8185 - <window> </html:window> in a frame causes crash

Status: VERIFIED WORKSFORME

(Core :: XUL, defect, P3)

Description

[jim_nance]

Using an apprunner build using a checkout done early in the morning
of June 15, I get a reproducable crash.  To trigger it pull down
the Editor menu and select Preferences.  When the Preferences window
pops up, select the Applications item which is a subitem under Navigator.
apprunner should crash when you do this.  From inside the debugger
I get:
(gdb) w
#0  0x40e4e69e in CSSStyleSheetImpl::RulesMatching (this=0x80e5c10,
    aPresContext=0x84b3180, aContent=0x0, aParentContext=0x0,
    aResults=0x820ddc0)
    at
/home/jlnance/src/19980429/mozilla/layout/html/style/src/nsCSSStyleSheet.cpp:1632
1627      RuleCascadeData* cascade = GetRuleCascade(presMedium);
1628
1629      if (cascade) {
1630        ContentEnumData data(aPresContext, aContent, aParentContext,
aResults);
1631        nsIAtom* tagAtom;
1632 >      aContent->GetTag(tagAtom);
1633        nsIAtom* idAtom = nsnull;
1634        nsVoidArray classArray; // XXX need to recycle this guy (or make
nsAutoVoidArray?)
1635
1636        nsIStyledContent* styledContent;
(gdb) p aContent
$1 = (nsIContent *) 0x0

(gdb) bt
#0  0x40e4e69e in CSSStyleSheetImpl::RulesMatching (this=0x80e5c10,
    aPresContext=0x84b3180, aContent=0x0, aParentContext=0x0,
    aResults=0x820ddc0)
    at
/home/jlnance/src/19980429/mozilla/layout/html/style/src/nsCSSStyleSheet.cpp:1632
#1  0x40ee5280 in EnumRulesMatching (aSheet=0x80e5c10, aData=0xbfffc6a0)
    at /home/jlnance/src/19980429/mozilla/layout/base/src/nsStyleSet.cpp:423
#2  0x4008e7ca in nsSupportsArray::EnumerateBackwards (this=0x849a270,
    aFunc=0x40ee5214 <EnumRulesMatching(nsISupports *, void *)>,
    aData=0xbfffc6a0)
    at /home/jlnance/src/19980429/mozilla/xpcom/ds/nsSupportsArray.cpp:357
#3  0x40ee560d in StyleSetImpl::ResolveStyleFor (this=0x849a1f8,
    aPresContext=0x84b3180, aContent=0x0, aParentContext=0x0, aForceUnique=0)
    at /home/jlnance/src/19980429/mozilla/layout/base/src/nsStyleSet.cpp:539
#4  0x40ecb525 in nsPresContext::ResolveStyleContextFor (this=0x84b3180,
    aContent=0x0, aParentContext=0x0, aForceUnique=0, aResult=0xbfffc7d0)
    at /home/jlnance/src/19980429/mozilla/layout/base/src/nsPresContext.cpp:369
#5  0x40adb262 in XULDocumentImpl::StartLayout (this=0x85bd568)
    at /home/jlnance/src/19980429/mozilla/rdf/content/src/nsXULDocument.cpp:3909
#6  0x40ad4a92 in XULDocumentImpl::EndLoad (this=0x85bd568)
    at /home/jlnance/src/19980429/mozilla/rdf/content/src/nsXULDocument.cpp:1828
#7  0x40af5052 in XULContentSinkImpl::DidBuildModel (this=0x85c0040,
    aQualityLevel=1)
    at
/home/jlnance/src/19980429/mozilla/rdf/datasource/src/nsXULContentSink.cpp:504
#8  0x403231a3 in CWellFormedDTD::DidBuildModel (this=0x84b0e10,
    anErrorCode=0, aNotifySink=1, aParser=0x85c0dd8, aSink=0x85c0040)
    at /home/jlnance/src/19980429/mozilla/htmlparser/src/nsWellFormedDTD.cpp:287
#9  0x4031b71e in nsParser::DidBuildModel (this=0x85c0dd8, anErrorCode=0)
    at /home/jlnance/src/19980429/mozilla/htmlparser/src/nsParser.cpp:507
#10 0x4031c21a in nsParser::ResumeParse (this=0x85c0dd8, aDefaultDTD=0x0)
    at /home/jlnance/src/19980429/mozilla/htmlparser/src/nsParser.cpp:853
#11 0x4031c782 in nsParser::OnDataAvailable (this=0x85c0dd8, aURL=0x85bad20,
    pIStream=0x85bac88, aLength=1902)
    at /home/jlnance/src/19980429/mozilla/htmlparser/src/nsParser.cpp:1071
#12 0x402de54f in ?? ()
   from
/usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libraptorwebwidget.so
#13 0x402c4ba7 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnetlib.so
#14 0x401d3f27 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libfileurl.so
#15 0x401d4909 in ?? ()
#16 0x4029359e in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnetwork.so
#17 0x4029b605 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnetwork.so
#18 0x402bdfa2 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnetlib.so
#19 0x4014b945 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libgfxgtk.so
#20 0x4014bdca in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libgfxgtk.so
#21 0x406b4fa3 in ?? () from /usr/lib/libglib-1.2.so.0
#22 0x406b42c6 in ?? () from /usr/lib/libglib-1.2.so.0
#23 0x406b4801 in ?? () from /usr/lib/libglib-1.2.so.0
#24 0x406b48a3 in ?? () from /usr/lib/libglib-1.2.so.0
#25 0x400efa07 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libwidgetgtk.so
#26 0x400308ca in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnsappshell.so
#27 0x400307c5 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnsappshell.so
#28 0x41128366 in ?? ()
   from #29 0x400afe3c in XPTC_InvokeByIndex (that=0x835df20, methodIndex=3,
    paramCount=3, params=0xbfffd274)
    at
/home/jlnance/src/19980429/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:154
#30 0x410ab86b in ?? ()
   from
/usr/local/home/jlnance/src/19980429/nbt/dist/bin/components/libxpconnect.so
#31 0x410abf23 in ?? ()
   from
/usr/local/home/jlnance/src/19980429/nbt/dist/bin/components/libxpconnect.so
#32 0x4045c4e7 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
#33 0x4046ab61 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
#34 0x4045c543 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
#35 0x4046ab61 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
#36 0x4045c543 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
#37 0x4045c808 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
/usr/local/home/jlnance/src/19980429/nbt/dist/bin/components/libprefwind
#38 0x40434769 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libmozjs.so
#39 0x403a9f84 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libjsdom.so
#40 0x40cf6b9a in nsEventListenerManager::HandleEvent (this=0x836c6f0,
    aPresContext=@0x80f4a18, aEvent=0xbfffea7c, aDOMEvent=0xbfffe9f0,
    aFlags=3, aEventStatus=@0xbfffeab0)
    at
/home/jlnance/src/19980429/mozilla/layout/events/src/nsEventListenerManager.cpp:569
#41 0x40aa6c4f in RDFElementImpl::HandleDOMEvent (this=0x836b338,
    aPresContext=@0x80f4a18, aEvent=0xbfffea7c, aDOMEvent=0xbfffe9f0,
    aFlags=1, aEventStatus=@0xbfffeab0)
    at /home/jlnance/src/19980429/mozilla/rdf/content/src/nsRDFElement.cpp:2337
#42 0x400f9d76 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libwidgetgtk.so
#43 0x400f9869 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libwidgetgtk.so
#44 0x400fade2 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libwidgetgtk.so
#45 0x40647abb in ?? () from /usr/lib/libgtk-1.2.so.0
#46 0x4060f037 in ?? () from /usr/lib/libgtk-1.2.so.0
#47 0x4060e52f in ?? () from /usr/lib/libgtk-1.2.so.0
#48 0x4060c800 in ?? () from /usr/lib/libgtk-1.2.so.0
#49 0x4063f6e8 in ?? () from /usr/lib/libgtk-1.2.so.0
#50 0x405eafbd in ?? () from /usr/lib/libgtk-1.2.so.0
#51 0x405ea3fb in ?? () from /usr/lib/libgtk-1.2.so.0
#52 0x4064779d in ?? () from /usr/lib/libgtk-1.2.so.0
#53 0x4060e568 in ?? () from /usr/lib/libgtk-1.2.so.0
#54 0x4060c800 in ?? () from /usr/lib/libgtk-1.2.so.0
#55 0x4063f5b8 in ?? () from /usr/lib/libgtk-1.2.so.0
#56 0x405e41a2 in ?? () from /usr/lib/libgtk-1.2.so.0
#57 0x405e34da in ?? () from /usr/lib/libgtk-1.2.so.0
#58 0x40686ab2 in ?? () from /usr/lib/libgdk-1.2.so.0
#59 0x406b42c6 in ?? () from /usr/lib/libglib-1.2.so.0
#60 0x406b4801 in ?? () from /usr/lib/libglib-1.2.so.0
#61 0x406b4979 in ?? () from /usr/lib/libglib-1.2.so.0
#62 0x405e2f3a in ?? () from /usr/lib/libgtk-1.2.so.0
#63 0x400ef8f9 in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libwidgetgtk.so
#64 0x4002a3bd in ?? ()
   from /usr/local/home/jlnance/src/19980429/nbt/dist/bin/./libnsappshell.so
#65 0x804ac9c in main (argc=2, argv=0xbffff5b4)
    at /home/jlnance/src/19980429/mozilla/xpfe/bootstrap/nsAppRunner.cpp:664

Comment 1

[shuang (gone)]

reassign it to don for proper owner to fix it

Comment 2

[mcmullen]

I have reproduced this on Macintosh, too! Looks M7-ish to me. Marking it so.

Comment 3

[mcmullen]

This is a content bug. I have the fix. The pref-appearance.xul file contained
mismatched tags <window> </html:window>

Comment 4

[mcmullen]

So I fixed the xul file, and checked it in (a=chofmann, r=chofmann).

However, we should not crash, should we?

Changing component to XUL, reassigning to trudelle for triage. Changing milestone
from M7 to M8. Maybe it's a parser bug, a layout bug, or whatever. But the
crashing is not a prefs bug.

Comment 5

[Peter Trudelle]

reassigning to hyatt to check out the XULContentSink involvement on the stack,
cc'ing evaughan because CSS styles are involved.

Comment 6

[Peter Linss]

This is the same thing reported in several other places. The problem is that
nsXULDocument is attempting to resolve style for a null content node (it has no
root content). The nsXULDocument needs to be safed for this condition.

Comment 7

[David Hyatt]

My hands have deteriorated to the point where I can no longer type.  I need
help.  If you think you can fix this bug on your own, please take it away from
me.  If you'd like to volunteer to be my hands for a specific bug, then I'll be
happy to come up to your cube and sit with you and fix the bug (assuming you
have the patience for that).

Comment 8

[Peter Trudelle]

crash -> critical severity

Comment 9

[Peter Trudelle]

I can't reproduce this using today's opt bits. resolving as worksforme.

Comment 10

[leger]

BULK MOVE: Changing component from XUL to XP Toolkit/Widgets: XUL.  XUL 
component will be deleted.