Closed Bug 265376 Opened 20 years ago Closed 20 years ago

Crash when handling malformed HTML code [@ nsGenericHTMLElement::GetOffsetWidth]

Categories: (SeaMonkey :: General, defect), critical

Tracking: (Not tracked)

VERIFIED DUPLICATE of bug 265181

People: (Reporter: thomas+mozilla, Unassigned)

Details: (Keywords: crash)

Attachments: (1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, like Gecko) Safari/125.9
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041020

I was doing some Firefox QA using iExploder - http://toadstool.se/software/iexploder - and stumbled upon this crash bug. I can't make heads or tails of what HTML generates the issue, as I've simplified it as much as I can.

Reproducible: Always
Steps to Reproduce:

Talkback ID: TB1431888Q

Stack Trace:

Thread 0 Crashed:
0   <<00000000>> 	0x6e659cc0 0 + 0x6e659cc0
1   org.mozilla.firefox 	0x00319c6c nsGenericHTMLElement::GetOffsetWidth(int*) + 0x4c
2   libxpcom.dylib      	0x07059c80 _XPTC_InvokeByIndex + 0xd8
3   org.mozilla.firefox 	0x00031fec XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 0x9cc
4   org.mozilla.firefox 	0x000284d4 XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned, long*, long*) + 0x150
5   libmozjs.dylib      	0x06028678 js_Invoke + 0x6b4
6   libmozjs.dylib      	0x060288c4 js_InternalInvoke + 0xb8
7   libmozjs.dylib      	0x06028a50 js_InternalGetOrSet + 0x144
8   libmozjs.dylib      	0x0603ab60 js_GetProperty + 0x354
9   libmozjs.dylib      	0x0602eb84 js_Interpret + 0x57c4
10  libmozjs.dylib      	0x060286b8 js_Invoke + 0x6f4
11  libmozjs.dylib      	0x060288c4 js_InternalInvoke + 0xb8
12  libmozjs.dylib      	0x06028a50 js_InternalGetOrSet + 0x144
13  libmozjs.dylib      	0x0603ab60 js_GetProperty + 0x354
14  libmozjs.dylib      	0x0602eb84 js_Interpret + 0x57c4
15  libmozjs.dylib      	0x060286b8 js_Invoke + 0x6f4
16  org.mozilla.firefox 	0x0003b0dc nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) + 0x8d4

This is as thin as I could make the test case. It crashes Firefox 0.10, and the Firefox and Mozilla 20041020 nightlies as well, so you have been warned.

Confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041019 Firefox/1.0

Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Summary: nsGenericHTMLElement::GetOffsetWidth crash → Crash when handling malformed HTML code [@ nsGenericHTMLElement::GetOffsetWidth]

I believe it's a dupe of bug 265181; it has the same pattern (two captions and then a tag after it).

Depends on: 265181

This is now fixed even on aviary by the fix in bug 265181.

*** This bug has been marked as a duplicate of 265181 ***

Status: NEW → RESOLVED
Closed: 20 years ago
No longer depends on: 265181
Resolution: --- → DUPLICATE

Product: Browser → Seamonkey

v.

Status: RESOLVED → VERIFIED

Blocks: iexploder

Crash Signature: [@ nsGenericHTMLElement::GetOffsetWidth]