Closed Bug 619045 Opened 14 years ago Closed 14 years ago

crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)], [@ nsHtml5TreeOpExecutor::RunScript] (Mac and linux)

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b12

People

(Reporter: wsmwk, Assigned: timeless)

References

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file, 1 obsolete file)

{}d
811 bytes, patch
timeless
: review+
jst
: approval2.0+
Details | Diff | Splinter Review
crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)] bp-bdcdc9b2-e9b2-4de2-aaa8-4b68d2101213 EXCEPTION_ACCESS_VIOLATION_READ 0x0 0 xul.dll nsHtml5TreeOpExecutor::RunScript 1 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop parser/html/nsHtml5TreeOpExecutor.cpp:525 2 xul.dll nsHtml5ExecutorFlusher::Run parser/html/nsHtml5StreamParser.cpp:153 3 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:626 4 nspr4.dll PR_AssertCurrentThreadOwnsLock nsprpub/pr/src/threads/combined/prulock.c:404 5 nspr4.dll PR_AssertCurrentThreadOwnsLock nsprpub/pr/src/threads/combined/prulock.c:404 6 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202 8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176 9 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:192 10 xul.dll xul.dll@0xb1c91b
there's no line number for the crashing frame :( nsHtml5TreeOpExecutor::RunScript(nsIContent* aScriptElement) { nsCOMPtr<nsIScriptElement> sele = do_QueryInterface(aScriptElement); QI could fail (not likely) leading to a crash of sele-> later: if (mFragmentMode) { if (mPreventScriptExecution) { sele->PreventExecution(); if (sele->GetScriptDeferred() || sele->GetScriptAsync()) { nsCOMPtr<nsIHTMLDocument> htmlDocument = do_QueryInterface(mDocument); QI could fail (not likely) leading to a crash of htmlDocument-> here: htmlDocument->ScriptLoading(sele); if (rv == NS_ERROR_HTMLPARSER_BLOCK) { mParser could be null here: mParser->BlockParser(); } else { // mParser may have been nulled out by now, but the flusher deals Since there's a comment worrying about this, that's where my money is. I've grabbed a dump. I'll try to look tonight.
timeless, I found Mac crasher has line#s bp-a16f1ddb-da8c-4ec7-86de-ebd8f2101214 0 XUL nsHtml5TreeOpExecutor::RunScript parser/html/nsHtml5TreeOpExecutor.cpp:736 1 XUL nsHtml5TreeOpExecutor::RunFlushLoop parser/html/nsHtml5TreeOpExecutor.cpp:525 2 XUL nsHtml5ExecutorReflusher::Run parser/html/nsHtml5TreeOpExecutor.cpp:90 3 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:609 4 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208 this linux crash ends at same line# but has different stack bp-fc18ce99-d617-4236-82f1-3f6a22101209
So it sounds like the parsers gets stopped but the script blocks. I have no idea how those two things could occur at the same time, but I guess a null check is needed to deal.
wayne: thanks, so i was right
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #497633 - Flags: review?(hsivonen)
Attachment #497633 - Flags: approval2.0?
Comment on attachment 497633 [details] [diff] [review] patch r=hsivonen if you add {} braces around mParser->BlockParser();.
Attachment #497633 - Flags: review?(hsivonen) → review+
Attached patch {}dSplinter Review
Attachment #497633 - Attachment is obsolete: true
Attachment #497751 - Flags: review+
Attachment #497751 - Flags: approval2.0?
Attachment #497633 - Flags: approval2.0?
Comment on attachment 497751 [details] [diff] [review] {}d Mass minusing patch approval that don't have high return. Please renominate if this is more important for 2.0 than it appears.
Attachment #497751 - Flags: approval2.0? → approval2.0-
Comment on attachment 497751 [details] [diff] [review] {}d Renomming, this is a simple null check that stops crashes.
Attachment #497751 - Flags: approval2.0- → approval2.0?
> Renomming, this is a simple null check that stops crashes. plus it's a topcrash for 4.0b11, #71. so consider this a second nomination. nsHtml5TreeOpExecutor::RunScript is the Mac and linux sig and there is also a crash deserving of another bug ... nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) | nsHtml5TreeOpExecutor::RunScript(nsIContent*) bp-edbae1a4-1862-47a2-8b90-4c4512110213 EXCEPTION_ACCESS_VIOLATION_READ 0xfffffffff00ebfce 0 xul.dll nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96 1 xul.dll nsHtml5TreeOpExecutor::RunScript parser/html/nsHtml5TreeOpExecutor.cpp:688 2 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop parser/html/nsHtml5TreeOpExecutor.cpp:525 3 xul.dll nsHtml5ExecutorFlusher::Run parser/html/nsHtml5TreeOpExecutor.cpp:90 4 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:633 5 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
Keywords: topcrash
OS: Windows Vista → All
Summary: crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)] → crash [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)], [@ nsHtml5TreeOpExecutor::RunScript] (Mac and linux)
Attachment #497751 - Flags: approval2.0? → approval2.0+
http://hg.mozilla.org/mozilla-central/rev/45b687344b21
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b12
Crash Signature: [@ nsHtml5TreeOpExecutor::RunScript(nsIContent*)] [@ nsHtml5TreeOpExecutor::RunScript]
See Also: → 1424220
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: