Closed Bug 18312 Opened 25 years ago Closed 24 years ago

[BLOCK] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to infinite loop

Categories

(MailNews Core :: Composition, defect, P3)

Product:
MailNews Core
Component:
Composition
Platform:
x86
Windows NT
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED WORKSFORME

People

(Reporter: momoi, Assigned: mscott)

References

(
URL
)

Details

Attachments

(1 file)

talkback report of netcenter/ja crasher
11.75 KB, text/plain
Details 
** Obseved with 11/8/99 Win32 build (19991108009) **

This bug sounds familiar but just in case there is no outstanding bug
describing this problem, I'll file it.

1. The above Smoketesy.zip file contains 5 msgs.
2. The 3rd msg from top is a JPN message body with an HTML attachment (Netscape
   Home Page which was sent by 4.6 using "Send Page" option).
3. Now display/select this msg on IMAP or POP server. (Note: Observe that
   it displays correctly in body and attachment if you had selected
   Browser's "View | Auto-Detect | Japanese" beforehand. The problem, however,
   occurs whether or not the attachment display is correct.)
4. Now engage Reply / w auto-quoting under HTML mail send option.
5. In the process of assembling this message, Mozilla crashes.
So far I tried the following Netscape Home Pages and
CJK pages cause this crash but Latin 1 page (French Home
Page) does not.

1. http://home.netscape.com/ja    (Japan)
2. http://home.netscape.com/zh/cn  (China)
3. http://home.netscape.com/zh.tw  (Taiwan)
4. http://home.netscape.com/fr  (French Home Page)
QA Contact: lchiang → momoi
Summary: Reply/Quoting an HTML attachment leads to a crash under HTML send option → [Dogfood] Reply/Quoting an HTML attachment leads to a crash under HTML send option
This is one of the basic functionality and so I'm designating it
[Dogfood].
Here's what I get on Talkback for one of my crashes:

Trigger Type:  Program Crash
Trigger Reason:  Access violation
Call Stack:    (Signature = 0x00000000 c64f5270) 0x00000000

nsHTMLDivElement::Release
[d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLDivElement.cpp, line
110]
nsGenericHTMLContainerElement::~nsGenericHTMLContainerElement
[d:\builds\seamonkey\mozilla\layout\html\content\src\nsGenericHTMLElement.cpp,
line 2401]
nsBodyInner::~nsBodyInner
[d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLBodyElement.cpp,
line 146] nsHTMLBodyElement::`scalar deleting destructor'
nsHTMLTableColGroupElement::Release
[d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLTableColGroupElement
.cpp, line 119]
nsGenericHTMLContainerElement::~nsGenericHTMLContainerElement
[d:\builds\seamonkey\mozilla\layout\html\content\src\nsGenericHTMLElement.cpp,
line 2401]
nsHTMLHtmlElement::`scalar deleting destructor'
nsHTMLDivElement::Release
[d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLDivElement.cpp, line
110]
nsDocument::~nsDocument
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp, line 633]
nsHTMLDocument::~nsHTMLDocument
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLDocument.cpp, line
264]
nsDocument::Release
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp, line 757]
nsHTMLDocument::Release
[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLDocument.cpp, line
300]
nsCOMPtr_base::~nsCOMPtr_base
[d:\builds\seamonkey\mozilla\xpcom\base\nsCOMPtr.cpp, line 45]
DocumentViewerImpl::~DocumentViewerImpl
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocumentViewer.cpp, line 287]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

See below for the full report:

http://cyclone/reports/incidenttemplate.CFM?reportID=1020&style=0&tc=2&cp=1&ck1
=SNub+trigger+event+time&cd1=1999%2F11%2F09&bbid=534149
The above crash report was generated when I took
the 3rd msg in the Smoketest file and engaged reply/w auto-quote
button on it under HTML mail send option.
Assignee: ducarroz → rhp
I did the following test with a windows build from this morning (should be the
same than the official build of the day) on NT 4.0 sp5 english:

1) With 4.7, load http://home.netscape.com/ja
2) Send page

3) With 5.0, Get message,
4) Select the message sent from 4.7
5) >>>CRASH>>> in nsTableCellFrame* nsCellMap::GetCellInfoAt at line 515.

Reassign to rhp for investigation...
FYI: Today's build on Unix (at least) crash when displaying cnn.com in the browser at the same location I have
reported.
I haven't been able to get this to happen today with my build...win continue
the investigation.

- rhp
Status: NEW → ASSIGNED
Target Milestone: M12
I will update my tree and retest, but I really don't think this is a quoting
problem. The stack trace is crashing in Layout in table code. Is everyone still
seeing this crash?

- rhp
I'm still seeing it on the 2nd Win 32 build of the day. (Build: 1999110911)
I'm seeing this on today's linux 1999110911 build too.
Whiteboard: [PDT+]
Putting on PDT+ radar.
Summary: [Dogfood] Reply/Quoting an HTML attachment leads to a crash under HTML send option → [DOGFOOD] Reply/Quoting an HTML attachment leads to a crash under HTML send option
Ok, I know what this specific bug is...its our old friend the META tag with a
charset specified. Basically, quoting HTML with this line will cause that
document reload and cause us to crash. I can prevent the data we generate from
having META tags (I've done that already) but there is no way to prevent
attachments from doing this.

Akkana: Is there a bug on this already...if so, its a dup, if not, then this is
a new one for Ender.

The stack trace looks like this:

nsDocLoaderImpl::GetContentViewerContainer(nsDocLoaderImpl * const 0x016dfa90,
unsigned int 1242164, nsIContentViewerContainer * * 0x0012e670) line 658 + 5
bytes
nsObserverBase::NotifyWebShell(nsObserverBase * const 0x016d8108, unsigned int
1242164, const char * 0x03c38f00, nsCharsetSource kCharsetFromMetaTag, const
char * 0x03c38e90) line 54 + 20 bytes
nsMetaCharsetObserver::Notify(nsMetaCharsetObserver * const 0x016d8100,
unsigned int 1242164, unsigned int 5, const unsigned short * * 0x0012ed34,
const unsigned short * * 0x0012edfc) line 287 + 36 bytes
nsMetaCharsetObserver::Notify(nsMetaCharsetObserver * const 0x016d8100,
unsigned int 1242164, const unsigned short * 0x0012ecb4, unsigned int 5, const
unsigned short * * 0x0012ed34, const unsigned short * * 0x0012edfc) line 166
nsObserverNotifier::operator()(void * 0x016d8100) line 321 + 47 bytes
nsDeque::FirstThat(nsDequeFunctor & {...}) line 348 + 14 bytes
CObserverService::Notify(nsHTMLTag eHTMLTag_meta, nsIParserNode & {...},
unsigned int 1242164, const char * 0x02194094, nsIParser * 0x03c17b60) line 938
CNavDTD::WillHandleStartTag(CToken * 0x02298630, nsHTMLTag eHTMLTag_meta,
nsCParserNode & {...}) line 1065 + 35 bytes
CNavDTD::HandleStartToken(CToken * 0x02298630) line 1258 + 20 bytes
CNavDTD::HandleToken(CNavDTD * const 0x03c26ba0, CToken * 0x02298630, nsIParser
* 0x03c17b60) line 732 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x03c26ba0, nsIParser * 0x03c17b60,
nsITokenizer * 0x03c34d40, nsITokenObserver * 0x00000000, nsIContentSink *
0x03c218f0) line 529 + 20 bytes
nsParser::BuildModel() line 1030 + 34 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000, int 0) line 956 + 11 bytes
nsParser::Parse(const nsString & {""}, void * 0x0012f434, const nsString &
{"text/html"}, int 0, int 1, eParseMode eParseMode_autodetect) line 837 + 15
bytes
nsParser::ParseFragment(const nsString & {"<!doctype html public "-//w3c//dtd
html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}, void * 0x00000000,
nsITagStack & {...}, unsigned int 0, const nsString & {"text/html"}, eParseMode
eParseMode_autodetect) line 926 + 41 bytes
nsRange::CreateContextualFragment(nsRange * const 0x03c17884, const nsString &
{"<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}, nsIDOMDocumentFragment * *
0x0012f7f4) line 1845 + 52 bytes
nsHTMLEditor::InsertHTML(nsHTMLEditor * const 0x035fc5a4, const nsString &
{"<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}) line 1358 + 63 bytes
nsHTMLEditor::InsertAsCitedQuotation(nsHTMLEditor * const 0x035fc5a8, const
nsString & {"<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}, const nsString & {""}) line
3653 + 20 bytes
nsHTMLEditorLog::InsertAsCitedQuotation(nsHTMLEditorLog * const 0x035fc5a8,
const nsString & {"<!doctype html public "-//w3c//dtd html 4.0
transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}, const nsString & {""}) line
457 + 17 bytes
nsHTMLEditor::InsertAsQuotation(nsHTMLEditor * const 0x035fc5a8, const nsString
& {"<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}) line 3575 + 23 bytes
nsHTMLEditorLog::InsertAsQuotation(nsHTMLEditorLog * const 0x035fc5a8, const
nsString & {"<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}) line 421 + 13 bytes
nsEditorShell::InsertAsQuotation(nsEditorShell * const 0x03c26f30, const
unsigned short * 0x036d2d80) line 2135 + 42 bytes
nsMsgCompose::ConvertAndLoadComposeWindow(nsIEditorShell * 0x03c26f30, nsString
{"<br><br>Katsuhiko Momoi wrote:<br><html>"}, nsString {"<!doctype html public
"-//w3c//dtd html 4.0 transitional//en">
<html>
&nbsp;
<br><A HREF="http://people.netscape.com/momoi/"}, nsString ...) line 140
QuotingOutputStreamListener::OnStopRequest(QuotingOutputStreamListener * const
0x03c34bb0, nsIChannel * 0x03b14090, nsIChannel * 0x03b14090, unsigned int 0,
nsIChannel * 0x03b14090) line 970
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x03b11d70,
nsIChannel * 0x03b10264, nsISupports * 0x03be46f0, unsigned int 0, const
unsigned short * 0x00000000) line 730
nsMsgProtocol::OnStopRequest(nsMsgProtocol * const 0x03b10260, nsIChannel *
0x03b22a50, nsISupports * 0x03be46f0, unsigned int 0, const unsigned short *
0x00000000) line 199 + 74 bytes
nsMailboxProtocol::OnStopRequest(nsMailboxProtocol * const 0x03b10260,
nsIChannel * 0x03b22a50, nsISupports * 0x03be46f0, unsigned int 0, const
unsigned short * 0x00000000) line 177
nsFileChannel::OnStopRequest(nsFileChannel * const 0x03b22a54, nsIChannel *
0x03b248b0, nsISupports * 0x03be46f0, unsigned int 0, const unsigned short *
0x00000000) line 427 + 45 bytes
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x03b2c850) line
326
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x03b29e70) line 173 + 12 bytes
PL_HandleEvent(PLEvent * 0x03b29e70) line 537 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01082c20) line 498 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x00870b12, unsigned int 49389, unsigned int 0,
long 17312800) line 972 + 9 bytes
USER32! 77e71268()
01082c20()
Adding Rick and Vidur to cc list, since this is happening when ParseFragment is
called on a fragment which contains a meta charset tag, which incorrectly
triggers a reload.

Perhaps the parser should ignore meta charset tags when parsing fragments -- or
will that cause problems for people who want to be able to paste html with a
different charset than the one currently in the document?
Akkana: who do you think this should be assigned to...its a PDT+ bug and the
fix lives in layout.

- rhp
I really don't know -- I've sent mail to Rick, Vidur and Ftang asking them to
take a look at the bug and venture an opinion.
Whiteboard: [PDT+] → [PDT+] Need Gecko help
Whiteboard: [PDT+] Need Gecko help → [PDT+] rickg to make it not crash; real fix after t'giving
Assignee: rhp → rickg
Status: ASSIGNED → NEW
Hi Rick,
Since we have a plan for this bug, I figured I would update it and pass it over
to you. Then, when you are done, you can pass it to Akkana for her API updates
and finally back to me for the insert call changes.

After you fix the crash, we should probably take it off of the PDT radar.

Thanks for the help!

- rhp

Here is the plan of attack:


Here's the problem as far as I can tell:

Rich wants to insert an HTML fragment into an existing document for the purpose
of block quoting. The fragment he's inserting contains
a <meta> tag with a charset specifier. (Note: The parsing engine has observers
for tags, and the i18n library ties into this notification
system for the purpose of charset detection). When ParseFragment() is called,
the <meta> tag is observed by the i18n library, which
detects the charset specifier. As a result, the i18n library tells the parser
to stop loading the document, and then it tells the webshell to
reload the document using a different charset.
Since this was a fragment and not a document, we get a crash, though I didn't
check into why we are crashing exactly.

The solution: First, we'll disable <meta> observation on HTML fragments.
Second, we need to extend the ParseFragment() api to
include a charset specifier. Anyone who wants to call this method will need to
determine the charset of the fragment in advance. Frank
Tang has a few i18n library calls to do this: nsIPlatformCharset() and
nsICharsetDetector().

I'll be out the rest of this week, but I'll add a quick hack tonight to disable
notification when ParseFragment() is called. When I return, I'll
extend the API to require a charset specifier. Akkana will need to update her
calls to ParseFragment() to include a charset.
I don't know what an HTML fragment really is, but should it be including
<HEAD> info?  <META> tags are only legal in the HTML head and not in the body.
Whiteboard: [PDT+] rickg to make it not crash; real fix after t'giving → [PDT-] rickg to make it not crash; real fix after t'giving
We believe this is fixed. Should not crash anymore.  Please re-test.  Putting on
 PDT-.  Please remove this if crash still occurs.
Assignee: rickg → rhp
This has been fixed for some time. BobJ: <META...> should only occur in the
head, but a tremendous amount of HTML on the web has them appearing virtually
anywhere in the document, and it's something we must support. I've broadened the
parseFragment() api, but not provided an implementation as of yet. Reassigning
back to rich.
Status: NEW → ASSIGNED
Target Milestone: M12 → M13
Since the crashing nature of this has been fixed, I'm moving to M13 and I will
work on using the new API.

- rhp
Summary: [DOGFOOD] Reply/Quoting an HTML attachment leads to a crash under HTML send option → [DOGFOOD] Need to parse any quoted HTML and pass in charset for insert operation
** Checked with 12/6/99 Win32 build  **

The crash bug does occur if the auto-detction module for Japanese is turned. Without the auto-detection
module tunred off, the crash does not occur. The steps to reproduce this problem are as follows.

1. The above Smoketesy.zip file contains 5 msgs.
2. The 3rd msg from top is a JPN message body with an HTML attachment (Netscape
   Home Page which was sent by 4.6 using "Send Page" option).
3. On the Browser window, select "View | Auto-Detect | Japanese".
4. Now back to Mail, select the 3rd msg on IMAP or POP server.
   occurs whether or not the attachment display is correct.)
5. Now engage Reply / w auto-quoting under HTML mail send option.
6. In the process of assembling this message, Mozilla crashes.

Note: Turn off Japanese auto-detection by choosing "View | Auto-Detect | off". Then follow steps 4 and 5. The
         crash does not occur.
Apparently the reason that the crash does not occur when the auto-detection is turned off
is that quoting of Japanese attachment does not occur in that case -- this could be another bug.
Naoki was able to reproduce this problem with non-Japanese page and without
the auto-detect module turned on.

To reproduce with a Swedish page:

1. Using 4.x, send this page to yourself:

   http://cnn.passagen.se/ekonomi/article.jhtml?articleID=556254

2. receive it with Mozilla.
3. Don't have any auto-detect module turned. Then engage reply button.
4. This should lead to a crash.

Here's Naoki's Talkback incident report:

--------------------------------------------------

Trigger Type:  Program Crash

 Trigger Reason:  Access violation

 Call Stack:    (Signature = nsBlockFrame::DoRemoveFrame 0f2762ae)

      nsBlockFrame::DoRemoveFrame

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 4816]

      nsBlockFrame::DeleteChildsNextInFlow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 4833]

      nsBlockReflowContext::ReflowBlock

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 354]

      nsBlockFrame::ReflowBlockFrame

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3260]

      nsBlockFrame::ReflowLine

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2630]

      nsBlockFrame::ReflowDirtyLines

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2437]

      nsBlockFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 1491]

      nsBlockReflowContext::ReflowBlock

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line 260]

      nsBlockFrame::ReflowBlockFrame

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3260]

      nsBlockFrame::ReflowLine

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2630]

      nsBlockFrame::ReflowDirtyLines

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2437]

      nsBlockFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 1491]

      nsAreaFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsAreaFrame.cpp, line 275]

      nsContainerFrame::ReflowChild

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 628]

      RootFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.cpp, line 334]

      nsContainerFrame::ReflowChild

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 628]

      nsScrollPortFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsScrollPortFrame.cpp, line 405]

      nsContainerFrame::ReflowChild

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 628]

      nsGfxScrollFrameInner::ReflowFrame

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1197]

      nsGfxScrollFrameInner::ReflowScrollArea

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 1262]

      nsGfxScrollFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfxScrollFrame.cpp, line 469]

      nsContainerFrame::ReflowChild

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 628]

      ViewportFrame::Reflow

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewportFrame.cpp, line 527]

      nsHTMLReflowCommand::Dispatch

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLReflowCommand.cpp, line 145]

      PresShell::ProcessReflowCommands

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 1706]

      PresShell::ExitReflowLock

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 766]

      PresShell::ContentAppended

[d:\builds\seamonkey\mozilla\layout\html\base\src\nsPresShell.cpp, line 2160]

      nsDocument::ContentAppended
                                                                                        [d:\builds\seamonkey\mozilla\layout\base\src\nsDocument.cpp,
line 1545]

      nsHTMLDocument::ContentAppended

[d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLDocument.cpp, line 1041]

      nsGenericHTMLContainerElement::AppendChildTo

[d:\builds\seamonkey\mozilla\layout\html\content\src\nsGenericHTMLElement.cpp, line 2963]

      nsGenericHTMLContainerElement::InsertBefore

[d:\builds\seamonkey\mozilla\layout\html\content\src\nsGenericHTMLElement.cpp, line 2618]

      nsHTMLTableElement::InsertBefore

[d:\builds\seamonkey\mozilla\layout\html\content\src\nsHTMLTableElement.cpp, line 120]

      InsertElementTxn::Do
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\InsertElementTxn.cpp,
line 106]

      nsTransactionItem::Do

[d:\builds\seamonkey\mozilla\editor\txmgr\src\nsTransactionItem.cpp, line 108]

      nsTransactionManager::BeginTransaction

[d:\builds\seamonkey\mozilla\editor\txmgr\src\nsTransactionManager.cpp, line 1035]

      nsTransactionManager::Do

[d:\builds\seamonkey\mozilla\editor\txmgr\src\nsTransactionManager.cpp, line 124]

      nsEditor::Do
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsEditor.cpp, line 393]

      nsEditor::InsertNode
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsEditor.cpp, line 980]

      nsHTMLEditor::InsertHTML
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditor.cpp,
line 1438]

      nsHTMLEditor::InsertAsCitedQuotation
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditor.cpp,
line 3792]

      nsHTMLEditorLog::InsertAsCitedQuotation
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditorLog.cpp,
line 463]

      nsHTMLEditor::InsertAsQuotation
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditor.cpp,
line 3684]

      nsHTMLEditorLog::InsertAsQuotation
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditorLog.cpp,
line 423]

      nsEditorShell::InsertAsQuotation
                                                                                        [d:\builds\seamonkey\mozilla\editor\base\nsEditorShell.cpp, line
1975]

      nsMsgCompose::ConvertAndLoadComposeWindow

[d:\builds\seamonkey\mozilla\mailnews\compose\src\nsMsgCompose.cpp, line 246]

      QuotingOutputStreamListener::OnStopRequest

[d:\builds\seamonkey\mozilla\mailnews\compose\src\nsMsgCompose.cpp, line 1172]

      nsStreamConverter::OnStopRequest

[d:\builds\seamonkey\mozilla\mailnews\mime\src\nsStreamConverter.cpp, line 736]

      nsOnStopRequestEvent::HandleEvent

[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line 279]

      nsStreamListenerEvent::HandlePLEvent

[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line 94]

      PL_HandleEvent
                                                                                        [plevent.c, line 523]

      _md_EventReceiverProc
                                                                                        [plevent.c, line 951]

      USER32.dll + 0x1250 (0x77e71250)

--------------------------------------------------
Is this the same bug?
The Swedish page mentioned above (1) does not have any <META> tags, and
(2)it uses <LAYER> tags...

<LAYER> tags are not supported right now, but they shouldn't shouldn't
cause a crash (if that ***is*** the problem).
*** Bug 21218 has been marked as a duplicate of this bug. ***
With linux 121411-M12 build, the crash still happens when replying in plain text
mode with charset auto detector turned on. When the charset auto detector is
turned off, the crash doesn't happen either in plain text or HTML mode.
On 12/14/99 Win32 M12 build (1999121408), I can also reproduce
this problem under plain text send option only  with the Auto-Detect
(Japanese) turned on. When it is off, the attachment does not
get quoted and so apparently avoids this crash.
Do you (ji and momoi) have stack traces for your crashes?  Or, are they the
same as the ones already in the bug report?

Is crashing on quote replies with Japanese auto-detect on, a dogfood problem?
Seems like this is the normal state for users reading/writing Japanese email.
This was demoted when we thought the crashing was fixed, if we need to
reconsider, please clear "[PDT-]" from the Whiteboard and explain why.

Also, I'm confused by the symptom and the analyis. Why would whether Japanese
auto-detect is on or off, affect the pasting of a fragment?  No matter what
was detected, aren't we always going to include a META tag in the pasted
fragment?
Here's the dump I got today with 12/14/99 Win32 build using the
steps I described above. Does not look the same as the one before.

-------------------------
Trigger Type:  Program Crash

 Trigger Reason:  Access violation

 Call Stack:    (Signature = nsDocLoaderImpl::GetContentViewerContainer
eec3f3d3)

   nsDocLoaderImpl::GetContentViewerContainer

[d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 810]

   nsObserverBase::NotifyWebShell

[d:\builds\seamonkey\mozilla\intl\chardet\src\nsObserverBase.cpp, line 60]

   nsMetaCharsetObserver::Notify

[d:\builds\seamonkey\mozilla\intl\chardet\src\nsMetaCharsetObserver.cpp, line
267]

   nsMetaCharsetObserver::Notify

[d:\builds\seamonkey\mozilla\intl\chardet\src\nsMetaCharsetObserver.cpp, line
145]

   nsObserverNotifier::operator()

[d:\builds\seamonkey\mozilla\htmlparser\src\nsDTDUtils.h, line 322]

   nsDeque::FirstThat

[d:\builds\seamonkey\mozilla\xpcom\ds\nsDeque.cpp, line 365]

   CObserverService::Notify

[d:\builds\seamonkey\mozilla\htmlparser\src\nsDTDUtils.cpp, line 928]

   CNavDTD::WillHandleStartTag

[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 1101]

   CNavDTD::HandleStartToken

[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 1286]

   CNavDTD::HandleToken

[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 764]

   CNavDTD::BuildModel

[d:\builds\seamonkey\mozilla\htmlparser\src\CNavDTD.cpp, line 528]

   nsParser::BuildModel

[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 1044]

   nsParser::ResumeParse

[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 968]

   nsParser::Parse

[d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 845]

   ConvertBufToPlainText

[d:\builds\seamonkey\mozilla\mailnews\compose\src\nsMsgCompUtils.cpp, line 1952]

   QuotingOutputStreamListener::ConvertToPlainText

[d:\builds\seamonkey\mozilla\mailnews\compose\src\nsMsgCompose.cpp, line 1049]

   QuotingOutputStreamListener::OnStopRequest

[d:\builds\seamonkey\mozilla\mailnews\compose\src\nsMsgCompose.cpp, line 1161]

   nsStreamConverter::OnStopRequest

[d:\builds\seamonkey\mozilla\mailnews\mime\src\nsStreamConverter.cpp, line 736]

   nsOnStopRequestEvent::HandleEvent

[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line
279]

   nsStreamListenerEvent::HandlePLEvent

[d:\builds\seamonkey\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp, line
94]

   PL_HandleEvent
                                                  [plevent.c, line 523]

   _md_EventReceiverProc
                                                  [plevent.c, line 951]

   USER32.dll + 0x1186 (0x77e41186)

----------------------------------------------
The crashes we are seeing recently may not be related to
the original bug I reported. If so, we probably should create
another bug for this latetr problem.
Create a new bug please.
Eventually, we will scan the data to insert for the charset and pass that in to
the insert call. No META tags.

- rhp
The crashing part of this bug seems like a beta stopper.
This bug got too cluttered with 3 different types of crash reports.
So, let me sort these out here as of 12/23/99 Win32 M13 build.

There are 3 types of crashes reported in this bug:

1. The original crash bug whose stack trace shows: nsHTMLDivElement::Release
   as the beginning line.
   This was obtained with HTML send option and no auto-detection modules ON.
   This crash no longer occurs with the above M13 build.

2. The 2nd type of crash was mentioned bv rhp. This involves:

   nsDocLoaderImpl::GetContentViewerContainer

   this still occurs when the 3rd Intl Smoketest msg is replied using
   Plain text option on with the Japanese auto-detection ON.
   This crash will not happen if HTML option used or if
   the auto-detection is OFF. The latter is because wuoting of
   the attachment does not occur under that condition.

   I and also ji recently reported this crash with M12 release build.

3. The 3rd type of crash was originally found by nhotta
   and was reported here by me. ducarroz's example
   also seems to be this one. This one involves:

   nsBlockFrame::DoRemoveFrame

   and ths still occurs with the above M13 build. I have a
   crash report today which looks exactly like the one
   mentioned in my comment on 12/6/99.

I don't think it wise to deal with all these bugs under one
umbrella given the differences in stack traces.

Since the original bug is gone now (type 1 above), I want to
suggest that we keep this bug for Type 2. I'll file a new bug
for Type 3.

Here's a fresh stack trace on this bug produced by attaching the CNN page
to mail and then reply/quoting with Mozilla, and here's how to reproduce
this crash:


1. Using 4.x, send this page to yourself:

   http://cnn.passagen.se/ekonomi/article.jhtml?articleID=556254

2. receive it with Mozilla.
3. Don't have any auto-detect module turned. Then engage reply button.
4. This should lead to a crash.

-----------------------------------------------------

Trigger Type:  Program Crash
Trigger Reason:  Access violation
Call Stack:    (Signature = nsBlockFrame::DoRemoveFrame b3e6130d)
nsBlockFrame::DoRemoveFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\ns  BlockFrame.cpp, line
4809]
nsBlockFrame::DeleteChildsNextInFlow
[d:\builds\seamonkey\mozilla\layout\html\ba  se\src\nsBlockFrame.cpp, line
4826]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\  src\nsBlockReflowContext.cpp,
line 354]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src  \nsBlockFrame.cpp, line
3251]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlo  ckFrame.cpp, line
2621]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\sr  c\nsBlockFrame.cpp, line
2428]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFr  ame.cpp, line
1492]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\  src\nsBlockReflowContext.cpp,
line 260]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src  \nsBlockFrame.cpp, line
3251]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlo  ckFrame.cpp, line
2621]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src  \nsBlockFrame.cpp, line
2428]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFr  ame.cpp, line
1492]
nsAreaFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsAreaFram  e.cpp, line 275]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\  nsContainerFrame.cpp, line
644]
RootFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsHTMLFrame.  cpp, line 334]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src  \nsContainerFrame.cpp, line
644]
nsScrollPortFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsSc  rollPortFrame.cpp, line
405]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\  nsContainerFrame.cpp, line
644]
nsGfxScrollFrameInner::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\bas  e\src\nsGfxScrollFrame.cpp, line
1254]
nsGfxScrollFrameInner::ReflowScrollArea
[d:\builds\seamonkey\mozilla\layout\htm  l\base\src\nsGfxScrollFrame.cpp, line
1319]
nsGfxScrollFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsGfx  ScrollFrame.cpp, line
521]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\  nsContainerFrame.cpp, line
644]
ViewportFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsViewpo  rtFrame.cpp, line
527]
nsHTMLReflowCommand::Dispatch
[d:\builds\seamonkey\mozilla\layout\html\base\src\  nsHTMLReflowCommand.cpp,
line 145]
PresShell::ProcessReflowCommands
[d:\builds\seamonkey\mozilla\layout\html\base\  src\nsPresShell.cpp, line 1842]
PresShell::ExitReflowLock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsP  resShell.cpp, line 825]
PresShell::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\base\src\ns  PresShell.cpp, line 2296]
nsDocument::ContentAppended
[d:\builds\seamonkey\mozilla\layout\base\src\nsDocu  ment.cpp, line 1545]
nsHTMLDocument::ContentAppended
[d:\builds\seamonkey\mozilla\layout\html\documen  t\src\nsHTMLDocument.cpp,
line 1110]
nsGenericContainerElement::AppendChildTo
[d:\builds\seamonkey\mozilla\layout\b  ase\src\nsGenericElement.cpp, line 2146]
nsGenericHTMLContainerElement::InsertBefore
[d:\builds\seamonkey\mozilla\layout\
html\content\src\nsGenericHTMLElement.cpp, line 2618]
nsHTMLTableCellElement::InsertBefore
[d:\builds\seamonkey\mozilla\layout\html\c
ontent\src\nsHTMLTableCellElement.cpp]
InsertElementTxn::Do
[d:\builds\seamonkey\mozilla\editor\base\InsertElementTxn.c  pp, line 106]
nsTransactionItem::Do
[d:\builds\seamonkey\mozilla\editor\txmgr\src\nsTransactio  nItem.cpp, line
108]
nsTransactionManager::BeginTransaction
[d:\builds\seamonkey\mozilla\editor\txm  gr\src\nsTransactionManager.cpp, line
1035]
nsTransactionManager::Do
[d:\builds\seamonkey\mozilla\editor\txmgr\src\nsTransa  ctionManager.cpp, line
124]
nsEditor::Do [d:\builds\seamonkey\mozilla\editor\base\nsEditor.cpp, line 395]
  nsEditor::InsertNode  [d:\builds\seamonkey\mozilla\editor\base\nsEditor.cpp,
l  ine 993]
nsHTMLEditor::InsertHTML
[d:\builds\seamonkey\mozilla\editor\base\nsHTMLEditor.c  pp, line 1493]
nsHTMLEditor::InsertAsCitedQuotation
[d:\builds\seamonkey\mozilla\editor\base\ns  HTMLEditor.cpp, line 3864]
nsHTMLEditorLog::InsertAsCitedQuotation
[d:\builds\seamonkey\mozilla\editor\base  \nsHTMLEditorLog.cpp, line 463]
nsHTMLEditor::InsertAsQuotation
[d:\builds\seamonkey\mozilla\editor\base\nsHTML  Editor.cpp, line 3755]
nsHTMLEditorLog::InsertAsQuotation
[d:\builds\seamonkey\mozilla\editor\base\nsH  TMLEditorLog.cpp, line 423]
nsEditorShell::InsertAsQuotation
[d:\builds\seamonkey\mozilla\editor\base\nsEdi  torShell.cpp, line 2002]
nsMsgCompose::ConvertAndLoadComposeWindow
[d:\builds\seamonkey\mozilla\mailnews\  compose\src\nsMsgCompose.cpp, line 246]
QuotingOutputStreamListener::OnStopRequest
[d:\builds\seamonkey\mozilla\mailnews  \compose\src\nsMsgCompose.cpp, line
1172]
nsStreamConverter::OnStopRequest
[d:\builds\seamonkey\mozilla\mailnews\mime\src\  nsStreamConverter.cpp, line
744]
nsOnStopRequestEvent::HandleEvent
[d:\builds\seamonkey\mozilla\netwerk\base\src  \nsAsyncStreamListener.cpp, line
279]
nsStreamListenerEvent::HandlePLEvent
[d:\builds\seamonkey\mozilla\netwerk\base\  src\nsAsyncStreamListener.cpp, line
94]
PL_HandleEvent [plevent.c, line 523]
_md_EventReceiverProc [plevent.c, line 951]
USER32.dll + 0x1186 (0x77e41186)
-----------------------------------------------------
I'm sorry, what I mean to say above is that we keep this bug
for Type 3 crash - CNN Swedish page bug, and file a new
one for Type 2 as analyzed by Rich. I'll do the latter now.
Assignee: rhp → rickg
URL: http://rocknroll/users/momoi/publish/...http://cnn.passagen.se/ekonomi/articl...
Status: ASSIGNED → NEW
Summary: [DOGFOOD] Need to parse any quoted HTML and pass in charset for insert operation → [DOGFOOD] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to a crash
Whiteboard: [PDT-] rickg to make it not crash; real fix after t'giving
The reason I'm suggesting to keep this bug for type 3 crash is
that both type 3 and the original crash bug seem to have something
to do with parsing HTML elements. This is thus not rhp's bug any more.

The original bug seems to have been fixed. See for example
 -- rickg@netscape.com  1999-12-05 17:25 -- comment.

But a simialr bug crashing bugs still exists as caused by
replying to a msg which contains CNN Swedish page as an
attachment as described in -- momoi@netscape.com  1999-12-25 02:22 --
along with the crash report. (See the updated URL above also.)

I therefore corrected the summary line and now send it to
rickg.

The Type 2 bug under the Plain Text mail send option and reply/quoting
an atatched document which contains an meta charset tag was filed
as Bug 22655 and assigned to rhp.

As this is a crasher, this should be marked [Beta stopper].
Whiteboard: [PDT-]
I'll render a preliminary PDT- for the team. This does not appear to be a
pervasive problem that precludes use be dedicated dogfood eaters.  If I'm
underastimating the impact, please delete the PDT annotation, and add a comment
to explain the broader impact.
Thanks,
Jim
Assignee: rickg → troy
Troy -- is the block frame crash below something you can address?  Thanks.
Assignee: troy → kipp
Block/inline bug
Summary: [DOGFOOD] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to a crash → [BLOCK] [DOGFOOD] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to a crash
any chance of getting a simpler test case, especially one that doesn't involve
mail?  I've had trouble getting into mail the past few days.  Today, I can't log
on.  No matter what I try, it tells me my password is invalid.
Assignee: kipp → buster
assigning to myself
I don't see this crash today (winNT, debug build, source pulled 1/12/00pm).  Can
you verify that it still crashes?

What I see is the page loads into the reply compose window, but it continually
reloads because of the ad banner.  That's a URL loader bug for travis or mscott,
probably.
I don't see a crash with 1/11/00 Win32 build, either.
(We haven't had a good mail build since that time to
display and let alone reply to a msg.)

The infinite loop is there, however.

Ehat would be the best thing to do here? Keep it open
and monitor it while working on the loop problem?
Assignee: buster → mscott
Summary: [BLOCK] [DOGFOOD] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to a crash → [BLOCK] [DOGFOOD] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to infinite loop
The crash is gone, replaced by an infinite loop that seems to be triggered by
the ad banner.  Reassigning to mscott, maybe a URL loading problem?  cc'ing
travis and rpotts.
wow, this is a long bug report...Kat, can you summarize for me what is still
causing a problem? (i.e. what I need to do to see it) Thanks!
Target Milestone: M13 → M14
I'll take a look at this in M14....
When I do send page from 4.5 then turn around and get the message in 5.0 and
then reply to it, the quoting in 5.0 only shows the url, it doesn't try to
layout the page in the reply window. So I don't see an infinite loading loop
here. I wonder what I'm doing wrong.

I don't we'll be able to see what the current status of this bug is until Bug 23931
is fixed. That bug makes it impossible to quote HTML attachment material at present.
The dependency is now marked.
Depends on: 23931
Putting dogfood in the keyword field.
Keywords: dogfood
Summary: [BLOCK] [DOGFOOD] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to infinite loop → [BLOCK] HTML Reply/quoting of CNN Swedish page containing certain HTML elements leads to infinite loop
Moving my remaining M14 bugs to M15 which is the next targeted milestone.
Target Milestone: M14 → M15
bulk move to M16. Not an M15 stopper.  If you disagree, pls comment in bug and 
cc: selmer@netscape.com
Target Milestone: M15 → M16
Is this still dogfood??
Whiteboard: [PDT-]
** Checked with 5/20/2000 Win32 build **

The crash was real problem for M15/Beta1/NS PR1 builds.
With todya's build above, I ran through all the cases I have
which induced this crash (type 3 above) and none is causing
the crash described in this report any more. 

I'm happy to say that this is now "Worksforme".
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → WORKSFORME
Verified as Worksforme with the above Win32 build.
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: