crash with malformed html

RESOLVED WORKSFORME

Product: Core
Component: Layout
Priority: --
Severity: critical
Status: RESOLVED WORKSFORME
Opened: 13 years ago
Last updated: 8 years ago
Reporter: tstststst
Assignee: Unassigned
Version: 1.0 Branch
Platform: x86, Linux
Attachments: 2 attachments, 1 obsolete attachment

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041022 Firefox/1.0

Tonight's Firefox build on Linux and 1.0PR1 on Windows crash reproducibly
at the given URL

Reproducible: Always
Steps to Reproduce:
1. go to titus-stahl.ecommunics.org/TB1476484Z.html

Actual Results:  
Firefox crashes

Expected Results:  
Firefox doesn't crash

Talkback ID TB1476484Z

Created attachment 163170
fix crash in DEBUG-only code

The only crash I saw after loading the page in question for a few minutes was
in debug-only code, and this fixes it.

Comment on attachment 163170
fix crash in DEBUG-only code

May as well at least land this on the trunk (IntTagToStringTag seems to return
null for the userdefined enum. Should we fix that instead?)
Attachment #163170 - Flags: superreview?(jst)
Attachment #163170 - Flags: review?(jst)

Comment 3

13 years ago
Bug confirmed on 1.0PR1

Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Windows 2000 

Had a few tabs open, went to site, and crashed.  Sent talkback, but I neglected
to get the ID (and I am not sure how to get the info back up on FF).

Comment on attachment 163170
fix crash in DEBUG-only code

r+sr=jst
Attachment #163170 - Flags: superreview?(jst)
Attachment #163170 - Flags: superreview+
Attachment #163170 - Flags: review?(jst)
Attachment #163170 - Flags: review+

setting->NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 6

13 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a5) Gecko/20041107
Firefox/0.9.1+

This didn't crash for me, I left it running for several hours, evincing 2
MB of some seriously weird HTML.

Is there known to be a fix in? 

Mac OS X running under MOL, so there may have been less than the usual risk
of memory depletion

Comment 7

13 years ago
Created attachment 175738
backtrace

Reported using: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b)
Gecko/20050209 Firefox/1.0+

Crash occurred in MAS of that date

Crashes are still possible.

I also get these ASSERTIONS
###!!! ASSERTION: failed to load URL: 'NS_SUCCEEDED(rv)', file ../../../../../../src/content/html/content/src/nsGenericHTMLElement.cpp, line 3456
###!!! ASSERTION: illegal height for combined area: 'aCombinedArea.height >= 0', file ../../../../src/layout/generic/nsLineBox.cpp, line 480

and many WARNINGS.

I assume that the URL given generates HTML with random attributes and other
values.

Comment 8

13 years ago
Created attachment 188169
backtrace

This bug appears to be still in, there are some minor changes to the backtrace,
but I suspect that the crash is the same.
Attachment #175738 - Attachment is obsolete: true

Comment 9

12 years ago
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051128 Firefox/1.6a1

I don't get a crash here. CPU skyrockets and I get lots of assertions; e.g. 

###!!! ASSERTION: bad width: 'Not Reached', file /moz/mozilla/layout/generic/nsLineLayout.cpp, line 247,

but it doesn't crash and I /am/ able to click the back button and navigate away from the page.
Version: unspecified → Trunk

Updated

12 years ago
Assignee: bross2 → nobody
Component: General → Layout
Flags: review+
Product: Firefox → Core
QA Contact: general → layout
The url testcase doesn't seem to be there anymore.

still valid with 3.5.2 or later?
Version: Trunk → 1.0 Branch
(Reporter)

Comment 12

8 years ago
no, sorry, testcase was lost - but telling from the age of the bug it should probably be invalid anyway.

Well, take a leap and say WFM.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME