Closed
Bug 197015
Opened 21 years ago
Closed 20 years ago
Crash when loading table with CSS and typo [@ SinkContext::Begin ]
Categories
(Core :: DOM: HTML Parser, defect, P2)
Core
DOM: HTML Parser
Tracking
()
VERIFIED
FIXED
mozilla1.5alpha
People
(Reporter: dirk.heyne, Assigned: mrbkap)
References
()
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(4 files)
34.32 KB,
image/png
|
Details | |
176 bytes,
text/html
|
Details | |
2.20 KB,
patch
|
hjtoi-bugzilla
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
1.32 KB,
patch
|
jst
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3) Gecko/20030311 Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3) Gecko/20030311 When i try to search for a driver at http://www.intel.de (gets redirected to http://www.intel.com/deutsch/) the 1.3 release candidate crashes, it is reproduceable. It doesn't happen on the english site. Reproducible: Always Steps to Reproduce: 1. visit www.intel.de, get redirected to www.intel.com/deutsch/ 2. type "1000 MT" into the search form and press enter 3. confirm submission -> crash Actual Results: Mozilla crashed, talkback and Win98 error message came up Expected Results: Mozilla should have displayed the search results Talkback Incident IDs: TB17987000G TB17986958G TB17986926Y When i tried to reproduce the error, one time i got this error message: Microsoft visual C++ Library Runtime error! Programm (...)MOZILLA.EXE R6025 -pure virtual function call that time mozilla didn't crash. I can't reproduce this, but perhaps it's a hint. I'll attach a screenshot of mozilla frozen by the runtime error. Could someone with deeper insight look if this is related to the gklayout Bugs Bug 194582 or Bug 183220 ? This is the message i get after a crash: MOZILLA verursachte einen Fehler durch eine ungültige Seite in Modul GKLAYOUT.DLL bei 0177:60320e5c. Register: EAX=020136bc CS=0177 EIP=60320e5c EFLGS=00010213 EBX=00000292 SS=017f ESP=0065ecf0 EBP=0065ed28 ECX=00000291 DS=017f ESI=02008d60 FS=4cd7 EDX=303d792e ES=017f EDI=00000000 GS=0000 Bytes bei CS:EIP: 8b 02 52 ff 50 40 eb 09 ff 75 fc 8b 02 52 ff 50 Stapelwerte: 020a9400 00000291 00000000 00000000 020aa210 0200fe38 0200fd80 610bdf48 020a9400 00000000 00000000 020a9418 020a9418 020a9400 00000000 60322d03
Reporter | ||
Comment 1•21 years ago
|
||
Chrashes for me too, 20020310-1.3 (win95)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
OS: Windows 98 → All
Whiteboard: TB17995653X TB17999913G
Reporter | ||
Comment 4•21 years ago
|
||
Should this block the release of 1.3? The visibility of this bug may be high: Intel's Centrino marketing campaign just takes off, and due to CeBit Fair Intel is frequently reported about, e.g. at heise: http://www.heise.de/newsticker/search.shtml?T=intel&thresh=1&hs=1
Version: Trunk → Other Branch
Updated•21 years ago
|
Keywords: stackwanted
Comment 5•21 years ago
|
||
Mozilla will not crash with the testcase if: - you remove the typo in the rel link to load the CSS htp -> http - you remove the <table> tag, - you remove the 'foo' content of the table. Could be a parser issue, moving to Layout: Tables. Sometimes, loading this testcase won't crash but will either hang or leave Mozilla in memory after exiting. Can someone test this with a 1.3 branch build ?
Comment 6•21 years ago
|
||
Moving to Layout: Tables.
