Closed Bug 253979 Opened 20 years ago Closed 19 years ago

crash on geocities.com/killianrotc/ [@ nsEntryStack::Pop() ]

Categories: Core :: DOM: HTML Parser, defect, critical
Status: RESOLVED FIXED (mozilla1.8beta2)
People: Reporter: zorm, Assigned: mrbkap
Keywords: crash, testcase
Attachments: 5 files

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

I was surfing around a couple of web pages when firefox crashed.
firefox!jpeg_get_small+0x4a4bb
The web page I believe caused the crash is 
http://www.geocities.com/killianrotc/ but it doesn't crash now and I'm not 
really sure.

Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.
2004080107/1.8a3/W2K is crashing too, moving to Browser.
Assignee: firefox → general
Component: General → Browser-General
Keywords: crash
Product: Firefox → Browser
QA Contact: firefox.general → general
Version: unspecified → Trunk
Confirming. Crashing on Linux FF .9 as well. I am building a fresh debug FF
build to see what is going on. My talkback isn't working, so someone else will
have to send the ID.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 2000 → All
Hardware: PC → All
Attached file Debug build log
This was what I got when I ran the debug build. It ran OK the first time I
accessed the page, I had to hit refresh 3 times to get a crash.
Talkback IDs:
TB464712Z
TB464710K
Keywords: talkbackid
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a3) Gecko/20040801

It is crashing after loading the menu, or crashing when I delete its tab, JS
disabled. It is crashing on Reload, JS enabled.

TB465306Z, TB465190X, TB464703Y
JS is in the main file to animate the Title.
view-source:http://www.geocities.com/killianrotc/

The menu is very crappy html, with a lot of missing tags, and a funny <embed>
past the end of the <html>
http://www.geocities.com/killianrotc/menu.html

<html><head><title>Killian Army JROTC Menu</title>
<html><head><meta http-equiv="Content-Type" content="text/html;
charset=windows-1252"><title>menu</title>
<base target="main">
</head>
<BODY .....

....

<div align="center">
  <center>
  <table border="0" cellspacing="0" cellpadding="0" bordercolor="#000080">
    <tr>
      <td>
        
</body></html>

<script language="JavaScript1.2">
if (document.all)
document.body.onmousedown=new Function("if
(event.button==2||event.button==3)alert ('Code Yellow: Access Denied !')")
</script>
</body>
<embed src="america2.mi" hidden=true autostart=true loop=true> 
<noembed><bgsound src="america2.mi" loop=1></noembed> 
</html>



Script for timer controlled status bar news is in
http://www.geocities.com/killianrotc/header.htm

And this frame uses <style text/css> and lacks a </head>
http://www.geocities.com/killianrotc/home.htm
Owen's incidents Talkback IDs TB464712Z and TB464710K:
nsEntryStack::Pop()
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsDTDUtils.cpp,
line 295]
nsDTDContext::Pop() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsDTDUtils.cpp,
line 1040]
CNavDTD::CloseContainersTo() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 3577]
CNavDTD::CloseContainersTo() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 3767]
CNavDTD::HandleEndToken() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 2097]
CNavDTD::HandleToken() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 1022]
CNavDTD::BuildModel() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 510]
nsParser::BuildModel() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp,
line 704]
nsParser::ResumeParse() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp,
line 1761]
nsParser::OnDataAvailable() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp,
line 2426]
nsDocumentOpenInfo::OnDataAvailable() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/uriloader/base/nsURILoader.cpp,
line 710]
nsHTTPCompressConv::do_OnDataAvailable() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp,
line 364]
nsHTTPCompressConv::OnDataAvailable() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp,
line 291]
nsHttpChannel::OnDataAvailable() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 3631]
nsInputStreamPump::OnStateTransfer() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 436]
nsInputStreamPump::OnInputStreamReady() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 337]
nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/plevent.c,
line 674]
PL_ProcessPendingEvents() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/plevent.c,
line 608]
nsEventQueueImpl::ProcessPendingEvents() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/nsEventQueue.cpp,
line 395]
event_processor_callback() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsAppShell.cpp,
line 67]
libglib-2.0.so.0 + 0x4ba4b (0x40604a4b)
libglib-2.0.so.0 + 0x26a99 (0x405dfa99)
libglib-2.0.so.0 + 0x24b08 (0x405ddb08)
libglib-2.0.so.0 + 0x26fb6 (0x405dffb6)
libglib-2.0.so.0 + 0x25023 (0x405de023)
libgtk-x11-2.0.so.0 + 0x117c43 (0x402cfc43)
nsAppShell::Run() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsAppShell.cpp,
line 144]
nsAppShellService::Run() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
xre_main() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp,
line 692]
main() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/browser/app/nsBrowserApp.cpp,
line 59]
libc.so.6 + 0x15c4c (0x409bfc4c)

Owen: Your build looks like 0.9 release. Could you retry with actual branch
nightbuild?

Hermann's stacks are without symbols, but two of them are in GKPARSER.DLL too.

-> Parser
Component: Browser-General → HTML: Parser
Keywords: talkbackid
Summary: crash in jpeg_get_small → crash in jpeg_get_small [@ nsEntryStack::Pop() ]
Assignee: general → parser
QA Contact: general
Adam,

Huh, now I am not sure what I am building ;) I will pull a branch nightbuild and
we shall see.
QA Contact: owen-bugzilla
jpeg_get_small is nowhere near the parser...
Boris, I changed component based on stack from TalkBack server. "jpeg_get_small"
in summary is from original report. I would like to ask you if you could
redefine it better based on comments or with your experience (URL should crash
also your build). Thank you!
> URL should crash also your build

Not so far (loaded that page a dozen times or so, no crashes).
Firefox branch nightbuild is crashing on subframe
<http://www.geocities.com/killianrotc/home.htm> with this stack (TB478628):
nsEntryStack::Pop 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/nsDTDUtils.cpp,
line 295]
CNavDTD::CloseContainersTo 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp,
line 3764]
CNavDTD::HandleEndToken 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp,
line 2097]
CNavDTD::HandleToken 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp,
line 1022]
CNavDTD::BuildModel 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/CNavDTD.cpp,
line 511]
nsParser::BuildModel 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Depend/mozilla/htmlparser/src/nsParser.cpp,
line 1899]
Summary: crash in jpeg_get_small [@ nsEntryStack::Pop() ] → crash on geocities.com/killianrotc/ [@ nsEntryStack::Pop() ]
Website crashes on Mozilla 1.4.2 and 1.7.2 too.
instant crash Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040803,
rightclicked on the link in URL and tried to load
http://www.geocities.com/killianrotc/home.htm into a new tab. 

view-source:http://www.geocities.com/killianrotc/home.htm shows that the file
doesn't have a </head> tag:

<html><head><title>...</title>
<style text/css>
a:link{color:blue}
a:visited{color:green}
a:hover{color:red}
</style>
<body ..............

and there is some geocities JS-Code after the </html> tag:

</body>
</html><!-- text below generated by server. PLEASE REMOVE
--></object></layer></div></span></style></noscript></table></script></applet>
<script language="JavaScript">var PUpage="76001077"; var PUprop="geocities";
</script><script language="JavaScript"
src="http://www.geocities.com/js_source/pu5geo.js"> .... more script, webbugs.

Talkback: TB489751Y
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB489751Y
Attached file testcase
Crashes for me too (not all the time though), using:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a6) Gecko/20041128
Firefox/0.9.1+

The most minimal testcase I could come up with is this (made from
http://www.geocities.com/killianrotc/home.htm):
<html><head></head><body>
<a><a><p><font><p><font><b><a></font></a>
</body></html>

This testcase doesn't crash, but it sort of makes my browser unusable when I
load it. After I closed the browser, the browser is still in the memory and I
have to close it with the task manager.
Keywords: testcase
Another "real life" crashing page - http://www.rawacoustics.ca/ and clicking on
Subwoofers (TB2246031/FF1.0/W2K).

BTW FF1.0/W2K is having same symptoms as Martinj described in previous comment -
Firefox hang and resist in memory after closing.
The testcase seems especially to crash easily when pressing the 'Go' button.
Taking since I'm investigating this. I have a potential fix/wallpaper for this
crash, but I need to investigate it more. I'm still not entirely certain what
all of the code here is trying to do, so I'm not quite going to attach a patch yet.
Assignee: parser → mrbkap
Attached patch wallpaper maybe
I'm not sure if this is a real fix or a wallpaper. It stops us from crashing
and doesn't change our behavior in any way. I have a feeling that we're
duplicating stack entries or giving a RS stack to a non RS tag.

rbs, any thoughts?
Attachment #168829 - Flags: review?(rbs)
Comment on attachment 168829
wallpaper maybe

Passing the ball to bz, I thought I could get back to this, but I have been
swamped by end-of-year things.
Attachment #168829 - Flags: review?(rbs) → review?(bzbarsky)
I'll try to get to this before alpha freeze, but don't hold your breath on that.... :(
Comment on attachment 168829
wallpaper maybe

r=bzbarsky, but could we at least warn here?
Attachment #168829 - Flags: review?(bzbarsky) → review+
Comment on attachment 168829
wallpaper maybe

I've changed the if statement to:

NS_ENSURE_TRUE(scount > 0, result);
Attachment #168829 - Flags: superreview?(rbs)
I'm not getting a crash on this site.
But if there is need for a fix. *shrugs*
Comment on attachment 168829
wallpaper maybe

Asking brendan for sr= in hopes of getting this in 1.8b. Brendan, please see
comment 21 and comment 22.
Attachment #168829 - Flags: superreview?(rbs) → superreview?(brendan)
Comment on attachment 168829
wallpaper maybe

> NS_ENSURE_TRUE(scount > 0, result);

Sure, although I prefer != 0 to > 0 for unsigned comparisons.  Also, you might
move this line up to just after scount is initialized, and comment what it
means ("that the style stack was empty before we were removed!").

/be
Attachment #168829 - Flags: superreview?(brendan) → superreview+
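
Added example (not part of the bug thread and not Mozilla's code): a minimal C++ model of the guard discussed in the review comments above, showing why popping from an empty stack with an unsigned count lands out of bounds and how the early return avoids it. EntryStack, guarded_pop and close_styles_to are hypothetical names, and the tag ids are constructed.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical, simplified stand-in for a parser entry stack
// (not Mozilla's nsEntryStack).
struct EntryStack {
    std::vector<int> tags;  // constructed tag ids
    uint32_t count() const { return static_cast<uint32_t>(tags.size()); }
};

// Index an unguarded pop would touch: with count == 0 the unsigned
// subtraction wraps to 0xFFFFFFFF instead of going negative.
uint32_t unguarded_top_index(const EntryStack &s) { return s.count() - 1u; }

// Guarded pop: reports failure instead of reading past the storage.
bool guarded_pop(EntryStack &s, int *out) {
    if (s.count() == 0) return false;  // "!= 0" style check for an unsigned count
    *out = s.tags.back();
    s.tags.pop_back();
    return true;
}

// Hypothetical caller modelled on closing a container: pops style entries
// until `target` has been removed. Returns how many entries were popped.
uint32_t close_styles_to(EntryStack &styles, int target) {
    uint32_t scount = styles.count();
    // Checked right after scount is initialized: the style stack was
    // already empty, so there is nothing to close.
    if (scount == 0) return 0;
    uint32_t popped = 0;
    int tag = 0;
    while (guarded_pop(styles, &tag)) {
        ++popped;
        if (tag == target) break;
    }
    return popped;
}

int main() {
    EntryStack empty;              // constructed input: empty style stack
    EntryStack styles{{1, 2, 3}};  // constructed input: three open style tags
    bool ok = unguarded_top_index(empty) == UINT32_MAX
           && close_styles_to(empty, 2) == 0
           && close_styles_to(styles, 2) == 2;
    return ok ? 0 : 1;
}
```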
Fix checked in.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8beta2
parser/htmlparser/tests/crashtests/253979-1.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ nsEntryStack::Pop() ]