crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)], [@ nsHtml5TreeOpExecutor::RunScript] (Mac and linux)

RESOLVED FIXED in mozilla2.0b12

Status

()

--
critical
RESOLVED FIXED
8 years ago
9 months ago

People

(Reporter: wsmwk, Assigned: timeless)

Tracking

({crash, topcrash})

Trunk
mozilla2.0b12
x86
All
crash, topcrash
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

{}d
811 bytes, patch
timeless
: review+
Details | Diff | Splinter Review
(Reporter)

Description

8 years ago
crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)]

bp-bdcdc9b2-e9b2-4de2-aaa8-4b68d2101213

EXCEPTION_ACCESS_VIOLATION_READ
0x0
0	xul.dll	nsHtml5TreeOpExecutor::RunScript	
1	xul.dll	nsHtml5TreeOpExecutor::RunFlushLoop	parser/html/nsHtml5TreeOpExecutor.cpp:525
2	xul.dll	nsHtml5ExecutorFlusher::Run	parser/html/nsHtml5StreamParser.cpp:153
3	xul.dll	nsThread::ProcessNextEvent	xpcom/threads/nsThread.cpp:626
4	nspr4.dll	PR_AssertCurrentThreadOwnsLock	nsprpub/pr/src/threads/combined/prulock.c:404
5	nspr4.dll	PR_AssertCurrentThreadOwnsLock	nsprpub/pr/src/threads/combined/prulock.c:404
6	xul.dll	mozilla::ipc::MessagePump::Run	ipc/glue/MessagePump.cpp:110
7	xul.dll	MessageLoop::RunHandler	ipc/chromium/src/base/message_loop.cc:202
8	xul.dll	MessageLoop::Run	ipc/chromium/src/base/message_loop.cc:176
9	xul.dll	nsBaseAppShell::Run	widget/src/xpwidgets/nsBaseAppShell.cpp:192
10	xul.dll	xul.dll@0xb1c91b
(Assignee)

Comment 1

8 years ago
there's no line number for the crashing frame :(


nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement)
{
  nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement);
QI could fail (not likely) leading to a crash of sele-> later:

  if (mFragmentMode) {
    if (mPreventScriptExecution) {
      sele->PreventExecution();
  if (sele->GetScriptDeferred() || sele->GetScriptAsync()) {


  nsCOMPtr<nsIHTMLDocument> htmlDocument = do_QueryInterface(mDocument);
QI could fail (not likely) leading to a crash of htmlDocument-> here:
  htmlDocument->ScriptLoading(sele);


  if (rv == NS_ERROR_HTMLPARSER_BLOCK) {
mParser could be null here:
    mParser->BlockParser();

  } else {
    // mParser may have been nulled out by now, but the flusher deals

Since there's a comment worrying about this, that's where my money is. I've grabbed a dump. I'll try to look tonight.
(Reporter)

Comment 2

8 years ago
timeless, I found Mac crasher has line#s  
bp-a16f1ddb-da8c-4ec7-86de-ebd8f2101214
0	XUL	nsHtml5TreeOpExecutor::RunScript	parser/html/nsHtml5TreeOpExecutor.cpp:736
1	XUL	nsHtml5TreeOpExecutor::RunFlushLoop	parser/html/nsHtml5TreeOpExecutor.cpp:525
2	XUL	nsHtml5ExecutorReflusher::Run	parser/html/nsHtml5TreeOpExecutor.cpp:90
3	XUL	nsThread::ProcessNextEvent	xpcom/threads/nsThread.cpp:609
4	XUL	NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208 

this linux crash ends at same line# but has different stack bp-fc18ce99-d617-4236-82f1-3f6a22101209
So it sounds like the parsers gets stopped but the script blocks. I have no idea how those two things could occur at the same time, but I guess a null check is needed to deal.
(Assignee)

Comment 4

8 years ago
wayne: thanks, so i was right
(Assignee)

Comment 5

8 years ago
Created attachment 497633 [details] [diff] [review]
patch
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #497633 - Flags: review?(hsivonen)
Attachment #497633 - Flags: approval2.0?
Comment on attachment 497633 [details] [diff] [review]
patch

r=hsivonen if you add {} braces around mParser->BlockParser();.
Attachment #497633 - Flags: review?(hsivonen) → review+
(Assignee)

Comment 7

8 years ago
Created attachment 497751 [details] [diff] [review]
{}d
Attachment #497633 - Attachment is obsolete: true
Attachment #497751 - Flags: review+
Attachment #497751 - Flags: approval2.0?
Attachment #497633 - Flags: approval2.0?
Comment on attachment 497751 [details] [diff] [review]
{}d

Mass minusing patch approval that don't have high return. Please renominate if this is more important for 2.0 than it appears.
Attachment #497751 - Flags: approval2.0? → approval2.0-
Comment on attachment 497751 [details] [diff] [review]
{}d

Renomming, this is a simple null check that stops crashes.
Attachment #497751 - Flags: approval2.0- → approval2.0?
(Reporter)

Comment 10

8 years ago
> Renomming, this is a simple null check that stops crashes.

plus it's a topcrash for 4.0b11, #71. so consider this a second nomination.


nsHtml5TreeOpExecutor::RunScript is the Mac and linux sig


and there is also a crash deserving of another bug ... 
nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) | nsHtml5TreeOpExecutor::RunScript(nsIContent*)
bp-edbae1a4-1862-47a2-8b90-4c4512110213
EXCEPTION_ACCESS_VIOLATION_READ
0xfffffffff00ebfce
0	xul.dll	nsCOMPtr_base::assign_from_qi	obj-firefox/xpcom/build/nsCOMPtr.cpp:96
1	xul.dll	nsHtml5TreeOpExecutor::RunScript	parser/html/nsHtml5TreeOpExecutor.cpp:688
2	xul.dll	nsHtml5TreeOpExecutor::RunFlushLoop	parser/html/nsHtml5TreeOpExecutor.cpp:525
3	xul.dll	nsHtml5ExecutorFlusher::Run	parser/html/nsHtml5TreeOpExecutor.cpp:90
4	xul.dll	nsThread::ProcessNextEvent	xpcom/threads/nsThread.cpp:633
5	xul.dll	mozilla::ipc::MessagePump::Run	ipc/glue/MessagePump.cpp:110
Keywords: topcrash
OS: Windows Vista → All
Summary: crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)] → crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)], [@ nsHtml5TreeOpExecutor::RunScript] (Mac and linux)

Updated

8 years ago
Attachment #497751 - Flags: approval2.0? → approval2.0+

Updated

8 years ago
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/45b687344b21
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b12
Crash Signature: [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)] [@ nsHtml5TreeOpExecutor::RunScript]
You need to log in before you can comment on or make changes to this bug.