Closed Bug 265761 Opened 20 years ago Closed 15 years ago

crash with malformed html

Categories

(Core :: Layout, defect)

1.0 Branch
x86
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: titusstahl+bugzilla, Unassigned)

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0

Tonight's Firefox build on Linux and 1.0PR1 on Windows crash reproducibly
at the given URL

Reproducible: Always
Steps to Reproduce:
1. go to titus-stahl.ecommunics.org/TB1476484Z.html

Actual Results:  
Firefox crashes

Expected Results:  
Firefox doesn't crash

Talkback ID TB1476484Z

The only crash I saw after loading the page in question for a few minutes was
in debug-only code, and this fixes it.
Comment on attachment 163170 [details] [diff] [review]
fix crash in DEBUG-only code

May as well at least land this on the trunk (IntTagToStringTag seems to return
null for the userdefined enum. Should we fix that instead?)
Attachment #163170 - Flags: superreview?(jst)
Attachment #163170 - Flags: review?(jst)
Bug confirmed on 1.0PR1

Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Windows 2000 

Had a few tabs open, went to site, and crashed.  Sent talkback, but I neglected
to get the ID (and I am not sure how to get the info back up on FF).
Comment on attachment 163170 [details] [diff] [review]
fix crash in DEBUG-only code

r+sr=jst
Attachment #163170 - Flags: superreview?(jst)
Attachment #163170 - Flags: superreview+
Attachment #163170 - Flags: review?(jst)
Attachment #163170 - Flags: review+
setting->NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041107
Firefox/0.9.1+

This didn't crash for me, I left it running for several hours, evincing 2
MB of some seriously weird HTML.

Is there known to be a fix in? 

Mac OS X running under MOL, so there may have been less than the usual risk
of memory depletion
Attached file backtrace (obsolete) —
Reported using: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b)
Gecko/20050209 Firefox/1.0+

Crash occurred in MAS of that date

Crashes are still possible.

I also get these ASSERTIONS
###!!! ASSERTION: failed to load URL: 'NS_SUCCEEDED(rv)', file ../../../../../../src/content/html/content/src/nsGenericHTMLElement.cpp, line 3456
###!!! ASSERTION: illegal height for combined area: 'aCombinedArea.height >= 0', file ../../../../src/layout/generic/nsLineBox.cpp, line 480

and many WARNINGS.

I assume that the URL given generates HTML with random attributes and other
values.
Attached file backtrace
This bug appears to be still in, there are some minor changes to the backtrace,
but I suspect that the crash is the same.
Attachment #175738 - Attachment is obsolete: true
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051128 Firefox/1.6a1

I don't get a crash here. CPU skyrockets and I get lots of assertions; e.g. 

###!!! ASSERTION: bad width: 'Not Reached', file /moz/mozilla/layout/generic/nsLineLayout.cpp, line 247,

but it doesn't crash and I /am/ able to click the back button and navigate away from the page.
Version: unspecified → Trunk
Assignee: bross2 → nobody
Component: General → Layout
Flags: review+
Product: Firefox → Core
QA Contact: general → layout
The url testcase doesn't seem to be there anymore.
still valid with 3.5.2 or later?
Version: Trunk → 1.0 Branch
no, sorry, testcase was lost - but telling from the age of the bug it should probably be invalid anyway.
Well, take a leap and say WFM.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME