Closed Bug 253979 Opened 21 years ago Closed 20 years ago

crash on geocities.com/killianrotc/ [@ nsEntryStack::Pop() ]

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: zorm, Assigned: mrbkap)

References

(
URL
)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(5 files)

Minidump created by VS after firefox crashed.
90.07 KB, application/octet-stream
Details
Debug build log
3.31 KB, text/plain
Details
testcase
88 bytes, text/html
Details
Backtrace from testcase from a debug build from 2004-11-01
6.04 KB, text/plain
Details
wallpaper maybe
1.04 KB, patch
bzbarsky
: review+
brendan
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 I was surfing around a couple of web pages when firefox crashed. firefox!jpeg_get_small+0x4a4bb The web page I believe caused the crash is http://www.geocities.com/killianrotc/ but it doesn't crash now and im not really sure. Reproducible: Didn't try Steps to Reproduce: 1. 2. 3.
2004080107/1.8a3/W2K is crashing too, moving to Browser.
Assignee: firefox → general
URL: http://www.geocities.com/killianrotc/
Component: General → Browser-General
Keywords: crash
Product: Firefox → Browser
QA Contact: firefox.general → general
Version: unspecified → Trunk
Confirming. Crashing on Linux FF .9 as well. I am building a fresh debug FF build to see what is going on. My talkback isn't working, so someone else will have to send the ID.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Attached file Debug build log
This was what I got when I ran the debug build. It ran OK the first time I accessed the page, I had to hit refresh 3 times to get a crash.
Talkback IDs: TB464712Z TB464710K
Keywords: talkbackid
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a3) Gecko/20040801 It is crashing after loading the menu, or crashing when I delete it´s Tab, JS disabled. It is crashing on Reload, JS enabled. TB465306Z, TB465190X, TB464703Y JS is in the main file to animate the Title. view-source:http://www.geocities.com/killianrotc/ The menu is very crappy html, with a lot of missing tags, and a funny <embed> past the end of the <html> http://www.geocities.com/killianrotc/menu.html <html><head><title>Killian Army JROTC Menu</title> <html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>menu</title> <base target="main"> </head> <BODY ..... .... <div align="center"> <center> <table border="0" cellspacing="0" cellpadding="0" bordercolor="#000080"> <tr> <td> </body></html> <script language="JavaScript1.2"> if (document.all) document.body.onmousedown=new Function("if (event.button==2||event.button==3)alert ('Code Yellow: Access Denied !')") </script> </body> <embed src="america2.mi" hidden=true autostart=true loop=true> <noembed><bgsound src="america2.mi" loop=1></noembed> </html> Script for timer controlled status bar news is in http://www.geocities.com/killianrotc/header.htm And this frame usues <style text/css> and lacks a </head> http://www.geocities.com/killianrotc/home.htm
Owen's incidents Talkback IDs TB464712Z and TB464710K: nsEntryStack::Pop() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsDTDUtils.cpp, line 295] nsDTDContext::Pop() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsDTDUtils.cpp, line 1040] CNavDTD::CloseContainersTo() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp, line 3577] CNavDTD::CloseContainersTo() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp, line 3767] CNavDTD::HandleEndToken() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp, line 2097] CNavDTD::HandleToken() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp, line 1022] CNavDTD::BuildModel() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp, line 510] nsParser::BuildModel() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp, line 704] nsParser::ResumeParse() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp, line 1761] nsParser::OnDataAvailable() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp, line 2426] nsDocumentOpenInfo::OnDataAvailable() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/uriloader/base/nsURILoader.cpp, line 710] nsHTTPCompressConv::do_OnDataAvailable() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp, line 364] nsHTTPCompressConv::OnDataAvailable() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp, line 291] nsHttpChannel::OnDataAvailable() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 3631] nsInputStreamPump::OnStateTransfer() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 436] nsInputStreamPump::OnInputStreamReady() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 337] nsInputStreamReadyEvent::EventHandler() PL_HandleEvent() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/plevent.c, line 674] PL_ProcessPendingEvents() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/plevent.c, line 608] nsEventQueueImpl::ProcessPendingEvents() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/nsEventQueue.cpp, line 395] event_processor_callback() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsAppShell.cpp, line 67] libglib-2.0.so.0 + 0x4ba4b (0x40604a4b) libglib-2.0.so.0 + 0x26a99 (0x405dfa99) libglib-2.0.so.0 + 0x24b08 (0x405ddb08) libglib-2.0.so.0 + 0x26fb6 (0x405dffb6) libglib-2.0.so.0 + 0x25023 (0x405de023) libgtk-x11-2.0.so.0 + 0x117c43 (0x402cfc43) nsAppShell::Run() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsAppShell.cpp, line 144] nsAppShellService::Run() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 495] xre_main() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp, line 692] main() [/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 59] libc.so.6 + 0x15c4c (0x409bfc4c) Owen: Your build looks like 0.9 release. Could you retry with actual branch nightbuild? Hermann's stack are without symbols, but two of them are in GKPARSER.DLL too. -> Parser
