Closed Bug 614583 Opened 14 years ago Closed 14 years ago

crash [@ nsDocument::AddToIdTable(mozilla::dom::Element*, nsIAtom*) ]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: scoobidiver, Assigned: sicking)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Patch to fix
26.76 KB, patch
jst
: review+
Details | Diff | Splinter Review
It is a residual crash signature that exist in trunk builds. It is #180 top crasher in 4.0b8pre for the last week. Comments say: "something is going wrong when I add a hashtag" "Just installed Firebug 1.7a5" "Using ExtJS" "I was clicking the middle button on a link to open it in a new tab. While waiting on the tab to finish loading (before switching to it), this crash happened" Signature nsDocument::AddToIdTable(mozilla::dom::Element*, nsIAtom*) UUID b699b8c1-7fca-444f-8d95-5f6cd2101124 Time 2010-11-24 07:38:20.261797 Uptime 2149 Last Crash 114900 seconds (1.3 days) before submission Install Age 2149 seconds (35.8 minutes) since version was first installed. Product Firefox Version 4.0b8pre Build ID 20101124042634 Branch 2.0 OS Windows NT OS Version 6.1.7600 CPU x86 CPU Info GenuineIntel family 6 model 23 stepping 6 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x8 App Notes AdapterVendorID: 10de, AdapterDeviceID: 0611 MSAFD Tcpip [TCP/IP] : 2 : 1 : MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [RAW/IP] : 2 : 3 : MSAFD Tcpip [TCP/IPv6] : 2 : 1 : %SystemRoot%\system32\mswsock.dll MSAFD Tcpip [UDP/IPv6] : 2 : 2 : MSAFD Tcpip [RAW/IPv6] : 2 : 3 : %SystemRoot%\system32\mswsock.dll RSVP TCPv6 Service Provider : 2 : 1 : RSVP TCP Service Provider : 2 : 1 : %SystemRoot%\system32\mswsock.dll RSVP UDPv6 Service Provider : 2 : 2 : RSVP UDP Service Provider : 2 : 2 : %SystemRoot%\system32\mswsock.dll Frame Module Signature [Expand] Source 0 xul.dll nsDocument::AddToIdTable content/base/src/nsDocument.cpp:2569 1 xul.dll nsGenericHTMLElement::BindToTree content/html/content/src/nsGenericHTMLElement.cpp:947 2 xul.dll nsHTMLAnchorElement::BindToTree content/html/content/src/nsHTMLAnchorElement.cpp:196 3 xul.dll nsGenericElement::BindToTree content/base/src/nsGenericElement.cpp:2967 4 xul.dll mozAutoDocUpdate::~mozAutoDocUpdate 5 xul.dll nsGenericHTMLElement::BindToTree content/html/content/src/nsGenericHTMLElement.cpp:947 6 xul.dll PL_DHashMatchStringKey modules/libpref/src/prefapi.cpp:111 7 xul.dll nsGenericElement::BindToTree content/base/src/nsGenericElement.cpp:2967 8 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4153 9 mozcrt19.dll arena_malloc_small obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:3783 10 xul.dll nsAttrValue::GetStringBuffer content/base/src/nsAttrValue.cpp:1394 11 xul.dll nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> obj-firefox/xpcom/build/nsCOMPtr.cpp:81 12 xul.dll nsAttrValue::ParseAtomArray content/base/src/nsAttrValue.cpp:943 13 xul.dll nsGenericElement::BindToTree content/base/src/nsGenericElement.cpp:2967 14 xul.dll nsINode::doInsertChildAt content/base/src/nsGenericElement.cpp:3592 15 xul.dll nsGenericElement::InsertChildAt content/base/src/nsGenericElement.cpp:3537 16 xul.dll nsINode::ReplaceOrInsertBefore content/base/src/nsGenericElement.cpp:4279 17 xul.dll nsIDOMNode_AppendChild obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:5225 18 mozjs.dll mozjs.dll@0x19b567 More reports at: http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=nsDocument%3A%3AAddToIdTable%28mozilla%3A%3Adom%3A%3AElement*%2C%20nsIAtom*%29
This is probably a regression :( Any steps to reproduce here would be rockin'. I'll see how much minidumps will help.
