Closed Bug 798275 Opened 12 years ago Closed 12 years ago

crash in nsParser::WillBuildModel

Categories

(Core :: DOM: HTML Parser, defect)

18 Branch
x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla19
Tracking Status
firefox17 --- wontfix
firefox18 --- verified
firefox19 --- verified
firefox-esr17 - wontfix

People

(Reporter: scoobidiver, Assigned: hsivonen)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

It slightly spiked from 18.0a1/20121004. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=635fcc11d2b1&tochange=4cb8f88213f5 It's likely a regression from bug 750019. Signature nsParser::WillBuildModel(nsString&) More Reports Search UUID 7e01cc23-3c0e-42e2-a64d-c0b872121005 Date Processed 2012-10-05 06:16:21 Uptime 4372 Last Crash 5.8 weeks before submission Install Age 10.2 hours since version was first installed. Install Time 2012-10-04 20:02:09 Product Firefox Version 18.0a1 Build ID 20121004030525 Release Channel nightly OS Windows NT OS Version 5.1.2600 Service Pack 3 Build Architecture x86 Build Architecture Info AuthenticAMD family 15 model 127 stepping 2 Crash Reason EXCEPTION_ACCESS_VIOLATION_WRITE Crash Address 0x3682e90 App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x03d0, AdapterSubsysID: 73091462, AdapterDriverVersion: 6.14.11.9107 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- EMCheckCompatibility True Adapter Vendor ID 0x10de Adapter Device ID 0x03d0 Total Virtual Memory 2147352576 Available Virtual Memory 1766838272 System Memory Use Percentage 69 Available Page File 1360216064 Available Physical Memory 242753536 Frame Module Signature Source 0 @0x4f21e36 1 xul.dll nsParser::WillBuildModel parser/htmlparser/src/nsParser.cpp:928 2 xul.dll nsParser::ResumeParse parser/htmlparser/src/nsParser.cpp:1509 3 xul.dll nsHTMLDocument::WriteCommon content/html/document/src/nsHTMLDocument.cpp:1739 4 xul.dll nsHTMLDocument::Write content/html/document/src/nsHTMLDocument.cpp:1752 5 mozjs.dll js::Wrapper::New js/src/jswrapper.cpp:56 6 mozjs.dll JSCompartment::wrap js/src/jscompartment.cpp:309 7 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:312 8 mozjs.dll js::gc::ArenaLists::allocateFromArena js/src/jsgc.cpp:1653 9 mozjs.dll js::gc::ArenaLists::refillFreeList js/src/jsgc.cpp:1859 10 xul.dll XPC_WN_JSOp_ThisObject js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1275 11 mozjs.dll js::CrossCompartmentWrapper::call js/src/jswrapper.cpp:722 12 mozjs.dll proxy_Call js/src/jsproxy.cpp:3001 13 mozjs.dll js::types::TypeSet::addType js/src/jsinferinlines.h:1381 14 mozjs.dll js::Interpret js/src/jsinterp.cpp:2461 15 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:378 16 mozjs.dll js::Invoke js/src/jsinterp.h:109 17 mozjs.dll JSFunction::getBoundFunctionArgument js/src/jsfun.cpp:1034 18 mozjs.dll js::CallOrConstructBoundFunction js/src/jsfun.cpp:1086 19 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:367 20 mozjs.dll js::Invoke js/src/jsinterp.cpp:411 21 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5863 22 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:1921 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsParser%3A%3AWillBuildModel%28nsString%26%29
Very weird. Either something has managed to call document.write() on about:blank during the about:blank parsing or there is an XML parser parsing a document marked as HTML.
Keywords: needURLs
(In reply to Henri Sivonen (:hsivonen) from comment #1) > Very weird. Either something has managed to call document.write() on > about:blank during the about:blank parsing or there is an XML parser parsing > a document marked as HTML. Interesting. How did you know it was during about:blank?
(In reply to David Mandelin [:dmandelin] from comment #2) > (In reply to Henri Sivonen (:hsivonen) from comment #1) > > Very weird. Either something has managed to call document.write() on > > about:blank during the about:blank parsing or there is an XML parser parsing > > a document marked as HTML. > > Interesting. How did you know it was during about:blank? about:blank is the only text/html URL that still uses nsParser.
I’m pretty confident that this is the right fix, but it would be proper to write a test case, still.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser I tried to come up with a test case for this but failed. However, this is green on try and logic says this should help, so I suggest we land this and see if the crashes go away. nsParser::IsInsertionPointDefined() has been bogus ever since the option to run the old HTML parser went away.
Attachment #669053 - Flags: review?(bugs)
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser Could you perhaps explain this a bit to ease reviewing.
Ah, IsInsertionPointDefined is something which was added for HTML5 parser. But based on Bug 503473 the patch would be wrong, since the old parser shouldn't be terminated. Did the removal or mWriteState cause this? or Removal of !mPendingScripts.Contains(key)?
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser r-, but if you can explain why the patch would be right, feel free to re-ask review.
Attachment #669053 - Flags: review?(bugs) → review-
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser This patch is correct because: mParser can be null, an instance of nsHtml5Parser or an instance of nsParser. Proceeding to calling Parse() on mParser can only be correct if mParser is an instance of nsHtml5Parser. Obviously, the method must not be called on null. Also, nsParser no longer supports that method. Furthermore, the call is made with a static_cast to nsHtml5Parser, so it's very important not to make that call unless mParser really is an instance of nsHtml5Parser. If the insertion point is not defined, WriteCommon will not proceed to calling Parse on the current mParser. http://mxr.mozilla.org/mozilla-central/source/content/html/document/src/nsHTMLDocument.cpp#1651 Instead, it will either return or terminate and right after implicitly call Open() (which creates a new mParser that's guaranteed to be an nsHtml5Parser). Thus, indicating that the insertion point is not defined is a sure way to prevent a call to Parse() on the current mParser. In the XML case, WriteCommon should have returned earlier at http://mxr.mozilla.org/mozilla-central/source/content/html/document/src/nsHTMLDocument.cpp#1635 . However, semantically it is correct to claim that the insertion point is not defined in the XML case, because there is no way for the insertion point to be defined in the XML case, since the whole concept of the insertion point being defined as an HTML concept. In the about:blank case, scripts should not have the opportunity to call into WriteCommon before mParser gets nulled away. However, since this crash exists, there must be some way for scripts to make that call and I just felt to figure out what that case is. Still, since that call cannot happen from within a script in the document being parsed (since about:blank by definition has no script tags in its zero-length stream), the insertion point has to be not defined during such a call into WriteCommon, since the insertion point could only be defined while an HTML parser is executing a script. It is, therefore, always semantically correct to claim that the insertion point is not defined when mParser is an nsParser. Furthermore, after the capability of handling document.write() was removed from nsParser, claiming that the insertion point is defined cannot be right. The reason why nsParser claims that the insertion point is always defined is that our old HTML parser, while it was still possible to enable it, did not have the concept of an insertion point, so always returning true was equivalent with the legacy behavior.
Attachment #669053 - Flags: review- → review?(bugs)
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser thanks for the explanation!
Attachment #669053 - Flags: review?(bugs) → review+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 731162 User impact if declined: Without this patch, it is possible that nsHTMLDocument makes a bogus static cast and then calls a method that doesn’t match the actual class of the pointer the method is called on. Testing completed (on m-c, etc.): Has baked on m-c for quite a while. Risk to taking this patch (and alternatives if risky): Very low risk. String or UUID changes made by this patch: None.
Attachment #669053 - Flags: approval-mozilla-beta?
Attachment #669053 - Flags: approval-mozilla-aurora?
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser Given the low volume of this crash we won't take the fix for uplift to Beta, but please go ahead with uplift to Aurora (18).
Attachment #669053 - Flags: approval-mozilla-beta?
Attachment #669053 - Flags: approval-mozilla-beta-
Attachment #669053 - Flags: approval-mozilla-aurora?
Attachment #669053 - Flags: approval-mozilla-aurora+
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a crasher with a super-simple fix. User impact if declined: Without this patch, it is possible that nsHTMLDocument makes a bogus static cast and then calls a method that doesn’t match the actual class of the pointer the method is called on. Fix Landed on Version: 18 (originally landed for 19, got uplifted, uplift to non-ESR 17 got denied). Risk to taking this patch (and alternatives if risky): Very low risk. String or UUID changes made by this patch: None. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #669053 - Flags: approval-mozilla-esr17?
Comment on attachment 669053 [details] [diff] [review] Report the insertion point as undefined in nsParser This isn't severe enough to need uplift to the ESR branch.
Attachment #669053 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17-
Blocks: 731162
No longer blocks: 750019
(Disabling comments since this bug seems to be attracting spam.)
Restrict Comments: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: