Closed Bug 269801 Opened 20 years ago Closed 20 years ago

crash when I open www.plaster.neostrada.pl [@ DoDeletingFrameSubtree]

Categories

(Core :: Layout: Images, Video, and HTML Frames, defect)

1.7 Branch
x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 271338

People

(Reporter: wiktor, Unassigned)

Details

(Keywords: crash, qawanted, Whiteboard: 1.7/aviary only, trunk is OK)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041108 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041108 Firefox/1.0

When I open www.plaster.neostrada.pl, Firefox crashes and shows me a message window
with the text "Read Error". I think this is a bug in Firefox. The page has a lot of forms
and form elements, such as buttons; maybe this is the cause of the crash.

Reproducible: Always
Steps to Reproduce:
1. (Try) open www.plaster.neostrada.pl


Actual Results:  
crash firefox

Expected Results:  
open page

Didn't crash at first for me, but I clicked one of the buttons (DISNEY), got a
404, and then crashed when I hit the back button.

talkback incident 1950397. Also found other incidents for the same URL:
1941248
1940072
1940062
1940056

All 5 crashes appear to be using WinXP SP2, if that makes any difference, and
one of the e-mail addresses was from neostrada.pl itself.

They do not all have the same stack. Three (including mine) have 4 calls to
DoDeletingFrameSubtree at the top, one is in nsBlockFrame::ReflowFloat, and one
is in nsFrameManager::ReResolveStyleContext.  Four of the crashes seem to be
while running JS, the nsBlockFrame one has no JS on the stack.

All of these crashes were on November 14, did neostrada change their site? There
were four older crashes, three at www.neostrada.pl (one on linux) and one at
www.bosbest.neostrada.pl

Confirming.
In a debug build I get a whole bunch of "Don't call me!: 'Error'" assertions
from nsDOMClassInfo.cpp line 2726 (more than a dozen) while drawing the page,
and boatloads of NS_ENSURE_TRUE(shell) failed warnings from
nsImageLoadingContent.cpp line 648 (and other similar). The page didn't
completely render, then crashed.

Tried again with similar warnings and asserts, but got further (I think all the
controls on the page rendered). Then I started seeing assertions from
nsFrameManager.cpp line 783: "frame was not removed from primary frame map
before destruction or was readded to map after being removed: 'Not Reached'" --
at least a couple dozen of those then crash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I get the same crash in Mozilla 1.7.3 (TB 1951243). Could not crash a trunk
1.8a5 build, and saw some DHTML "falling stars" animation that never showed up
in the 1.7/aviary builds.
-> Browser (crash is in layout).

It's not immediately obvious that this is exploitable. It does appear to be
jumping off into nowhere using freed objects though, so maybe.
Assignee: firefox → nobody
Component: General → Layout: HTML Frames
Product: Firefox → Browser
QA Contact: firefox.general → core.layout.html-frames
Version: unspecified → 1.7 Branch
This needs a minimal-ish testcase for triggering those asserts (which are
probably what crash branch; on trunk we take defensive action in addition to
asserting).

This also probably doesn't need to be security sensitive (and isn't likely to
get QA love while it is....)
Keywords: qawanted
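
A simplified model of the invariant behind the nsFrameManager assertion quoted earlier in this bug, and of the "defensive action in addition to asserting" mentioned for trunk. This is an added example, not Gecko code: `Frame`, `FrameManager`, `CheckGone` and `StaleEntryAfterTeardown` are hypothetical names, and `DeletingFrameSubtree` only borrows its name from the stack signature.

```cpp
#include <memory>
#include <unordered_map>
#include <utility>
#include <vector>

struct Frame {
    int content;                               // id of the content node this frame renders
    std::vector<std::unique_ptr<Frame>> kids;  // owned child frames
    explicit Frame(int c) : content(c) {}
};

class FrameManager {
    std::unordered_map<int, Frame*> primary_;  // content id -> frame, non-owning
    void CheckGone(Frame* f) {                 // invariant check, run while frames are alive
        auto it = primary_.find(f->content);
        if (it != primary_.end() && it->second == f) {
            ++violations;                      // a debug build would assert here
            if (defensive) primary_.erase(it); // defensive action: drop the stale entry
        }
        for (auto& k : f->kids) CheckGone(k.get());
    }
public:
    bool defensive; int violations = 0;
    explicit FrameManager(bool d) : defensive(d) {}
    void SetPrimary(Frame* f) { primary_[f->content] = f; }
    bool HasPrimary(int content) const { return primary_.count(content) != 0; }
    // Pre-destruction walk: unregister every frame in the subtree.
    void DeletingFrameSubtree(Frame* f) {
        auto it = primary_.find(f->content);
        if (it != primary_.end() && it->second == f) primary_.erase(it);
        for (auto& k : f->kids) DeletingFrameSubtree(k.get());
    }
    // The subtree is freed when `root` goes out of scope at the end of this call.
    void Destroy(std::unique_ptr<Frame> root) { CheckGone(root.get()); }
};

// Returns true if the map still names a freed frame after teardown.
bool StaleEntryAfterTeardown(bool defensive, int* violations) {
    FrameManager fm(defensive);
    auto root = std::make_unique<Frame>(1);
    root->kids.push_back(std::make_unique<Frame>(2));
    Frame* child = root->kids[0].get();
    fm.SetPrimary(root.get()); fm.SetPrimary(child);
    fm.DeletingFrameSubtree(root.get());       // correct removal pass
    fm.SetPrimary(child);                      // re-added after removal: the asserted case
    fm.Destroy(std::move(root));
    *violations = fm.violations;
    return fm.HasPrimary(2);                   // key lookup only; the pointer is never read
}
// Exit status 0 when the defensive teardown leaves no stale entry.
int main() { int v = 0; return StaleEntryAfterTeardown(true, &v) ? 1 : 0; }
```

With `defensive` off, the violation is counted but the map keeps a pointer to freed memory, which is the state a later lookup would turn into a use of a freed object.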
(In reply to comment #1)
> All of these crashes were on November 14, did neostrada change their site? There
> were four older crashes, three at www.neostrada.pl (one on linux) and one at
> www.bosbest.neostrada.pl

One moment, please. www.neostrada.pl is the address of the Polish telecom. Pages at
*.neostrada.pl are private accounts of users.
Group: security
Keywords: crash
Whiteboard: 1.7/aviary only, trunk is OK
Didn't get it to crash in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20041215

But it does in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0

I'm working on a test case ...
Attached file Test case
Attachment #168887 - Attachment description: Test case → www.plaster.neostrada.pl is a real HTML mess. Test case seems random HTML, but is the extract which makes Firefox crash.
Attachment #168887 - Attachment description: www.plaster.neostrada.pl is a real HTML mess. Test case seems random HTML, but is the extract which makes Firefox crash. → Test case
timeless said a stack was wanted. See talkback id TB2597790G
Incident ID: 2597790
Stack Signature	DoDeletingFrameSubtree() ef5b89b1
Product ID	Firefox10
Build ID	2004110712
Trigger Time	2004-12-17 00:44:10.0
Platform	LinuxIntel
Operating System	Linux 2.6.7
Module	firefox-bin + (00200104)
URL visited	attachment 168887 [details]
User Comments	
Since Last Crash	0 sec
Total Uptime	0 sec
Trigger Reason	SIGSEGV: Segmentation Fault: (signal 11)
Source File, Line No.
/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9124
Stack Trace 	
DoDeletingFrameSubtree() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9124]
DoDeletingFrameSubtree() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 683]
DoDeletingFrameSubtree() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 683]
DoDeletingFrameSubtree() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 683]
DeletingFrameSubtree() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9207]
nsCSSFrameConstructor::ContentRemoved() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 90]
nsCSSFrameConstructor::ContentReplaced() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9069]
nsCSSFrameConstructor::WipeContainingBlock() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 704]
nsCSSFrameConstructor::ContentInserted() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 8972]
nsCSSFrameConstructor::ContentReplaced() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9070]
nsCSSFrameConstructor::WipeContainingBlock() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 704]
nsCSSFrameConstructor::ContentInserted() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 8972]
nsCSSFrameConstructor::ContentReplaced() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 9070]
nsCSSFrameConstructor::WipeContainingBlock() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 704]
nsCSSFrameConstructor::ContentAppended() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/style/src/nsCSSFrameConstructor.cpp,
line 8363]
PresShell::ContentAppended() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5221]
nsDocument::ContentAppended() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 61]
HTMLContentSink::NotifyAppend() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 4114]
SinkContext::CloseContainer() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1424]
SinkContext::CloseContainer() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp,
line 1457]
CNavDTD::CloseContainer() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 3545]
CNavDTD::CloseContainersTo() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 3581]
CNavDTD::CloseContainersTo() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 3767]
CNavDTD::DidBuildModel() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/CNavDTD.cpp,
line 644]
nsParser::DidBuildModel() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp,
line 704]
nsParser::ResumeParse() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp,
line 1925]
nsParser::OnStopRequest() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/htmlparser/src/nsParser.cpp,
line 692]
nsDocumentOpenInfo::OnStopRequest() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/uriloader/base/nsURILoader.cpp,
line 540]
nsStreamListenerTee::OnStopRequest() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsStreamListenerTee.cpp,
line 66]
nsHttpChannel::OnStopRequest() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,
line 606]
nsInputStreamPump::OnStateStop() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 606]
nsInputStreamPump::OnInputStreamReady() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/netwerk/base/src/nsInputStreamPump.cpp,
line 339]
nsInputStreamReadyEvent::EventHandler()
PL_HandleEvent() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/plevent.c,
line 674]
PL_ProcessPendingEvents() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/plevent.c,
line 608]
nsEventQueueImpl::ProcessPendingEvents() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpcom/threads/nsEventQueue.cpp,
line 395]
event_processor_callback() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsAppShell.cpp,
line 67]
libglib-2.0.so.0 + 0x4987f (0x405af87f)
libglib-2.0.so.0 + 0x24252 (0x4058a252)
libglib-2.0.so.0 + 0x25348 (0x4058b348)
libglib-2.0.so.0 + 0x25680 (0x4058b680)
libglib-2.0.so.0 + 0x25cc3 (0x4058bcc3)
libgtk-x11-2.0.so.0 + 0x10f923 (0x40299923)
nsAppShell::Run() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/widget/src/gtk2/nsAppShell.cpp,
line 144]
nsAppShellService::Run() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
xre_main() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/toolkit/xre/nsAppRunner.cpp,
line 692]
main() 
[/builds/tinderbox/firefox-1.0/Linux_2.4.20-28.8_Clobber/mozilla/browser/app/nsBrowserApp.cpp,
line 59]
libc.so.6 + 0x14ad4 (0x4092cad4)


*** This bug has been marked as a duplicate of 271338 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Summary: crash when I open www.plaster.neostrada.pl → crash when I open www.plaster.neostrada.pl [@ DoDeletingFrameSubtree]
Crash Signature: [@ DoDeletingFrameSubtree]
Product: Core → Core Graveyard
Component: Layout: HTML Frames → Layout: Images
Product: Core Graveyard → Core