Closed Bug 48427 Opened 24 years ago Closed 24 years ago

Crashing opening this site

Categories

(Core :: Layout, defect, P3)

x86
Windows ME
defect

Tracking

()

VERIFIED DUPLICATE of bug 49122

People

(Reporter: ezh, Assigned: waterson)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Tried about 10 times. Every attempt has ended with a crash.
Keywords: crash
Sorry, forgot - tested with 2000081008 on winMe
crashes for me, too.  testcase coming
Assignee: asa → gagan
Component: Browser-General → Networking
Keywords: makingtest
QA Contact: doronr → tever
OK, unbelievably, this is the minimized testcase:

<form>
<table><td><map name="w"><area></map><img usemap="#w"></form>

Removing ANYTHING from the testcase will prevent the crash.  Note that I 
realize there's improper HTML there (like missing closing tags), but even with 
those in, it crashes -- so I removed them.
Attached file minimized testcase
my stack trace from talkback
nsQueryInterface::operator()[...\xpcom\base\nsCOMPtr.cpp,line37]

nsCOMPtr_base::assign_from_helper[...\xpcom\base\nsCOMPtr.cpp,line66]

nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1294]

nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]

nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]

nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]

nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]

nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]

nsHTMLMapElement::SetDocument[...\layout\html\content\src\nsHTMLMapElement.cpp,line276]

nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]

nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]

nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]

nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]

nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]

nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]

nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]

nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]

nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]

nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]

nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]

nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]

nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]

nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]

nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]

nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]

nsGenericHTMLContainerElement::RemoveChildAt[...\layout\html\content\src\nsGenericHTMLElement.cpp,line3538]

nsHTMLFormElement::RemoveChildAt[...\layout\html\content\src\nsHTMLFormElement.cpp,line94]

SinkContext::DemoteContainer[...\layout\html\document\src\nsHTMLContentSink.cpp,line1637]

HTMLContentSink::CloseForm[...\layout\html\document\src\nsHTMLContentSink.cpp,line2897]

CNavDTD::CloseForm[...\htmlparser\src\CNavDTD.cpp,line2976]

CNavDTD::CloseContainer[...\htmlparser\src\CNavDTD.cpp,line3241]

CNavDTD::HandleEndToken[...\htmlparser\src\CNavDTD.cpp,line1747]

CNavDTD::HandleToken[...\htmlparser\src\CNavDTD.cpp,line770]

CNavDTD::BuildModel[...\htmlparser\src\CNavDTD.cpp,line504]

CNavDTD::DidBuildModel[...\htmlparser\src\CNavDTD.cpp,line536]

nsParser::DidBuildModel[...\htmlparser\src\nsParser.cpp,line1394]

nsParser::ResumeParse[...\htmlparser\src\nsParser.cpp,line1914]

nsParser::OnStopRequest[...\htmlparser\src\nsParser.cpp,line2361]

nsDocumentOpenInfo::OnStopRequest[...\uriloader\base\nsURILoader.cpp,line269]

nsHTTPFinalListener::OnStopRequest[...\netwerk\protocol\http\src\nsHTTPResponseListener.cpp,line1193]

InterceptStreamListener::OnStopRequest[...\netwerk\cache\mgr\nsCachedNetData.cpp,line1186]

nsHTTPChunkConv::OnStopRequest[...\netwerk\streamconv\converters\nsHTTPChunkConv.cpp,line109]

nsHTTPChannel::ResponseCompleted[...\netwerk\protocol\http\src\nsHTTPChannel.cpp,line1772]

nsHTTPServerListener::OnStopRequest[...\netwerk\protocol\http\src\nsHTTPResponseListener.cpp,line720]

nsOnStopRequestEvent::HandleEvent[...\netwerk\base\src\nsAsyncStreamListener.cpp,line302]

nsStreamListenerEvent::HandlePLEvent[...\netwerk\base\src\nsAsyncStreamListener.cpp,line106]

PL_HandleEvent[...\xpcom\threads\plevent.c,line588]

PL_ProcessPendingEvents[...\xpcom\threads\plevent.c,line547]

_md_EventReceiverProc[...\xpcom\threads\plevent.c,line1045]

USER32.dll+0x1820(0x77e71820)
over to XPCOM for an initial look.  
Assignee: gagan → rayw
Component: Networking → XPCOM
QA Contact: tever → leger
Whatever it is, it's certainly not XPCOM. I'll take a look. It's working fine in 
a Linux build that's two days old, so it may be new.
Assignee: rayw → waterson
Component: XPCOM → Layout
We're down in the bowels of DemoteContainer here, shuffling the content model
around.

What's happening is that GetPrimaryFrameFor(<area>) is finding what appears to
be a deleted frame. In SetDocument(), it tries to QI() this to an
nsIAnonymousContentCreator, and crashes in the process.

This is a bona fide layout problem. I don't know why we're finding a destroyed frame
in the pres shell's primary-frame-for map.
Status: NEW → ASSIGNED
Target Milestone: --- → M18
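The failure mode described in the comment above, sketched as an added example that is not part of the bug report and is not Gecko code: a content-to-primary-frame map that still holds an entry for a destroyed frame, next to a teardown and a lookup that keep the map consistent. The bug does not say how the stale entry arose, so the faulty teardown path here is an assumption, and every class and function name is hypothetical.

```cpp
// Added illustration: toy model, not Gecko code; every name here is hypothetical.
#include <memory>
#include <unordered_map>

struct Content { const char* tag; };
struct Frame { const Content* content; };
using FrameId = unsigned long long;  // handles, so a dead frame is never dereferenced
class PresShellModel {
    FrameId next_id_ = 0;
    std::unordered_map<FrameId, std::unique_ptr<Frame>> live_;
    std::unordered_map<const Content*, FrameId> primary_;  // primary-frame-for map
public:
    FrameId CreateFrameFor(const Content* c) {
        live_[++next_id_].reset(new Frame{c});
        primary_[c] = next_id_;
        return next_id_;
    }
    // Assumed faulty teardown: the frame is freed, its map entry stays behind.
    void DestroyLeavingEntry(FrameId id) { live_.erase(id); }
    // Teardown that keeps the invariant: unmap first, then free.
    void Destroy(FrameId id) {
        auto f = live_.find(id);
        if (f == live_.end()) return;
        auto m = primary_.find(f->second->content);
        if (m != primary_.end() && m->second == id) primary_.erase(m);
        live_.erase(f);
    }
    // Checked lookup: nullptr rather than a pointer to a destroyed frame.
    Frame* GetPrimaryFrameFor(const Content* c) const {
        auto m = primary_.find(c);
        if (m == primary_.end()) return nullptr;
        auto f = live_.find(m->second);
        return f == live_.end() ? nullptr : f->second.get();
    }
    // Debug audit: number of map entries whose frame no longer exists.
    int StaleEntries() const {
        int n = 0;
        for (const auto& kv : primary_) if (!live_.count(kv.second)) ++n;
        return n;
    }
};
// Runs one teardown path on a constructed <area> node; returns the audit count.
int StaleAfterTeardown(bool unmap_first) {
    Content area{"area"};
    PresShellModel shell;
    FrameId id = shell.CreateFrameFor(&area);
    if (unmap_first) shell.Destroy(id); else shell.DestroyLeavingEntry(id);
    if (shell.GetPrimaryFrameFor(&area)) return -1;  // lookup handed out a dead frame
    return shell.StaleEntries();
}
```

With raw frame pointers stored in the map, as the comment describes, the stale entry is handed straight to the caller and the first virtual call on it touches freed memory; the audit is the kind of check a debug build can run after content-model shuffles such as DemoteContainer.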
Chris, any idea why the minimized testcase is such a strange mix of elements 
that all contribute to the crash?
When you have jumbled up, incorrect HTML like that, the HTML parser does the 
best it can to form a coherent content model from the elements. That sometimes 
causes elements to be removed, and then re-inserted into the document. That's 
what's happening here.
See also bug 49122.  Doesn't crash in quite the same place, but similar. 
Testcase on that bug is valid HTML.

*** This bug has been marked as a duplicate of 49122 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
vrfy dup
Status: RESOLVED → VERIFIED