188474 - M130B Trunk crash [@ SinkContext::AddComment ]

Status: VERIFIED WORKSFORME

(Core :: DOM: HTML Parser, defect)

Description

[Henrik Gemal]

going to:
http://nyhedsgrupper.tdconline.dk
crashes mozilla

20030109 on WinXP

Comment 1

[Olivier Cahagne]

confirming using build 2003010808 on Win2k: TB16006921X.

Comment 2

[Boris Zbarsky [:bzbarsky]]

stephend, could you get the stack?

Comment 3

[Olivier Cahagne]

Attachment: Reduced (HTML) testcase

This testcase crashes, note however that loading
http://nyhedsgrupper.tdconline.dk/usenet.js directly in browser also crashes
Mozilla.
Maybe a document.write() regression ?

Comment 4

[Olivier Cahagne]

Comment on attachment 111156 [details]
Reduced (HTML) testcase

sorry for the spam, this testcase crashed for me when loading usenet.js from
local file, does not crash when loading usenet.js from external server. Will
try to reduce the JS in a next testcase.

Comment 5

[Olivier Cahagne]

Attachment: Reduced testcase crashes Mozilla 20030108 (and 09)

This time, reduced testcase.

Comment 6

[Ruslan Ismailov]

Hmm. Reduced testcase crash me on WinXP with Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.3b) Gecko/20030109, but initial site not.

Not crashed with Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.2.1) Gecko/20021130
on Win98.

BTW, I think div foo could be removed, and a comment from header.

Comment 7

[Adrian Ulrich]

Both testcases are also working (= NO crash) with mozilla 20021211 on NT 4..

Comment 8

[Hermann Schwab]

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030108
TB16012223E,  TB16012435E,  TB16012910H, TB16013392H

All talkbacks but one from original URL, last talkback from fresh booted
Win98SE, fresh started mozilla.
One talkback from crash at closing mozilla:
After crash restarted mozilla to copy data (bug-# and URL),
the sent talkback, closed that newly opened mozilla, crash.

Comment 9

[Hermann Schwab]

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030108
TB16013751Z 2nd reduced testcase

Comment 10

[Olivier Cahagne]

must be dupe of bug 185073.

Comment 11

[Andrew Schultz]

URL and testcase workforme with linux cvs trunk from yesterday.

patch for bug 185073 was checked in this morning (4:30AM).  you might try a
build from today.

Comment 12

[Hermann Schwab]

Regression between Jan, 3rd and Jan 4th

Build ID 2003010304
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030103 is ok

Build ID 2003010408
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030104 crashes 

TB16014329K, TB16015761W, TB16015876H 

Comment 13

[Hermann Schwab]

Works for me now, Build ID 2003011004
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030110

Comment 14

[Harshal Pradhan]

Im not sure that this was the same as bug 185073.
I dont crash in my current cvs debug build, both with and without the patch from
that bug.  So, really cant say without looking at a stack or further investigation.

Comment 15

[Olivier Cahagne]

also crashes Linux build 20030109, not 20030110.
OS -> All.

Comment 16

[stephend@netscape.com (gone - use stephen.donner@gmail.com instead)]

SinkContext::AddComment
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1955]
HTMLContentSink::AddComment
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 3673]
CNavDTD::HandleCommentToken
[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 2256]
CNavDTD::HandleToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp,
line 963] 

Comment 17

[Boris Zbarsky [:bzbarsky]]

To parser.  I bet this _is_ a dup of bug 185073 -- the parent we are trying to
append to is garbage when I crash....

Note that whether the crash happens depends on what random memory the parent
pointer is pointing to, so some people may not see this _every_ time.

In any case, I crash on the testcase with builds up to this morning; this
morning's build does _not_ crash.

Comment 18

[harishd]

WFM in 20030110.

Comment 19

[Henrik Gemal]

v

Comment 20

[Jay Patel [:jay]]

Adding topcrash keyword for future reference...this *was* a topcrasher on the
MozillaTrunk.  No crashes reported after builds from 1/10.

Comment 21

[Jay Patel [:jay]]

Reopening for now to see what everyone else thinks...but I just crashed with a
similar stacktrace going to
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3008284272&category=15046 .

Here is my incident:
Incident ID 17300619
Stack Signature 	SinkContext::AddComment 3aeac5d5
Email Address 	jpatel@netscape.com
Product ID 	MozillaTrunk
Build ID 	2003021008
Trigger Time 	2003-02-18 13:09:11
Platform 	Win32
Operating System 	Windows NT 5.1 build 2600
Module 	gklayout.dll
URL visited 
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3008284272&category=15046
User Comments 	Just cut and pasted the URL and tried to load. Crashed immediately.
Trigger Reason 	Access violation
Source File Name 
c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp
Trigger Line No. 	1957
Stack Trace 	
SinkContext::AddComment
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1957]
HTMLContentSink::AddComment
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 3677]
CNavDTD::HandleCommentToken
[c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp, line 2243]
CNavDTD::HandleToken [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp,
line 961]
CNavDTD::BuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/CNavDTD.cpp,
line 528]
nsParser::BuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp,
line 1909]
nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp,
line 1773]
nsParser::ContinueParsing
[c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1390]
HTMLContentSink::ScriptEvaluated
[c:/builds/seamonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 5595]
nsScriptLoader::FireScriptEvaluated
[c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 533]
nsScriptLoader::ProcessRequest
[c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 492]
nsScriptLoader::OnStreamComplete
[c:/builds/seamonkey/mozilla/content/base/src/nsScriptLoader.cpp, line 832]
nsStreamLoader::OnStopRequest
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp, line 144]
nsStreamListenerTee::OnStopRequest
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66]
nsHttpChannel::OnStopRequest
[c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 2951]
nsInputStreamPump::OnStateStop
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 468]
nsInputStreamPump::OnInputStreamReady
[c:/builds/seamonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp, line 321]
nsInputStreamReadyEvent::EventHandler
[c:/builds/seamonkey/mozilla/xpcom/io/nsStreamUtils.cpp, line 112]
PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 664]
PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c,
line 597]
_md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line
1386]
USER32.dll + 0x3d91 (0x77d43d91)
USER32.dll + 0x3df7 (0x77d43df7)
nsAppShellService::Run
[c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 480]
main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1289]
main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1639]
WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1660]
WinMainCRTStartup()
kernel32.dll + 0x214c7 (0x77e814c7) 


If that is the same crash, I can add more Talkback data.  But since the testcase
attached no longer crashes, let me know if I should log a new bug.  Thanks.

Comment 22

[Andrew Schultz]

filed bug 194329 for the new crash (it appears to be different)

re-resolving WFM

Comment 23

[Jay Patel [:jay]]

v.wfm.

Comment 24

[Jesse Ruderman]

Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1