Closed Bug 578914 Opened 15 years ago Closed 13 years ago

crash [@ nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster]

Categories

(Core :: DOM: HTML Parser, defect, P3)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: timeless, Assigned: hsivonen)

References

Details

(Keywords: crash, Whiteboard: [waiting for bug 610823])

Crash Data

Signature nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster(int, nsHtml5ElementName*, nsHtml5HtmlAttributes*) UUID bbe169a3-6b44-40a8-9f63-66c2d2100714 Time 2010-07-14 23:52:29.236958 Uptime 87945 Last Crash 605122 seconds (1.0 weeks) before submission Install Age 640500 seconds (1.1 weeks) since version was first installed. Product Firefox Version 4.0b1 Build ID 20100630131607 Branch 2.0 OS Mac OS X OS Version 10.6.4 10F569 CPU x86 CPU Info GenuineIntel family 6 model 23 stepping 6 Crash Reason EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE Crash Address 0x0 User Comments Processor Notes EMCheckCompatibility False Crashing Thread Frame Module Signature [Expand] Source 0 XUL nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster parser/html/nsHtml5TreeOperation.h:138 1 XUL nsHtml5TreeBuilder::startTag parser/html/nsHtml5TreeBuilder.cpp:1067 2 XUL nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:298 3 XUL nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:907 4 XUL nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:383 5 XUL nsHtml5Parser::ParseFragment parser/html/nsHtml5Parser.cpp:473 6 XUL nsGenericHTMLElement::SetInnerHTML content/html/content/src/nsGenericHTMLElement.cpp:740 7 XUL nsIDOMNSHTMLElement_SetInnerHTML dom_quickstubs.cpp:17522 8 libmozjs.dylib js_NativeSet js/src/jsscope.h:1028 9 libmozjs.dylib js_Interpret js/src/jsops.cpp:1707 10 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:664 11 libmozjs.dylib js_fun_call js/src/jsfun.cpp:1950 12 libmozjs.dylib js_Interpret js/src/jsops.cpp:2148 13 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:664 14 libmozjs.dylib array_extra js/src/jsarray.cpp:2953 15 libmozjs.dylib js_Interpret js/src/jsops.cpp:2148 16 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:664 17 libmozjs.dylib array_extra js/src/jsarray.cpp:2953 18 libmozjs.dylib js_Interpret js/src/jsops.cpp:2148 19 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:664 20 libmozjs.dylib array_extra js/src/jsarray.cpp:2953 21 libmozjs.dylib js_Interpret js/src/jsops.cpp:2148 22 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:664 23 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:694 24 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:4634 25 XUL nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:2204 26 XUL nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:228 27 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1094 28 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1190 29 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146 30 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628 31 XUL nsScriptElement::ScriptEvaluated content/base/src/nsScriptElement.cpp:105 32 XUL nsScriptLoader::ProcessRequest content/base/src/nsScriptLoader.cpp:109 33 XUL nsScriptLoader::ProcessPendingRequests content/base/src/nsScriptLoader.cpp:825 34 XUL nsScriptLoader::OnStreamComplete content/base/src/nsScriptLoader.cpp:1013 35 XUL nsStreamLoader::OnStopRequest netwerk/base/src/nsStreamLoader.cpp:125 36 XUL nsStreamListenerTee::OnStopRequest netwerk/base/src/nsStreamListenerTee.cpp:71 37 XUL nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4343 38 XUL nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:578 39 XUL nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:403 40 XUL nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:112 41 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:547 42 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:200 43 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:126 44 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:394
Looks like an OOM to me. nsTArray failing to grow.
bsmedberg says nsTArray growth is already infallible, so a new guess about the cause of the crash is needed.
cjones, any ideas what's going on here? To me, it looks like there's some heavy inlining going on, and nsTArray::AppendElement() has returned a null pointer (if the file and line number of the crash are right). How could that still happen? OTOH, how possible is it that the crash file and line number are wrong when there's inlining going on?
I see that bug 550611 is still open despite what bsmedberg said on IRC.
Depends on: 550611
Priority: -- → P3
Assignee: nobody → hsivonen
Depends on: 610823
Whiteboard: [waiting for bug 610823]
Crash Signature: [@ nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster]
no nsHtml5TreeBuilder::appendVoidElementToCurrentMayFoster(int, nsHtml5ElementName*, nsHtml5HtmlAttributes*) crashes found for last 3 months for version 6,7,8,...
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.