Assignee: nobody → jonas
blocking2.0: --- → betaN+
Jonas, I just reproduced this with the url http://inforum.insite.com.br/17356/2632270.html (found thanks to bc's awesome crash reproducing tool!). We've got a node that says it has an id, but the node's id is null. #0 0x00007ffff4f6968a in nsIAtom::GetLength (this=0x0) at ../../../dist/include/nsIAtom.h:66 #1 0x00007ffff4f696ad in nsDependentAtomString::nsDependentAtomString ( this=0x7fffffffccd0, aAtom=0x0) at ../../../dist/include/nsIAtom.h:244 #2 0x00007ffff53a4961 in nsDocument::AddToIdTable (this=0x7fffce3c8000, aElement=0x7fffcda109b0, aId=0x0) at ../../../../mozilla/content/base/src/nsDocument.cpp:2569 #3 0x00007ffff5436b30 in nsStyledElement::BindToTree (this=0x7fffcda109b0, aDocument=0x7fffce3c8000, aParent=0x7fffcda10240, aBindingParent=0x0, aCompileEventHandlers=1) at ../../../../mozilla/content/base/src/nsStyledElement.cpp:223 #4 0x00007ffff5405596 in nsMappedAttributeElement::BindToTree ( this=0x7fffcda109b0, aDocument=0x7fffce3c8000, aParent=0x7fffcda10240, aBindingParent=0x0, aCompileEventHandlers=1) at ../../../../mozilla/content/base/src/nsMappedAttributeElement.cpp:51 #5 0x00007ffff551ad00 in nsGenericHTMLElement::BindToTree ( this=0x7fffcda109b0, aDocument=0x7fffce3c8000, aParent=0x7fffcda10240, aBindingParent=0x0, aCompileEventHandlers=1) at ../../../../../mozilla/content/html/content/src/nsGenericHTMLElement.cpp:947 #6 0x00007ffff53f17b9 in nsINode::doInsertChildAt (this=0x7fffcda10240, aKid=0x7fffcda109b0, aIndex=3, aNotify=0, aChildArray=...) at ../../../../mozilla/content/base/src/nsGenericElement.cpp:3591 #7 0x00007ffff53f120b in nsGenericElement::InsertChildAt ( this=0x7fffcda10240, aKid=0x7fffcda109b0, aIndex=3, aNotify=0) at ../../../../mozilla/content/base/src/nsGenericElement.cpp:3536 #8 0x00007ffff4feea2d in nsINode::AppendChildTo (this=0x7fffcda10240, aKid=0x7fffcda109b0, aNotify=0) at ../../dist/include/nsINode.h:531 #9 0x00007ffff5908c7d in nsHtml5TreeOperation::Append (this=0x7fffcdd05718, aNode=0x7fffcda109b0, aParent=0x7fffcda10240, aBuilder=0x7fffcddf19b0) at ../../../mozilla/parser/html/nsHtml5TreeOperation.cpp:217
So the relevant element is the one that starts: <div class="mainpost3" id="msg-Virtual DJ and then has a missing close quote, so the next 122 lines of text all look like attributes on that element. As a result it claims to have 1023 attributes, which is ATTRCHILD_ARRAY_MAX_ATTR_COUNT. So I bet that in ParseAttribute() we set the NODE_HAS_ID flag, but the actual nsAttrAndChildArray::SetAttr call fails due to there being too many of them (recall that we set attributes backwards), so we don't actually have an attribute for GetID() to return anything from.
Attached patch Patch to fixSplinter Review
Thanks Boris for debugging this!
Attachment #497311 - Flags: review?(jst)
Attachment #497311 - Flags: review?(jst) → review+
Checked in http://hg.mozilla.org/mozilla-central/rev/5a4959ebd326
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsDocument::AddToIdTable(mozilla::dom::Element*, nsIAtom*) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: