Closed Bug 188278 Opened 22 years ago Closed 22 years ago

Mozilla crashes upon loading encoded text

Categories

(Core :: DOM: HTML Parser, defect, P2)

x86
Windows XP
defect


RESOLVED FIXED
mozilla1.3beta

People

(Reporter: raccettura, Assigned: harishd)


Details

(Keywords: hang, Whiteboard: [fix in hand])

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

I was working on a PHP script when I found out that the following string, loaded by Mozilla, results in a crash (when not surrounded by any HTML). An example is the link I made. The script outputs ONLY the text below.

&#114:&#111:&#098:&#101:&#114:&#116:&#

Reproducible: Always

Steps to Reproduce:
1. Load URL

Actual Results:
Mozilla hung. It took my system (Thinkpad 1.8GHz P4 w/512MB RAM) about 4 minutes to get the Task Manager open. Although it didn't render completely, I was able to see that the available system memory dropped down to 4000k, and the paging file was off the chart. CPU wasn't too bad, but my hard drive was burning. My guess is there is a memory leak or something.

Expected Results:
Should have displayed output without stress.
Confirming with today's win2k trunk build:

NTDLL! 778cbc99()
NTDLL! 778cbd4e()
NTDLL! 778cbbb3()
_heap_alloc_base(unsigned int 4912) line 200
_heap_alloc_dbg(unsigned int 4871, int 1, const char * 0x00000000, int 0) line 378 + 9 bytes
_nh_malloc_dbg(unsigned int 4871, int 0, int 1, const char * 0x00000000, int 0) line 248 + 21 bytes
malloc(unsigned int 4871) line 130 + 21 bytes
PR_Malloc(unsigned int 4871) line 474 + 10 bytes
PL_ArenaAllocate(PLArenaPool * 0x03b9865c, unsigned int 40) line 210 + 10 bytes
nsFixedSizeAllocator::Alloc(unsigned int 40) line 128 + 73 bytes
CToken::operator new(unsigned int 40, nsFixedSizeAllocator & {...}) line 128
nsTokenAllocator::CreateTokenOfType(eHTMLTokenTypes eToken_entity, nsHTMLTag eHTMLTag_entity) line 1362 + 14 bytes
nsHTMLTokenizer::ConsumeEntity(unsigned short 38, CToken * & 0x00000000, nsScanner & {...}) line 846 + 15 bytes
nsHTMLTokenizer::ConsumeToken(nsHTMLTokenizer * const 0x03baac58, nsScanner & {...}, int & 0) line 504 + 24 bytes
nsParser::Tokenize(int 1) line 2545 + 26 bytes
nsParser::ResumeParse(int 1, int 1, int 1) line 1772 + 31 bytes
nsParser::OnStopRequest(nsParser * const 0x03b98634, nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 2453 + 21 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x03aaac50, nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 257
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03a84048, nsIRequest * 0x039cce48, nsISupports * 0x00000000, unsigned int 0) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x039cce4c, nsIRequest * 0x03aab5ac, nsISupports * 0x00000000, unsigned int 0) line 3020
nsOnStopRequestEvent::HandleEvent() line 213
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03ba4edc) line 116
PL_HandleEvent(PLEvent * 0x03ba4edc) line 663 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00ea6410) line 593 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x002e03aa, unsigned int 49372, unsigned int 0, long 15361040) line 1379 + 9 bytes
USER32! 77e2a290()
USER32! 77e045b1()
USER32! 77e0a752()
nsAppShellService::Run(nsAppShellService * const 0x00f70f78) line 472
main1(int 2, char * * 0x00276ac8, nsISupports * 0x00276b40) line 1543 + 32 bytes
main(int 2, char * * 0x00276ac8) line 1904 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e8ca90()
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
Should also note bug 188366
Attached patch patch v1.0 (obsolete) — Splinter Review
Prevent the crash/hang by consuming the entity look-alike (&#) as text. That is, what we initially thought of as an entity is not really an entity and hence, by returning the result NS_HTMLTOKENS_NOT_AN_ENTITY, we consume the markup as text.
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [fix in hand]
Target Milestone: --- → mozilla1.3beta
Attachment #111089 - Flags: superreview?(jst)
Attachment #111089 - Flags: review?(heikki)
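The following is an added illustration of the fix described in the comment above; it is not Gecko's code and not the patch. It models the tokenizer path visible in the stack trace (ConsumeToken calling ConsumeEntity, which allocates an entity token) with a toy scanner. The assumed pre-fix mechanism, which the bug does not spell out but which the symptoms and the fix suggest, is that a "&#" not followed by digits and ";" left the scanner position unchanged, so the loop retried the same input without end, allocating a token on every pass. The fixed mode returns a NotAnEntity result (standing in for NS_HTMLTOKENS_NOT_AN_ENTITY) and consumes "&#" as ordinary text. All names (consumeEntity, tokenize, TokKind, EntityResult, TokenizeResult) and the iteration cap are this example's own.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Toy model of the tokenizer path in the bug's stack trace. Not Gecko code.
enum class TokKind { Text, Entity };
struct Token {
    TokKind kind;
    std::string value;
};

// Stand-in for the patch's NS_HTMLTOKENS_NOT_AN_ENTITY result (example's own name).
enum class EntityResult { Entity, NotAnEntity };

// Attempt to consume a numeric character reference "&#<digits>;" at in[pos].
// Only a complete, well-formed reference is accepted. Anything else, including
// the reporter's "&#114:" (colon instead of semicolon) and a trailing "&#",
// is reported as NotAnEntity and pos is left untouched.
EntityResult consumeEntity(const std::string& in, std::size_t& pos, std::string& out) {
    std::size_t p = pos;
    if (p + 1 >= in.size() || in[p] != '&' || in[p + 1] != '#') {
        return EntityResult::NotAnEntity;
    }
    p += 2;
    const std::size_t digitsStart = p;
    while (p < in.size() && std::isdigit(static_cast<unsigned char>(in[p]))) {
        ++p;
    }
    if (p == digitsStart || p >= in.size() || in[p] != ';') {
        return EntityResult::NotAnEntity;
    }
    out = in.substr(pos, p + 1 - pos);
    pos = p + 1;
    return EntityResult::Entity;
}

struct TokenizeResult {
    std::vector<Token> tokens;
    bool madeProgress;       // false if the loop was cut off without advancing
    std::size_t iterations;  // passes through the main loop
};

// fixed == false models the assumed pre-patch behaviour: a failed "&#" leaves the
// scanner where it was, so the loop retries forever. The real tokenizer allocated
// a fresh entity token on every such pass (see the trace); here each pass is only
// counted. fixed == true models the patch: the look-alike "&#" is consumed as text.
// maxIterations is a guard so the buggy mode terminates in this example.
TokenizeResult tokenize(const std::string& in, bool fixed, std::size_t maxIterations = 1000) {
    TokenizeResult r{{}, true, 0};
    std::size_t pos = 0;
    std::string text;
    auto flushText = [&]() {
        if (!text.empty()) {
            r.tokens.push_back({TokKind::Text, text});
            text.clear();
        }
    };

    while (pos < in.size()) {
        if (++r.iterations > maxIterations) {
            r.madeProgress = false;
            break;
        }
        if (in[pos] == '&' && pos + 1 < in.size() && in[pos + 1] == '#') {
            std::string ref;
            if (consumeEntity(in, pos, ref) == EntityResult::Entity) {
                flushText();
                r.tokens.push_back({TokKind::Entity, ref});
                continue;
            }
            if (!fixed) {
                continue;  // no progress: spins on "&#114:" or a trailing "&#"
            }
            // Patch behaviour: "&#" is ordinary text; the rest follows normally.
            text += in[pos++];
            text += in[pos++];
            continue;
        }
        text += in[pos++];  // a bare '&' or any other byte is plain text
    }
    flushText();
    return r;
}

int main() {
    // The reporter's exact input (from the bug description).
    const std::string reported = "&#114:&#111:&#098:&#101:&#114:&#116:&#";
    TokenizeResult before = tokenize(reported, /*fixed=*/false);
    TokenizeResult after = tokenize(reported, /*fixed=*/true);
    std::cout << "before fix: progress=" << before.madeProgress
              << " iterations=" << before.iterations << '\n';
    std::cout << "after fix: progress=" << after.madeProgress
              << " tokens=" << after.tokens.size() << '\n';
    return 0;
}
```

With the reporter's string, the buggy mode hits the iteration cap without advancing, which is the stand-in for the unbounded allocation and hang; the fixed mode yields a single text token containing the whole string, and a well-formed reference such as "&#98;" is still recognised as an entity in both modes.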
Attached patch patch v1.1 — Splinter Review
Addressing reviewer's concern.
Attachment #111089 - Flags: superreview?(jst)
Attachment #111089 - Flags: review?(heikki)
Attachment #111090 - Flags: superreview?(jst)
Attachment #111090 - Flags: review?(heikki)
Attachment #111089 - Attachment is obsolete: true
Attachment #111090 - Flags: review?(heikki) → review+
Comment on attachment 111090 [details] [diff] [review] patch v1.1 sr=jst
Attachment #111090 - Flags: superreview?(jst) → superreview+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED