Closed Bug 614583 Opened 14 years ago Closed 14 years ago

crash [@ nsDocument::AddToIdTable(mozilla::dom::Element*, nsIAtom*) ]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: scoobidiver, Assigned: sicking)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Patch to fix
26.76 KB, patch
jst
: review+
Details | Diff | Splinter Review 
It is a residual crash signature that exist in trunk builds.
It is #180 top crasher in 4.0b8pre for the last week.

Comments say:
"something is going wrong when I add a hashtag"
"Just installed Firebug 1.7a5"
"Using ExtJS"
"I was clicking the middle button on a link to open it in a new tab. While waiting on the tab to finish loading (before switching to it), this crash happened"

Signature	nsDocument::AddToIdTable(mozilla::dom::Element*, nsIAtom*)
UUID	b699b8c1-7fca-444f-8d95-5f6cd2101124
Time 	2010-11-24 07:38:20.261797
Uptime	2149
Last Crash	114900 seconds (1.3 days) before submission
Install Age	2149 seconds (35.8 minutes) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101124042634
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x8
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0611
MSAFD Tcpip [TCP/IP] : 2 : 1 :
MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD Tcpip [RAW/IP] : 2 : 3 :
MSAFD Tcpip [TCP/IPv6] : 2 : 1 : %SystemRoot%\system32\mswsock.dll
MSAFD Tcpip [UDP/IPv6] : 2 : 2 :
MSAFD Tcpip [RAW/IPv6] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
RSVP TCPv6 Service Provider : 2 : 1 :
RSVP TCP Service Provider : 2 : 1 : %SystemRoot%\system32\mswsock.dll
RSVP UDPv6 Service Provider : 2 : 2 :
RSVP UDP Service Provider : 2 : 2 : %SystemRoot%\system32\mswsock.dll

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsDocument::AddToIdTable 	content/base/src/nsDocument.cpp:2569
1 	xul.dll 	nsGenericHTMLElement::BindToTree 	content/html/content/src/nsGenericHTMLElement.cpp:947
2 	xul.dll 	nsHTMLAnchorElement::BindToTree 	content/html/content/src/nsHTMLAnchorElement.cpp:196
3 	xul.dll 	nsGenericElement::BindToTree 	content/base/src/nsGenericElement.cpp:2967
4 	xul.dll 	mozAutoDocUpdate::~mozAutoDocUpdate 	
5 	xul.dll 	nsGenericHTMLElement::BindToTree 	content/html/content/src/nsGenericHTMLElement.cpp:947
6 	xul.dll 	PL_DHashMatchStringKey 	modules/libpref/src/prefapi.cpp:111
7 	xul.dll 	nsGenericElement::BindToTree 	content/base/src/nsGenericElement.cpp:2967
8 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4153
9 	mozcrt19.dll 	arena_malloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:3783
10 	xul.dll 	nsAttrValue::GetStringBuffer 	content/base/src/nsAttrValue.cpp:1394
11 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/xpcom/build/nsCOMPtr.cpp:81
12 	xul.dll 	nsAttrValue::ParseAtomArray 	content/base/src/nsAttrValue.cpp:943
13 	xul.dll 	nsGenericElement::BindToTree 	content/base/src/nsGenericElement.cpp:2967
14 	xul.dll 	nsINode::doInsertChildAt 	content/base/src/nsGenericElement.cpp:3592
15 	xul.dll 	nsGenericElement::InsertChildAt 	content/base/src/nsGenericElement.cpp:3537
16 	xul.dll 	nsINode::ReplaceOrInsertBefore 	content/base/src/nsGenericElement.cpp:4279
17 	xul.dll 	nsIDOMNode_AppendChild 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5225
18 	mozjs.dll 	mozjs.dll@0x19b567 	

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsDocument%3A%3AAddToIdTable%28mozilla%3A%3Adom%3A%3AElement*%2C%20nsIAtom*%29
This is probably a regression :(

Any steps to reproduce here would be rockin'. I'll see how much minidumps will help.
Assignee: nobody → jonas
blocking2.0: --- → betaN+
Jonas, I just reproduced this with the url http://inforum.insite.com.br/17356/2632270.html (found thanks to bc's awesome crash reproducing tool!).

We've got a node that says it has an id, but the node's id is null.

#0  0x00007ffff4f6968a in nsIAtom::GetLength (this=0x0)
    at ../../../dist/include/nsIAtom.h:66
#1  0x00007ffff4f696ad in nsDependentAtomString::nsDependentAtomString (
    this=0x7fffffffccd0, aAtom=0x0) at ../../../dist/include/nsIAtom.h:244
#2  0x00007ffff53a4961 in nsDocument::AddToIdTable (this=0x7fffce3c8000, 
    aElement=0x7fffcda109b0, aId=0x0)
    at ../../../../mozilla/content/base/src/nsDocument.cpp:2569
#3  0x00007ffff5436b30 in nsStyledElement::BindToTree (this=0x7fffcda109b0, 
    aDocument=0x7fffce3c8000, aParent=0x7fffcda10240, aBindingParent=0x0, 
    aCompileEventHandlers=1)
    at ../../../../mozilla/content/base/src/nsStyledElement.cpp:223
#4  0x00007ffff5405596 in nsMappedAttributeElement::BindToTree (
    this=0x7fffcda109b0, aDocument=0x7fffce3c8000, aParent=0x7fffcda10240, 
    aBindingParent=0x0, aCompileEventHandlers=1)
    at ../../../../mozilla/content/base/src/nsMappedAttributeElement.cpp:51
#5  0x00007ffff551ad00 in nsGenericHTMLElement::BindToTree (
    this=0x7fffcda109b0, aDocument=0x7fffce3c8000, aParent=0x7fffcda10240, 
    aBindingParent=0x0, aCompileEventHandlers=1)
    at ../../../../../mozilla/content/html/content/src/nsGenericHTMLElement.cpp:947
#6  0x00007ffff53f17b9 in nsINode::doInsertChildAt (this=0x7fffcda10240, 
    aKid=0x7fffcda109b0, aIndex=3, aNotify=0, aChildArray=...)
    at ../../../../mozilla/content/base/src/nsGenericElement.cpp:3591
#7  0x00007ffff53f120b in nsGenericElement::InsertChildAt (
    this=0x7fffcda10240, aKid=0x7fffcda109b0, aIndex=3, aNotify=0)
    at ../../../../mozilla/content/base/src/nsGenericElement.cpp:3536
#8  0x00007ffff4feea2d in nsINode::AppendChildTo (this=0x7fffcda10240, 
    aKid=0x7fffcda109b0, aNotify=0) at ../../dist/include/nsINode.h:531
#9  0x00007ffff5908c7d in nsHtml5TreeOperation::Append (this=0x7fffcdd05718, 
    aNode=0x7fffcda109b0, aParent=0x7fffcda10240, aBuilder=0x7fffcddf19b0)
    at ../../../mozilla/parser/html/nsHtml5TreeOperation.cpp:217
So the relevant element is the one that starts:

 <div class="mainpost3" id="msg-Virtual DJ

and then has a missing close quote, so the next 122 lines of text all look like attributes on that element.  As a result it claims to have 1023 attributes, which is ATTRCHILD_ARRAY_MAX_ATTR_COUNT.

So I bet that in ParseAttribute() we set the NODE_HAS_ID flag, but the actual nsAttrAndChildArray::SetAttr call fails due to there being too many of them (recall that we set attributes backwards), so we don't actually have an attribute for GetID() to return anything from.
Attached patch Patch to fixSplinter Review 
Thanks Boris for debugging this!
Attachment #497311 - Flags: review?(jst)
Attachment #497311 - Flags: review?(jst) → review+
Checked in http://hg.mozilla.org/mozilla-central/rev/5a4959ebd326
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsDocument::AddToIdTable(mozilla::dom::Element*, nsIAtom*) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: