Closed Bug 182531 Opened 22 years ago Closed 22 years ago

crash with @import in userContent.css

Categories

(Core :: CSS Parsing and Computation, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: jsmolens+mozilla, Assigned: bzbarsky)

Details

(Keywords: crash)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021121
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021121

When trying an @import url("my_url");, Mozilla 1.2 crashes when the semicolon is included at the end of the line in my profile's userContent.css file.

The contents of my userContent.css file are below:

-- Chop here --
@import url("http://www.rabidpenguin.org/insider/userContent.css");

img[onLoad*="window.open"]
{
  display: none !important;
  visibility: none !important;
}

embed[type="application/x-shockwave-flash"]
{
  display: none !important;
  visibility: hidden !important;
}

[src*="adx"],
[src*="ads"],
[src*="/banner/"],
[ {
  /* display: none !important;
  visibility: hidden !important; */
  -moz-outline: medium dotted blue;
  -moz-opacity: 8%;
}
-- Unchop here --

The contents of the URL http://www.rabidpenguin.org/insider/userContent.css are below:

-- Chop here --
embed[type="application/x-shockwave-flash"]
{
  display: none !important;
  visibility: hidden !important;
}

img[onLoad*="window.open"]
{
  display: none !important;
  visibility: hidden !important;
}

[src*="/adx/"],
[src*="/ads/"],
[src*="/adv/"],
[src*="/viewad/"],
[src*="doubleclick.net"],
[src*="doubleclick.com"],
[href*="doubleclick.net"],
[href*="doubleclick.com"],
[href*="atdmt.com"],
[href*="bluestreak.com"],
[src*="/banner/"]
{
  -moz-outline: medium dotted blue;
  -moz-opacity: 8%;
}

/* the other way */
/*
/* display: none !important;
visibility: hidden !important; */
*/
-- Unchop here --

Reproducible: Always

Steps to Reproduce:
1. Enter a userContent.css file as shown above, possibly substituting the remote CSS URL for another webserver's URL over which you have control and making sure that page is accessible.
2. Start Mozilla, observe crash.

Actual Results: Mozilla crashes with a memory exception.

Expected Results: Imported the CSS file at the URL and parsed it as per the CSS specifications.
Crash is at instruction address 0x61250d1b, failed memory read at 0x4a
Are we attempting to synchronously load the stylesheet via HTTP? Also, doesn't the @import not work when there's no semicolon?
> Are we attempting to synchronously load the stylesheet via HTTP? Also, doesn't
> the @import not work when there's no semicolon?

@import is ignored when there is no semicolon. I believe this is correct behavior.
So the summary of the bug really doesn't have anything to do with a semicolon, only the presence of a correct @import rule.
Summary: crash when @import in userContent.css has a semicolon at the end of the line → crash with @import in userContent.css
Keywords: crash
First, the warnings I get:

WARNING: CSSLoaderImpl::LoadSheet: Load of URL 'http://www.rabidpenguin.org/insider/userContent.css' failed. Error code: 16385, file e:/MozDev/mozilla/mozilla/content/html/style/src/nsCSSLoader.cpp, line 1562
CSS Error (file:///D:/blablah/chrome/userContent.css :6.17): Error in parsing value for property 'visibility'. Declaration dropped.
CSS Error (file:///D:/blablah/chrome/userContent.css :18.2): Expected attribute name or namespace but found '{'. Selector expected. Ruleset ignored due to bad selector.

-----

Next, the stack trace (Win2k)

nsHttpHandler::RedirectionLimit() line 90 + 10 bytes
nsHttpChannel::nsHttpChannel() line 79 + 591 bytes
nsHttpHandler::NewProxiedChannel(nsHttpHandler * const 0x00f56c30, nsIURI * 0x04b5e3d0, nsIProxyInfo * 0x00000000, nsIChannel * * 0x0012afb4) line 1898 + 30 bytes
nsIOService::NewChannelFromURI(nsIOService * const 0x00f63e00, nsIURI * 0x04b5e3d0, nsIChannel * * 0x0012afb4) line 512 + 49 bytes
NS_NewChannel(nsIChannel * * 0x0012b0cc, nsIURI * 0x04b5e3d0, nsIIOService * 0x00f63e00, nsILoadGroup * 0x03d2e188, nsIInterfaceRequestor * 0x03d25dc8, unsigned int 524288) line 164 + 20 bytes
nsDocShell::DoURILoad(nsIURI * 0x04b5e3d0, nsIURI * 0x00000000, nsISupports * 0x02f1f2b8, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest * * 0x00000000) line 5169 + 91 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x03d25da0, nsIURI * 0x04b5e3d0, nsIURI * 0x00000000, nsISupports * 0x00000000, int 1, const unsigned short * 0x04b5e5b8, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned int 1, nsISHEntry * 0x00000000, int 1, nsIDocShell * * 0x00000000, nsIRequest * * 0x00000000) line 5083 + 51 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03d25da0, nsIURI * 0x04b5e3d0, nsIDocShellLoadInfo * 0x04b5e550, unsigned int 0, int 1) line 725 + 73 bytes
nsDocShell::LoadURI(nsDocShell * const 0x03d25db0, const unsigned short * 0x04b5bc50, unsigned int 0, nsIURI * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 2445 + 38 bytes
XPTC_InvokeByIndex(nsISupports * 0x03d25db0, unsigned int 8, unsigned int 5, nsXPTCVariant * 0x0012b71c) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2016 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x01492378, JSObject * 0x04b24118, unsigned int 5, long * 0x04b11188, long * 0x0012b9cc) line 1283 + 14 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 5, unsigned int 0) line 839 + 23 bytes
js_Interpret(JSContext * 0x01492378, long * 0x0012c2e8) line 2803 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 1, unsigned int 0) line 856 + 13 bytes
js_Interpret(JSContext * 0x01492378, long * 0x0012cbb8) line 2803 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 2, unsigned int 2) line 856 + 13 bytes
fun_apply(JSContext * 0x01492378, JSObject * 0x03144698, unsigned int 2, long * 0x04b10fec, long * 0x0012cce0) line 1552 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 2, unsigned int 0) line 839 + 23 bytes
js_Interpret(JSContext * 0x01492378, long * 0x0012d5fc) line 2803 + 15 bytes
js_Invoke(JSContext * 0x01492378, unsigned int 1, unsigned int 2) line 856 + 13 bytes
js_InternalInvoke(JSContext * 0x01492378, JSObject * 0x03144698, long 78537416, unsigned int 0, unsigned int 1, long * 0x0012d85c, long * 0x0012d72c) line 931 + 20 bytes
JS_CallFunctionValue(JSContext * 0x01492378, JSObject * 0x03144698, long 78537416, unsigned int 1, long * 0x0012d85c, long * 0x0012d72c) line 3431 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x014919b0, void * 0x03144698, void * 0x04ae62c8, unsigned int 1, void * 0x0012d85c, int * 0x0012d860, int 0) line 1041 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04b13be0, nsIDOMEvent * 0x04b105d8) line 182 + 77 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x03cb54e0, nsIDOMEventReceiver * 0x03d543f8, nsIDOMEvent * 0x04b105d8) line 458
DoKey(nsIAtom * 0x0152c498, nsIXBLPrototypeHandler * 0x03cb54e0, nsIDOMEvent * 0x04b105d8, nsIDOMEventReceiver * 0x03d543f8) line 108
nsXBLKeyHandler::KeyPress(nsXBLKeyHandler * const 0x03d54440, nsIDOMEvent * 0x04b105d8) line 123 + 40 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02e9e3d8, nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, nsIDOMEventTarget * 0x04b091d0, unsigned int 4, nsEventStatus * 0x0012f5ec) line 1659 + 41 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02e9e370, nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 4, nsEventStatus * 0x0012f5ec) line 3400
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03d5eac8, nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 4, nsEventStatus * 0x0012f5ec) line 3380
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03d5e158, nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 4, nsEventStatus * 0x0012f5ec) line 3380
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x03d5e3c8, nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x0012f028, unsigned int 7, nsEventStatus * 0x0012f5ec) line 2046
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x03d5e3c8, nsIPresContext * 0x0157ba50, nsEvent * 0x0012f7b4, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f5ec) line 1423 + 29 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f7b4, nsIView * 0x01595040, unsigned int 1, nsEventStatus * 0x0012f5ec) line 6211 + 47 bytes
PresShell::HandleEvent(PresShell * const 0x01595874, nsIView * 0x01595040, nsGUIEvent * 0x0012f7b4, nsEventStatus * 0x0012f5ec, int 1, int & 1) line 6134 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x01595040, nsGUIEvent * 0x0012f7b4, int 0) line 2163
nsView::HandleEvent(nsViewManager * 0x01594e20, nsGUIEvent * 0x0012f7b4, int 0) line 304
nsViewManager::DispatchEvent(nsViewManager * const 0x01594e20, nsGUIEvent * 0x0012f7b4, nsEventStatus * 0x0012f724) line 1943 + 23 bytes
HandleEvent(nsGUIEvent * 0x0012f7b4) line 83
nsWindow::DispatchEvent(nsWindow * const 0x015950dc, nsGUIEvent * 0x0012f7b4, nsEventStatus & nsEventStatus_eIgnore) line 1069 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f7b4) line 1090
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13, long 0) line 2948 + 15 bytes
nsWindow::OnChar(unsigned int 13, unsigned int 13, unsigned char 0) line 3143
nsWindow::ProcessMessage(unsigned int 258, unsigned int 13, long 1835009, long * 0x0012fc48) line 3851 + 41 bytes
nsWindow::WindowProc(HWND__ * 0x005d012a, unsigned int 258, unsigned int 13, long 1835009) line 1338 + 27 bytes
USER32! 77e3a290()
USER32! 77e145b1()
USER32! 77e1a752()
nsAppShellService::Run(nsAppShellService * const 0x00f281d8) line 472
main1(int 3, char * * 0x00276ec0, nsISupports * 0x00276f38) line 1541 + 32 bytes
main(int 3, char * * 0x00276ec0) line 1902 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e9ca90()

-----

Looks like nsHttpChannel::nsHttpChannel() is calling nsHttpHandler::get() which returns a null pointer, and then does a "->RedirectionLimit()" call on it.
> Are we attempting to synchronously load the stylesheet via HTTP?

Yes, we are. The user sheets are loaded with LoadAgentSheet and no observer is passed, requiring sync load (using NS_OpenURI). ccing Darin on the http header issue; I won't be able to look at this till Monday at least (no tree right now).
I can't seem to be able to reproduce this crash with a current trunk build...
nsHttpChannel::open is unimplemented. The stack trace seems uninformative.
->bz (CSS loader bugs)
Assignee: dbaron → bzbarsky
Jared, is this still happening? I recently fixed a bug in the CSSLoader that could lead to a crash like this one due to a double-free when a channel open failed (as it would here). That was bug 186606. The fix should be in Jan 7 and later builds; if you could test one of those that would be great.
Marking worksforme, since I have been unable to reproduce and it should be fixed by bug 186606. Jared, please reopen if you are still seeing this in a recent build...
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME