Closed Bug 50994 Opened 24 years ago Closed 24 years ago

Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]

Categories: Core :: DOM: HTML Parser, defect, P3

Status: VERIFIED FIXED

People: Reporter: jwbaker, Assigned: harishd

Details: Keywords: crash, testcase, topcrash; Whiteboard: [nsbeta3+]fix in hand

Attachments: 3 files

Mozilla crashes on the valid HTML file that I will attach herein.  Stack trace:

#0  0x40a8078c in nsCParserNode::GetNodeType (this=0x85e64d8) at
nsParserNode.cpp:232
#1  0x4179e7eb in HTMLContentSink::CloseContainer (this=0x86a77f8,
aNode=@0x85e64d8) at nsHTMLContentSink.cpp:3013
#2  0x40a70975 in CElement::CloseContainer (this=0x80ea958, aNode=0x85e64d8,
aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:321
#3  0x40a7087f in CElement::CloseContainerInContext (this=0x80ea958,
aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at
COtherElements.h:349
#4  0x40a6e629 in CElement::HandleStartToken (this=0x80ea958, aNode=0x85e6400,
aTag=eHTMLTag_form, aContext=0x8617490, aSink=0x86a77f8) at
COtherElements.h:2771
#5  0x40a6fe45 in COtherDTD::HandleStartToken (this=0x8677480, aToken=0x86d52a8)
at COtherDTD.cpp:784
#6  0x40a6f8e2 in COtherDTD::HandleToken (this=0x8677480, aToken=0x86d52a8,
aParser=0x86a7058) at COtherDTD.cpp:584
#7  0x40a6f5ec in COtherDTD::BuildModel (this=0x8677480, aParser=0x86a7058,
aTokenizer=0x85e1880, anObserver=0x0, aSink=0x86a77f8) at COtherDTD.cpp:479
#8  0x40a7c97f in nsParser::BuildModel (this=0x86a7058) at nsParser.cpp:1978
#9  0x40a7c715 in nsParser::ResumeParse (this=0x86a7058, allowIteration=1,
aIsFinalChunk=0) at nsParser.cpp:1859
#10 0x40a7d4da in nsParser::OnDataAvailable (this=0x86a7058, channel=0x85c2dd0,
aContext=0x0, pIStream=0x8611630, sourceOffset=0, aLength=230) at
nsParser.cpp:2309
#11 0x410ab8c2 in nsDocumentOpenInfo::OnDataAvailable (this=0x85df370,
aChannel=0x85c2dd0, aCtxt=0x0, inStr=0x8611630, sourceOffset=0, count=230) at
nsURILoader.cpp:251
#12 0x409af641 in nsFileChannel::OnDataAvailable (this=0x85c2dd0,
transportChannel=0x85e1f88, context=0x0, aIStream=0x8611630, aSourceOffset=0,
aLength=230) at nsFileChannel.cpp:673
#13 0x4093ab8c in nsOnDataAvailableEvent::HandleEvent (this=0x41d02e38) at
nsAsyncStreamListener.cpp:400
#14 0x40939dff in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41d02e60) at
nsAsyncStreamListener.cpp:97
#15 0x4011e80f in PL_HandleEvent (self=0x41d02e60) at plevent.c:587
#16 0x4011e6b1 in PL_ProcessPendingEvents (self=0x80ab6d0) at plevent.c:528
#17 0x40120431 in nsEventQueueImpl::ProcessPendingEvents (this=0x80ab698) at
nsEventQueue.cpp:356
#18 0x40bccbcc in event_processor_callback (data=0x80ab698, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#19 0x40bcc80b in our_gdk_io_invoke (source=0x82084f0, condition=G_IO_IN,
data=0x82084e0) at nsAppShell.cpp:58
#20 0x40d8920e in g_io_unix_dispatch (source_data=0x8208508,
current_time=0xbffff680, user_data=0x82084e0) at giounix.c:135
#21 0x40d8a717 in g_main_dispatch (dispatch_time=0xbffff680) at gmain.c:656
#22 0x40d8acdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#23 0x40d8ae59 in g_main_run (loop=0x8208550) at gmain.c:935
#24 0x40cb9069 in gtk_main () at gtkmain.c:476
#25 0x40bcd2b5 in nsAppShell::Run (this=0x80f41f8) at nsAppShell.cpp:335
#26 0x406a7290 in nsAppShellService::Run (this=0x80f3010) at
nsAppShellService.cpp:378
#27 0x8055374 in main1 (argc=1, argv=0xbffff964, nativeApp=0x0) at
nsAppRunner.cpp:958
#28 0x8055a48 in main (argc=1, argv=0xbffff964) at nsAppRunner.cpp:1139
#29 0x4036a2e7 in __libc_start_main () from /lib/libc.so.6

This occurs on every build after 2000-08-30-15 on Linux.  cc harishd because he
diddled in this code at the right time re: Bug 46702.
Keywordage.
Severity: normal → critical
Keywords: crash, nsbeta3, testcase
Attached file: Minimal valid testcase
Unable to reproduce crash on 083111 Win98.
I apologize.  I uploaded the wrong testcase.  The second testcase really does
crash repeatably.
Attached file: Real testcase this time
*** Bug 50964 has been marked as a duplicate of this bug. ***
Attached patch: Proposed patch
The problem is that in COtherElements the node that got recycled was being 
referenced!

Rickg, could you please review the patch? Thanx
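The comment above names the bug class: a parser node handed back to a recycler and then dereferenced by the content sink when an unclosed <p> is implicitly closed by a <form> start token. The following is an added, constructed model of that hazard, not Mozilla's code; NodePool, SinkCloseContainer, HandleFormStart and the generation counter used to detect a stale reference are all hypothetical.

```cpp
#include <cstdint>
#include <vector>

enum HtmlTag { TAG_P = 1, TAG_FORM = 2 };

struct ParserNode {
    HtmlTag  tag;
    uint32_t generation;   // bumped each time the node is recycled (hypothetical)
    bool     inUse;
};

// Tiny node recycler: released nodes are reused, not freed, so a stale pointer
// still points at live memory that may now describe a different node.
class NodePool {
public:
    ParserNode* create(HtmlTag tag) {
        for (ParserNode* n : nodes_)
            if (!n->inUse) { n->tag = tag; n->inUse = true; return n; }
        ParserNode* n = new ParserNode{tag, 0, true};
        nodes_.push_back(n);
        return n;
    }
    void recycle(ParserNode* n) { n->inUse = false; ++n->generation; }
    ~NodePool() { for (ParserNode* n : nodes_) delete n; }
private:
    std::vector<ParserNode*> nodes_;
};

// Stand-in for the sink's CloseContainer reading the node type. The generation
// check turns a silent stale read into a detectable error (-1).
int SinkCloseContainer(const ParserNode* node, uint32_t expectedGen) {
    if (!node->inUse || node->generation != expectedGen) return -1;
    return node->tag;
}

// Strict-mode handling of a <form> start token while <p> is still open: the
// buggy order recycles the <p> node before the sink reads it, the fixed order after.
int HandleFormStart(NodePool& pool, ParserNode* openP, bool recycleBeforeUse) {
    uint32_t gen = openP->generation;
    if (recycleBeforeUse) pool.recycle(openP);   // the ordering that breaks
    int tag = SinkCloseContainer(openP, gen);
    if (!recycleBeforeUse) pool.recycle(openP);  // safe ordering
    return tag;
}

int RunScenario(bool buggy) {
    NodePool pool;
    ParserNode* p = pool.create(TAG_P);          // the unclosed <p> in the test case
    return HandleFormStart(pool, p, buggy);
}
```

With a real allocator the buggy ordering is a use-after-free that tools such as AddressSanitizer flag; the generation check shown here is the cheap in-process equivalent for a pool that never returns memory.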
Harishd, I applied your patch to source pulled 2000-09-01-06.  It applies,
compiles, and fixes the crash.  However, I get a new compiler warning:

COtherElements.h: In method `nsresult CElement::CloseContainerInContext(class
nsIParserNode *, enum nsHTMLTag, class nsDTDContext *, class nsIHTMLContentSink
*)':
In file included from COtherDTD.cpp:82:
COtherElements.h:344: warning: unused variable `nsresult result'

I don't see any reason for the result variable, either.  You don't use it or
return it.  It seems vestigial.
Ya, I was planning on using that variable then decided not to..but then forgot
to remove it!!! Thanx for the heads up Jeffrey.
This was also seen on Win2k.
OS: Linux → All
*** Bug 51071 has been marked as a duplicate of this bug. ***
*** Bug 51183 has been marked as a duplicate of this bug. ***
*** Bug 51162 has been marked as a duplicate of this bug. ***
I probably have a dupe of this bug. CCing myself so I can check after fix goes
in.
*** Bug 51217 has been marked as a duplicate of this bug. ***
*** Bug 51219 has been marked as a duplicate of this bug. ***
*** Bug 51234 has been marked as a duplicate of this bug. ***
Changing Summary to make it easier to find (it's getting lots of dups)
Summary: Crashing in nsCParserNode::GetNodeType → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags
Keywords: mostfreq
Adding topcrash keyword.  This is #5 on today's list of top crashes for the past
week (in n.p.m.crash-data).  (And #1 and #4 are fixed.)
Keywords: topcrash
*** Bug 51243 has been marked as a duplicate of this bug. ***
*** Bug 51257 has been marked as a duplicate of this bug. ***
Another example of this is http://www.mozart-oz.org/ . This starts with
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> .
PC/Linux build 2000090308.
*** Bug 51200 has been marked as a duplicate of this bug. ***
*** Bug 51173 has been marked as a duplicate of this bug. ***
*** Bug 51277 has been marked as a duplicate of this bug. ***
It should be but it wasn't (I don't have perms but bugzilla doesn't seem to
check before making the annotation above).
*** Bug 51277 has been marked as a duplicate of this bug. ***
*** Bug 51293 has been marked as a duplicate of this bug. ***
*** Bug 51310 has been marked as a duplicate of this bug. ***
*** Bug 51310 has been marked as a duplicate of this bug. ***
*** Bug 51290 has been marked as a duplicate of this bug. ***
*** Bug 51302 has been marked as a duplicate of this bug. ***
Here's another testcase (not that it's really needed):
http://www.davidkrause.com/~david/crash.html

Also, just a reminder that we're going to need to check each of these dups once
this is fixed to make sure nothing slipped through the cracks.
*** Bug 51344 has been marked as a duplicate of this bug. ***
*** Bug 51356 has been marked as a duplicate of this bug. ***
*** Bug 51332 has been marked as a duplicate of this bug. ***
Harishd has the probable fix for this.  We are accumulating more and more
duplicate bug reports everyday.  Since this crash is so frequent, this is
preventing everyday use, and also most likely masking other bugs.

I have this fixed in my tree, but people who test with the nightlies do not have
that remedy.  I would be very appreciative if someone could review this patch
ASAP, and if leger or whomever could please come along and nsbeta3+ this bug.
Whiteboard: fix in hand
Keywords: review
Whiteboard: fix in hand → fix in hand [needs review]
nisheeth, i summon thee to review harish's patch.

harish, i implore you to find a reviewer if nisheeth/rickg cannot be found (and,
maybe, take ownership of the bug!)
Only code written by Netscapers requires an nsbeta3+ for checkin; anyone can
checkin this patch with module owner review and approval from brendan or waterson.
But Harish wrote the code, and he's a netscape employee...
Reassigning to myself. Got the patch reviewed by nisheeth. Will checkin first
thing in the morning after comprehensive ( walking top 100 sites ) testing.
Assignee: rickg → harishd
Keywords: reviewapproval
Whiteboard: fix in hand [needs review] → fix in hand [should be + by pdt since a netscape employee intends to check this in]
Putting on [nsbeta3+] radar.
Whiteboard: fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in]
Bug asserts itself on Mac versions, crashes repeatedly, recommend changing
platform to 'all'
Hardware: PC → All
thank you
Status: NEW → ASSIGNED
Whiteboard: [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand
*** Bug 51369 has been marked as a duplicate of this bug. ***
*** Bug 51394 has been marked as a duplicate of this bug. ***
*** Bug 51402 has been marked as a duplicate of this bug. ***
*** Bug 51383 has been marked as a duplicate of this bug. ***
*** Bug 51458 has been marked as a duplicate of this bug. ***
Will checkin as soon as the tree opens today.
*** Bug 51542 has been marked as a duplicate of this bug. ***
I'm absolutely dead in the water today with this crash.  I'll try your patch...
so far, this patch is working for me.  no more crashes!
Fix is in. Everyone should be happy :-)

Good...marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
*** Bug 51204 has been marked as a duplicate of this bug. ***
How did you manage to resolve this bug w/o it getting marked as fixed? 
[Reopening to reresolve as fixed - please excuse the spam]
Status: RESOLVED → REOPENED
Trying to resolve as Fixed
Status: REOPENED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
*** Bug 51647 has been marked as a duplicate of this bug. ***
*** Bug 51654 has been marked as a duplicate of this bug. ***
*** Bug 51819 has been marked as a duplicate of this bug. ***
*** Bug 51818 has been marked as a duplicate of this bug. ***
*** Bug 51864 has been marked as a duplicate of this bug. ***
I verified every URL and testcase attached to this bug and its duplicates.  None
of them crashed on Linux build 2000-09-08-06.  The fact that I could visit every
one of these URLs, and then back-button through them without crashing is an
unexpected testament to Mozilla's current quality.

http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14260
http://www.la-sorciere.de/Wine-HOWTO/index.html
http://www.lokigames.com/
http://people.netscape.com/ftang/number/test/armenian.html
http://blanalex.dyndns.org/
http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14096
http://www.psu.edu/ur/directory/
http://www.physik.fu-berlin.de/~fsi/statistik.html
http://www.gnu.org/software/hurd/
http://www.mihalis.org/Laurent/cv_lc.html
http://www.kde.org/announcements/k2launchpad.html
http://johnandlucy.com/crash.html
http://www.davidkrause.com/~david/crash.html
http://www.lowfield.co.uk/archers/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13998
http://www.amd.com/news/corppr/20152.html
http://www.nemesis.se/about_site
http://www.swiss.ai.mit.edu/~rms/anti-posco/
http://www.amd.com/products/cpg/athlon/benchmarks/benchmarks.html
http://www.nemesis.se/clients/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13960
http://www.lokigames.com/products/sc3k/
http://www.mozart-oz.org/
http://www.htmlhelp.org/reference/html40/deprecated.html
http://www.gtk.org/~otaylor/gtk/gobject/
http://www.strusel007.de/linux/xawtv/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13953
http://www.w3.org/StyleSheets/Core/preview
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13888
http://www.richinstyle.com/bugs/ie5demo.html
http://www.americangreetings.com/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13861
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13849
http://www.northernsun.com/

[@ nsCParserNode::GetNodeType]
Summary: Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]
*** Bug 51818 has been marked as a duplicate of this bug. ***
I checked the links as well, on NT, and did not get a crash. However, I got an
unrelated assertion on two of them:

http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://www.physik.fu-berlin.de/~fsi/statistik.html

I will see if there are bugs on them and file new ones if not.

But, since Jeffrey passed the list on Linux and I passed the list on NT I am 
marking this verified.
Status: RESOLVED → VERIFIED
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
Crash Signature: [@ nsCParserNode::GetNodeType]