Closed Bug 17958 Opened 25 years ago Closed 25 years ago

Crash or hang on display of some HTML 4 character entities

Categories

(Core :: Layout, defect, P3)

x86
Windows NT
defect

VERIFIED WORKSFORME

People

(Reporter: sidr, Assigned: buster)

Attachments

(15 files)

Attempting to view some HTML 4.0 character entities (Misc. Technical) causes the browser to crash. Additionally, attempting to view a list of all ISO 8859-1 character entities causes the browser to hang (~100% CPU, nonresponsive). This latter problem did not exist in M10 and as late as the 1999-10-25-09-M11 Windows NT nightly binary (possibly later). The remainder of this report will follow as soon as the testcase attachments are in place.
These testcases are adapted from the Character Entity DTDs <URL:http://www.w3.org/TR/REC-html40/sgml/entities.html> that are part of the HTML 4.0 spec. Each testcase is a single table showing one subsection from one of the three character entity DTDs. Each line in the tables has three cells, showing the named form of an entity, the numeric form of an entity, and the DTD-fragment that defines that entity.
For manageability, the last attachment provides "Live links to all character entity testcase attachments."
Steps to Reproduce:
  1. View the "ISO 8859-1 character entities testcase."
  2. Use Task Manager to end the Mozilla task. Restart Mozilla.
  3. View the "Miscellaneous Technical character entities testcase."
Actual Results: In step 1, the browser hangs, using close to 100% CPU and not responding to the user of the MS-Windows. In step 3, the browser crashes before the testcase is displayed.
Expected Results: The testcases all display.
Tested With: Windows NT 4.0sp3, mozilla.exe, 1999-11-03-13-M11 nightly binary. Version 2.75 of the Times New Roman font was installed (downloaded from the Microsoft TrueType core fonts for the Web site, <URL:http://www.microsoft.com/typography/fontpack/default.htm>).
Works correctly with: Netscape Navigator 4.7 on NT and Internet Explorer 5 on NT. Both display all of the testcases, showing all the holes in their HTML 4.0 character entities support.
Additional Information: The "ISO 8859-1 character entities testcase" displayed properly with M10 and with nightly binaries at least as late as 1999-10-25-09-M11 on NT. The "More General Punctuation character entities testcase" crashed the 1999-10-25-09-M11 nightly binary on Windows NT.
Blocks: 17962
The culprits in the "Miscellaneous Technical" testcase appear to be &lang; and &rang; - the left and right angle characters. Here is a DTD snippet:
<!ENTITY lang CDATA "&#9001;" -- left-pointing angle bracket = bra, U+2329 ISOtech -->
<!-- lang is NOT the same character as U+003C 'less than' or U+2039 'single left-pointing angle quotation mark' -->
<!ENTITY rang CDATA "&#9002;" -- right-pointing angle bracket = ket, U+232A ISOtech -->
<!-- rang is NOT the same character as U+003E 'greater than' or U+203A 'single right-pointing angle quotation mark' -->
... almost certainly, however, the proper glyphs to use will be the same as those for &lt; and &gt; respectively - at least as a fallback position if &#9001; and &#9002; are not available in the character set already in use.
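The testcase layout described in the report (one table row per entity: named form, numeric form, DTD fragment) can be regenerated from the DTD text, along with one-entity pages that tie a crash or hang to a single reference. This is an added example, not part of the original bug report or of Mozilla's code; the function names are hypothetical and the sample input is constructed from the two declarations quoted above.

```python
import html
import re

# Constructed sample input: the two declarations quoted in the comment above,
# laid out as in the HTML 4.0 entity DTDs (assumed layout).
SAMPLE_DTD = '''
<!ENTITY lang CDATA "&#9001;" -- left-pointing angle bracket = bra,
                                 U+2329 ISOtech -->
<!-- lang is NOT the same character as U+003C 'less than' -->
<!ENTITY rang CDATA "&#9002;" -- right-pointing angle bracket = ket,
                                 U+232A ISOtech -->
'''

# Matches: <!ENTITY name CDATA "&#NNNN;" -- description -->
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<name>[A-Za-z][A-Za-z0-9]*)\s+CDATA\s+'
    r'"&#(?P<code>\d+);"\s*(?:--(?P<desc>.*?)--\s*)?>',
    re.DOTALL,
)

def parse_entities(dtd_text):
    """Return (name, code point, one-line declaration) per <!ENTITY>."""
    return [(m["name"], int(m["code"]), " ".join(m.group(0).split()))
            for m in ENTITY_RE.finditer(dtd_text)]

def codepoint_mismatches(dtd_text):
    """Names whose numeric reference disagrees with the U+XXXX in the comment."""
    bad = []
    for m in ENTITY_RE.finditer(dtd_text):
        u = re.search(r"U\+([0-9A-Fa-f]{4,6})", m["desc"] or "")
        if u and int(u.group(1), 16) != int(m["code"]):
            bad.append(m["name"])
    return bad

def build_testcase(dtd_text, title):
    """One table; each row: named form, numeric form, escaped DTD fragment."""
    rows = ["<tr><td>&%s;</td><td>&#%d;</td><td><code>%s</code></td></tr>"
            % (name, code, html.escape(decl))
            for name, code, decl in parse_entities(dtd_text)]
    return ("<html><head><title>%s</title></head><body>\n<table border=\"1\">\n"
            "%s\n</table>\n</body></html>\n"
            % (html.escape(title), "\n".join(rows)))

def build_single_entity_testcases(dtd_text):
    """One page per entity, so a crash or hang maps to a single reference."""
    return {name: build_testcase(decl, name + " only")
            for name, _, decl in parse_entities(dtd_text)}
```
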
Assignee: ftang → kipp
When I try to load the "ISO 8859-1 character entities testcase" page, I get an assertion first:
nsDebug::Assertion(char * 0x01ae00e0, char * 0x01ae00c0, char * 0x01ae008c, int 0x00000e0f) line 280 + 13 bytes
nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState & {...}, nsLineLayout & {...}, nsLineBox * 0x02114280, int * 0x0012cd54, unsigned char * 0x0012cbf4) line 3599 + 38 bytes
nsBlockFrame::DoReflowInlineFramesAuto(nsBlockReflowState & {...}, nsLineBox * 0x02114280, int * 0x0012cd54, unsigned char * 0x0012cbf4) line 3487 + 34 bytes
nsBlockFrame::ReflowInlineFrames(nsBlockReflowState & {...}, nsLineBox * 0x02114280, int * 0x0012cd54) line 3435 + 24 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x02114280, int * 0x0012cd54, int 0x00000000) line 2662 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2422 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x021141b0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1486 + 15 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x021141b0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableCellFrame::Reflow(nsTableCellFrame * const 0x02114120, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 650
nsContainerFrame::ReflowChild(nsIFrame * 0x02114120, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableRowFrame::InitialReflow(nsTableRowFrame * const 0x02198460, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowReflowState & {...}, unsigned int & 0x00000000, nsTableCellFrame * 0x00000000, int 0x00000001) line 1036 + 34 bytes
nsTableRowFrame::Reflow(nsTableRowFrame * const 0x02198460, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1428 + 35 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02198460, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableRowGroupFrame::ReflowMappedChildren(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowGroupReflowState & {...}, unsigned int & 0x00000000, nsTableRowFrame * 0x00000000, nsReflowReason eReflowReason_Incremental, int 0x00000001, int 0x00000001) line 456 + 34 bytes
nsTableRowGroupFrame::IR_TargetIsMe(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowGroupReflowState & {...}, unsigned int & 0x00000000) line 1315 + 41 bytes
nsTableRowGroupFrame::IncrementalReflow(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, RowGroupReflowState & {...}, unsigned int & 0x00000000) line 1106 + 31 bytes
nsTableRowGroupFrame::Reflow(nsTableRowGroupFrame * const 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1022 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02055f90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableFrame::IR_TargetIsChild(nsTableFrame * const 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, InnerTableReflowState & {...}, unsigned int & 0x00000000, nsIFrame * 0x02055f90) line 2349 + 34 bytes
nsTableFrame::IncrementalReflow(nsTableFrame * const 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 2181 + 41 bytes
nsTableFrame::Reflow(nsTableFrame * const 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1222 + 31 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x020558f0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsTableOuterFrame::IR_InnerTableReflow(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000) line 578 + 34 bytes
nsTableOuterFrame::IR_TargetIsInnerTableFrame(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000) line 373 + 31 bytes
nsTableOuterFrame::IR_TargetIsChild(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000, nsIFrame * 0x020558f0) line 346 + 31 bytes
nsTableOuterFrame::IncrementalReflow(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, OuterTableReflowState & {...}, unsigned int & 0x00000000) line 329 + 35 bytes
nsTableOuterFrame::Reflow(nsTableOuterFrame * const 0x02055870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 850 + 31 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02055870, const nsRect & {...}, int 0x00000000, int 0x00000000, int 0x00000001, nsMargin & {...}, unsigned int & 0x00000000) line 248 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 0x0207eb80, int * 0x0012e714) line 3223 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x0207eb80, int * 0x0012e714, int 0x00000001) line 2611 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2422 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02054390, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1486 + 15 bytes
nsBlockReflowContext::ReflowBlock(nsIFrame * 0x02054390, const nsRect & {...}, int 0x00000001, int 0x00000000, int 0x00000001, nsMargin & {...}, unsigned int & 0x00000000) line 248 + 45 bytes
nsBlockFrame::ReflowBlockFrame(nsBlockReflowState & {...}, nsLineBox * 0x0207eec0, int * 0x0012efa0) line 3223 + 59 bytes
nsBlockFrame::ReflowLine(nsBlockReflowState & {...}, nsLineBox * 0x0207eec0, int * 0x0012efa0, int 0x00000001) line 2611 + 20 bytes
nsBlockFrame::ReflowDirtyLines(nsBlockReflowState & {...}) line 2422 + 27 bytes
nsBlockFrame::Reflow(nsBlockFrame * const 0x02053870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 1486 + 15 bytes
nsAreaFrame::Reflow(nsAreaFrame * const 0x02053870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 285 + 25 bytes
nsContainerFrame::ReflowChild(nsIFrame * 0x02053870, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
RootFrame::Reflow(RootFrame * const 0x020c5ef0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 328
nsContainerFrame::ReflowChild(nsIFrame * 0x020c5ef0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
nsScrollFrame::Reflow(nsScrollFrame * const 0x020c5520, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 617
nsContainerFrame::ReflowChild(nsIFrame * 0x020c5520, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 367 + 31 bytes
ViewportFrame::Reflow(ViewportFrame * const 0x020c5d90, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsHTMLReflowState & {...}, unsigned int & 0x00000000) line 510
nsHTMLReflowCommand::Dispatch(nsHTMLReflowCommand * const 0x02119ec0, nsIPresContext & {...}, nsHTMLReflowMetrics & {...}, const nsSize & {...}, nsIRenderingContext & {...}) line 136
PresShell::ProcessReflowCommands(PresShell * const 0x02043eb0) line 1456
PresShell::ExitReflowLock(PresShell * const 0x02043eb0) line 675
PresShell::ContentAppended(PresShell * const 0x02043eb8, nsIDocument * 0x0210e940, nsIContent * 0x020cdf2c, int 0x00000007) line 1893
nsDocument::ContentAppended(nsDocument * const 0x0210e940, nsIContent * 0x020cdf2c, int 0x00000007) line 1510
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x0210e940, nsIContent * 0x020cdf2c, int 0x00000007) line 994
HTMLContentSink::NotifyAppend(nsIContent * 0x020cdf2c, int 0x00000007) line 3474
SinkContext::FlushTags() line 1726
HTMLContentSink::WillInterrupt(HTMLContentSink * const 0x02110c00) line 2050
CNavDTD::WillInterruptParse(CNavDTD * const 0x020443f0) line 3144 + 27 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000, int 0x00000000) line 1003
nsParser::OnDataAvailable(nsParser * const 0x011e5c6c, nsIChannel * 0x02112d30, nsISupports * 0x00000000, nsIInputStream * 0x0204b628, unsigned int 0x00000000, unsigned int 0x00000ab4) line 1335 + 19 bytes
nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x02112ba0, nsIChannel * 0x02112d30, nsISupports * 0x00000000, nsIInputStream * 0x0204b628, unsigned int 0x00000000, unsigned int 0x00000ab4) line 1216 + 32 bytes
nsChannelListener::OnDataAvailable(nsChannelListener * const 0x021a01d0, nsIChannel * 0x02112d30, nsISupports * 0x00000000, nsIInputStream * 0x0204b628, unsigned int 0x00000000, unsigned int 0x00000ab4) line 1402
nsHTTPResponseListener::OnDataAvailable(nsHTTPResponseListener * const 0x0204b5c0, nsIChannel * 0x0210b1f0, nsISupports * 0x02112d30, nsIInputStream * 0x0204b628, unsigned int 0x000005b4, unsigned int 0x00000ab4) line 171 + 47 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x020fcf30) line 413
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x020fcf80) line 169 + 12 bytes
PL_HandleEvent(PLEvent * 0x020fcf80) line 537 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00cb5fb0) line 498 + 9 bytes
_md_EventReceiverProc(void * 0x023e0260, unsigned int 0x0000c0e1, unsigned int 0x00000000, long 0x00cb5fb0) line 972 + 9 bytes
USER32! 77e5111a()
It asserts at nsBlockFrame::DoReflowInlineFrames:
NS_ASSERTION(aState.IsImpactedByFloater(), "redo line on totally empty line");
Reassign to kipp, since he is the last one to touch that assert line per cvsblame.
I cannot reproduce the crash he reported. I think kipp should try to reproduce the assert, and can probably get a hint for the hang. Adding erik/bobj/msanz to the cc.
Assignee: kipp → ftang
Updating to default International Assignee...kipp no longer with us :-(
Assignee: kipp → ftang
ftang, you need to find a new owner; kipp doesn't work here anymore
Assignee: ftang → troy
troy - can you handle this?
Assignee: troy → kipp
No crashes or hangs on Win NT or 98 with today's nightly binary displaying any of the testcases (which together test all of the HTML 4.0 entities). This bug is really waiting for testing on other platforms to confirm that it is fixed... sorry, can't test Mac, Linux, or other-nixes here.
Tested with:
  1999-12-14-08-M12 nightly binary on Windows NT 4.0sp3
  1999-12-14-08-M12 nightly binary on Windows 98 SE
Assignee: kipp → buster
marking WORKSFORME based on my testing and comments by sidr@albedo.net. QA to verify on all platforms.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
See previous comment; works fine on 12/20/99 build on Windows NT.
Status: RESOLVED → VERIFIED
I verified this in 122011 M12 Win32 build.
I am not at all sure about verifying this as wfm without testing it on Mac and at least one *NIX. During Beta, this could result in any number of uninformative "my page crashed the browser, bad browser, bad" bug reports if it exists on any platform ... this is fundamental HTML 4. Even those who might try to boil down their pages to a testcase are unlikely to continue until only a single character reference or two remains, and that's all it takes to trigger this bug in an affected build. Once through the testcases above on non-Win32 platforms will show whether or not this needs to be reopened.
Teruko, Per last comment, will you have this verified on Mac and Linux too? Thx.
No crash or hang on any of the testcases with 2000.02.02.09 Linux build running on RH 6.0.