Closed Bug 581007 Opened 14 years ago Closed 14 years ago

Crash [@ AllocClassMatchingInfo] with showModalDialog and getElementsByClassName

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b3

People

(Reporter: martijn.martijn, Assigned: bzbarsky)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

testcase
(deleted), text/html
Details
Fix
(deleted), patch
jst
: review+
jst
: approval2.0+
Details | Diff | Splinter Review
Attached file testcase (uses enhanced privileges) (obsolete) (deleted) — 
See testcase, which crashes current trunk build. The testcase uses enhanced privileges to force gc, so you need to test it locally.
I guess this is a regression from bug 194404.

http://crash-stats.mozilla.com/report/index/f48d34ec-7a97-4a4e-b927-289dc2100722
0  	xul.dll  	AllocClassMatchingInfo  	 content/base/src/nsContentUtils.cpp:5970
1 	xul.dll 	nsCacheableFuncStringContentList::nsCacheableFuncStringContentList 	content/base/src/nsContentList.h:465
2 	xul.dll 	NS_GetFuncStringContentList 	content/base/src/nsContentList.cpp:361
3 	xul.dll 	nsContentUtils::GetElementsByClassName 	content/base/src/nsContentUtils.cpp:5987
4 	xul.dll 	nsIDOMNSElement_GetElementsByClassName 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:8080
5 	mozjs.dll 	js_Interpret 	js/src/jsops.cpp:2145
6 	mozjs.dll 	Invoke<int > 	js/src/jsinterp.cpp:602
7 	mozjs.dll 	js_Invoke 	js/src/jsinterp.cpp:693
8 	mozjs.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:739
9 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:4850
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2204
11 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:8502
12 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:8846
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
14 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:519
15 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:547
16 	xul.dll 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
17 	xul.dll 	nsXULWindow::CreateNewContentWindow 	xpfe/appshell/src/nsXULWindow.cpp:1819
18 	xul.dll 	nsXULWindow::CreateNewWindow 	xpfe/appshell/src/nsXULWindow.cpp:1742
19 	xul.dll 	nsAppStartup::CreateChromeWindow2 	
20 	xul.dll 	nsWindowWatcher::OpenWindowJSInternal 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:717
21 	xul.dll 	nsWindowWatcher::OpenWindow 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:421
22 	xul.dll 	nsGlobalWindow::OpenInternal 	
23 	xul.dll 	nsGlobalWindow::ShowModalDialog 	dom/base/nsGlobalWindow.cpp:6240
24 	xul.dll 	xul.dll@0xaacd37
Attached file testcase (deleted) — 

        Attachment #459419 -
        Attachment is obsolete: true

    
    

    
  
The nsCacheableFuncStringContentList stuff postdates the showModalDialog landing, so this could be a regression from that....  Looking into this.

    
    

    
  
Looks like I also have to enable popups for file:// to make this crash, right?

###!!! ASSERTION: Uh, LeaveModalState() called w/o a reachable top window?: 'Error', file /Users/bzbarsky/mozilla/css-frameconst/mozilla/dom/base/nsGlobalWindow.cpp, line 5866

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000060
0x126aa571 in nsIDocument::GetCompatibilityMode (this=0x0) at nsIDocument.h:1016
1016        return mCompatMode;

The issue is that we're doing el.getElementsByClassName() on an element which has no owner document (because it got GCed).  That code was there before the cacheable stuff landed.

    
    

    
  
(In reply to comment #3)
> Looks like I also have to enable popups for file:// to make this crash, right?

Yes, right.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix (deleted)
        — Splinter Review
      

    


  
I have no idea how to write a sane test for this; my attempts don't reproduce the bug (and even the attached testcase doesn't reproduce it reliably).
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED

        Attachment #459451 -
        Flags: review?(jst)

        Attachment #459451 -
        Flags: review?(jst) → review+

    
    

    
  
Comment on attachment 459451 [details] [diff] [review]
Fix

Requesting approval; this is just a null-check crash fix.

        Attachment #459451 -
        Flags: approval2.0?

        Attachment #459451 -
        Flags: approval2.0? → approval2.0+

    
    

    
  
(In reply to comment #5)
> I have no idea how to write a sane test for this; my attempts don't reproduce
> the bug (and even the attached testcase doesn't reproduce it reliably).

Yes, it was really difficult to get a semi-reliable minimized testcase.
One thing I noticed is, that after the modal dialog disappeared (in non-crashing testcases), that the page acts weird. It seems like timers are not working afterwards, anymore, or something like that. (I'm writing this as a reminder for myself, too)

    
    

    
  
You might be seeing bug 581072 or something.

    
    

    
  
Pushed http://hg.mozilla.org/mozilla-central/rev/228c38e68dda
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b3
Crash Signature: [@ AllocClassMatchingInfo]
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: