Closed Bug 1487 Opened 26 years ago Closed 26 years ago

ss: Directory listing URLs crash NGLayout

Categories

(Core :: Layout, defect, P1)

x86
Other
defect

VERIFIED FIXED

People

(Reporter: angus, Assigned: rickg)

Any URL that is one of those auto-generated-by-the-server directory listings
(see http://grok/tests or http://checkmate/raptor/js98, for example) crashes
NGLayout. These are frequently encountered on the Web. Here's a stack trace:

nsBlockReflowState::nsBlockReflowState(nsIPresContext & {...}, const
nsHTMLReflowState & {...}, const nsHTMLReflowMetrics & {...}) line 1108 + 32
bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x00f5a794, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 1685
nsContainerFrame::ReflowChild(nsIFrame * 0x00f5a790, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 410 + 28 bytes
RootFrame::Reflow(RootFrame * const 0x00f58f34, nsIPresContext & {...},
nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0)
line 217
PresShell::InitialReflow(PresShell * const 0x00f43af0, int 9180, int 4470) line
527
HTMLContentSink::StartLayout() line 1810
HTMLContentSink::OpenBody(HTMLContentSink * const 0x00f478c0, const
nsIParserNode & {...}) line 1557
CNavDTD::OpenBody(const nsIParserNode & {...}) line 2668 + 28 bytes
CNavDTD::OpenContainer(const nsIParserNode & {...}, int 1) line 2809 + 12 bytes
CNavDTD::HandleDefaultStartToken(CToken * 0x006c27e0 theToken, nsHTMLTag
eHTMLTag_body, nsIParserNode & {...}) line 800 + 14 bytes
CNavDTD::HandleStartToken(CToken * 0x006c27e0 theToken) line 886 + 23 bytes
CNavDTD::CreateContextStackFor(nsHTMLTag eHTMLTag_pre) line 3108
CNavDTD::HandleDefaultStartToken(CToken * 0x00f430a0, nsHTMLTag eHTMLTag_pre,
nsIParserNode & {...}) line 778 + 12 bytes
CNavDTD::HandleStartToken(CToken * 0x00f430a0) line 886 + 23 bytes
NavDispatchTokenHandler(CToken * 0x00f430a0, nsIDTD * 0x00f470b0) line 430 + 12
bytes
CTokenHandler::operator()(CToken * 0x00f430a0, nsIDTD * 0x00f470b0) line 80 +
14 bytes
CNavDTD::HandleToken(CNavDTD * const 0x00f470b0, CToken * 0x00f430a0) line 674
+ 18 bytes
nsParser::BuildModel() line 708 + 16 bytes
nsParser::ResumeParse() line 673
nsParser::OnDataAvailable(nsParser * const 0x00f47984, nsIURL * 0x00fa6db0,
nsIInputStream * 0x00f373b0, int 1469) line 907
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x00fa6e10,
nsIURL * 0x00fa6db0, nsIInputStream * 0x00f373b0, int 1469) line 1463 + 24
bytes
OnDataAvailableProxyEvent::HandleEvent(OnDataAvailableProxyEvent * const
0x00f43d60) line 607
StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x00f43d64) line 452 + 12
bytes
PL_HandleEvent(PLEvent * 0x00f43d64) line 408 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ec9f60) line 370 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00ca0a32, unsigned int 49369, unsigned int 0,
long 15507296) line 701 + 9 bytes
USER32! 77e71250()
00ec9f60()
Assignee: troy → rickg
Could this be related to bug 1492? I notice that http://grok/tests/ does not
include a <body> tag. The start of the HTML source is:

<TITLE>Index of /tests/</TITLE>
<h1>Index of /tests/</h1>
The parser's not being our friend here. The content model looks like:

HTML
 |- HEAD
 |- H1

Notice there's no BODY element. That means we don't end with a BODY frame and
so we don't have a space manager and we crash during reflow. At some point
layout should better handle this case, but today we expect a valid HTML
document.
*** Bug 1492 has been marked as a duplicate of this bug. ***
Assignee: rickg → gagan
I think this is a netlib problem, so I'm reassigning this to you.
Assignee: gagan → kipp
Assigning to owner of Layout
Assignee: kipp → rickg
Troy was right; rick should have read the bug report more carefully :-(

The content model is messed up because of a parser bug.
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Sorry for the confusion. I *should* have read the report more carefully.
The bug is fixed as a side effect of fixing bug 1513.
*** Bug 1530 has been marked as a duplicate of this bug. ***
Status: RESOLVED → VERIFIED
Doesn't crash under Win 98. Marked verified. Note that the directory listing
isn't pretty - there are no carriage returns inserted at the appropriate places.
Inserting Milestone info.