Closed Bug 731169 Opened 12 years ago Closed 5 years ago

OOM Crash [@ nsDocument::InsertChildAt] with failed parser component initialization

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Tested on m-c revision 66e4d53697c2: An allocation failure in nsHTMLEntities::AddRefTable seems to be propagated properly (returns an OOM error), but not handled correctly at some point, because I get the following warning, asserts and crash afterwards:

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "Component returned failure code: 0x80040154 (NS_ERROR_FACTORY_NOT_REGISTERED) [nsIRDFService.GetDataSource]"  nsresult: "0x80040154 (NS_ERROR_FACTORY_NOT_REGISTERED)"  location: "JS frame :: file:///srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/dist/bin/components/nsBrowserGlue.js :: BG__migrateUI :: line 984"  data: no]
************************************************************

###!!! ASSERTION: unable to create parser: 'NS_SUCCEEDED(rv)', file /srv/repos/browser/mozilla-central/content/xul/document/src/nsXULDocument.cpp, line 2123
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80040154: file /srv/repos/browser/mozilla-central/docshell/base/nsDocShell.cpp, line 7563
###!!! ASSERTION: DoContent returned no listener?: 'abort || m_targetStreamListener', file /srv/repos/browser/mozilla-central/uriloader/base/nsURILoader.cpp, line 728
###!!! ASSERTION: OnDataAvailable implementation consumed no data: 'Error', file /srv/repos/browser/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp, line 535
WARNING: NS_ENSURE_TRUE(parserService) failed: file /srv/repos/browser/mozilla-central/content/base/src/nsContentUtils.cpp, line 2140
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /srv/repos/browser/mozilla-central/content/html/content/src/nsGenericHTMLElement.cpp, line 350
WARNING: NS_ENSURE_TRUE(root) failed: file /srv/repos/browser/mozilla-central/layout/base/nsDocumentViewer.cpp, line 3266
###!!! ASSERTION: Element creation created null pointer.: 'newContent', file /srv/repos/browser/mozilla-central/parser/html/nsHtml5TreeOperation.cpp, line 378

nsDocument::InsertChildAt (this=0x2aaabd2f9860, aKid=0x0, aIndex=1, aNotify=false) at /srv/repos/browser/mozilla-central/content/base/src/nsDocument.cpp:3492
3492      if (aKid->IsElement() && GetRootElement()) {
#0  nsDocument::InsertChildAt (this=0x2aaabd2f9860, aKid=0x0, aIndex=1, aNotify=false) at /srv/repos/browser/mozilla-central/content/base/src/nsDocument.cpp:3492
#1  0x00002aaaacbfad6d in nsHtml5TreeOperation::AppendToDocument (this=<optimized out>, aNode=0x0, aBuilder=<optimized out>) at /srv/repos/browser/mozilla-central/parser/html/nsHtml5TreeOperation.cpp:244
#2  0x00002aaaacbfb27a in nsHtml5TreeOperation::Perform (this=0x8fdc80, aBuilder=0x2aaabd303620, aScriptElement=0x7fffffffaf18) at /srv/repos/browser/mozilla-central/parser/html/nsHtml5TreeOperation.cpp:329
#3  0x00002aaaacc00004 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x2aaabd303620) at /srv/repos/browser/mozilla-central/parser/html/nsHtml5TreeOpExecutor.cpp:527
#4  0x00002aaaacc00131 in nsHtml5ExecutorReflusher::Run (this=<optimized out>) at /srv/repos/browser/mozilla-central/parser/html/nsHtml5TreeOpExecutor.cpp:95
#5  0x00002aaaad2891a0 in nsThread::ProcessNextEvent (this=0x4d2270, mayWait=false, result=<optimized out>) at /srv/repos/browser/mozilla-central/xpcom/threads/nsThread.cpp:657
#6  0x00002aaaad248366 in NS_ProcessNextEvent_P (thread=<optimized out>, mayWait=false) at /srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/xpcom/build/nsThreadUtils.cpp:245
#7  0x00002aaaad1937b8 in mozilla::ipc::MessagePump::Run (this=0x4c5be0, aDelegate=0x4c7ad0) at /srv/repos/browser/mozilla-central/ipc/glue/MessagePump.cpp:110


The backtrace of the failing allocation is as follows:

#0 /srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/dist/bin/libmozalloc.so(moz_malloc+0x5f) [0x2aaaaab2415c] (aab2415c)
#1 PL_DHashTableInit at objdir-ff-gcc64dbg/xpcom/build/pldhash.cpp:270
#2 nsHTMLEntities::AddRefTable() at parser/htmlparser/src/nsHTMLEntities.cpp:125
#3 Initialize at parser/htmlparser/src/nsParserModule.cpp:108
#4 nsComponentManagerImpl::KnownModule::Load() at xpcom/components/nsComponentManager.cpp:733
#5 nsFactoryEntry::GetFactory() at xpcom/components/nsComponentManager.cpp:1738
#6 nsComponentManagerImpl::CreateInstance(nsID const&, nsISupports*, nsID const&, void**) at xpcom/components/nsComponentManager.cpp:974
#7 nsCreateInstanceByCID::operator()(nsID const&, void**) const at objdir-ff-gcc64dbg/xpcom/build/nsComponentManagerUtils.cpp:200
#8 nsCOMPtr<nsIParser>::assign_from_helper(nsCOMPtr_helper const&, nsID const&) at objdir-ff-gcc64dbg/parser/xml/src/../../../dist/include/nsCOMPtr.h:1232
#9 nsRDFXMLParser::ParseAsync(nsIRDFDataSource*, nsIURI*, nsIStreamListener**) at rdf/base/src/nsRDFXMLParser.cpp:99


Not sure which category this belongs to, and where the OOM should have been handled exactly, but I hope the traces give some insight to developers more knowledgeable in this area.
Component: General → HTML: Parser
QA Contact: general → parser

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.