Closed Bug 188278 Opened 18 years ago Closed 18 years ago

Mozilla crashes upon loading encoded text

Categories

(Core :: DOM: HTML Parser, defect, P2)

x86
Windows XP
defect

RESOLVED FIXED
mozilla1.3beta

People

(Reporter: raccettura, Assigned: harishd)

Details

(Keywords: hang, Whiteboard: [fix in hand])

Attachments

(1 file, 1 obsolete file)

781 bytes, patch (hjtoi-bugzilla: review+)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

I was working on a PHP script when I found out that the following string loaded
by Mozilla results in a crash (when not surrounded by any HTML).

An example is the link I made.  The script outputs ONLY the text below.
&#114:&#111:&#098:&#101:&#114:&#116:&#

Reproducible: Always

Steps to Reproduce:
1.  Load URL

Actual Results:  
Mozilla hung.  It took my system (Thinkpad 1.8GHz P4 w/512MB RAM) about 4
minutes to get the Task Manager open.  Although it didn't render completely, I
was able to see that the available system memory dropped down to 4000k, and the
paging file was off the chart.  CPU wasn't too bad.  But my hard drive was
burning.  My guess is there is a memory leak or something.

Expected Results:  
Should have displayed output without stress.
Confirming with today's win2k trunk build:
NTDLL! 778cbc99()
NTDLL! 778cbd4e()
NTDLL! 778cbbb3()
_heap_alloc_base(unsigned int 4912) line 200
_heap_alloc_dbg(unsigned int 4871, int 1, const char * 0x00000000, int 0) line
378 + 9 bytes
_nh_malloc_dbg(unsigned int 4871, int 0, int 1, const char * 0x00000000, int 0)
line 248 + 21 bytes
malloc(unsigned int 4871) line 130 + 21 bytes
PR_Malloc(unsigned int 4871) line 474 + 10 bytes
PL_ArenaAllocate(PLArenaPool * 0x03b9865c, unsigned int 40) line 210 + 10 bytes
nsFixedSizeAllocator::Alloc(unsigned int 40) line 128 + 73 bytes
CToken::operator new(unsigned int 40, nsFixedSizeAllocator & {...}) line 128
nsTokenAllocator::CreateTokenOfType(eHTMLTokenTypes eToken_entity, nsHTMLTag
eHTMLTag_entity) line 1362 + 14 bytes
nsHTMLTokenizer::ConsumeEntity(unsigned short 38, CToken * & 0x00000000,
nsScanner & {...}) line 846 + 15 bytes
nsHTMLTokenizer::ConsumeToken(nsHTMLTokenizer * const 0x03baac58, nsScanner &
{...}, int & 0) line 504 + 24 bytes
nsParser::Tokenize(int 1) line 2545 + 26 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1772 + 31 bytes
nsParser::OnStopRequest(nsParser * const 0x03b98634, nsIRequest * 0x039cce48,
nsISupports * 0x00000000, unsigned int 0) line 2453 + 21 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03aaac50,
nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 257
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03a84048,
nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x039cce4c, nsIRequest *
0x03aab5ac, nsISupports * 0x00000000, unsigned int 0) line 3020
nsOnStopRequestEvent::HandleEvent() line 213
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03ba4edc) line 116
PL_HandleEvent(PLEvent * 0x03ba4edc) line 663 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ea6410) line 593 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002e03aa, unsigned int 49372, unsigned int 0,
long 15361040) line 1379 + 9 bytes
USER32! 77e2a290()
USER32! 77e045b1()
USER32! 77e0a752()
nsAppShellService::Run(nsAppShellService * const 0x00f70f78) line 472
main1(int 2, char * * 0x00276ac8, nsISupports * 0x00276b40) line 1543 + 32 bytes
main(int 2, char * * 0x00276ac8) line 1904 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e8ca90()
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
Should also note bug 188366
Attached patch patch v1.0 (obsolete)
Prevent the crash/hang by consuming the entity-look-alike (&#) as text. That
is, what we initially thought of as an entity is not really an entity and hence,
by returning the result NS_HTMLTOKENS_NOT_AN_ENTITY, we consume the markup as
text.
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [fix in hand]
Target Milestone: --- → mozilla1.3beta
Attachment #111089 - Flags: superreview?(jst)
Attachment #111089 - Flags: review?(heikki)
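Added example, not the Mozilla patch itself: a small C++ tokenizer in the spirit of the fix described above, which treats an "&#" that is not followed by a digit, including the truncated "&#" that ends the reporter's string, as plain text and always advances the scanner position. The token kind names and the 7-digit cap are my own assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Token kinds for this illustration (assumed names, not Mozilla's).
enum class Kind { Text, Entity };
struct Token { Kind kind; std::string value; };  // raw text run or decoded char

// Try to consume a numeric character reference ("&#" + digits + optional ';')
// at pos, where text[pos] == '&'. On success advances pos and stores the decoded
// character in out. On failure (including a bare "&#" at end of input) leaves
// pos untouched and returns false, the NOT_AN_ENTITY path: the '&' becomes text.
static bool consumeNumericEntity(const std::string& text, size_t& pos,
                                 std::string& out) {
    size_t i = pos;
    if (i + 1 >= text.size() || text[i] != '&' || text[i + 1] != '#') return false;
    i += 2;
    const size_t start = i;
    unsigned long code = 0;
    while (i < text.size() && i - start < 7 &&  // bounded: no accumulator overflow
           std::isdigit(static_cast<unsigned char>(text[i]))) {
        code = code * 10 + static_cast<unsigned long>(text[i] - '0');
        ++i;
    }
    if (i == start) return false;                 // "&#" with no digits
    if (i < text.size() && text[i] == ';') ++i;   // terminator is optional
    out.assign(1, code < 128 ? static_cast<char>(code) : '?');  // ASCII only
    pos = i;
    return true;
}

// Split input into text and entity tokens; every iteration advances pos by at
// least one character, so the tokenizer always terminates.
std::vector<Token> tokenize(const std::string& text) {
    std::vector<Token> tokens;
    std::string pending;  // current run of plain text
    size_t pos = 0;
    while (pos < text.size()) {
        std::string decoded;
        if (text[pos] == '&' && consumeNumericEntity(text, pos, decoded)) {
            if (!pending.empty()) tokens.push_back({Kind::Text, pending});
            pending.clear();
            tokens.push_back({Kind::Entity, decoded});
        } else {
            pending += text[pos++];  // not an entity: consume the char as text
        }
    }
    if (!pending.empty()) tokens.push_back({Kind::Text, pending});
    return tokens;
}
```

Fed the reporter's string, the tokenizer yields six entity tokens separated by ":" text runs and a final ":&#" text token instead of looping in the entity path.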
Attached patch patch v1.1
Addressing reviewer's concern.
Attachment #111089 - Flags: superreview?(jst)
Attachment #111089 - Flags: review?(heikki)
Attachment #111090 - Flags: superreview?(jst)
Attachment #111090 - Flags: review?(heikki)
Attachment #111089 - Attachment is obsolete: true
Attachment #111090 - Flags: review?(heikki) → review+
Comment on attachment 111090 [details] [diff] [review]
patch v1.1

sr=jst
Attachment #111090 - Flags: superreview?(jst) → superreview+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED