Closed
Bug 194329
Opened 22 years ago
Closed 22 years ago
crash in [@ SinkContext::AddComment]
Categories
(Core :: DOM: HTML Parser, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.4alpha
People
(Reporter: ajschult784, Assigned: harishd)
References
()
Details
(4 keywords, Whiteboard: [fixed on the trunk and branch] fixed1.3)
Crash Data
Attachments
(3 files, 1 obsolete file)
274 bytes,
text/html
|
Details | |
3.31 KB,
text/plain
|
Details | |
2.18 KB,
patch
|
hjtoi-bugzilla
:
review+
jst
:
superreview+
asa
:
approval1.3+
|
Details | Diff | Splinter Review |
from bug 188474 ------- Additional Comment #21 From Jay Patel 2003-02-18 13:18 ------- Reopening for now to see what everyone else thinks...but I just crashed with a similar stacktrace going to http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3008284272&category=15046 . -------------------------------------- I'll attach a testcase for the new URL. It appears to be different than the one from bug 188474. Loading the testcase in a debug build produces these assertions before crashing: ###!!! ASSERTION: leaf w/o container: 'mStackPos > 0', file nsHTMLContentSink.cpp, line 2220 ###!!! ASSERTION: container w/o parent: 'mStackPos > 0', file nsHTMLContentSink.cpp, line 1680
Reporter | ||
Comment 1•22 years ago
|
||
crashes linux trunk build 20030220
Reporter | ||
Comment 2•22 years ago
|
||
Reporter | ||
Comment 3•22 years ago
|
||
backing out bug 187790 fixes the crash and assertions
Keywords: regression,
testcase
Comment 4•22 years ago
|
||
crash on testcase: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030221 Talkback couldn´t connect to server, also doesn´t show details.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.4alpha
Andrew: Thanks for the testcase. I was able to crash as well. Will take a look today.
Comment 6•22 years ago
|
||
Making topcrash+ since we have a reproducible testcase.
Problem: The head context, that was opened up by <script>, did not get closed before handling the document.write content ( which is just </div> in the testcase provided ). This caused the head context's stack position to be altered. Fix: Check if the current context is head context, by calling CloseHeadContext(), before closing a container.
This patch prevents <script> from opening up a head context - happened only if a <head> was found after <body> ( not sure why we had to do that. I tracked it down to revision 3.263 of CNavDTD but the checkin comment was not of any help ) - if <script> were to be in the body context; for compatibility we allow <script> to appear anywhere in the document. I'll have to run parser regression tests to confirm this patch.
Attachment #115443 -
Attachment is obsolete: true
Comment 9•22 years ago
|
||
Any chance of getting this into Mozilla 1.3? It's topcrash #10 with Mozilla 1.3 Beta. Should we nominate it?
Assignee | ||
Comment 10•22 years ago
|
||
Comment on attachment 115557 [details] [diff] [review] patc v1.1 Passed parser regression tests.
Attachment #115557 -
Flags: superreview?(jst)
Attachment #115557 -
Flags: review?(heikki)
Comment 11•22 years ago
|
||
Comment on attachment 115557 [details] [diff] [review] patc v1.1 sr=jst. I think it would be worth adding some assertions and some more band-aid code to the sink though to deal with possibly similar errors that could creep up. Please file a new bug on making sure the sink plays nicer and doesn't drop errors like it does today (I have a patch that fixes part of this already, let me know when you've filed a bug and I'll attach it).
Attachment #115557 -
Flags: superreview?(jst) → superreview+
Comment 12•22 years ago
|
||
With a fix in hand, setting to blocking 1.3 with the hope that we can get this into the branch for the release.
Flags: blocking1.3? → blocking1.3+
Updated•22 years ago
|
Attachment #115557 -
Flags: review?(heikki) → review+
Comment 13•22 years ago
|
||
Comment on attachment 115557 [details] [diff] [review] patc v1.1 a=asa (on behalf of drivers) for checkin to the 1.3 branch.
Attachment #115557 -
Flags: approval1.3+
Assignee | ||
Comment 14•22 years ago
|
||
Fixed on the trunk and branch.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [fixed on the trunk] → [fixed on the trunk and branch]
Updated•22 years ago
|
Whiteboard: [fixed on the trunk and branch] → [fixed on the trunk and branch] fixed1.3
Comment 15•21 years ago
|
||
*** Bug 196762 has been marked as a duplicate of this bug. ***
Comment 16•21 years ago
|
||
*** Bug 196762 has been marked as a duplicate of this bug. ***
Comment 17•15 years ago
|
||
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1
Flags: in-testsuite+
Updated•13 years ago
|
Crash Signature: [@ SinkContext::AddComment]
You need to log in
before you can comment on or make changes to this bug.
Description
•