Closed
Bug 27507
Opened 25 years ago
Closed 24 years ago
Crash instead of blank page for malformed xhtml page
Categories
(Core :: DOM: HTML Parser, defect, P3)
Tracking
()
VERIFIED
FIXED
M17
People
(Reporter: bratell, Assigned: rickg)
References
Details
(Keywords: crash, testcase, Whiteboard: [nsbeta2+]6/15)
Attachments
(1 file)
214 bytes,
text/html
|
Details |
From Bug Helper: User-Agent: Mozilla/4.7 [en] (WinNT; I) BuildID: When encountering a bad tag on a page with the start: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http: //www.d.lintek.liu.se/css/xhtml-dsektionen.dtd"> <html xmlns="http://www.w3.org/Profiles/xhtml1-strict"><head> an ASSERT(0) is triggered. Reproducible: Always Steps to Reproduce: 1. start Mozilla with mozilla http://www.d.lintek.liu.se Actual Results: Crash (or ASSERT(0) mor exact with the stack trace: NTDLL! 77f9f9df() HTMLContentSink::NotifyError(HTMLContentSink * const 0x02988d28, const _nsParserError * 0x028ac968) line 4429 36 bytes CWellFormedDTD::HandleErrorToken(CToken * 0x028acad0) line 683 36 bytes CWellFormedDTD::HandleToken(CWellFormedDTD * const 0x029f0cc8, CToken * 0x028acad0, nsIParser * 0x029aa788) line 505 12 bytes CWellFormedDTD::BuildModel(CWellFormedDTD * const 0x029f0cc8, nsIParser * 0x029aa788, nsITokenizer * 0x029f0d30, nsITokenObserver * 0x00000000, nsIContentSink * 0x02988d28) line 258 20 bytes nsParser::BuildModel() line 1083 34 bytes nsParser::ResumeParse(nsIDTD * 0x00000000, int 0) line 998 11 bytes nsParser::OnDataAvailable(nsParser * const 0x029aa78c, nsIChannel * 0x02a4edc0, nsISupports * 0x00000000, nsIInputStream * 0x0228af54, unsigned int 0, unsigned int 7160) line 1377 19 bytes nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x02141c18, nsIChannel * 0x02a4edc0, nsISupports * 0x00000000, nsIInputStream * 0x0228af54, unsigned int 0, unsigned int 7160) line 256 46 bytes InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x0228af50, nsIChannel * 0x02a4edc0, nsISupports * 0x00000000, nsIInputStream * 0x02a75bf0, unsigned int 0, unsigned int 7160) line 1122 nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const 0x02259038, nsIChannel * 0x02a4425c, nsISupports * 0x02a4edc0, nsIInputStream * 0x02a75bf0, unsigned int 0, unsigned int 7160) line 194 58 bytes nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x022fcd10) line 370 nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x0234a7f0) line 93 12 bytes PL_HandleEvent(PLEvent * 0x0234a7f0) line 526 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00d13758) line 487 9 bytes _md_EventReceiverProc(HWND__ * 0x001f0d84, unsigned int 49555, unsigned int 0, long 13711192) line 975 9 bytes USER32! 77e13eb0() USER32! 77e1401a() USER32! 77e192da() nsAppShellService::Run(nsAppShellService * const 0x00d13208) line 404 main1(int 2, char * * 0x00b76d10, nsISplashScreen * 0x00000000) line 562 32 bytes main(int 2, char * * 0x00b76d10) line 675 17 bytes mainCRTStartup() line 338 17 bytes KERNEL32! 77e87903() The output on the console was: Expected Results: Shown the page. The webmaster are going to fix the error in the output from the web server. I will try to grab the output before he does and attach it.
Reporter | ||
Comment 1•25 years ago
|
||
I managed to minimize the file that crashed Mozilla to: <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http: //www.d.lintek.liu.se/css/xhtml-dsektionen.dtd"> <html><head></head><body> </om> </body></html> Soon coming to an attachment near you.
Summary: Malformed data causes mozilla to crash → Malformed xhtml page causes mozilla to crash
Reporter | ||
Comment 2•25 years ago
|
||
Comment 4•25 years ago
|
||
There was a bogus assert in the HTML content sink. I have the fix ready to go. Will check it in once the tree opens.
