandler (this=0x7f7ed950d6a0) at /opt/Projects/mozilla-html5/ipc/chromium/src/base/message_loop.cc:199
#43 0x00007f7ee9ef2d07 in MessageLoop::Run (this=0x7f7ed950d6a0) at /opt/Projects/mozilla-html5/ipc/chromium/src/base/message_loop.cc:173
#44 0x00007f7ee9bf059d in nsBaseAppShell::Run (this=0x7f7ed588bda0) at /opt/Projects/mozilla-html5/widget/src/xpwidgets/nsBaseAppShell.cpp:174
#45 0x00007f7ee990954d in nsAppStartup::Run (this=0x7f7ed5c23060) at /opt/Projects/mozilla-html5/toolkit/components/startup/src/nsAppStartup.cpp:182
#46 0x00007f7ee897d4d9 in XRE_main (argc=4, argv=0x7fff92047148, aAppData=0x7f7edeb270f0) at /opt/Projects/mozilla-html5/toolkit/xre/nsAppRunner.cpp:3548
#47 0x00000000004021f2 in main (argc=4, argv=0x7fff92047148) at /opt/Projects/mozilla-html5/browser/app/nsBrowserApp.cpp:158
Current language: auto
The current source language is "auto; currently c".
I'll experiment with reverting various pieces of the changesets mentioned above.
OS: Windows 7 → All
Hardware: x86 → All
Ok, after backing out http://hg.mozilla.org/mozilla-central/rev/a0f0fde99844 , I don't get a heap corruption anymore, so I guess this is a regression from bug 483209.
Blocks: 483209
Yeah, the right fix here is to back out http://hg.mozilla.org/mozilla-central/rev/a0f0fde99844 and then re-land the only desirable part of that changeset (the limit of 200 on the tree builder stack size.) I'll back it out as soon as I have a time slot that permits me to stick around for long enough to watch the tree go green afterwards.
Attaching the diff that undoes the bad changeset without a merge node.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Pushed http://hg.mozilla.org/mozilla-central/rev/6b4e4692c3d0

This should probably get a crash test along the lines of:
document.write("<textarea><"); document.write("very long string");
Flags: in-testsuite?
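The debug stack in the first comment shows jArray<unsigned short,int>::release() being called from nsHtml5TreeBuilder::ensureBufferSpace(addedLength=22), that is, the old character array being freed while the buffer is grown, and the comment above proposes a crash test that feeds a very long string after "<textarea><". The following is an added illustration, not Gecko code and not the fix that landed: a minimal growable UTF-16 buffer in C showing the contract a grow routine of that shape has to meet (overflow-checked size arithmetic, copy the live contents before releasing the old block, leave the buffer untouched on failure), driven in small chunks the way the stream parser delivers data. Every name here (CharBuffer, ensure_buffer_space, feed_long_textarea) is hypothetical, and nothing below claims what the actual defect in the backed-out changeset was.

```c
/* Hypothetical growable UTF-16 buffer, modelled on the contract a routine
 * like ensureBufferSpace() must meet. Not Gecko code; all names are
 * assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint16_t *data;   /* heap storage, NULL while capacity == 0 */
    size_t length;    /* code units currently in use */
    size_t capacity;  /* code units allocated */
} CharBuffer;

void char_buffer_init(CharBuffer *b) { b->data = NULL; b->length = 0; b->capacity = 0; }
void char_buffer_free(CharBuffer *b) { free(b->data); char_buffer_init(b); }

/* Make room for added_length more code units. Returns 0 on success, -1 on
 * overflow or allocation failure; on failure the buffer is left untouched. */
int ensure_buffer_space(CharBuffer *b, size_t added_length) {
    if (added_length > SIZE_MAX - b->length) return -1;   /* length + added would wrap */
    size_t needed = b->length + added_length;
    if (needed <= b->capacity) return 0;                    /* already enough room */
    size_t new_cap = b->capacity ? b->capacity : 64;
    while (new_cap < needed) {                              /* geometric growth */
        if (new_cap > SIZE_MAX / 2) { new_cap = needed; break; }
        new_cap *= 2;
    }
    if (new_cap > SIZE_MAX / sizeof(uint16_t)) return -1;   /* byte count would wrap */
    uint16_t *fresh = malloc(new_cap * sizeof(uint16_t));
    if (!fresh) return -1;
    /* Copy what is live, then release the old block; never the other way round,
     * and never hand out the old pointer again after this point. */
    if (b->length) memcpy(fresh, b->data, b->length * sizeof(uint16_t));
    free(b->data);
    b->data = fresh;
    b->capacity = new_cap;
    return 0;
}

/* Append n code units, growing first. */
int char_buffer_append(CharBuffer *b, const uint16_t *src, size_t n) {
    if (ensure_buffer_space(b, n) != 0) return -1;
    memcpy(b->data + b->length, src, n * sizeof(uint16_t));
    b->length += n;
    return 0;
}

/* Mimics the suggested crash test: "<textarea><" followed by `total` more
 * characters delivered `chunk` code units at a time. Returns the final length,
 * or (size_t)-1 if a grow failed or any stored character came back wrong. */
size_t feed_long_textarea(size_t total, size_t chunk) {
    CharBuffer b;
    char_buffer_init(&b);
    static const uint16_t prefix[] = {'<','t','e','x','t','a','r','e','a','>','<'};
    const size_t prefix_len = sizeof prefix / sizeof prefix[0];
    if (char_buffer_append(&b, prefix, prefix_len) != 0) return (size_t)-1;
    uint16_t piece[256];                                    /* constructed filler */
    for (size_t i = 0; i < 256; i++) piece[i] = 'a';
    size_t fed = 0;
    while (fed < total) {
        size_t n = total - fed < chunk ? total - fed : chunk;
        if (n > 256) n = 256;
        if (char_buffer_append(&b, piece, n) != 0) { char_buffer_free(&b); return (size_t)-1; }
        fed += n;
    }
    /* Every code unit must still be readable: the copy-before-free rule held. */
    for (size_t i = prefix_len; i < b.length; i++)
        if (b.data[i] != 'a') { char_buffer_free(&b); return (size_t)-1; }
    size_t len = b.length;
    char_buffer_free(&b);
    return len;
}

/* Returns 1 when an impossible request is rejected without touching the buffer. */
int overflow_rejected(void) {
    CharBuffer b;
    char_buffer_init(&b);
    int ok = ensure_buffer_space(&b, SIZE_MAX) == -1 && b.data == NULL && b.capacity == 0;
    char_buffer_free(&b);
    return ok;
}

int main(void) {
    printf("fed %zu code units\n", feed_long_textarea(100000, 22));
    printf("overflow rejected: %d\n", overflow_rejected());
    return 0;
}
```

The chunk size of 22 mirrors the addedLength=22 visible in the debug stack; the point of the check loop at the end is that a grow routine which freed the old array before copying, or handed stale storage back to the tokenizer, would fail it (or trip the allocator's heap checks, as in the reported crash) rather than return the right length.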
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical]
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a5pre) Gecko/20100419 Minefield/3.7a5pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsHtml5TreeBuilder::ensureBufferSpace]
Flags: in-testsuite? → in-testsuite+