Last Comment Bug 704284 - Firefox Crash @ nsXMLHttpRequest::IsWaitingForHTMLCharset()
: Firefox Crash @ nsXMLHttpRequest::IsWaitingForHTMLCharset()
Status: RESOLVED FIXED
: crash, regression
Product: Core
Classification: Components
Component: DOM (show other bugs)
: Trunk
: x86 Windows 7
: -- critical (vote)
: mozilla11
Assigned To: Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01)
:
Mentors:
: 704445 704760 (view as bug list)
Depends on:
Blocks: 651072
  Show dependency treegraph
 
Reported: 2011-11-21 13:52 PST by Marcia Knous [:marcia - use ni]
Modified: 2012-02-01 14:00 PST (History)
10 users (show)
hsivonen: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Null-check mResponseXML (958 bytes, patch)
2011-11-22 00:23 PST, Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01)
bugs: review+
Details | Diff | Splinter Review
crashtest as a patch (1.09 KB, patch)
2011-11-22 06:51 PST, Masatoshi Kimura [:emk]
no flags Details | Diff | Splinter Review
crashtest as a patch (1.03 KB, patch)
2011-11-22 06:55 PST, Masatoshi Kimura [:emk]
no flags Details | Diff | Splinter Review
crashtest as a patch, v3 (1.06 KB, patch)
2011-11-22 07:29 PST, Masatoshi Kimura [:emk]
hsivonen: review+
Details | Diff | Splinter Review
crashtest as a patch for check in, r=hsivonen (1.10 KB, patch)
2011-11-22 23:48 PST, Masatoshi Kimura [:emk]
VYV03354: review+
Details | Diff | Splinter Review

Description Marcia Knous [:marcia - use ni] 2011-11-21 13:52:22 PST
Seen while looking at Windows trunk data. Crashes started showing up in crash stats using the 2011112100 build. https://crash-stats.mozilla.com/report/list?signature=nsXMLHttpRequest::IsWaitingForHTMLCharset%28%29 to the crashes - many seem to be one user but there is another OS with no service pack.

Possible pushlog regression range based on crash stats:

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7dd46087e678&tochange=78cd6a30e250

https://crash-stats.mozilla.com/report/index/2ae44bbb-2edd-4d36-82b5-cf1622111121

Frame 	Module 	Signature [Expand] 	Source
0 	xul.dll 	nsXMLHttpRequest::IsWaitingForHTMLCharset 	content/base/src/nsXMLHttpRequest.cpp:1483
1 	xul.dll 	xpc_qsUnwrapThis<nsIXMLHttpRequest> 	js/xpconnect/src/XPCQuickStubs.h:536
2 	xul.dll 	nsXMLHttpRequest::GetResponseText 	content/base/src/nsXMLHttpRequest.cpp:888
3 	xul.dll 	nsIXMLHttpRequest_GetResponseText 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:22477
4 	xul.dll 	js::ContextStack::currentScript 	js/src/vm/Stack-inl.h:645
5 	xul.dll 	js::Shape::get 	js/src/jsscopeinlines.h:295
6 	xul.dll 	js_GetPropertyHelper 	js/src/jsobj.cpp:5944
7 	xul.dll 	js::Interpret 	js/src/jsinterp.cpp:3487
8 	xul.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:214
9 	xul.dll 	XPCNativeInterface::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNativeInfo.cpp:162
10 	xul.dll 	XPCCallContext::Init 	js/xpconnect/src/XPCCallContext.cpp:148
11 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:1302
12 	xul.dll 	XPCCallContext::XPCCallContext 	js/xpconnect/src/XPCCallContext.cpp:63
13 	xul.dll 	NS_IsMainThread_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:138
14 	xul.dll 	nsXPConnect::GetNativeOfWrapper 	js/xpconnect/src/nsXPConnect.cpp:1507
15 	xul.dll 	nsCycleCollector::Forget2 	xpcom/base/nsCycleCollector.cpp:2532
16 	xul.dll 	NS_IsMainThread_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:138
17 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:96
18 	xul.dll 	XPCWrappedNative::InitTearOff 	js/xpconnect/src/XPCWrappedNative.cpp:2023
19 	xul.dll 	JS_NewObject 	js/src/jsapi.cpp:3236
20 	nspr4.dll 	MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
21 	nspr4.dll 	MD_CURRENT_THREAD 	nsprpub/pr/src/md/windows/w95thred.c:308
22 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
23 	xul.dll 	FinishCreate 	js/xpconnect/src/XPCWrappedNative.cpp:633
24 	xul.dll 	nsCOMPtr_base::~nsCOMPtr_base 	obj-firefox/xpcom/build/nsCOMPtr.cpp:81
25 	xul.dll 	XPCWrappedNative::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNative.cpp:584
26 	xul.dll 	JS_ObjectToInnerObject 	js/src/jsobj.cpp:142
27 	xul.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:214
28 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
29 	xul.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:359
30 	xul.dll 	XPCNativeInterface::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNativeInfo.cpp:162
31 	xul.dll 	JS_WrapObject 	js/src/jsapi.cpp:1443
32 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:1302
33 	xul.dll 	nsCOMPtr_base::~nsCOMPtr_base 	obj-firefox/xpcom/build/nsCOMPtr.cpp:81
34 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:500
35 	xul.dll 	js::types::TypeScript::SetArgument 	js/src/jsinferinlines.h:682
36 	xul.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:631
37 	xul.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
38 	xul.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:647
39 	xul.dll 	JSCompartment::wrap 	js/src/jscompartment.cpp:220
40 	xul.dll 	js::Invoke 	js/src/jsinterp.cpp:679
41 	nspr4.dll 	PR_Lock 	nsprpub/pr/src/threads/combined/prulock.c:223
42 	xul.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5223
43 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1530
44 	xul.dll 	nsUrlClassifierHash<4>::FromPlaintext 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:256
Comment 1 Kyle Huey [:khuey] (khuey@mozilla.com) 2011-11-21 14:01:24 PST
Looks like doc is null here.
Comment 2 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-22 00:23:20 PST
Created attachment 576096 [details] [diff] [review]
Null-check mResponseXML

