Closed Bug 288460 Opened 19 years ago Closed 19 years ago

link urls get replaced by urls appearing earlier in the page

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
PowerPC
All
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: caines, Assigned: mrbkap)

References

(
URL
)

Details

Attachments

(2 files)

Minimal testcase based on mail from reporter
160 bytes, text/html
Details
patch v1
4.74 KB, patch
rbs
: review+
bzbarsky
: superreview+
shaver
: approval1.8b3+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050330 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050330 Firefox/1.0+

In the page www.abstractappeal.com, some of the tags in the column running down
the right hand side point to incorrect locations when the page is rendered. In
particular, the link "Fla ERISA Blog" and all the links below it point to the
same url (the url of the florida erisa blog). When the page is saved from
Firefox errors are also introduced: an extra <a> tag pointing at the florida
erisa blog is inserted, without a corresponding </a> tag.

In the page's source code the links have distinct url's, and Safari renders the
page correctly.

Reproducible: Always

Steps to Reproduce:
1. Go to www.abstractappeal.com
2. Look at the targets of the links below the "Fla ERISA Blog" link.

Actual Results:  
You see a large number of links all going to the same location.

Expected Results:  
You should see large number of links going to distinct locations of interest to
some guy in Florida.

The problem was seen with the latest builds of Mozilla, Firefox and Camino.

You can obviously work around it by copying the correct urls out of the page
source, but it's annoying.
Oops. Looking again I see that abstractappeal.com is missing an </a> tag, so the
page is bad html. But, still, is there a reason it's bad to implicitly close out
a previous <a> tag when a new one opens?
Severity: major → minor
OS: MacOS X → All
The site works fine in a mid-April trunk build... did the page change?
Blake, do we have a bug on this already?

The problem, of course, is that <a> may contain <font> and <font> may contain
<div> and <div> may contain <a> (but <a> may not contain <div> or <a>, but by
the time we get there we'd have to close out the font too and that gets messy).
 In any case, in the content model we have:

a
  font
    div
      a

and due to other bugs we have the click goes to the URL of the outer <a>...
I don't know offhand of an existing bug that describes this.

What's happening is that my fix for bug 90664 wasn't strong enough to catch this
case. Perhaps ScanDocStructure() needs to be more thorough in marking all
children of the outer "malformed" tag as malformed.
Assignee: parser → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Attached patch patch v1Splinter Review 
What's happening here is that the <font> is "well formed" as far as the parser
could tell, so we're allowing it to contain the <div>. This means that we
implicitly allow the <a> to contain the <div>, and are unable to close it when
we reach the inner <a>. With this patch, once we see a case such as
<a><font><div><a>, we mark the outer <a> and all of its children (including the
<font>) as being malformed, which allows us to perform RS handling on it.

I had to export nsDequeIterator to get this patch to link. I could write a
version that doesn't use it, but I think this is cleaner.
Attachment #183743 - Flags: review?(rbs)
Comment on attachment 183743 [details] [diff] [review]
patch v1

r=rbs, the idea seems reasonnable to me.
Attachment #183743 - Flags: review?(rbs) → review+
Attachment #183743 - Flags: superreview?(bzbarsky)
Comment on attachment 183743 [details] [diff] [review]
patch v1

>Index: src/nsHTMLTokenizer.cpp

>+                  // all. Mark the previous one and all of its children as 
>+                  // malformed to increase our chances of doing RS handling
>+                  // all of them. We want to do this for cases 

"on all of them", perhaps?

such as:
>+                  // <a><div><a></a></div></a>.
>+                  // Note that we have to iterate through all of the chilren
>+                  // of the original malformed tag to protect against:
>+                  // <a><font><div><a></a></div></font></a>, so that the <font>
>+                  // is allowed to contain the <div>.
>                   // XXX What about <a><span><a>, where the second <a> closes
>                   // the <span>?
>-                  CHTMLToken *theMalformedToken = 
>-                    NS_STATIC_CAST(CHTMLToken*, theStack.ObjectAt(earlyPos));
>+                  nsDequeIterator it(theStack, earlyPos);
>+                  while (it < theStack.End()) {
>+                    CHTMLToken *theMalformedToken = 
>+                        NS_STATIC_CAST(CHTMLToken*, it++);
>                   
>-                  theMalformedToken->SetContainerInfo(eMalformed);
>+                    theMalformedToken->SetContainerInfo(eMalformed);
>+                  }
>                 }
>               }
> 
>               theStack.Push(theToken);
>               ++theStackDepth;
>             }
>             break;
>           case eToken_end: 
>             {
>               CHTMLToken *theLastToken = NS_STATIC_CAST(CHTMLToken*, theStack.Peek());
>Index: ../../xpcom/ds/nsDeque.h
>===================================================================
>RCS file: /cvsroot/mozilla/xpcom/ds/nsDeque.h,v
>retrieving revision 3.30
>diff -u -1 -0 -p -r3.30 nsDeque.h
>--- ../../xpcom/ds/nsDeque.h	18 Apr 2004 14:18:13 -0000	3.30
>+++ ../../xpcom/ds/nsDeque.h	16 May 2005 18:11:10 -0000
>@@ -238,21 +238,21 @@ private:
>    */
>   nsDeque& operator=(const nsDeque& anOther);
> 
>   PRInt32 GrowCapacity();
> };
> 
> /******************************************************
>  * Here comes the nsDequeIterator class...
>  ******************************************************/
> 
>-class nsDequeIterator {
>+class NS_COM nsDequeIterator {
> public:
>   /**
>    * DequeIterator is an object that knows how to iterate
>    * (forward and backward) through a Deque. Normally,
>    * you don't need to do this, but there are some special
>    * cases where it is pretty handy.
>    *
>    * One warning: the iterator is not bound to an item,
>    * it is bound to an index, so if you insert or remove
>    * from the beginning while using an iterator
>Index: ../../xpcom/build/dlldeps.cpp
>===================================================================
>RCS file: /cvsroot/mozilla/xpcom/build/dlldeps.cpp,v
>retrieving revision 1.124
>diff -u -1 -0 -p -r1.124 dlldeps.cpp
>--- ../../xpcom/build/dlldeps.cpp	27 Apr 2005 01:38:35 -0000	1.124
>+++ ../../xpcom/build/dlldeps.cpp	16 May 2005 18:11:11 -0000
>@@ -116,20 +116,21 @@ void XXXNeverCalled()
>     NS_OutputStreamIsBuffered(nsnull);
>     PL_DHashStubEnumRemove(nsnull, nsnull, nsnull, nsnull);
>     nsIDHashKey::HashKey(nsnull);
>     nsFixedSizeAllocator a;
>     nsRecyclingAllocator recyclingAllocator(2);
>     a.Init(0, 0, 0, 0, 0);
>     a.Alloc(0);
>     a.Free(0, 0);
>     nsIThread::GetCurrent(nsnull);
>     nsDeque(nsnull);
>+    nsDequeIterator(nsDeque());
>     nsTraceRefcnt::LogAddCOMPtr(nsnull, nsnull);
>     nsTraceRefcntImpl::DumpStatistics();
>     NS_NewEmptyEnumerator(nsnull);
>     new nsArrayEnumerator(nsnull);
>     NS_QuickSort(nsnull, 0, 0, nsnull, nsnull);
>     nsString();
>     NS_ProxyRelease(nsnull, nsnull, PR_FALSE);
>     XPT_DoString(nsnull, nsnull, nsnull);
>     XPT_DoHeader(nsnull, nsnull, nsnull);
> #if defined (DEBUG) && !defined (WINCE)
Attachment #183743 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 183743 [details] [diff] [review]
patch v1

This is a fairly safe fix that wallpapers over some weird event handling bugs.
Attachment #183743 - Flags: approval1.8b2?
Attachment #183743 - Flags: approval1.8b2? → approval1.8b3?
Comment on attachment 183743 [details] [diff] [review]
patch v1

a=shaver
Attachment #183743 - Flags: approval1.8b3? → approval1.8b3+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
I'm not 100% sure, but I think this caused the following on Win32/MinGW/cygwin :-

e:/mozilla/source/mozilla/xpcom/build/../ds/nsDeque.h: In function `void XXXNeve
rCalled()':
e:/mozilla/source/mozilla/xpcom/build/../ds/nsDeque.h:231: error: `nsDeque::nsDe
que(const nsDeque&)' is private
e:/mozilla/source/mozilla/xpcom/build/dlldeps.cpp:131: error: within this contex
t
make[4]: *** [dlldeps.o] Error 1
make[4]: Leaving directory `/cygdrive/e/mozilla/source/mozilla/obj/mozilla/xpcom
/build'
make[3]: *** [libs] Error 2
make[3]: Leaving directory `/cygdrive/e/mozilla/source/mozilla/obj/mozilla/xpcom
'
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
It did. I checked in a bustage fix, and the t'boxes that were complaining are
now green again. Marking FIXED.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED
I've just pulled from the trunk and rebuilt, and still get the same error.

It's not Fixed.

(In reply to comment #13)
> It did. I checked in a bustage fix, and the t'boxes that were complaining are
> now green again. Marking FIXED.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
2005-06-03 08:00
mozilla/xpcom/build/dlldeps.cpp 	1.130

patch by mrbkap (on irc), r=me (on irc), sr=dmose (on irc), a=shaver (on irc)
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED
Confirming that the patch has fixed by MinGW build problems. Thanks guys.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: