Closed Bug 301895 Opened 19 years ago Closed 19 years ago

XUL crash with <html:object> with bogus type attribute [@ nsBlockBandData::Init ]

Categories

(Core :: Layout, defect)

1.7 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: migmigmig, Unassigned)

Details

(Keywords: crash, qawanted)

Crash Data

Attachments

(1 file)

465 bytes, application/vnd.mozilla.xul+xml
Details
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 (ax)

If an <html:object> in a XUL document carries a type attribute that cannot be
resolved by the plugin finder, the mozzy gets the crashy.

For instance, this line will always immediately crash the browser:
<html:object id="thecrashy" width="0" height="0" type="See Mozzy crash.  Crash,
Mozzy, crash!"/>

Amusingly, if you give the width and height to be nonzero, the app will still
crash but it will first hang around frozen with a wait-cursor for 30 or so
seconds.  Possibly different bugs, but one will lead to the other, I'm sure.

Reproducible: Always

Steps to Reproduce:
1. Make a XUL document with a bad <html:object>
2. Load it
3. Cry

Actual Results:  
I cried.

Expected Results:  
Other than crash?

This is a bit more difficult to call.  Obviously, if the plugin finder can't
find there should be some sort of feedback -- and if your object has no size
then that feedback won't be visible in the screen.

Outside of writing a whole big chunk of UI to give unknown plugin alerts in
their own windows, I'd say the best you can do is fail silently and leave lots
of useful info in the stdout/js consoles.

Talkback reports: TB7752978H, TB7752964H, TB7752958M, TB7752709G

These are for both sized and unsized attempts at testing my crash_object.xul
file (which I'll attach as soon as I'm done with Mr Bug Wizard here).

I assume because it's an actual crash that it should be "critical" severity, but
this is obviously arguable given it's in such a small, "unused," corner of the
codebase.
Attached file Crash yer mozzy.
Component: Plugin Finder Service → Layout
Product: Firefox → Core
QA Contact: plugin.finder → layout
Version: unspecified → 1.7 Branch
nsBlockBandData::Init 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockBandData.cpp,
line 70]
nsBlockFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp,
line 688]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 982]
nsObjectFrame::HandleChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsObjectFrame.cpp,
line 1514]
nsObjectFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsObjectFrame.cpp,
line 1117]
nsBoxToBlockAdaptor::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 884]
nsBoxToBlockAdaptor::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 626]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsRootBoxFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp,
line 240]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 982]
ViewportFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsViewportFrame.cpp,
line 249]
PresShell::ResizeReflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 2936]
PresShell::ResizeReflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6147]
nsViewManager::SetWindowDimensions 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 687]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 1871]
HandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::OnResize 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5114]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 4284]
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0xd05b (0x77d4d05b)
USER32.dll + 0xb4c0 (0x77d4b4c0)
USER32.dll + 0xd0a5 (0x77d4d0a5)
ntdll.dll + 0xeae3 (0x7c90eae3)
DocumentViewerImpl::SetBounds 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/base/src/nsDocumentViewer.cpp,
line 1477]
nsSubDocumentFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/document/src/nsFrameFrame.cpp,
line 422]
nsBoxToBlockAdaptor::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 884]
nsBoxToBlockAdaptor::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 626]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsDeckFrame::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsDeckFrame.cpp,
line 303]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsRootBoxFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp,
line 240]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 982]
ViewportFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsViewportFrame.cpp,
line 249]
IncrementalReflow::Dispatch 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 904]
PresShell::ProcessReflowCommands 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6401]
PresShell::FlushPendingNotifications 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5114]
nsEventStateManager::FlushPendingEvents 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 4654]
nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 443]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6056]
PresShell::HandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2321]
Keywords: crash
Summary: XUL crash with <html:object> with bogus type attribute → XUL crash with <html:object> with bogus type attribute [@ nsBlockBandData::Init ]
Is this a problem with Deer Park alpha 2?
Keywords: qawanted
(In reply to comment #3)
> Is this a problem with Deer Park alpha 2?

not a Deer Park problem.

crash Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.10) Gecko/20050715 Firefox/1.0.6

wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050724 Firefox/1.0+

wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050723 SeaMonkey/1.0a


http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB7763128G

29 Talkbacks:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=+nsBlockBandData%3A%3AInit&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

MacOSX:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=7247780
If this is branch-only, then it's a pretty low priority unless there's a
security issue here or this is a topcrash....
Wontfix on 1.7 branch.  Worksforme on trunk.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ nsBlockBandData::Init ]
You need to log in before you can comment on or make changes to this bug.