I failed to realize that in some error cases, mResponseXML gets nulled out even in the HTML mode.

Does anyone have a minimized test for provoking this crash (for landing as a crashtest)?
Comment 3 Masatoshi Kimura [:emk] 2011-11-22 01:18:31 PST
(In reply to Henri Sivonen (:hsivonen) from comment #2)
> Does anyone have a minimized test for provoking this crash (for landing as a
> crashtest)?
var xhr=new XMLHttpRequest();xhr.open("GET",location);xhr.send();xhr.onprogress=function(){xhr.abort();};xhr.onabort=function(){xhr.responseText;};
Comment 4 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-22 03:25:37 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/3a00a7c1227f

I'll prepare a crashtest from the suggestion in comment 3.
Comment 5 Masatoshi Kimura [:emk] 2011-11-22 03:33:02 PST
(In reply to Henri Sivonen (:hsivonen) from comment #2)
> XMLHttpRequest();xhr.open("GET",location);xhr.send();xhr.
> onprogress=function(){xhr.abort();};xhr.onabort=function(){xhr.responseText;
> };
Sorry, the above test will not work reliably if the server did not send the response body in 50ms. Try this:
var xhr=new XMLHttpRequest();xhr.open("GET",location);xhr.send();xhr.onprogress=function(){if(xhr.readyState==3)xhr.abort();};xhr.onabort=function(){xhr.responseText;};
Comment 6 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-22 03:42:46 PST
(In reply to Masatoshi Kimura [:emk] from comment #5)
> Sorry, the above test will not work reliably if the server did not send the
> response body in 50ms. Try this:

I'm unable to make a crashtest that actually crashes with the fix using either of the suggestions.
Comment 7 Masatoshi Kimura [:emk] 2011-11-22 03:58:34 PST
(In reply to Henri Sivonen (:hsivonen) from comment #6)
> (In reply to Masatoshi Kimura [:emk] from comment #5)
> > Sorry, the above test will not work reliably if the server did not send the
> > response body in 50ms. Try this:
> 
> I'm unable to make a crashtest that actually crashes with the fix using
> either of the suggestions.
I could reproduce a crash by typing my suggestion into Web Console without the fix.
(Didn't test with fix, but it's natural it is not reproducable on fixed build)
Comment 8 Masatoshi Kimura [:emk] 2011-11-22 06:51:57 PST
Created attachment 576146 [details] [diff] [review]
crashtest as a patch

Hm, my test case didn't work unless it was not loaded on HTTP.
Comment 9 Masatoshi Kimura [:emk] 2011-11-22 06:52:28 PST
> unless it was not loaded on HTTP.
unless it was loaded on HTTP.
Comment 10 Masatoshi Kimura [:emk] 2011-11-22 06:55:12 PST
Created attachment 576149 [details] [diff] [review]
crashtest as a patch

