194329 - crash in [@ SinkContext::AddComment]

Status: RESOLVED FIXED

(Core :: DOM: HTML Parser, defect, P1)

Description

[Andrew Schultz]

from bug 188474
------- Additional Comment #21 From Jay Patel  2003-02-18 13:18 -------

Reopening for now to see what everyone else thinks...but I just crashed with a
similar stacktrace going to
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3008284272&category=15046 .

--------------------------------------

I'll attach a testcase for the new URL.  It appears to be different than the one
from bug 188474.  Loading the testcase in a debug build produces these
assertions before crashing:

###!!! ASSERTION: leaf w/o container: 'mStackPos > 0', file
nsHTMLContentSink.cpp, line 2220
###!!! ASSERTION: container w/o parent: 'mStackPos > 0', file
nsHTMLContentSink.cpp, line 1680

Comment 1

[Andrew Schultz]

Attachment: testcase

crashes linux trunk build 20030220

Comment 2

[Andrew Schultz]

Attachment: stacktrace

Comment 3

[Andrew Schultz]

backing out bug 187790 fixes the crash and assertions

Comment 4

[Hermann Schwab]

crash on testcase:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030221
Talkback couldn´t connect to server, also doesn´t show details.

Comment 5

[harishd]

Andrew: Thanks for the testcase. I was able to crash as well. Will take a look
today.

Comment 6

[Jay Patel [:jay]]

Making topcrash+ since we have a reproducible testcase.

Comment 7

[harishd]

Attachment: patch v1.0

Problem: The head context, that was opened up by <script>, did not get closed
before handling the document.write content ( which is just </div> in the
testcase provided ). This caused the head context's stack position to be
altered.

Fix: Check if the current context is head context, by calling
CloseHeadContext(), before closing a container.

Comment 8

[harishd]

Attachment: patc v1.1

This patch prevents <script> from opening up a head context - happened only if
a <head> was found after <body> ( not sure why we had to do that. I tracked it
down to revision 3.263 of CNavDTD but the checkin comment was not of any help )
- if <script> were to be in the body context; for compatibility we allow
<script> to appear anywhere in the document. I'll have to run parser regression
tests to confirm this patch.

Comment 9

[Jay Patel [:jay]]

Any chance of getting this into Mozilla 1.3?  It's topcrash #10 with Mozilla 1.3
Beta.  Should we nominate it?

Comment 10

[harishd]

Comment on attachment 115557 [details] [diff] [review]
patc v1.1

Passed parser regression tests.

Comment 11

[Johnny Stenback (:jst)]

Comment on attachment 115557 [details] [diff] [review]
patc v1.1

sr=jst.

I think it would be worth adding some assertions and some more band-aid code to
the sink though to deal with possibly similar errors that could creep up.
Please file a new bug on making sure the sink plays nicer and doesn't drop
errors like it does today (I have a patch that fixes part of this already, let
me know when you've filed a bug and I'll attach it).

Comment 12

[Asa Dotzler [:asa]]

With a fix in hand, setting to blocking 1.3 with the hope that we can get this
into the branch for the release.

Comment 13

[Asa Dotzler [:asa]]

Comment on attachment 115557 [details] [diff] [review]
patc v1.1

a=asa (on behalf of drivers) for checkin to the 1.3 branch.

Comment 14

[harishd]

Fixed on the trunk and branch.

Comment 15

[Matthias Versen [:Matti]]

*** Bug 196762 has been marked as a duplicate of this bug. ***

Comment 16

[Jay Patel [:jay]]

*** Bug 196762 has been marked as a duplicate of this bug. ***

Comment 17

[Jesse Ruderman]

Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/afc662d52ab1