Crash or hang on display of some HTML 4 character entities

Status: VERIFIED WORKSFORME
Priority: P3
Severity: major
Reported: 19 years ago
Last modified: 19 years ago

People: Reporter: sidr, Assigned: buster

Tracking: Trunk, x86, Windows NT
Points: ---
Firefox Tracking Flags: (Not tracked)

Attachments (15, all text/html; sizes listed in attachment order):
  attachment 2602, 16.28 KB: ISO 8859-1 character entities testcase
  attachment 2603, 644 bytes: Latin Extended-B (fnof only) character entity testcase
  attachment 2604, 8.61 KB: Mathematical Greek character entities testcase
  attachment 2605, 1.54 KB: General Punctuation character entities testcase
  attachment 2606, 1.50 KB: Letter-like Symbols character entities testcase
  attachment 2607, 2.65 KB: Arrows character entities testcase
  attachment 2609, 7.30 KB: Mathematical Operators character entities testcase
  attachment 2610, 1.78 KB: Miscellaneous Technical character entities testcase
  attachment 2611, 608 bytes: Geometric Shapes (lozenge only) character entity testcase
  attachment 2612, 1.21 KB: Miscellaneous Symbols character entities testcase
  attachment 2613, 1.05 KB: C0 Controls and Basic Latin character entities testcase
  attachment 2614, 1.41 KB: Latin Extended-A (a few) character entities testcase
  attachment 2615, 787 bytes: Spacing Modifiers character entities testcase
  attachment 2616, 3.92 KB: More General Punctuation character entities testcase
  attachment 2617, 3.18 KB: Live links to all character entity testcase attachments
(Reporter)

Description

19 years ago
Attempting to view some HTML 4.0 character entities (Misc. Technical)
causes the browser to crash. Additionally, attempting to view a list of
all ISO 8859-1 character entities causes the browser to hang ( ~100% CPU,
nonresponsive ). This latter problem did not exist in M10 and as late as
the 1999-10-25-09-M11 Windows NT nightly binary (possibly later).

The remainder of this report will follow as soon as the testcase attachments
are in place. These testcases are adapted from the Character Entity DTDs
<URL:http://www.w3.org/TR/REC-html40/sgml/entities.html> that
are part of the HTML 4.0 spec. Each testcase is a single table
showing one subsection from one of the three character entity DTDs.

Each line in the tables has three cells, showing the named form of an entity,
the numeric form of an entity, and the DTD-fragment that defines that entity.
(Reporter)

Comment 1

19 years ago
Created attachment 2602 [details]
ISO 8859-1 character entities testcase
(Reporter)

Comment 2

19 years ago
Created attachment 2603 [details]
Latin Extended-B (fnof only) character entity testcase
(Reporter)

Comment 3

19 years ago
Created attachment 2604 [details]
Mathematical Greek character entities testcase
(Reporter)

Comment 4

19 years ago
Created attachment 2605 [details]
General Punctuation character entities testcase
(Reporter)

Comment 5

19 years ago
Created attachment 2606 [details]
Letter-like Symbols character entities testcase
(Reporter)

Comment 6

19 years ago
Created attachment 2607 [details]
Arrows character entities testcase
(Reporter)

Comment 7

19 years ago
Created attachment 2609 [details]
Mathematical Operators character entities testcase
(Reporter)

Comment 8

19 years ago
Created attachment 2610 [details]
Miscellaneous Technical character entities testcase
(Reporter)

Comment 9

19 years ago
Created attachment 2611 [details]
Geometric Shapes (lozenge only) character entity testcase
(Reporter)

Comment 10

19 years ago
Created attachment 2612 [details]
Miscellaneous Symbols character entities testcase
(Reporter)

Comment 11

19 years ago
Created attachment 2613 [details]
C0 Controls and Basic Latin character entities testcase
(Reporter)

Comment 12

19 years ago
Created attachment 2614 [details]
Latin Extended-A (a few) character entities testcase
(Reporter)

Comment 13

19 years ago
Created attachment 2615 [details]
Spacing Modifiers character entities testcase
(Reporter)

Comment 14

19 years ago
Created attachment 2616 [details]
More General Punctuation character entities testcase
(Reporter)

Comment 15

19 years ago
Created attachment 2617 [details]
* Live links to all character entity testcase attachments
(Reporter)

Comment 16

19 years ago
For manageability, the last attachment provides "Live links to all character
entity testcase attachments."

Steps to Reproduce:
1. View the "ISO 8859-1 character entities testcase."
2. Use Task Manager to end the Mozilla task. Restart Mozilla.
3. View the "Miscellaneous Technical character entities testcase."

Actual Results:
In step 1, the browser hangs, using close to 100% CPU and not responding
to the MS-Windows user.
In step 3, the browser crashes before the testcase is displayed.

Expected Results:
The testcases all display.

Tested With:
Windows NT 4.0sp3, mozilla.exe, 1999-11-03-13-M11 nightly binary.
Version 2.75 of the Times New Roman font was installed
(downloaded from the Microsoft TrueType core fonts for the Web site,
<URL:http://www.microsoft.com/typography/fontpack/default.htm>)

Works correctly with:
Netscape Navigator 4.7 on NT and Internet Explorer 5 on NT
Both display all of the testcases, showing all the holes in their
HTML 4.0 character entities support.

Additional Information:
The "ISO 8859-1 character entities testcase" displayed properly with M10
and with nightly binaries at least as late as 1999-10-25-09-M11 on NT.
The "More General Punctuation character entities testcase" crashed
the 1999-10-25-09-M11 nightly binary on Windows NT.
(Reporter)

Updated

19 years ago
Blocks: 17962
(Reporter)

Comment 17

19 years ago
The culprits in the "Miscellaneous Technical" testcase appear to be &lang;
and &rang; - the left and right angle characters. Here is a DTD snippet:

<!ENTITY lang     CDATA "&#9001;" -- left-pointing angle bracket = bra, U+2329
ISOtech -->
<!-- lang is NOT the same character as U+003C 'less than' or U+2039 'single
left-pointing angle quotation mark' -->

<!ENTITY rang     CDATA "&#9002;" -- right-pointing angle bracket = ket, U+232A
ISOtech -->
<!-- rang is NOT the same character as U+003E 'greater than' or U+203A 'single
right-pointing angle quotation mark' -->

... almost certainly, however, the proper glyphs to use will be the same as
those for &lt; and &gt; respectively - at least as a fallback position if
&#9001; and &#9002; are not available in the character set already in use.

Updated

19 years ago
Assignee: ftang → kipp

Comment 18

19 years ago
When I try to load the "ISO 8859-1 character entities testcase" page I get an
assertion first:

nsDebug::Assertion(char * 0x01ae00e0, char * 0x01ae00c0, char * 0x01ae008c, int 0x00000e0f) line 280 + 13 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineBox * 0x02114280, int * 0x0012cd54, unsigned char * 0x0012cbf4) line 3599 + 38 bytes
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineBox * 0x02114280, int * 0x0012cd54, unsigned char * 0x0012cbf4) line 3487 + 34 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox * 0x02114280, int * 0x0012cd54) line 3435 + 24 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x02114280, int * 0x0012cd54, int 0x00000000) line 2662 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2422 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x021141b0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1486 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x021141b0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x02114120, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 650
nsContainerFrame::ReflowChild(nsIFrame * 0x02114120, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableRowFrame::InitialReflow(nsTableRowFrame * const 0x02198460, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowReflowState & {...}, unsigned int & 0x00000000, nsTableCellFrame * 0x00000000, int 0x00000001) line 1036 + 34 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x02198460, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1428 + 35 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02198460, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableRowGroupFrame::ReflowMappedChildren(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowGroupReflowState & {...}, unsigned int & 0x00000000, nsTableRowFrame * 0x00000000, nsReflowReason eReflowReason_Incremental, int 0x00000001, int 0x00000001) line 456 + 34 bytes
nsTableRowGroupFrame::IR_TargetIsMe(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowGroupReflowState & {...}, unsigned int & 0x00000000) line 1315 + 41 bytes
nsTableRowGroupFrame::IncrementalReflow(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowGroupReflowState & {...}, unsigned int & 0x00000000) line 1106 + 31 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1022 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableFrame::IR_TargetIsChild(nsTableFrame * const 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, InnerTableReflowState & {...}, unsigned int & 0x00000000, nsIFrame * 0x02055f90) line 2349 + 34 bytes
nsTableFrame::IncrementalReflow(nsTableFrame * const 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 2181 + 41 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1222 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableOuterFrame::IR_InnerTableReflow(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000) line 578 + 34 bytes
nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000) line 373 + 31 bytes
nsTableOuterFrame::IR_TargetIsChild(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000, nsIFrame * 0x020558f0) line 346 + 31 bytes
nsTableOuterFrame::IncrementalReflow(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000) line 329 + 35 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 850 + 31 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02055870, const nsRect & {...}, int 0x00000000, int 0x00000000, int 0x00000001, nsMargin & {...}, unsigned int & 0x00000000) line 248 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 0x0207eb80, int * 0x0012e714) line 3223 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x0207eb80, int * 0x0012e714, int 0x00000001) line 2611 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2422 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02054390, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1486 + 15 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02054390, const nsRect & {...}, int 0x00000001, int 0x00000000, int 0x00000001, nsMargin & {...}, unsigned int & 0x00000000) line 248 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 0x0207eec0, int * 0x0012efa0) line 3223 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x0207eec0, int * 0x0012efa0, int 0x00000001) line 2611 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2422 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02053870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1486 + 15 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x02053870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 285 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02053870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x020c5ef0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 328
nsContainerFrame::ReflowChild(nsIFrame * 0x020c5ef0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsScrollFrame::Reflow(nsScrollFrame * const 0x020c5520, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 617
nsContainerFrame::ReflowChild(nsIFrame * 0x020c5520, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x020c5d90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 510
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x02119ec0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 136
PresShell::ProcessReflowCommands(PresShell * const 0x02043eb0) line 1456
PresShell::ExitReflowLock(PresShell * const 0x02043eb0) line 675
PresShell::ContentAppended(PresShell * const 0x02043eb8, nsIDocument * 0x0210e940, nsIContent * 0x020cdf2c, int 0x00000007) line 1893
nsDocument::ContentAppended(nsDocument * const 0x0210e940, nsIContent * 0x020cdf2c, int 0x00000007) line 1510
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x0210e940, nsIContent * 0x020cdf2c, int 0x00000007) line 994
HTMLContentSink::NotifyAppend(nsIContent * 0x020cdf2c, int 0x00000007) line 3474
SinkContext::FlushTags() line 1726
HTMLContentSink::WillInterrupt(HTMLContentSink * const 0x02110c00) line 2050
CNavDTD::WillInterruptParse(CNavDTD * const 0x020443f0) line 3144 + 27 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000, int 0x00000000) line 1003
nsParser::OnDataAvailable(nsParser * const 0x011e5c6c, nsIChannel * 0x02112d30, nsISupports * 0x00000000, nsIInputStream * 0x0204b628, unsigned int 0x00000000, unsigned int 0x00000ab4) line 1335 + 19 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x02112ba0, nsIChannel * 0x02112d30, nsISupports * 0x00000000, nsIInputStream * 0x0204b628, unsigned int 0x00000000, unsigned int 0x00000ab4) line 1216 + 32 bytes
nsChannelListener::OnDataAvailable(nsChannelListener * const 0x021a01d0, nsIChannel * 0x02112d30, nsISupports * 0x00000000, nsIInputStream * 0x0204b628, unsigned int 0x00000000, unsigned int 0x00000ab4) line 1402
nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const 0x0204b5c0, nsIChannel * 0x0210b1f0, nsISupports * 0x02112d30, nsIInputStream * 0x0204b628, unsigned int 0x000005b4, unsigned int 0x00000ab4) line 171 + 47 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x020fcf30) line 413
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x020fcf80) line 169 + 12 bytes
PL_HandleEvent(PLEvent * 0x020fcf80) line 537 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00cb5fb0) line 498 + 9 bytes
_md_EventReceiverProc(void * 0x023e0260, unsigned int 0x0000c0e1, unsigned int 0x00000000, long 0x00cb5fb0) line 972 + 9 bytes
USER32! 77e5111a()

It asserts at nsBlockFrame::DoReflowInlineFrames:
    NS_ASSERTION(aState.IsImpactedByFloater(),
                 "redo line on totally empty line");

Reassigning to kipp, since he is the last one to have touched that assert line
according to cvsblame.

Comment 19

19 years ago
I cannot reproduce the crash he reports. I think kipp should try to reproduce the
assert, and probably can get a hint for the hang. Adding erik/bobj/msanz to the
cc.

Updated

19 years ago
Assignee: kipp → ftang

Comment 20

19 years ago
Updating to default International Assignee...kipp no longer with us :-(

Updated

19 years ago
Assignee: kipp → ftang

Comment 21

19 years ago
ftang, you need to find a new owner; kipp doesn't work here anymore

Updated

19 years ago
Assignee: ftang → troy

Comment 22

19 years ago
troy- can you handle this ?

Updated

19 years ago
Assignee: troy → kipp
(Reporter)

Comment 23

19 years ago
No crashes or hangs on Win NT or 98 with today's nightly binary displaying any
of the testcases (which together test all of the HTML 4.0 entities).
This bug is really waiting for testing on other platforms to confirm
that it is fixed... sorry, can't test Mac, Linux, or other-nixes here.

Tested with:
1999-12-14-08-M12 nightly binary on Windows NT 4.0sp3
1999-12-14-08-M12 nightly binary on Windows 98 SE
(Assignee)

Updated

19 years ago
Assignee: kipp → buster
(Assignee)

Comment 24

19 years ago
marking WORKSFORME based on my testing and comments by sidr@albedo.net. QA to
verify on all platforms.
(Assignee)

Updated

19 years ago
Status: NEW → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → WORKSFORME
(Assignee)

Comment 25

19 years ago
See previous comment; works fine on the 12/20/99 build on Windows NT.

Updated

19 years ago
Status: RESOLVED → VERIFIED

Comment 26

19 years ago
I verified this in 122011 M12 Win32 build.
(Reporter)

Comment 27

19 years ago
I am not at all sure about verifying this as WFM without testing it on Mac
and at least one *NIX.

During Beta, this could result in any number of uninformative "my page crashed
the browser, bad browser, bad" bug reports if it exists on any platform ...
this is fundamental HTML 4.

Even those who might try to boil down their pages to a testcase are unlikely to
continue until only a single character reference or two remains, and that's
all it takes to trigger this bug in an affected build. One pass through the
testcases above on non-Win32 platforms will show whether or not this needs
to be reopened.

Comment 28

19 years ago
Teruko,
 Per last comment, will you have this verified on Mac and Linux too?  Thx.

Comment 29

19 years ago
No crash or hang on any of the testcases with the 2000.02.02.09 Linux build running
on RH 6.0.
