Closed Bug 163988 Opened 22 years ago Closed 21 years ago

Crashes at www.macgamer.com (HREF="&#)

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.5alpha

People

(Reporter: petteri.kamppuri, Assigned: waltershen)

References

(
URL
)

Details

(Keywords: crash, hang, Whiteboard: TB9679328W, TB9679210W, TB13239655X)

Attachments

(5 files, 2 obsolete files)

Crash log
3.46 KB, text/plain
Details
Testcase
85 bytes, text/html
Details
Testcase that does not crash
80 bytes, text/html
Details
valgrind log
64.84 KB, text/plain
Details
new patch without ^M's
1.02 KB, patch
Details | Diff | Splinter Review 
Whenever I try to load http://www.macgamer.com/news/item.php?id=5716 with
Mozilla 1.1b it crashes. I verified this with the latest nightly build I could
grab from mozilla.org (sorry can't get the build id right now, because I can't
run two copies of Mozilla at the same time). Reproducible every time.
Attached file Crash log 
This is the crash log I get with the official Mozilla 1.1b.
Confirmed 2002082109 trunk on Windows XP.

Platform/OS -> All

Talkbacks:
TB9679328W
TB9679210W
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: MacOS X → All
Hardware: Macintosh → All
Whiteboard: TB9679328W, TB9679210W
Keywords: crash
Attached file Testcase (crashes) (obsolete) — 
Note: all the file contains is '<A HREF="&#65279;http://www.google.com">'.  It
crashes immediately upon loading.  I guess Mozilla is crashing when it tries to
process the entity in URL.
Crash still happens with build 2002102415, TalkBack ID TB13239655X. Updating
summary to be easier to query. 
The test case does not crash for me, sharparrow1@yahoo.com could you please
review it?
Summary: Mozilla 1.1b crashes with this URL. → Mozilla 1.1b crashes at www.macgamer.com
Whiteboard: TB9679328W, TB9679210W → TB9679328W, TB9679210W, TB13239655X
Attached file Testcase 
I created a new testcase my self; in addition to the <A
HREF="&#65279;http://www.google.com/"> it also must contain a charset
declaration. Crash occurs both with iso-8859-1 and iso-8859-15, but _not_ with
UTF-8.
Attachment #97119 - Attachment is obsolete: true
Same as atachment 104516, but with charset=UTF-8
Strange, the testcase does not crash when loaded directly from the server, it
must be saved to disk and load from there to crash.
Changing component (hope this is the right one).
Component: Browser-General → Parser
Updating summery, this happens with recent mozilla builds also.
Summary: Mozilla 1.1b crashes at www.macgamer.com → Crashes at www.macgamer.com (HREF="&#)
Attached file valgrind log 
tested this a few times, and the only thing that appeared consistently was
malloc at the top of the stack.  tried it in valgrind and got this.

debug build says
###!!! ASSERTION: Input wasn't UTF8 or incorrect length was calculated:
'Error', file nsString2.cpp, line 1450

this seems related to bug 191965, although that should be fixed on trunk.
==> networking
Assignee: asa → dougt
Component: Parser → Networking
QA Contact: asa → benc
The assertion seemed to be when count==24 and mLength==23, which may be what I
mentioned in bug 172700 comment 9.
i can confirm the crash going to the above URL (none of the attached testcases
cause the crash).
Assignee: dougt → darin
> none of the attached testcases cause the crash

for some reason, you have to download the testcase before it will work
WFM, 2003-06-25-05 trunk Linux.  Maybe it was fixed by bug 188278?
I'm hanging with the same build and a debug build still throws the assertion in
comment 10 (which came after bug 188278)
Keywords: hang
i'm able to repro this crash using the 20030624 trunk build of firebird under WinXP.
Status: NEW → ASSIGNED
Priority: -- → P1
Attached patch Patch (obsolete) — Splinter Review 
Removed check on BOM.
Comment on attachment 126785 [details] [diff] [review]
Patch

This was causing the conversion from UTF8 to UCS2 (UTF16) to fail.  It seems
that it was not stripping BOM's properly, so I just removed that check, as you
suggested.  It fixes the crash, because Necko was assuming the conversion was
going to succeed.  (And now it does, I think.)
Attachment #126785 - Flags: review?(dbaron)
-> walter
Assignee: darin → waltershen
Status: ASSIGNED → NEW
Target Milestone: --- → mozilla1.5alpha
Comment on attachment 126785 [details] [diff] [review]
Patch

I don't know why waterson originally added this code to ignore the BOM, but I
think it's wrong at this level.  (It's a valid Unicode character, after all.) 
It should be (and is) done in the decoders for the encodings that use the BOM
as a byte-order mark.

jag should superreview.

You should generated a new patch without the "^M"s at the end of the three
lines before this is checked in.  (You should be able to tell you've succeeded
when the braces don't show as part of the +/- lines in the diff.)  You can't
use the VC++ editor if you've set up cygwin with UNIX newlines.
Attachment #126785 - Flags: superreview?(jaggernaut)
Attachment #126785 - Flags: review?(dbaron)
Attachment #126785 - Flags: review+
Comment on attachment 126785 [details] [diff] [review]
Patch

sr=jag
Attachment #126785 - Flags: superreview?(jaggernaut) → superreview+
Same patch, got rid of the line returns.
Attachment #126785 - Attachment is obsolete: true
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
IIRC, I just copied and pasted (or rewrote, possibly incorrectly) some code that
frang had done originally.  This bug maybe lurk elsewhere in the code.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: