Closed
Bug 121841
Opened 23 years ago
Closed 22 years ago
<!ENTITY> hangs 0.9.8 and trunk using 100% CPU
Categories
(Core :: DOM: HTML Parser, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: jonasj, Assigned: jag+mozilla)
References
()
Details
(Keywords: hang, regression, topembed+, Whiteboard: [ADT1] [ETA 04/16])
Attachments
(3 files, 2 obsolete files)
47 bytes,
text/html
|
Details | |
930 bytes,
patch
|
bryner
:
review+
scc
:
superreview+
scc
:
approval+
|
Details | Diff | Splinter Review |
882 bytes,
patch
|
Details | Diff | Splinter Review |
Build 2002012403, Win2k-SP2. Go to http://www.tdc.dk/tdc/english/menu/sm0278.htm. Click one of the links "Investor" or "Press" in the lower right corner of the page.
Comment 1•23 years ago
|
||
confirming withj win2k build 20020125..
I'm "looping" between this assertions:
###!!! ASSERTION: You can't |write| into an |nsWritingIterator| with no space!:
'size_forward() > 0', file ..\..\dist\include\string\nsStringIterator.h, line 35
###!!! ASSERTION: |copy_string| will never terminate: 'count_copied > 0', file .
.\..\dist\include\string\nsAlgorithm.h, line 91
I really don't know who should get this !
-> String ???????
The stack from the first assertion:
NTDLL! 778a018c()
nsDebug::Assertion(const char * 0x10132db8 `string', const char * 0x10132df8
`string', const char * 0x10132c80 `string', int 356) line 290 + 13 bytes
nsWritingIterator<unsigned short>::write(const unsigned short * 0x01151e8c,
unsigned int 75) line 356 + 37 bytes
nsCharSinkTraits<nsWritingIterator<unsigned short>
>::write(nsWritingIterator<unsigned short> & {...}, const unsigned short *
0x01151e8c, unsigned int 75) line 559
copy_string(nsReadingIterator<unsigned short> & {...}, const
nsReadingIterator<unsigned short> & {...}, nsWritingIterator<unsigned short> &
{...}) line 90 + 39 bytes
nsAString::do_AppendFromReadable(const nsAString & {...}) line 362 + 55 bytes
nsAString::AppendFromReadable(const nsAString & {...}) line 329
nsAString::Append(const nsAString & {...}) line 282 + 19 bytes
nsAutoString::nsAutoString(const nsAString & {...}) line 1455
nsCommentNode::SetText(nsCommentNode * const 0x0386bc00, const nsAString &
{...}, int 0) line 246
nsGenericDOMDataNode::AppendData(const nsAString & {...}) line 508 + 50 bytes
nsCommentNode::AppendData(nsCommentNode * const 0x0386bc1c, const nsAString &
{...}) line 60 + 18 bytes
SinkContext::AddComment(const nsIParserNode & {...}) line 1952
HTMLContentSink::AddComment(HTMLContentSink * const 0x03839720, const
nsIParserNode & {...}) line 3473 + 18 bytes
CNavDTD::HandleCommentToken(CToken * 0x01124d08) line 2204 + 34 bytes
CNavDTD::HandleToken(CNavDTD * const 0x0383be10, CToken * 0x01124d08, nsIParser
* 0x03839ac0) line 903 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0383be10, nsIParser * 0x03839ac0,
nsITokenizer * 0x038619c0, nsITokenObserver * 0x00000000, nsIContentSink *
0x03839720) line 525 + 20 bytes
nsParser::BuildModel() line 1981 + 34 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1847 + 11 bytes
nsParser::ContinueParsing() line 1495 + 19 bytes
nsParser::HandleParserContinueEvent() line 1555
nsParserContinueEvent::HandleEvent() line 230
HandlePLEvent(nsParserContinueEvent * 0x0386c790) line 241
PL_HandleEvent(PLEvent * 0x0386c790) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x004959b0) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00320250, unsigned int 49426, unsigned int 0,
long 4807088) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x004b5120) line 308
main1(int 2, char * * 0x00444fa0, nsISupports * 0x00000000) line 1285 + 32 bytes
main(int 2, char * * 0x00444fa0) line 1625 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Comment 2•23 years ago
|
||
CC dbaron because he can help in this case
Reporter | ||
Comment 3•23 years ago
|
||
The source of the page begins with: <!ENTITY % HTML.Version "-//W3C//DTD HTML 4.01 Transitional//EN" <html> <head> <title>Tele Danmark</title> It seems to be the first line that causes it. Actually, it seems that even a file containing only these 9 characters: <!ENTITY> will make Mozilla hang!
Comment 4•23 years ago
|
||
*** Bug 123723 has been marked as a duplicate of this bug. ***
Reporter | ||
Updated•23 years ago
|
Summary: tdc.dk hangs build 2002012403 with 100% CPU → <!ENTITY> hangs 0.9.8 and trunk using 100% CPU
Keywords: regression
parser is the top caller culprit, cc'ing all victims and passing to parser.
Assignee: scc → harishd
Component: String → Parser
QA Contact: jaggernaut → moied
AFAIK, this is not a parser bug. Jag, could you please take a look at this bug and see if it's string related? --> m1.0
Priority: -- → P2
Target Milestone: --- → mozilla1.0
Comment 8•23 years ago
|
||
*** Bug 125827 has been marked as a duplicate of this bug. ***
Comment 9•23 years ago
|
||
As a note. I tried calling NS_ConvertUCS2toUTF8 on the string passed to nsCommentNode::SetText. After it chewed up about 600 MB of memory I killed it.... Something is wacky with the concatenation that's coming in there....
Comment 10•23 years ago
|
||
Mozilla doesn't hang if it sees ENTITY while rendering XML - for example, the MathML team's demo pages (such as http://www.mozilla.org/projects/mathml/demo/mfrac.xhtml) all have <!ENTITY mathml "http://www.w3.org/1998/Math/MathML"> at the top, and they render fine. This with trunk 2002021508. Investigating why XML mode makes a difference might be useful.
> Something is wacky with the concatenation that's coming in there....
Is something creating an nsPromiseConcatenation with the right side being
another nsPromiseConcatenation?
Comment 12•23 years ago
|
||
Not quite... The left is is nsAutoString, the right side is nsSlidingSubstring::nsAPromiseString
The case I described is known to fail (see bug 74709 / bug 70083). I'm not sure if what you described is the same.
jag, when I try this and pause the debugger when it seems to have hanged, I end up in different locations but in some occasions it is showing nsSlidingSubstring in the stack... so maybe more manifestations of the things we saw in bug 110544.
Comment 15•22 years ago
|
||
*** Bug 129739 has been marked as a duplicate of this bug. ***
Comment 16•22 years ago
|
||
hangs logging into www.verizon.com, so this affects ecommerce as well.
Keywords: topembed
Comment 17•22 years ago
|
||
*** Bug 130288 has been marked as a duplicate of this bug. ***
Comment 18•22 years ago
|
||
This is not a parser bug. Sounds like a string bug. Observation: <!XXXXXX> does not crash ( underlying string nsAFlatString ) <!ENTITY> does crash ( underlying string nsAPromiseString ). --> jag
Assignee: harishd → jaggernaut
Assignee | ||
Comment 19•22 years ago
|
||
So it's either <!ENTITY> or nsPromiseFlatString or the combination.
Comment 20•22 years ago
|
||
*** Bug 131234 has been marked as a duplicate of this bug. ***
Comment 21•22 years ago
|
||
*** Bug 131785 has been marked as a duplicate of this bug. ***
Comment 22•22 years ago
|
||
*** Bug 132084 has been marked as a duplicate of this bug. ***
Comment 23•22 years ago
|
||
*** Bug 132354 has been marked as a duplicate of this bug. ***
Comment 24•22 years ago
|
||
Plusing to topembed+ since this is a regression and a hang. Adding ADT1.
Comment 25•22 years ago
|
||
*** Bug 134020 has been marked as a duplicate of this bug. ***
Comment 26•22 years ago
|
||
*** Bug 134476 has been marked as a duplicate of this bug. ***
Updated•22 years ago
|
Keywords: mozilla1.0+
Comment 27•22 years ago
|
||
*** Bug 134918 has been marked as a duplicate of this bug. ***
Comment 28•22 years ago
|
||
*** Bug 135495 has been marked as a duplicate of this bug. ***
Comment 29•22 years ago
|
||
Stack from bug 135495 (it is hang so got this hitting pause): nsDependentConcatenation::GetReadableFragment(nsReadableFragment<unsigned short> & {...}, nsFragmentRequest kFirstFragment, unsigned int 0) line 96 + 32 bytes nsReadingIterator<unsigned short>::normalize_forward() line 371 + 39 bytes nsReadingIterator<unsigned short>::advance(int 56) line 179 IsASCII(const nsAString & {...}) line 325 + 26 bytes nsTextFragment::operator=(const nsAString & {...}) line 142 + 10 bytes nsGenericDOMDataNode::SetText(nsGenericDOMDataNode * const 0x044509d8, const nsAString & {...}, int 0) line 1330 nsGenericDOMDataNode::AppendData(const nsAString & {...}) line 508 + 50 bytes nsCommentNode::AppendData(nsCommentNode * const 0x044509f4, const nsAString & {...}) line 60 + 18 bytes SinkContext::AddComment(const nsIParserNode & {...}) line 1978 HTMLContentSink::AddComment(HTMLContentSink * const 0x036bcb80, const nsIParserNode & {...}) line 3503 + 18 bytes CNavDTD::HandleCommentToken(CToken * 0x038cf848) line 2194 + 34 bytes CNavDTD::HandleToken(CNavDTD * const 0x036cfeb0, CToken * 0x038cf848, nsIParser * 0x0361a938) line 894 + 12 bytes CNavDTD::BuildModel(CNavDTD * const 0x036cfeb0, nsIParser * 0x0361a938, nsITokenizer * 0x038e6c10, nsITokenObserver * 0x00000000, nsIContentSink * 0x036bcb80) line 512 + 20 bytes nsParser::BuildModel() line 1859 + 34 bytes nsParser::ResumeParse(int 1, int 0, int 1) line 1731 + 11 bytes nsParser::OnDataAvailable(nsParser * const 0x0361a93c, nsIRequest * 0x03726390, nsISupports * 0x00000000, nsIInputStream * 0x036eca90, unsigned int 0, unsigned int 1024) line 2383 + 21 bytes nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x03758000, nsIRequest * 0x03726390, nsISupports * 0x00000000, nsIInputStream * 0x036eca90, unsigned int 0, unsigned int 1024) line 242 + 46 bytes nsUnknownDecoder::FireListenerNotifications(nsIRequest * 0x03726390, nsISupports * 0x00000000) line 442 + 49 bytes nsUnknownDecoder::OnDataAvailable(nsUnknownDecoder * const 0x03758178, nsIRequest * 0x03726390, nsISupports * 0x00000000, nsIInputStream * 0x037ad308, unsigned int 1024, unsigned int 3194) line 189 + 16 bytes nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x04456a60, nsIRequest * 0x03726390, nsISupports * 0x00000000, nsIInputStream * 0x037ad308, unsigned int 0, unsigned int 4218) line 242 + 46 bytes nsFileChannel::OnDataAvailable(nsFileChannel * const 0x03726398, nsIRequest * 0x04456b14, nsISupports * 0x00000000, nsIInputStream * 0x037ad308, unsigned int 0, unsigned int 4218) line 507 + 49 bytes nsOnDataAvailableEvent::HandleEvent() line 192 + 70 bytes nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x0445c0bc) line 116 PL_HandleEvent(PLEvent * 0x0445c0bc) line 596 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x01209048) line 526 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00120726, unsigned int 49458, unsigned int 0, long 18911304) line 1077 + 9 bytes USER32! 77e13eb0() USER32! 77e1401a() USER32! 77e192da() nsAppShellService::Run(nsAppShellService * const 0x011c91b8) line 309 main1(int 1, char * * 0x00304e90, nsISupports * 0x00000000) line 1350 + 32 bytes main(int 1, char * * 0x00304e90) line 1698 + 37 bytes mainCRTStartup() line 338 + 17 bytes KERNEL32! 77e87903()
Comment 30•22 years ago
|
||
*** Bug 135988 has been marked as a duplicate of this bug. ***
Comment 31•22 years ago
|
||
note that any of the following will hang Mozilla: <!ENTITY> (this bug) <!ELEMENT> (bug 127347) <!ATTLIST> Other tags with the same format do not seem to be a problem.
Comment 32•22 years ago
|
||
This seems like a very good bug to fix for 1.0, with lots people interested in it. Can we get an ETA in Status Whiteboard?
Whiteboard: [ADT1] → [ADT1] [ETA ??/??]
Comment 33•22 years ago
|
||
High visibility with a lot of dupes. We really should try to get a fix into RC1.
Blocks: 134771
Assignee | ||
Comment 34•22 years ago
|
||
The problem here is in using nsSlidingSubstring as the second string of a dependent concatenation. The dependent concatenation, when asked for the next fragment, gets confused by the fragment the sliding substring returns (which isn't guaranteed to be the same as when the dependent concatenation was created), and concludes that the GetNextFragment call must've come for the first string (an empty nsAutoString in this case), so it'll return the next fragment relative to the first string, which is the first fragment in the sliding substring, while it should return the next fragment in the sliding substring (in this case, none). Net result: we keep iterating over the first fragment of the sliding substring ad infinitum.
Comment 35•22 years ago
|
||
*** Bug 137082 has been marked as a duplicate of this bug. ***
Comment 36•22 years ago
|
||
hmm. using linux trunk 2002041211 and it doesn't seem to hang anymore ...
Comment 37•22 years ago
|
||
Comment 38•22 years ago
|
||
the testcase does not hang. could anyone else try a recent build?
Comment 39•22 years ago
|
||
the testcase hangs with Linux build 2002041207 for me. the URL removed the offending tags, so it works even with older builds.
Comment 40•22 years ago
|
||
*** Bug 137163 has been marked as a duplicate of this bug. ***
Comment 41•22 years ago
|
||
WFM with build 2002041203 on Win98SE with both the testcase, and the original URL.
So what changed? I tested a fair number of the dupes, and did not see any problems. Finally one caused an assertion: can't write into writing iterator with no space and that was an indication it went into a loop. In any case, this is not completely gone but something has changed...
Branch still hangs. harishd tested that his line number fix did not change this behavior.
Assignee | ||
Updated•22 years ago
|
Whiteboard: [ADT1] [ETA ??/??] → [ADT1] [ETA 10/16]
Assignee | ||
Updated•22 years ago
|
Whiteboard: [ADT1] [ETA 10/16] → [ADT1] [ETA 04/16]
Comment 44•22 years ago
|
||
Bug 77585 checkin seems like a good possibility for having partially fixed this. The only other two checkins that even weakly touch this bug in the timeframe are bug 5693 and bug 133410.
Comment 45•22 years ago
|
||
I think comment 39 must have been incorrect. CVS from 20020411 20:40 works. sorry for the confusion.
Comment 46•22 years ago
|
||
linux build 2002041108 works fine, 2002041008 hangs.
Comment 47•22 years ago
|
||
CVS-trunk 20020412 works. I backed out the patch for bug 77585, and it hangs again.
Good find! I added a comment to the other bug about this. Also those that are testing this: please test ALL the duplicates before you say wfm. I saw at least one that was not fixed, and I did not test all dupes.
Comment 49•22 years ago
|
||
I tested all the dupes (except www.verizon.com, which needs an account) with linux build 20020411 and they all worked. Which one still didn't work for you? (ac_gyrefalcon suggested bug 77585... I just tried it out)
Comment 50•22 years ago
|
||
Heikki- If you've got a site that you think is still seeing this bug, check the char set. If the node contains 2 byte chars or the concatenation involves non-ASCII it'll still use an nsAutoString which is what causes the blow up. Should that be what's happening and jag's comment 34 is right then it's a maybe that checking for old_data being empty and avoiding the concatenation rv = SetText(old_data + aData, PR_FALSE); on line 510 in that case would completely wallpaper over this bug for a quick fix. And unfortunately I'm leaving for vacation in a few hours and won't find out how this progresses :(
Assignee | ||
Comment 51•22 years ago
|
||
It doesn't really matter whether old_data is empty. The point was that the code in nsDependentConcatenation gets confused by nsSlidingS(ubs)tring's behaviour of returning new fragment objects each time GetNextFragment is called. The quick fix would be something along these lines: nsAutoString text(old_data); text.Append(aData); rv = SetText(text, PR_FALSE); Though that'll do an extra copy. Would this be an issue?
Assignee | ||
Comment 52•22 years ago
|
||
We should really fix the underlying problem.
Comment 53•22 years ago
|
||
As a followup to comment #49. I just tested www.verizon.com (I have an account) and it works fine on build 2002041203. So now I'm somewhat confused. If all reported instances work with the latest builds, then what exactly is the patch going to fix? Or, is there an example URL that Andrew and I missed?
Comment 54•22 years ago
|
||
1) the patch for bug 77585 made it into the trunk and not the 1.0 branch. 2) the patch for bug 77585 only covers up the problem, rather than fixing it.
Comment 55•22 years ago
|
||
This patch plus the one for bug 77585 should fully cover up this problem by not using the dependent concatenation.
Assignee | ||
Comment 56•22 years ago
|
||
Nice, I was merging this patch from an older version of this file where old_data was later used for something else and couldn't be modified. However, I think we should put such a hack, if we want it at all, at the call site that passes in the SlidingSubstring. This code on its own is fine, it's the passed in SlidingSubstring that's the problem, so IMO any work-around kinda "fix" should be placed near there. Of course, I'd rather look into real fix, which probably means reviving scc's string fragment patch in bug 70083.
Comment 57•22 years ago
|
||
Comment on attachment 79220 [details] [diff] [review] Same work around with no extra string copy sr=scc. Yes, let's work on the underlying problem from bug 70083; but this is a reasonable and important patch in the meantime.
Attachment #79220 -
Flags: superreview+
Assignee | ||
Comment 58•22 years ago
|
||
I've changed my mind. The way I proposed would mean making sure all callers were patched with the hack, while this keeps the hack local. Added a comment with a reference to this bug.
Attachment #79053 -
Attachment is obsolete: true
Attachment #79220 -
Attachment is obsolete: true
Comment 59•22 years ago
|
||
Comment on attachment 79393 [details] [diff] [review] Same fix, add comment r=bryner
Attachment #79393 -
Flags: review+
Comment 60•22 years ago
|
||
Comment on attachment 79393 [details] [diff] [review] Same fix, add comment sr=scc .. carrying forward my sr
Attachment #79393 -
Flags: superreview+
Comment 61•22 years ago
|
||
Comment on attachment 79393 [details] [diff] [review] Same fix, add comment a=scc (on behalf of drivers for mozilla1.0 .. after this vets on the trunk, I'm sure ADT will want to plus this and get it on the branch ASAP)
Attachment #79393 -
Flags: approval+
Comment 62•22 years ago
|
||
Please checkin asap to branch, and add fixed1.0.0 keyword
Keywords: adt1.0.0+
Assignee | ||
Comment 63•22 years ago
|
||
Assignee | ||
Comment 64•22 years ago
|
||
Checked in to trunk and branch.
Comment 65•22 years ago
|
||
Testcase and URL WFM with build 20020424 (branch) on WINXP, I have tested a fair number of the dupes, and did not see any problems
Keywords: verified1.0.0
Comment 66•22 years ago
|
||
With 20020416, the browser does not hang, but my test page doesn't render quite right either. I see an "]>" at the top of the page, and the entity is not replaced with its definition. (This does work with an XHTML doctype.) See <http://www.panix.com/~zackw/mozbugs/defining-entities.html> Presumably this should be a separate bug, or has it already been reported?
Assignee | ||
Comment 67•22 years ago
|
||
That's a separate bug. heikki, is this a known bug or should one be filed?
Is that a regression? I am not sure we ever supported that, and IE6 does not support it either.
Comment 69•22 years ago
|
||
It works if I change the doctype declaration to XHTML 1.0 -- the ]> disappears and the entity reference is expanded. I have no strong opinion as to whether plain-HTML documents should be allowed to define local entities, but certainly the ]> should not appear.
Defining entities like that should not work in HTML. It works in XML, of course. As far as showing ]> in HTML, all I want to know is if it is a regression from some earlier Mozilla version. After that I will know if we need to open a new bug or if I already have a bug on that.
Comment 71•22 years ago
|
||
Poking around through some old Usenet threads on DOCTYPE sniffing, M18 apparently used the same (dumb) heuristic we use today, which is to cruise through looking for ">" and end the DOCTYPE there.
Doctype sniffing and parsing are two separate phases. I wanted to unify them, but the parser is too complicated. So the DOCTYPE sniffing code is now smarter than that, but the HTML parsing code is not.
Comment 73•22 years ago
|
||
Tested URL and testcase CPU is happy, Verified fixed with trunk build ID 20020529 using winxp
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•