Removed a bogus onload handler.
Comment 11 Masatoshi Kimura [:emk] 2011-11-22 07:29:01 PST
Created attachment 576157 [details] [diff] [review]
crashtest as a patch, v3

I had to force MIME type to "text/html" by using overrideMimeType to reproduce the crash on local file. Is this intentional?
Comment 12 Ed Morley [:emorley] 2011-11-22 09:07:34 PST
https://hg.mozilla.org/mozilla-central/rev/3a00a7c1227f

Leaving open for crashtest.
Comment 13 Kyle Huey [:khuey] (khuey@mozilla.com) 2011-11-22 09:09:25 PST
Generally we set in-testsuite to ? and close the bug in this case.
Comment 14 Benoit Jacob [:bjacob] (mostly away) 2011-11-22 12:32:13 PST
*** Bug 704445 has been marked as a duplicate of this bug. ***
Comment 15 shailajajuluru 2011-11-22 15:10:11 PST
Firefox 11.0a1(update 21st Nov, 2011 and 22nd Nov, 2011)crashes several times.

Crash Occurred during the following events.

1.Closing the Firefox by clicking close button on the right side.
2.Logging out Gmail account. 

Crash IDS :
bp-b35185b8-302a-44c4-804b-c855a2111122
bp-2ca9131e-4601-4ffb-9590-138872111122

Crash Signature :
nsXMLHttpRequest::IsWaitingForHTMLCharset()
Comment 16 Tony Mechelynck [:tonymec] 2011-11-22 19:49:57 PST
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a1) Gecko/20111122 Firefox/11.0a1 SeaMonkey/2.8a1 ID:20111122003001

I suspect that crash bp-0f400737-c0fb-462b-ab00-bceb92111122 (in a Linux64 SeaMonkey nightly built some 9 hours before comment #12) might be due to the same problem. At least it has the same crash signature. Let's install the latest tinderbox-build, just in case. Of course, for a sporadic crash, only negative verification is possible.
Comment 17 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-22 23:16:04 PST
Comment on attachment 576157 [details] [diff] [review]
crashtest as a patch, v3

Where's the JS identifier location defined in the crashtest?
Comment 18 Masatoshi Kimura [:emk] 2011-11-22 23:24:17 PST
(In reply to Henri Sivonen (:hsivonen) from comment #17)
> Comment on attachment 576157 [details] [diff] [review] [diff] [details] [review]
> crashtest as a patch, v3
> 
> Where's the JS identifier location defined in the crashtest?
It's a location property of the global object. That is, it's equivalent to window.location.
Comment 19 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-22 23:36:55 PST
Comment on attachment 576157 [details] [diff] [review]
crashtest as a patch, v3

(In reply to Masatoshi Kimura [:emk] from comment #18)
> (In reply to Henri Sivonen (:hsivonen) from comment #17)
> > Comment on attachment 576157 [details] [diff] [review] [diff] [details] [review] [diff] [details] [review]
> > crashtest as a patch, v3
> > 
> > Where's the JS identifier location defined in the crashtest?
> It's a location property of the global object. That is, it's equivalent to
> window.location.

Oh, right. That's not particularly obvious. Would be clearer to use window.location.
Comment 20 Scoobidiver (away) 2011-11-22 23:45:53 PST
(In reply to shailajajuluru from comment #15)
> Firefox 11.0a1(update 21st Nov, 2011 and 22nd Nov, 2011)crashes several
> times.
It's normal because it's fixed in 11.0a1/20111123 which is not yet released.
Comment 21 Masatoshi Kimura [:emk] 2011-11-22 23:48:59 PST
Created attachment 576418 [details] [diff] [review]
crashtest as a patch for check in, r=hsivonen
Comment 22 Masatoshi Kimura [:emk] 2011-11-22 23:51:06 PST
(In reply to Henri Sivonen (:hsivonen) from comment #19)
> > > Where's the JS identifier location defined in the crashtest?
> > It's a location property of the global object. That is, it's equivalent to
> > window.location.
> 
> Oh, right. That's not particularly obvious. Would be clearer to use
> window.location.
Fixed. Could you push the patch? I have no commit priv to the main tree.
Comment 23 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-23 00:23:54 PST
Thanks. Test landed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1bca914c339e
Comment 24 Ed Morley [:emorley] 2011-11-23 04:20:21 PST
https://hg.mozilla.org/mozilla-central/rev/1bca914c339e
Comment 25 Henri Sivonen (:hsivonen) (Not doing reviews or reading bugmail until 2016-08-01) 2011-11-24 02:46:21 PST
*** Bug 704760 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.