Component: Browser-General → HTML: Parser
Keywords: talkbackid
Summary: crash in jpeg_get_small → crash in jpeg_get_small [@ nsEntryStack::Pop() ]
Assignee: general → parser
QA Contact: general
Adam, Huh, now I am not sure what I am building ;) I will pull a branch nightbuild and we shall see.
QA Contact: owen-bugzilla
jpeg_get_small is nowhere near the parser...
Boris, I changed component based on stack from TalkBack server. "jpeg_get_small" in summary is from original report. I would like to ask you if you could redefine it better based on comments or with your experience (URL should crash also your build). Thank you!
> URL should crash also your build Not so far (loaded that page a dozen times or so, no crashes).
Firefox branch nightbuild is crashing on subframe <http://www.geocities.com/killianrotc/home.htm> with this stack (TB478628): nsEntryStack::Pop [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/nsDTDUtils.cpp, line 295] CNavDTD::CloseContainersTo [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp, line 3764] CNavDTD::HandleEndToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp, line 2097] CNavDTD::HandleToken [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp, line 1022] CNavDTD::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp, line 511] nsParser::BuildModel [d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/nsParser.cpp, line 1899]
Summary: crash in jpeg_get_small [@ nsEntryStack::Pop() ] → crash on geocities.com/killianrotc/ [@ nsEntryStack::Pop() ]
Website crashes on Mozilla 1.4.2 and 1.7.2 too. instant crash Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040803, rightclicked on the link in URL and tried to load http://www.geocities.com/killianrotc/home.htm into a new tab. view-source:http://www.geocities.com/killianrotc/home.htm shows, that the file doesn´t have a </head> tag: <html><head><title>...</title> <style text/css> a:link{color:blue} a:visited{color:green} a:hover{color:red} </style> <body .............. and there is some geocities JS-Code after the </html> tag: </body> </html><!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet> <script language="JavaScript">var PUpage="76001077"; var PUprop="geocities"; </script><script language="JavaScript" src="http://www.geocities.com/js_source/pu5geo.js"> .... more sccript, webbugs. Talkback: TB489751Y http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB489751Y
Attached file testcase
Crashes for me too (not all the time though), using: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a6) Gecko/20041128 Firefox/0.9.1+ The most minimal testcase I could come up with is this (made from http://www.geocities.com/killianrotc/home.htm): <html><head></head><body> <a><a><p><font><p><font><b><a></font></a> </body></html> This testcase doesn't crash, but it sort of makes my browser unusable when I load it. After I closed the browser, the browser is still in the memory and I have to close it with the task manager.
Keywords: testcase
Another "real life" crashing page - http://www.rawacoustics.ca/ and clicking on Subwoofers (TB2246031/FF1.0/W2K). BTW FF1.0/W2K is having same symptoms as Martinj described in previous comment - Firefox hang and resist in memory after closing.
The testcase seems especially to crash easily when pressing th 'Go' button.
Taking since I'm investigating this. I have a potential fix/wallpaper for this crash, but I need to investigate it more. I'm still not entirely certain what all of the code here is trying to do, so I'm not quite going to attach a patch yet.
Assignee: parser → mrbkap
Attached patch wallpaper maybeSplinter Review
I'm not sure if this is a real fix or a wallpaper. It stops us from crashing and doesn't change our behavior in any way. I have a feeling that we're duplicating stack entries or giving a RS stack to a non RS tag. rbs, any thoughts?
Attachment #168829 - Flags: review?(rbs)
Comment on attachment 168829 [details] [diff] [review] wallpaper maybe Passing the ball to bz, I thought I could get back to this, but I have been swamped by end-of-year things.
Attachment #168829 - Flags: review?(rbs) → review?(bzbarsky)
I'll try to get to this before alpha freeze, but don't hold your breath on that.... :(
Comment on attachment 168829 [details] [diff] [review] wallpaper maybe r=bzbarsky, but could we at least warn here?
Attachment #168829 - Flags: review?(bzbarsky) → review+
Comment on attachment 168829 [details] [diff] [review] wallpaper maybe I've changed the if statement to: NS_ENSURE_TRUE(scount > 0, result);
Attachment #168829 - Flags: superreview?(rbs)
I'm not getting a crash on this site. But if there is need for a fix. *shrugs*
Comment on attachment 168829 [details] [diff] [review] wallpaper maybe Asking brendan for sr= in hopes of getting this in 1.8b. Brendan, please see comment 21 and comment 22.
Attachment #168829 - Flags: superreview?(rbs) → superreview?(brendan)
Comment on attachment 168829 [details] [diff] [review] wallpaper maybe > NS_ENSURE_TRUE(scount > 0, result); Sure, although I prefer != 0 to > 0 for unsigned comparisons. Also, you might move this line up to just after scount is initialized, and comment what it means ("that the style stack was empty before we were removed!"). /be
Attachment #168829 - Flags: superreview?(brendan) → superreview+
Fix checked in.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta2
parser/htmlparser/tests/crashtests/253979-1.html http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ nsEntryStack::Pop() ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: