87030 - crash [@ nsXMLContentSink::RefreshIfEnabled ] when calling Document.load()

Status: RESOLVED WORKSFORME

(Core :: XML, defect, P2)

Description

[Jesse Ruderman]

Steps to reproduce:
1. Debug->Viewer Demos->XML Sorting
2. Type javascript:document.load(".","text/xml"); into the location bar and 
press enter.  (Using "text/html" instead of "text/xml" gives the same result.)

Result: assertion, followed by a crash
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRa
wPtr != 0', file ..\..\..\dist\include\nsCOMPtr.h, line 649

If I replace "." with "books.xml", the page appears to reload, and I get an 
extra assertion before the dereferencing-null assertion:
###!!! ASSERTION: initial containing block already created: 'nsnull == mInitialC
ontainingBlock', file d:\buildmoz\mozilla\layout\html\style\src\nsCSSFrameConstr
uctor.cpp, line 8444

Comment 1

[harishd]

Heikki's domain.

Comment 2

[Heikki Toivonen (remove -bugzilla when emailing directly)]

So this only occurs if you type that funny URL in the URLbar? Or do we crash if
that URL is embedded in the page as well?

Comment 3

[Jesse Ruderman]

Attachment: testcase with javascript in the page

Comment 4

[Chris Hiner]

Attachment: stack trace from the testcase

Comment 5

[Chris Hiner]

I just attached a stack trace that I got from a crash using the testcase, using
a linux cvs build from this afternoon.

Comment 6

[Heikki Toivonen (remove -bugzilla when emailing directly)]

document.load() tries to load document as data, so it is no wonder there are
problems with this usage scenario. I have a fix to the crash, but I don't like
it... The idea in the fix is: in XML content sink DidBuildModel() where we
normally call StartLayout() check the parser command and if it is "loadAsData"
don't call StartLayout(). The reason why I don't like it is that for typical
document.load() calls embedded in scripts things just work even without this
hack. I have not yet tracked down why this usase pattern here causes these
problems...

Comment 7

[Heikki Toivonen (remove -bugzilla when emailing directly)]

Attachment: Band aid fix

Comment 8

[scottputterman]

Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+,
topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword.  Please send any
questions or feedback about this to adt@netscape.com.  You can search for
"Moving bugs not scheduled for a project" to quickly delete this bugmail.

Comment 9

[Arno Roefs]

*** Bug 141245 has been marked as a duplicate of this bug. ***

Comment 10

[Kevin Berkheiser]

Not seeing any crashes on Windows XP using the attached test case or following
the manual procedure to reproduce.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040316

Comment 11

[Jesse Ruderman]

Clicking #2 in the testcase crashes in a month-old build:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7a) Gecko/20040210
Firebird/0.8.0+

But WFM in a build from this week:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040327
Firefox/0.8.0+