Status: NEW → ASSIGNED
Target Milestone: M14
Comment 5•25 years ago
|
||
Just checked in the fix.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 6•25 years ago
|
||
The minimal testcase no longer asserts but instead hangs the browser (no reaction to mouse clicks), once (forgot to check the stack trace) followed by a crash after a couple of impatient clicks by the mouse. I reopen the bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: Malformed xhtml page causes mozilla to crash → Malformed xhtml page causes mozilla to hang and then crash
Comment 8•25 years ago
|
||
Which platform did you test on? This is working fine for me on today's NT build.
Reporter | ||
Comment 9•25 years ago
|
||
The "hang" is still there with a build only a couple of minutes old. It's in Windows 2000 (I've changed the platform). The application was completely hung though. The mouseover functions in the UI worked (back button and the like was changed when the pointer moved over). I tried to pause the run a couple of times, but didn't see any thread obviously stuck in a loop. The threads I see are in nsAppShellService::Run nsDNSService::Run _PR_WaitCondVar _PR_MD_PR_POLL (in some WinSock call) Several times I crashed with illegal memory access after pausing and restarting the program. It was a trashed (or at least not legal) mParent pointer in nsGenericElement::HandleDOMEvent. You can have the stack trace if you want. if (mParent) { // Pass off to our parent. ==> mParent->HandleDOMEvent(aPresContext, aEvent, aDOMEvent, NS_EVENT_FLAG_CAPTURE, aEventStatus); } else { //Initiate capturing phase. Special case first call to document if (nsnull != mDocument) { mDocument->HandleDOMEvent(aPresContext, aEvent, aDOMEvent, NS_EVENT_FLAG_CAPTURE, aEventStatus); I clear the URL which no longer contains malformed xhtml.
OS: Windows NT → Windows 2000
Comment 10•25 years ago
|
||
I just tested this on Win 2000 and the app does not hang or crash. But, a the page does not blank out as it should when you load the attached XHTML file. Lowering the severity, updating the summary and setting a new target milestone.
Severity: critical → minor
Summary: Malformed xhtml page causes mozilla to hang and then crash → Blank page not shown for malformed xhtml page
Target Milestone: M14 → M17
Comment 11•24 years ago
|
||
The page is getting blanked out on the latest builds. Marking worksforme.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago → 24 years ago
Resolution: --- → WORKSFORME
Reporter | ||
Comment 12•24 years ago
|
||
The testcase still crashes, reopening.
Reporter | ||
Comment 13•24 years ago
|
||
I tried in Purify and once got a ABW (Array Bounds Write) in LookupAccountnameW (with no mozilla code in the short stack Purify reported) and once a Null Pointer Read with the following stack trace. Disturbing with so different events. memcpy [memcpy.asm:109] nsByteArrayInputStream::Read(char *,UINT,UINT *) [nsByteArrayInputStream.cpp:72] InterceptStreamListener::Read(char *,UINT,UINT *) [nsCachedNetData.cpp:1177] nsParser::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream *,UINT,UINT) [nsParser.cpp:1816] nsDocumentOpenInfo::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream *,UINT,UINT) [nsURILoader.cpp:187] nsHTTPFinalListener::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream *,UINT,UINT) [nsHTTPResponseListener.cpp:1190] InterceptStreamListener::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream *,UINT,UINT) [nsCachedNetData.cpp:1164] nsHTTPChunkConv::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream *,UINT,UINT) [nsHTTPChunkConv.cpp:208] nsHTTPServerListener::OnDataAvailable(nsIChannel *,nsISupports *,nsIInputStream *,UINT,UINT) [nsHTTPResponseListener.cpp:526] nsOnDataAvailableEvent::HandleEvent(void) [nsAsyncStreamListener.cpp:406] nsStreamListenerEvent::HandlePLEvent(PLEvent *) [nsAsyncStreamListener.cpp:97] PL_HandleEvent [plevent.c:575]
Comment 14•24 years ago
|
||
The test case now crashes with the following call stack: memcpy(unsigned char * 0x02b12460, unsigned char * 0x00000000, unsigned long 214) line 171 nsByteArrayInputStream::Read(nsByteArrayInputStream * const 0x032390a0, char * 0x02b12460, unsigned int 214, unsigned int * 0x0012fa68) line 72 + 34 bytes InterceptStreamListener::Read(InterceptStreamListener * const 0x035b8364, char * 0x02b12460, unsigned int 214, unsigned int * 0x0012fa68) line 1177 + 38 bytes nsParser::OnDataAvailable(nsParser * const 0x035bff34, nsIChannel * 0x035b3380, nsISupports * 0x00000000, nsIInputStream * 0x035b8364, unsigned int 0, unsigned int 214) line 1818 + 30 bytes nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x035b35f0, nsIChannel * 0x035b3380, nsISupports * 0x00000000, nsIInputStream * 0x035b8364, unsigned int 0, unsigned int 214) line 187 + 46 bytes nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x035b3510, nsIChannel * 0x035b3380, nsISupports * 0x00000000, nsIInputStream * 0x035b8364, unsigned int 0, unsigned int 214) line 1225 + 46 bytes InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x035b8360, nsIChannel * 0x035b3380, nsISupports * 0x00000000, nsIInputStream * 0x032390a0, unsigned int 0, unsigned int 214) line 1165 nsHTTPChunkConv::OnDataAvailable(nsHTTPChunkConv * const 0x02aaa460, nsIChannel * 0x035b3380, nsISupports * 0x00000000, nsIInputStream * 0x035b87fc, unsigned int 0, unsigned int 5) line 208 + 46 bytes nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x035b8880, nsIChannel * 0x032cacc4, nsISupports * 0x035b3380, nsIInputStream * 0x035b87fc, unsigned int 417, unsigned int 5) line 544 + 67 bytes nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x035bac30) line 406 + 47 bytes nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x035babe0) line 97 + 12 bytes PL_HandleEvent(PLEvent * 0x035babe0) line 575 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x01469530) line 520 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00a703bc, unsigned int 49349, unsigned int 0, long 21402928) line 1030 + 9 bytes USER32! 77e71820() 01469530() Passing to Gagan, Mr. Necko, and ccing Harish, Mr. Parser.
Assignee: nisheeth → gagan
Status: REOPENED → NEW
Comment 15•24 years ago
|
||
*** Bug 39112 has been marked as a duplicate of this bug. ***
Comment 16•24 years ago
|
||
The testcase in bug 39112 is even more minimal than this one. But it may be malformed. Gerv
Comment 18•24 years ago
|
||
All small testcases work for me. The original test cases still crashes but the stack trace points to the parser. I examined the path from Necko and haven't found anything out of the ordinary. I don't see any chunk converters or cache being invovled on the stack at all, though it crashes on the first load. Reassgning back.
Assignee: ruslan → nisheeth
Status: ASSIGNED → NEW
Comment 19•24 years ago
|
||
I see the following call stack with today's build. Harish, this will probably be fixed once you checkin your changes to XML error handling. Re-assigning to you so that you can double check. Thanks. HTMLContentSink::CreateContentObject(const nsIParserNode & {...}, nsHTMLTag eHTMLTag_parsererror, nsIDOMHTMLFormElement * 0x00000000, nsIWebShell * 0x00000000, nsIHTMLContent * * 0x0012f6d4) line 949 + 48 bytes SinkContext::OpenContainer(const nsIParserNode & {...}) line 1244 + 69 bytes HTMLContentSink::OpenContainer(HTMLContentSink * const 0x0481feb0, const nsIParserNode & {...}) line 2903 + 18 bytes CWellFormedDTD::HandleStartToken(CToken * 0x03899d80) line 616 + 22 bytes CWellFormedDTD::HandleErrorToken(CToken * 0x03c7ab80) line 677 CWellFormedDTD::HandleToken(CWellFormedDTD * const 0x03c7b530, CToken * 0x03c7ab80, nsIParser * 0x04816d60) line 505 + 12 bytes CWellFormedDTD::BuildModel(CWellFormedDTD * const 0x03c7b530, nsIParser * 0x04816d60, nsITokenizer * 0x03c7b330, nsITokenObserver * 0x00000000, nsIContentSink * 0x0481feb0) line 257 + 20 bytes nsParser::BuildModel() line 1561 + 34 bytes nsParser::ResumeParse(int 1, int 0) line 1445 + 11 bytes nsParser::OnDataAvailable(nsParser * const 0x04816d68, nsIChannel * 0x046fff30, nsISupports * 0x00000000, nsIInputStream * 0x04823ce4, unsigned int 0, unsigned int 214) line 1891 + 19 bytes nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x046fabc0, nsIChannel * 0x046fff30, nsISupports * 0x00000000, nsIInputStream * 0x04823ce4, unsigned int 0, unsigned int 214) line 189 + 46 bytes nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x046cde30, nsIChannel * 0x046fff30, nsISupports * 0x00000000, nsIInputStream * 0x04823ce4, unsigned int 0, unsigned int 214) line 1217 + 46 bytes InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x04823ce0, nsIChannel * 0x046fff30, nsISupports * 0x00000000, nsIInputStream * 0x03c7bb40, unsigned int 0, unsigned int 214) line 1165 nsHTTPChunkConv::OnDataAvailable(nsHTTPChunkConv * const 0x03f2cc98, nsIChannel * 0x046fff30, nsISupports * 0x00000000, nsIInputStream * 0x049b450c, unsigned int 0, unsigned int 221) line 208 + 46 bytes nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x049b58f0, nsIChannel * 0x048282a4, nsISupports * 0x046fff30, nsIInputStream * 0x049b450c, unsigned int 0, unsigned int 221) line 540 + 67 bytes nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x048241f0) line 406 + 47 bytes nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x04824090) line 97 + 12 bytes PL_HandleEvent(PLEvent * 0x04824090) line 575 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x02d54240) line 520 + 9 bytes _md_EventReceiverProc(HWND__ * 0x0bd90288, unsigned int 49367, unsigned int 0, long 47530560) line 1030 + 9 bytes USER32! 77e71820() 02d54240()
Assignee: nisheeth → harishd
Comment 20•24 years ago
|
||
The crash is due to a mismatch between mimetime ( text/html ) and the content ( XML PI ). Therefore, we ended up choosing WellFormedDTD ( for XHTML ) even though the sink given to the parser was HTMLContentSink. Rickg, has a fix in his tree and will be checking in soon. *** This bug has been marked as a duplicate of 39520 ***
Status: NEW → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 21•24 years ago
|
||
This still crashes when the dupe is marked fixed so I reopens it. Tested with a CVS build from 2000-05-28. Two assertions about failed aName.length() (nsNodeInfoManager.cpp line 155) and then a crash with the following stack trace: SinkContext::CloseContainer(const nsIParserNode & {...}) line 1346 + 3 bytes HTMLContentSink::CloseContainer(HTMLContentSink * const 0x02f05008, const nsIParserNode & {...}) line 2927 + 18 bytes CWellFormedDTD::HandleEndToken(CToken * 0x024cd3c0) line 662 + 31 bytes CWellFormedDTD::HandleErrorToken(CToken * 0x02ff1f50) line 709 CWellFormedDTD::HandleToken(CWellFormedDTD * const 0x0306a328, CToken * 0x02ff1f50, nsIParser * 0x02f39178) line 526 + 12 bytes CWellFormedDTD::Terminate(nsIParser * 0x02f39178) line 362 + 20 bytes nsParser::Terminate() line 1091 + 33 bytes nsParser::Tokenize(int 0) line 2055 + 11 bytes nsParser::ResumeParse(int 1, int 0) line 1488 + 12 bytes nsParser::OnDataAvailable(nsParser * const 0x02f39180, nsIChannel * 0x030a4dc8, nsISupports * 0x00000000, nsIInputStream * 0x02f04b5c, unsigned int 0, unsigned int 214) line 1937 + 19 bytes nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x02f00bd8, nsIChannel * 0x030a4dc8, nsISupports * 0x00000000, nsIInputStream * 0x02f04b5c, unsigned int 0, unsigned int 214) line 210 + 46 bytes nsHTTPFinalListener::OnDataAvailable(nsHTTPFinalListener * const 0x030a4688, nsIChannel * 0x030a4dc8, nsISupports * 0x00000000, nsIInputStream * 0x02f04b5c, unsigned int 0, unsigned int 214) line 1217 + 46 bytes InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const 0x02f04b58, nsIChannel * 0x030a4dc8, nsISupports * 0x00000000, nsIInputStream * 0x03127aa0, unsigned int 0, unsigned int 214) line 1165 nsHTTPChunkConv::OnDataAvailable(nsHTTPChunkConv * const 0x0301b340, nsIChannel * 0x030a4dc8, nsISupports * 0x00000000, nsIInputStream * 0x02f36f9c, unsigned int 0, unsigned int 221) line 208 + 46 bytes nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x03157758, nsIChannel * 0x02e600fc, nsISupports * 0x030a4dc8, nsIInputStream * 0x02f36f9c, unsigned int 29301, unsigned int 221) line 540 + 67 bytes nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x031562a0) line 406 + 47 bytes nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03221f98) line 97 + 12 bytes PL_HandleEvent(PLEvent * 0x03221f98) line 575 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00e73178) line 520 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00991f30, unsigned int 49510, unsigned int 0, long 15151480) line 1030 + 9 bytes USER32! 