Assignee: form-submission → table
Component: Form Submission → Layout: Tables
Keywords: testcase
QA Contact: ashishbhatt → madhur
Updated•21 years ago
|
Keywords: stackwanted
Summary: crash in gklayout / c++ runtime error after submitting search at www.intel.de → Crash when loading table with CSS and typo [ @SinkContext::Begin ]
Whiteboard: TB17995653X TB17999913G
Comment 7•21 years ago
|
||
(gdb) frame 1 #1 0x40f2ddb8 in HTMLContentSink::BeginContext (this=0x8974ed8, aPosition=1) at nsHTMLContentSink.cpp:2972 2972 ion].mNumFlushed, (gdb) p content $16 = (nsIHTMLContent *) 0x0 (gdb) p mCurrentContext->mStack[aPosition].mContent $17 = (nsIHTMLContent *) 0x0 (gdb) p mCurrentContext->mStack[aPosition].mType $18 = eHTMLTag_abbr (gdb) frame 2 #2 0x415aeb4a in CNavDTD::HandleSavedTokens (this=0x8a4c3a8, anIndex=1) at CNavDTD.cpp:2100 2100 // The body context should contain contents only upto the marked position. (gdb) p theTag $29 = eHTMLTag_table (gdb) p theToken $30 = (CToken *) 0x89600c8 (gdb) p attrCount $31 = -1 #0 SinkContext::Begin (this=0x8a62270, aNodeType=eHTMLTag_abbr, aRoot=0x0, aNumFlushed=145087512, aInsertionPoint=-1) at nsHTMLContentSink.cpp:1457 #1 0x40f2ddb8 in HTMLContentSink::BeginContext (this=0x8974ed8, aPosition=1) at nsHTMLContentSink.cpp:2972 #2 0x415aeb4a in CNavDTD::HandleSavedTokens (this=0x8a4c3a8, anIndex=1) at CNavDTD.cpp:2100 #3 0x415ac69c in CNavDTD::HandleToken (this=0x8a4c3a8, aToken=0x8a512b8, aParser=0x8a60038) at CNavDTD.cpp:853 #4 0x415abc21 in CNavDTD::BuildModel (this=0x8a4c3a8, aParser=0x8a60038, aTokenizer=0x89602b8, anObserver=0x0, aSink=0x8974ed8) at CNavDTD.cpp:519 #5 0x415bcdab in nsParser::BuildModel (this=0x8a60038) at nsParser.cpp:1904 #6 0x415bcae7 in nsParser::ResumeParse (this=0x8a60038, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at nsParser.cpp:1771 #7 0x415bc024 in nsParser::ContinueParsing (this=0x8a60038) at nsParser.cpp:1388 #8 0x40f7317e in CSSLoaderImpl::SheetComplete (this=0x8a4ced8, aLoadData=0x8a627a8, aSucceeded=0) at nsCSSLoader.cpp:1459 #9 0x40f72753 in CSSLoaderImpl::LoadSheet (this=0x8a4ced8, aLoadData=0x8a627a8, aSheetState=eSheetNeedsParser) at nsCSSLoader.cpp:1298 #10 0x40f7403a in CSSLoaderImpl::LoadStyleLink (this=0x8a4ced8, aElement=0x8a62540, aURL=0x8a62660, aTitle=@0xbfffe4b0, aMedia=@0xbfffe390, aDefaultNameSpaceID=-1, aParserToUnblock=0x8a60038, aCompleted=@0xbfffe190, aObserver=0x0) at nsCSSLoader.cpp:1657 #11 0x410f57b9 in nsStyleLinkElement::UpdateStyleSheet (this=0x8a62568, aOldDocument=0x0, aObserver=0x0) at nsStyleLinkElement.cpp:335 #12 0x40f32fee in HTMLContentSink::ProcessLINKTag (this=0x8974ed8, aNode=@0x889c5d8) at nsHTMLContentSink.cpp:4985 #13 0x40f2ee6a in HTMLContentSink::AddLeaf (this=0x8974ed8, aNode=@0x889c5d8) at nsHTMLContentSink.cpp:3577 #14 0x40f2ed98 in HTMLContentSink::AddHeadContent (this=0x8974ed8, aNode=@0x889c5d8) at nsHTMLContentSink.cpp:3545 #15 0x415b1409 in CNavDTD::AddHeadLeaf (this=0x8a4c3a8, aNode=0x889c5d8) at CNavDTD.cpp:3807 #16 0x415ae22d in CNavDTD::HandleStartToken (this=0x8a4c3a8, aToken=0x8a50fb0) at CNavDTD.cpp:1779 #17 0x415acab0 in CNavDTD::HandleToken (this=0x8a4c3a8, aToken=0x8a50fb0, aParser=0x8a60038) at CNavDTD.cpp:950 #18 0x415abc21 in CNavDTD::BuildModel (this=0x8a4c3a8, aParser=0x8a60038, aTokenizer=0x89602b8, anObserver=0x0, aSink=0x8974ed8) at CNavDTD.cpp:519 #19 0x415bcdab in nsParser::BuildModel (this=0x8a60038) at nsParser.cpp:1904 #20 0x415bcae7 in nsParser::ResumeParse (this=0x8a60038, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at nsParser.cpp:1771 #21 0x415be242 in nsParser::OnDataAvailable (this=0x8a60038, request=0x8a4a6c0, aContext=0x0, pIStream=0x8a1382c, sourceOffset=0, aLength=176) at nsParser.cpp:2405 [...]
Comment 8•21 years ago
|
||
Harish, can you have a look at this bug ?
Assignee: table → harishd
Component: Layout: Tables → Parser
Comment 10•21 years ago
|
||
crashed when i followed the steps to reproduce. win2k sp3, build 20030031216. talkback id: TB18023954K
Comment 11•21 years ago
|
||
regression between linux trunk builds 2003010305 and 2003010404 bug 42945 and bug 182021 were checked in during that window.
Keywords: regression
Comment 12•21 years ago
|
||
backing out bug 42945 (and bug 159615) didn't help.
Reporter | ||
Comment 13•21 years ago
|
||
I tested with Build 2003010205 on Win95C. Both the Intel page and the testcase appear to work, but if i press control-Q afterwards Mozilla crashes reproduceable on exit "in Modul MORK.DLL bei 0137:61751b26". Talkback IDs: TB18026302H and TB18025932X Mozilla quitts as usual if i load an other Webpage between visiting the Intel sides and quitting. - That was my first impression. Later i discoverd, that Mozilla did NOT quitt but turned invisible, only to get reactivated with the next start of a Mozilla version. Nasty. It looks as if something was broken before this Bug emerged. --- @ comment #5: The testcase crashes the 1.3 Branch Gecko/20030311 on Win95C, too (TB18023547Q) Talkback for an "original" crash at the intel side in Win95C: TB18026113K
Updated•21 years ago
|
Summary: Crash when loading table with CSS and typo [ @SinkContext::Begin ] → Crash when loading table with CSS and typo [@ SinkContext::Begin ]
Comment 14•21 years ago
|
||
So... the issue is that we are calling ContinueParsing() on a parser that was never blocked and in fact is sorta in the middle of a table. Harish, should that lead to a crash? I can fix the loader to not call ContinueParsing() here if necessary, but I'd rather focus my time on not blocking the parser at all....
Comment 15•21 years ago
|
||
Boris: The crash happens because of the lack of bounds checking in Sink::AddComment. I will add that.
Comment 17•21 years ago
|
||
>Harish, should that lead to a crash? I can fix the loader to not call
>ContinueParsing() here if necessary, but I'd rather focus my time on not
>blocking the parser at all....
Boris: Could you please fix the loader? I don't understand what's the intention
of calling ContinueParsing() given that the loader never blocks the parser (
AFAICT ). I'm assigning the bug to you for now. Feel free to bounce it back if
you think the bug does not belong to you.
Assignee: harishd → bzbarsky
Status: ASSIGNED → NEW
Comment 18•21 years ago
|
||
Harish, the loader blocks the parser on every single non-alternate sheet that it starts loading (and unblocks when the load completes). But there are cases when it could attempt to unblock without blocking first.... Perhaps my question should be rephrased as "do we need a fix for this in the 1.4 timeframe?" Because in the 1.5 timeframe I plan to make the loader in fact not block the parser....
