Closed Bug 182531 Opened 22 years ago Closed 22 years ago

crash with @import in userContent.css

Categories

(Core :: CSS Parsing and Computation, defect)

x86
Windows 2000
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: jsmolens+mozilla, Assigned: bzbarsky)

Details

(Keywords: crash)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021121
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021121

When trying an @import url("my_url");, Mozilla 1.2 crashes when the semicolon is
included at the end of the line in my profile's userContent.css file.  The
contents of my userContent.css file are below:
 
-- Chop here --
@import url("http://www.rabidpenguin.org/insider/userContent.css");

img[onLoad*="window.open"]
{
	display: none !important;
	visibility: none !important;
}

embed[type="application/x-shockwave-flash"] { 
  display: none !important;
  visibility: hidden !important;
}

[src*="adx"],
[src*="ads"],
[src*="/banner/"],
[
 { 
/*  display: none !important;
  visibility: hidden !important; */
  -moz-outline: medium dotted blue;
  -moz-opacity: 8%;
}

-- Unchop here --

The contents of the URL http://www.rabidpenguin.org/insider/userContent.css
are below:

-- Chop here --
embed[type="application/x-shockwave-flash"] { 
  display: none !important;
  visibility: hidden !important;
}

img[onLoad*="window.open"]
{
  display: none !important;
  visibility: hidden !important;
}

[src*="/adx/"],
[src*="/ads/"],
[src*="/adv/"],
[src*="/viewad/"],
[src*="doubleclick.net"],
[src*="doubleclick.com"],
[href*="doubleclick.net"],
[href*="doubleclick.com"],
[href*="atdmt.com"],
[href*="bluestreak.com"],
[src*="/banner/"]
 { 
  -moz-outline: medium dotted blue;
  -moz-opacity: 8%;
}

/* the other way */
/*
/*  display: none !important;
  visibility: hidden !important; */

*/
-- Unchop here --

Reproducible: Always

Steps to Reproduce:
1. Enter a userContent.css file as shown above, possibly substituting the remote
CSS URL for another webserver's URL over which you have control and making sure
that page is accessible.
2. Start Mozilla, observe crash.

Actual Results:  
Mozilla crashes with a memory exception.

Expected Results:  
Imported the CSS file at the URL and parsed it as per the CSS specifications.

Crash is at instruction address 0x61250d1b, failed memory read at 0x4a
Are we attempting to synchronously load the stylesheet via HTTP?  Also, doesn't
the @import not work when there's no semicolon?
> Are we attempting to synchronously load the stylesheet via HTTP?  Also, doesn't
> the @import not work when there's no semicolon?

@import is ignored when there is no semicolon.  I believe this is correct
behavior.  
So the summary of the bug really doesn't have anything to do with a semicolon,
only the presence of a correct @import rule.
Summary: crash when @import in userContent.css has a semicolon at the end of the line → crash with @import in userContent.css
Keywords: crash
First, the warnings I get:
WARNING: CSSLoaderImpl::LoadSheet: Load of URL
'http://www.rabidpenguin.org/insider/userContent.css' failed.  Error code:
16385, file e:/MozDev/mozilla/mozilla/content/html/style/src/nsCSSLoader.cpp,
line 1562
CSS Error (file:///D:/blablah/chrome/userContent.css :6.17): Error in parsing
value for property 'visibility'.  Declaration dropped.
CSS Error (file:///D:/blablah/chrome/userContent.css :18.2): Expected attribute
name or namespace but found '{'.  Selector expected.  Ruleset ignored due to bad
selector.

-----
Next, the stack trace (Win2k)
nsHttpHandler::RedirectionLimit() line 90 + 10 bytes
nsHttpChannel::nsHttpChannel() line 79 + 591 bytes
nsHttpHandler::NewProxiedChannel(nsHttpHandler * const 0x00f56c30, nsIURI *
0x04b5e3d0, nsIProxyInfo * 0x00000000, nsIChannel * * 0x0012afb4) line 1898 + 30
bytes
nsIOService::NewChannelFromURI(nsIOService * const 0x00f63e00, nsIURI *
0x04b5e3d0, nsIChannel * * 0x0012afb4) line 512 + 49 bytes
NS_NewChannel(nsIChannel * * 0x0012b0cc, nsIURI * 0x04b5e3d0, nsIIOService *
0x00f63e00, nsILoadGroup * 0x03d2e188, nsIInterfaceRequestor * 0x03d25dc8,
unsigned int 524288) line 164 + 20 bytes
nsDocShell::DoURILoad(nsIURI * 0x04b5e3d0, nsIURI * 0x00000000, nsISupports *
0x02f1f2b8, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, int 1,
nsIDocShell * * 0x00000000, nsIRequest * * 0x00000000) line 5169 + 91 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x03d25da0, nsIURI * 0x04b5e3d0,
nsIURI * 0x00000000, nsISupports * 0x00000000, int 1, const unsigned short *
0x04b5e5b8, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned
int 1, nsISHEntry * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest *
* 0x00000000) line 5083 + 51 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03d25da0, nsIURI * 0x04b5e3d0,
nsIDocShellLoadInfo * 0x04b5e550, unsigned int 0, int 1) line 725 + 73 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03d25db0, const unsigned short *
0x04b5bc50, unsigned int 0, nsIURI * 0x00000000, nsIInputStream * 0x00000000,
nsIInputStream * 0x00000000) line 2445 + 38 bytes
XPTC_InvokeByIndex(nsISupports * 0x03d25db0, unsigned int 8, unsigned int 5,
nsXPTCVariant * 0x0012b71c) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2016 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x01492378, JSObject * 0x04b24118, unsigned int 5,
long * 0x04b11188, long * 0x0012b9cc) line 1283 + 14 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 5, unsigned int 0) line 839 + 23
bytes
js_Interpret(JSContext * 0x01492378, long * 0x0012c2e8) line 2803 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 1, unsigned int 0) line 856 + 13
bytes
js_Interpret(JSContext * 0x01492378, long * 0x0012cbb8) line 2803 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 2, unsigned int 2) line 856 + 13
bytes
fun_apply(JSContext * 0x01492378, JSObject * 0x03144698, unsigned int 2, long *
0x04b10fec, long * 0x0012cce0) line 1552 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 2, unsigned int 0) line 839 + 23
bytes
js_Interpret(JSContext * 0x01492378, long * 0x0012d5fc) line 2803 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 1, unsigned int 2) line 856 + 13
bytes
js_InternalInvoke(JSContext * 0x01492378, JSObject * 0x03144698, long 78537416,
unsigned int 0, unsigned int 1, long * 0x0012d85c, long * 0x0012d72c) line 931 +
20 bytes
JS_CallFunctionValue(JSContext * 0x01492378, JSObject * 0x03144698, long
78537416, unsigned int 1, long * 0x0012d85c, long * 0x0012d72c) line 3431 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x014919b0, void * 0x03144698,
void * 0x04ae62c8, unsigned int 1, void * 0x0012d85c, int * 0x0012d860, int 0)
line 1041 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04b13be0, nsIDOMEvent
* 0x04b105d8) line 182 + 77 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x03cb54e0,
nsIDOMEventReceiver * 0x03d543f8, nsIDOMEvent * 0x04b105d8) line 458
DoKey(nsIAtom * 0x0152c498, nsIXBLPrototypeHandler * 0x03cb54e0, nsIDOMEvent *
0x04b105d8, nsIDOMEventReceiver * 0x03d543f8) line 108
nsXBLKeyHandler::KeyPress(nsXBLKeyHandler * const 0x03d54440, nsIDOMEvent *
0x04b105d8) line 123 + 40 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02e9e3d8,
nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028,
nsIDOMEventTarget * 0x04b091d0, unsigned int 4, nsEventStatus * 0x0012f5ec) line
1659 + 41 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02e9e370, nsIPresContext *
0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 4,
nsEventStatus * 0x0012f5ec) line 3400
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03d5eac8, nsIPresContext *
0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 4,
nsEventStatus * 0x0012f5ec) line 3380
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03d5e158, nsIPresContext *
0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 4,
nsEventStatus * 0x0012f5ec) line 3380
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x03d5e3c8,
nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028,
unsigned int 7, nsEventStatus * 0x0012f5ec) line 2046
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x03d5e3c8,
nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus * 0x0012f5ec) line 1423 + 29 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f7b4, nsIView * 0x01595040,
unsigned int 1, nsEventStatus * 0x0012f5ec) line 6211 + 47 bytes
PresShell::HandleEvent(PresShell * const 0x01595874, nsIView * 0x01595040,
nsGUIEvent * 0x0012f7b4, nsEventStatus * 0x0012f5ec, int 1, int & 1) line 6134 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x01595040, nsGUIEvent * 0x0012f7b4, int 0)
line 2163
nsView::HandleEvent(nsViewManager * 0x01594e20, nsGUIEvent * 0x0012f7b4, int 0)
line 304
nsViewManager::DispatchEvent(nsViewManager * const 0x01594e20, nsGUIEvent *
0x0012f7b4, nsEventStatus * 0x0012f724) line 1943 + 23 bytes
HandleEvent(nsGUIEvent * 0x0012f7b4) line 83
nsWindow::DispatchEvent(nsWindow * const 0x015950dc, nsGUIEvent * 0x0012f7b4,
nsEventStatus & nsEventStatus_eIgnore) line 1069 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f7b4) line 1090
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13,
long 0) line 2948 + 15 bytes
nsWindow::OnChar(unsigned int 13, unsigned int 13, unsigned char 0) line 3143
nsWindow::ProcessMessage(unsigned int 258, unsigned int 13, long 1835009, long *
0x0012fc48) line 3851 + 41 bytes
nsWindow::WindowProc(HWND__ * 0x005d012a, unsigned int 258, unsigned int 13,
long 1835009) line 1338 + 27 bytes
USER32! 77e3a290()
USER32! 77e145b1()
USER32! 77e1a752()
nsAppShellService::Run(nsAppShellService * const 0x00f281d8) line 472
main1(int 3, char * * 0x00276ec0, nsISupports * 0x00276f38) line 1541 + 32 bytes
main(int 3, char * * 0x00276ec0) line 1902 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e9ca90()

-----
Looks like nsHttpChannel::nsHttpChannel() is calling nsHttpHandler::get() which
returns a null pointer, and then does a "->RedirectionLimit()" call on it
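
The failure mode diagnosed in the comment above, as an added example that is not part of the original bug report and not Mozilla's code: a constructor that dereferences a singleton accessor's result unchecked, beside a checked factory whose caller handles the failure. All class and function names are hypothetical and the limit value 10 is constructed; a field read through a null object pointer faults at a small address, which is consistent with the reported failed read at 0x4a.

```cpp
// Added illustration with hypothetical names; not Mozilla's own code.
#include <memory>

class Handler {
public:
    static Handler* get() { return sInstance; }   // null until Init() has run
    static void Init() { if (!sInstance) sInstance = new Handler(); }
    static void Shutdown() { delete sInstance; sInstance = nullptr; }
    unsigned RedirectionLimit() const { return mRedirectionLimit; }
private:
    static Handler* sInstance;
    unsigned mRedirectionLimit = 10;              // constructed sample value
};
Handler* Handler::sInstance = nullptr;

// Unchecked pattern: with no handler, this reads a field through a null pointer.
struct UncheckedChannel {
    UncheckedChannel() : mLimit(Handler::get()->RedirectionLimit()) {}
    unsigned mLimit;
};

// Checked form: creation fails cleanly and the caller gets a single owner.
class Channel {
public:
    static std::unique_ptr<Channel> Create() {
        Handler* h = Handler::get();
        if (!h) return nullptr;                   // report failure, do not crash
        return std::unique_ptr<Channel>(new Channel(h->RedirectionLimit()));
    }
    unsigned Limit() const { return mLimit; }
private:
    explicit Channel(unsigned limit) : mLimit(limit) {}
    unsigned mLimit;
};

enum class LoadResult { Ok, NotAvailable };
// Synchronous load that treats "no channel" as an ordinary, reportable error.
LoadResult LoadSheetSync() {
    std::unique_ptr<Channel> ch = Channel::Create();
    return ch ? LoadResult::Ok : LoadResult::NotAvailable;
}

int main() {
    bool before = LoadSheetSync() == LoadResult::NotAvailable;  // no handler yet
    Handler::Init();
    bool after = LoadSheetSync() == LoadResult::Ok;
    Handler::Shutdown();
    return (before && after) ? 0 : 1;
}
```
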
> Are we attempting to synchronously load the stylesheet via HTTP?  

Yes, we are.  The user sheets are loaded with LoadAgentSheet and no observer is 
passed, requiring sync load (using NS_OpenURI).

ccing Darin on the http header issue; I won't be able to look at this till 
Monday at least (no tree right now).
I can't seem to be able to reproduce this crash with a current trunk build...
nsHttpChannel::open is unimplemented.  the stack trace seems uninformative.
->bz (CSS loader bugs)
Assignee: dbaron → bzbarsky
Jared, is this still happening?  I recently fixed a bug in the CSSLoader that
could lead to a crash like this one due to a double-free when a channel open
failed (as it would here).  That was bug 186606.  The fix should be in Jan 7 and
later builds; if you could test one of those that would be great.
Marking worksforme, since I have been unable to reproduce and it should be fixed
by bug 186606.

Jared, please reopen if you are still seeing this in a recent build...
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME