Closed Bug 578914 Opened 14 years ago Closed 13 years ago

crash [@ nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster]

Categories

(Core :: DOM: HTML Parser, defect, P3)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: timeless, Assigned: hsivonen)

References

Details

(Keywords: crash, Whiteboard: [waiting for bug 610823])

Crash Data

Signature	nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster(int, nsHtml5ElementName*, nsHtml5HtmlAttributes*)
UUID	bbe169a3-6b44-40a8-9f63-66c2d2100714
Time 	2010-07-14 23:52:29.236958
Uptime	87945
Last Crash	605122 seconds (1.0 weeks) before submission
Install Age	640500 seconds (1.1 weeks) since version was first installed.
Product	Firefox
Version	4.0b1
Build ID	20100630131607
Branch	2.0
OS	Mac OS X
OS Version	10.6.4 10F569
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x0
User Comments	
Processor Notes 	
EMCheckCompatibility	False
Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster 	parser/html/nsHtml5TreeOperation.h:138
1 	XUL 	nsHtml5TreeBuilder::startTag 	parser/html/nsHtml5TreeBuilder.cpp:1067
2 	XUL 	nsHtml5Tokenizer::emitCurrentTagToken 	parser/html/nsHtml5Tokenizer.cpp:298
3 	XUL 	nsHtml5Tokenizer::stateLoop 	parser/html/nsHtml5Tokenizer.cpp:907
4 	XUL 	nsHtml5Tokenizer::tokenizeBuffer 	parser/html/nsHtml5Tokenizer.cpp:383
5 	XUL 	nsHtml5Parser::ParseFragment 	parser/html/nsHtml5Parser.cpp:473
6 	XUL 	nsGenericHTMLElement::SetInnerHTML 	content/html/content/src/nsGenericHTMLElement.cpp:740
7 	XUL 	nsIDOMNSHTMLElement_SetInnerHTML 	dom_quickstubs.cpp:17522
8 	libmozjs.dylib 	js_NativeSet 	js/src/jsscope.h:1028
9 	libmozjs.dylib 	js_Interpret 	js/src/jsops.cpp:1707
10 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:664
11 	libmozjs.dylib 	js_fun_call 	js/src/jsfun.cpp:1950
12 	libmozjs.dylib 	js_Interpret 	js/src/jsops.cpp:2148
13 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:664
14 	libmozjs.dylib 	array_extra 	js/src/jsarray.cpp:2953
15 	libmozjs.dylib 	js_Interpret 	js/src/jsops.cpp:2148
16 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:664
17 	libmozjs.dylib 	array_extra 	js/src/jsarray.cpp:2953
18 	libmozjs.dylib 	js_Interpret 	js/src/jsops.cpp:2148
19 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:664
20 	libmozjs.dylib 	array_extra 	js/src/jsarray.cpp:2953
21 	libmozjs.dylib 	js_Interpret 	js/src/jsops.cpp:2148
22 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:664
23 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinterp.cpp:694
24 	libmozjs.dylib 	JS_CallFunctionValue 	js/src/jsapi.cpp:4634
25 	XUL 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2204
26 	XUL 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:228
27 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1094
28 	XUL 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1190
29 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:146
30 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:628
31 	XUL 	nsScriptElement::ScriptEvaluated 	content/base/src/nsScriptElement.cpp:105
32 	XUL 	nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:109
33 	XUL 	nsScriptLoader::ProcessPendingRequests 	content/base/src/nsScriptLoader.cpp:825
34 	XUL 	nsScriptLoader::OnStreamComplete 	content/base/src/nsScriptLoader.cpp:1013
35 	XUL 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:125
36 	XUL 	nsStreamListenerTee::OnStopRequest 	netwerk/base/src/nsStreamListenerTee.cpp:71
37 	XUL 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4343
38 	XUL 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
39 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
40 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
41 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
42 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:200
43 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:126
44 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:394
Looks like an OOM to me. nsTArray failing to grow.
bsmedberg says nsTArray growth is already infallible, so a new guess about the cause of the crash is needed.
cjones, any ideas what's going on here? To me, it looks like there's some heavy inlining going on, and nsTArray::AppendElement() has returned a null pointer (if the file and line number of the crash are right). How could that still happen?

OTOH, how possible is it that the crash file and line number are wrong when there's inlining going on?
I see that bug 550611 is still open despite what bsmedberg said on IRC.
Depends on: 550611
Priority: -- → P3
Assignee: nobody → hsivonen
Depends on: 610823
Whiteboard: [waiting for bug 610823]
Crash Signature: [@ nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster]
no nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster(int, nsHtml5ElementName*, nsHtml5HtmlAttributes*) crashes found for last 3 months for version 6,7,8,...
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.