Comment 19•21 years ago
|
||
>But there are cases whenit could attempt to unblock without blocking first....
That does not sound right IMO. In any case, fixing a crash is a good thing.
Let's put the band-aid and avoid the crash. You can fix it the way you wanted to
in 1.5.
Comment 20•21 years ago
|
||
Heh. The band-aid will likely be a large patch itself... I'll try to get to it for 1.4b, but not guarantees. If it misses 1.4b, I'm not going to risk it for 1.4final.
Comment 21•21 years ago
|
||
Close the head context before the style sheet load is initiated. Also, added bounds checking in AddComment. This fixes both the url and the reduced test case.
Attachment #119024 -
Flags: superreview?(jst)
Attachment #119024 -
Flags: review?(heikki)
Comment on attachment 119024 [details] [diff] [review] Band aid fix Please also add a comment that this is a band aid fix for this bug and that it could be removed once the real fix from Boris (bug no?) lands.
Attachment #119024 -
Flags: review?(heikki) → review+
Comment 24•21 years ago
|
||
Comment on attachment 119024 [details] [diff] [review] Band aid fix + // Close the head context, that got opened up by the link tag, because + // our CSSLoader, on loading the linked style sheet, calls the parser's + // ContinueParsing() even if the parser is not blocked and that causes + // the sink, whose current context is head, to go haywire. Nit: Break up that really long sentence with way too many commas :-) And add a reference to the bug we're bandaiding against here. sr=jst
Attachment #119024 -
Flags: superreview?(jst) → superreview+
Comment 25•21 years ago
|
||
Hack landed. This shouldn't crash anymore. Reassigning the bug to Boris to fix it the right way ;). Boris, make sure to test your patch with the hack removed. Thanks!
Assignee: harishd → bzbarsky
Updated•21 years ago
|
Target Milestone: mozilla1.4alpha → mozilla1.5alpha
Version: Other Branch → Trunk
Reporter | ||
Comment 26•21 years ago
|
||
I tested with Build 2003040404 on Win98 SE (dt), and both the original page and the testcase work now, no more crashes. Good work. Boris: Should this Bug be marked FIXED or left open for your greater scale Fix? Since we have a testcase, what about the intel page? Many of the older builds out there will still crash (1.0x doesn't). As their customer i could complain about their broken searchfunction, or should tech evangelism contact intel to get the page fixed? There are two other open tech evangelism bugs with intel, and i guess a typo would be a good start if one argues that some pages are broken on their site. (Bug 113099 and Bug 150555)
Comment 27•21 years ago
|
||
See comment 25. This should stay open, since I will be backing out the patch Harish landed at some point....
Blocks: 256450
Assignee | ||
Comment 28•20 years ago
|
||
Since bug 220542 was checked in, there's a good chance this hack is no longer needed. Stealing so I remember to check.
Assignee: bzbarsky → mrbkap
Assignee | ||
Comment 29•20 years ago
|
||
I've tested this testcase with the hack removed and we don't crash (it was fixed by the patch for bug 220542). Looking for r= and sr= to back it out.
Attachment #172842 -
Flags: superreview?(bzbarsky)
Attachment #172842 -
Flags: review?(jst)
Comment 30•20 years ago
|
||
Comment on attachment 172842 [details] [diff] [review] patch v1 sr=bzbarsky
Attachment #172842 -
Flags: superreview?(bzbarsky) → superreview+
Comment 31•20 years ago
|
||
Comment on attachment 172842 [details] [diff] [review] patch v1 r=jst
Attachment #172842 -
Flags: review?(jst) → review+
Assignee | ||
Comment 32•20 years ago
|
||
Marking this bug as fixed since the band aid was backed out (but the bug is still fixed).
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Verified FIXED using the testcase at https://bugzilla.mozilla.org/attachment.cgi?id=117023 with build 2005-02-09-05 on Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
Comment 34•15 years ago
|
||
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ SinkContext::Begin ]
You need to log in
before you can comment on or make changes to this bug.
Description
•