77e13eb0() USER32! 77e1401a() USER32! 77e192da() nsAppShellService::Run(nsAppShellService * const 0x00e72b98) line 387 main1(int 1, char * * 0x00b67380, nsISupports * 0x00000000) line 904 + 32 bytes main(int 1, char * * 0x00b67380) line 1188 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e87903() The believed dupe was nsbeta2+ so I nominate this for nsbeta2
Status: RESOLVED → REOPENED
Keywords: nsbeta2
Resolution: DUPLICATE → ---
Summary: Blank page not shown for malformed xhtml page → Crash instead of blank page for malformed xhtml page
Comment 22•24 years ago
|
||
Over to rickg. I guess he's been working on a similar bug.
Assignee: harishd → rickg
Status: REOPENED → NEW
Assignee | ||
Comment 23•24 years ago
|
||
This no longer crashes, but I've fixed a few problems already that may have been related. I'll let you know when the changes land, and then you can retest.
Status: NEW → ASSIGNED
Whiteboard: fix in hand
Comment 24•24 years ago
|
||
Putting on nsbeta2+ radar. Will become minus on 6/15
Whiteboard: fix in hand → [nsbeta2+]6/15
Comment 25•24 years ago
|
||
The bottom line is that if the mimetype is text/html, we should not treat the contents as XML, even if it contains an XML decl. This should go through the regular codepath for HTML (Parser->CNavDTD/StrictDTD->HTMLContentSink). If the mimetype is text/xml, then only should we go through the XML codepath (Parser->CWellFormedDTD->XMLContentSink). Mixing and matching is dangerous, IMO.
Comment 26•24 years ago
|
||
Oops...typo. I meant "The bottom line is that if the mimetype is text/html, we should not treat the contents as *HTML*, even if it contains an XML decl."
Comment 27•24 years ago
|
||
vidur: Eh? I agreed with your first statement, not your correction...
Comment 28•24 years ago
|
||
OK, I'm confusing myself. I meant to say (and this time I mean it :-) "The bottom line is that if the mimetype is text/html, we should treat the contents as HTML, even if it contains an XML decl."
Comment 29•24 years ago
|
||
I disagree (with your final correction). Everybody who writes XHTML, do it on purpose, and *wants* strict (XML) parsing. The only reason they use 'text/html' is for their web pages to be backwards-compatible (and because the XHTML recommendation tells them to!). The HTML (4.01, not XHTML 1.0) Recommendation doesn't say what user agents should do when they encounter "bad" HTML. The closest thing I could find, was Appendix B, which only talkes about unknown elements and attributes. In theory, a HTML browser could refuse to display a HTML document that isn't "well-formed" (not in the XML sense, e.g. _<p>foo<p>baz_ would be OK, but not _<i>foo<b>baz</i>bar</b>_). It would of course be a very stupid thing to do, since it wouldn't display most web pages ... But, when it comes to XHTML, it's *not* a stupid thing to do; IMHO it's The Right Thing to do!
Comment 30•24 years ago
|
||
*** Bug 41243 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 31•24 years ago
|
||
Oh good grief. The XHTML spec itself is very clear. XHTML documents can be served as either text/html or text/xml, and we will follow two distinct code paths (via the xml sink or the html sink+strict DTD).
Comment 32•24 years ago
|
||
*** Bug 39112 has been marked as a duplicate of this bug. ***
Comment 33•24 years ago
|
||
*** Bug 41003 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 34•24 years ago
|
||
This is fixed, and was related to the mapping of xhtml to text/html mimetypes.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Comment 35•24 years ago
|
||
*** Bug 42789 has been marked as a duplicate of this bug. ***
Comment 36•24 years ago
|
||
*** Bug 42938 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•