Bug 157865 (</html>)

</HTML> at the beginning of the page followed by <HEAD> or <BODY> causes Mozilla to freeze

VERIFIED FIXED

Status

Core
HTML: Parser
--
critical
VERIFIED FIXED
16 years ago
15 years ago

People

(Reporter: Miloslaw Smyk, Assigned: Jerry)

Tracking

({fixedOEM, hang, regression})

Trunk
x86
All
fixedOEM, hang, regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

16 years ago
Mozilla 2002071509 (and at least a week back)/Linux-i686

1. Enter the page
2. Observe your Mozilla hanging.

Step 2 should not hang (yes!).

Happens: always.

Comment 1

16 years ago
Hangs on me too. (W2K, 20020714).
Site uses Frames, site works in IE6, Opera 6.01

Comment 2

16 years ago
worksforme with 2002071608 on win98 

Updated

16 years ago
Severity: normal → critical
Keywords: hang

Comment 3

16 years ago
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) Gecko/20020715

Hangs for me

Comment 4

16 years ago
Created attachment 91630 [details]
Testcase (my hang mozilla)

Document starts with </HTML> (!) and has another typo: </title (without <)

Correcting </HTML> to <HTML> _or_ </title to </title> helps
(Reporter)

Comment 5

16 years ago
Changing OS to ALL as it also hangs in Windows.
OS: Linux → All

Comment 6

16 years ago
Here are some details on comment #2:

Preferences:Advanced:Scripts and Plugins: activated are only
- JS for Navigator
- Change Images, Create/change Cookies, read cookies

and my proxy runs this script on every page to prevent window.open while the
page is loading

<script language='javascript'>
          NS_ActualOpen=window.open;
          function NS_NullWindow(){this.window;}
          function NS_NewOpen(url,nam,atr){return(new NS_NullWindow());}
          window.open=NS_NewOpen;
</script>

Comment 7

16 years ago
Your 'Testcase' attachment has no <body>! Right?

wfm also with this attachment

Comment 8

16 years ago
Freeze on the page Linux 2002041621

Comment 9

16 years ago
Confirmed. Testcase freezes my build 2002071504/win2000.

Gonna play around with the testcase a little bit.
Summary: hang entering page → Malformed HTML causes Mozilla to freeze

Comment 10

16 years ago
Okay, here we go.

The REFINED test case is as follows:
----------
</HTML>
<HEAD>
----------

"</HTML>" MUST be located at the very start of the file. If you put anything
before it (space, or newline, or whatever), it does NOT freeze.

The second tag must be either <HEAD> or <BODY>, i.e. one of the tags that must go
into <HTML>...</HTML>, otherwise it won't freeze.

Having anything between the </HTML> and <HEAD> doesn't affect the freeze.

Task Manager shows 99% CPU usage by Mozilla when it's "frozen".

I strongly believe that it's something like an attempt to destroy the container
for <HTML> object before it has been created, leading to usecount going below
zero, and the following "while (i--!=0) {}".


Summary: Malformed HTML causes Mozilla to freeze → </HTML> at the beginning of the page followed by <HEAD> or <BODY> causes Mozilla to freeze
(Reporter)

Comment 11

16 years ago
On my machines Moz continues to allocate more and more memory while it is "hung".
CNavDTD::CanOmit(nsHTMLTag eHTMLTag_unknown, nsHTMLTag eHTMLTag_head, int & 0)
line 2701 + 7 bytes
CNavDTD::HandleDefaultStartToken(CToken * 0x062080c8, nsHTMLTag eHTMLTag_head,
nsCParserNode * 0x0620dcd8) line 1235 + 23 bytes
CNavDTD::HandleStartToken(CToken * 0x062080c8) line 1752 + 22 bytes
CNavDTD::HandleToken(CNavDTD * const 0x06246b20, CToken * 0x062080c8, nsIParser
* 0x06234898) line 908 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x06246b20, nsIParser * 0x06234898,
nsITokenizer * 0x06246e70, nsITokenObserver * 0x00000000, nsIContentSink *
0x062181b8) line 519 + 20 bytes
nsParser::BuildModel() line 1878 + 34 bytes
nsParser::ResumeParse(int 1, int 0, int 1) line 1745 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x0623489c, nsIRequest * 0x06225398,
nsISupports * 0x00000000, nsIInputStream * 0x061c2800, unsigned int 0, unsigned
int 774) line 2379 + 21 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x06225cb0,
nsIRequest * 0x06225398, nsISupports * 0x00000000, nsIInputStream * 0x061c2800,
unsigned int 0, unsigned int 774) line 243 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x0620d2a0,
nsIRequest * 0x06225398, nsISupports * 0x00000000, nsIInputStream * 0x062281c0,
unsigned int 0, unsigned int 774) line 97 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x0622539c, nsIRequest *
0x06228404, nsISupports * 0x00000000, nsIInputStream * 0x062281c0, unsigned int
0, unsigned int 774) line 2996 + 63 bytes
nsOnDataAvailableEvent::HandleEvent() line 194 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x062462bc) line 116
PL_HandleEvent(PLEvent * 0x062462bc) line 596 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0120d790) line 526 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00230100, unsigned int 49427, unsigned int 0,
long 18929552) line 1077 + 9 bytes
USER32! 77e01b60()
USER32! 77e01cca()
USER32! 77e083f1()
nsAppShellService::Run(nsAppShellService * const 0x03a04958) line 452
main1(int 2, char * * 0x00283160, nsISupports * 0x00000000) line 1510 + 32 bytes
main(int 2, char * * 0x00283160) line 1859 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e7d326()

-> Parser
Assignee: Matti → harishd
Component: Browser-General → Parser
QA Contact: asa → moied

Comment 13

16 years ago
regression due to bug 133853 (backing out of the trunk fixes the problem)
cc'ing Jerry Tan
Depends on: 133853
Keywords: regression
(Assignee)

Comment 14

16 years ago
I will take it.
Assignee: harishd → jerry.tan
(Assignee)

Comment 15

16 years ago
Created attachment 91742 [details] [diff] [review]
patch for this
(Assignee)

Comment 16

16 years ago
In the patch of 133853, I only calculate that if first token is html token,
but the first token may be html token, but is an </html> token,
just like the testcase does.

So I add some more judgement in this patch.
It won't hang anymore.

r=choess. cc'ing heikki for sr=.
Keywords: patch, review
> +          if ((theTag != eHTMLTag_html) ||(theTag == eHTMLTag_html && theType
> != eToken_start)) {
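Review bot: the right-hand operand of || in this condition re-tests theTag == eHTMLTag_html, which is always true once the left operand theTag != eHTMLTag_html has evaluated false. Drop the repeated test so the condition reads theTag != eHTMLTag_html || theType != eToken_start, and add the missing space after ||.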

"||" short-circuits, so you can simplify the part of the condition that comes
after it, no?
(Assignee)

Comment 19

16 years ago
Created attachment 91947 [details] [diff] [review]
another patch
Attachment #91742 - Attachment is obsolete: true

Comment 20

16 years ago
>            if (theTag != eHTMLTag_html) {
> +            needHTMLToken = PR_TRUE;
> +          }
> +          else if (theType != eToken_start) {
> +            needHTMLToken = PR_TRUE;
>            }
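Review bot: both branches of this if / else if assign needHTMLToken = PR_TRUE, so splitting them adds nothing; a single test, theTag != eHTMLTag_html || theType != eToken_start, covers both. A one-line comment saying that an </html> end token must not be counted as the document's html start token would make the intent of the theType check clear.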


Guys, why not just 

           if (theTag != eHTMLTag_html || theType != eToken_start) {
             needHTMLToken = PR_TRUE;
           }

?
Comment on attachment 91947 [details] [diff] [review]
another patch

Exactly what Wesha said.
Attachment #91947 - Flags: needs-work+
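A simplified model of the first-token check discussed in comments 16 to 20, added here as an illustration; it is not Mozilla source and not any of the attached patches. Only theTag, theType, eHTMLTag_html and eToken_start come from the thread; the Token struct, FirstToken, the two NeedHTMLToken* functions and the assumed tokenizer behaviour are hypothetical.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Simplified model, not Mozilla source. Token, FirstToken and the two
// NeedHTMLToken* functions are hypothetical names for this example.
enum TokenType { eToken_start, eToken_end, eToken_text };
enum HTMLTag { eHTMLTag_html, eHTMLTag_other };
struct Token { TokenType theType; HTMLTag theTag; };

// Classify the very first token of a document (assumed tokenizer behaviour:
// anything that does not begin with '<' is a text/whitespace token).
Token FirstToken(const std::string& doc) {
  Token t = {eToken_text, eHTMLTag_other};
  if (doc.empty() || doc[0] != '<') return t;
  std::size_t i = 1;
  t.theType = eToken_start;
  if (i < doc.size() && doc[i] == '/') { t.theType = eToken_end; ++i; }
  std::string name;
  for (; i < doc.size() && std::isalnum((unsigned char)doc[i]); ++i)
    name += (char)std::tolower((unsigned char)doc[i]);
  if (name == "html") t.theTag = eHTMLTag_html;
  return t;
}

// Check as comment 16 describes the bug 133853 patch: tag only, so a
// leading </html> is mistaken for the document's <html> start token.
bool NeedHTMLTokenBefore(const Token& t) {
  return t.theTag != eHTMLTag_html;
}

// Condition suggested in comment 20: the first token must be an html tag
// AND a start token, otherwise an <html> token is still needed.
bool NeedHTMLTokenAfter(const Token& t) {
  return t.theTag != eHTMLTag_html || t.theType != eToken_start;
}

int main() {
  // Constructed inputs based on the test cases described in the thread.
  const char* docs[] = {"</HTML>\n<HEAD>", "<HTML>\n<HEAD>",
                        " </HTML>\n<HEAD>", "<HEAD>"};
  for (const char* d : docs) {
    Token t = FirstToken(d);
    std::printf("before=%d after=%d\n", NeedHTMLTokenBefore(t),
                NeedHTMLTokenAfter(t));
  }
  return 0;
}
```

In this model the input with a leading space needs the token under both checks, which is consistent with comment 10's observation that anything placed before </HTML> avoids the freeze.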
(Assignee)

Comment 22

16 years ago
Created attachment 92182 [details] [diff] [review]
more simple one
Attachment #91947 - Attachment is obsolete: true
Comment on attachment 92182 [details] [diff] [review]
more simple one

sr=bzbarsky
Attachment #92182 - Flags: superreview+
Comment on attachment 92182 [details] [diff] [review]
more simple one

r=choess
Attachment #92182 - Flags: review+

Comment 25

16 years ago
Comment on attachment 92182 [details] [diff] [review]
more simple one

a=asa (on behalf of drivers) for checkin to 1.1
Attachment #92182 - Flags: approval+

Comment 26

16 years ago
checked in!
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 27

16 years ago
Verified! It works! YAY!!!
Alias: </html>
Status: RESOLVED → VERIFIED

Comment 28

16 years ago
*** Bug 159546 has been marked as a duplicate of this bug. ***

Updated

16 years ago
Whiteboard: branchOEM

Updated

16 years ago
Whiteboard: branchOEM → branchOEM+

Comment 29

16 years ago
*** Bug 161697 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

16 years ago
Whiteboard: branchOEM+ → branchOEM+, fixedOEM

Updated

16 years ago
Keywords: review
Whiteboard: branchOEM+, fixedOEM → fixedOEM

Updated

16 years ago
Keywords: fixedOEM
Whiteboard: fixedOEM