Closed Bug 272647 Opened 20 years ago Closed 20 years ago

Malformed HTML causes crash Mozilla suite in [@ HTMLContentSink::BeginContext][@ nsCSSFrameConstructor::GetFrameFor]

Categories

(Core :: Layout, defect)

Version: 1.7 Branch
Hardware: x86
OS: Linux
Type: defect
Priority: Not set
Severity: critical


VERIFIED WORKSFORME

People

(Reporter: phceac, Unassigned)


Details

(Keywords: crash, testcase)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040927
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040927

The 18 lines of malformed HTML below cause a segmentation fault in Mozilla 1.7.3
on Linux (built on Gentoo).
Also occurs on Mozilla build 1.7.3 on Windows XP
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910

I assume there is a common problem.



Reproducible: Always
Steps to Reproduce:
1. Save HTML (below) to file.html
2. Run mozilla file.html
3. Wait for the segmentation fault

The HTML is below. I tried to reduce it further, but most changes seemed to remove
the problem.
========begin html========
<html>
 <header>
  <title>Defects </title>
 </header>
<body>
<center><table>
<caption>
</caption>

<p>
<caption>
</tr></td>
</center>
<center><table>
<td><tr>
delete me and the problem goes away
</body>
</html>
========end html========
Actual Results:
Mozilla window (sometimes) appears, followed by segfault.

See Talkback (Windows XP) TB2288018G

Typical StackTrace from Linux below:
#0  0x408af751 in kill () from /lib/libc.so.6
#1  0x40127ca1 in pthread_kill () from /lib/libpthread.so.0
#2  0x4012801b in raise () from /lib/libpthread.so.0
#3  0x41bb23ca in NSGetModule () from /usr/lib/mozilla/components/libprofile.so
#4  0x4012adc5 in __pthread_sighandler () from /lib/libpthread.so.0
#5  <signal handler called>
#6  0x088e193b in ?? ()
#7  0x088593a9 in ?? ()
#8  0x41361d2b in nsCSSFrameConstructor::GetFrameFor(nsIPresShell*, nsIPresContext*, nsIContent*) () from /usr/lib/mozilla/components/libgklayout.so
#9  0x4136571c in nsCSSFrameConstructor::ContentInserted(nsIPresContext*, nsIContent*, nsIFrame*, nsIContent*, int, nsILayoutHistoryState*, int) () from /usr/lib/mozilla/components/libgklayout.so
#10 0x41300f2e in PresShell::ContentInserted(nsIDocument*, nsIContent*, nsIContent*, int) () from /usr/lib/mozilla/components/libgklayout.so
#11 0x4144ceca in nsDocument::ContentInserted(nsIContent*, nsIContent*, int) () from /usr/lib/mozilla/components/libgklayout.so
#12 0x415c535e in nsHTMLDocument::ContentInserted(nsIContent*, nsIContent*, int) () from /usr/lib/mozilla/components/libgklayout.so
#13 0x415bc011 in HTMLContentSink::NotifyInsert(nsIContent*, nsIContent*, int) () from /usr/lib/mozilla/components/libgklayout.so
#14 0x415b4bd8 in SinkContext::DidAddContent(nsIContent*, int) () from /usr/lib/mozilla/components/libgklayout.so
#15 0x415b60ab in SinkContext::FlushText(int*, int) () from /usr/lib/mozilla/components/libgklayout.so
#16 0x415b8370 in non-virtual thunk to HTMLContentSink::BeginContext(int) () from /usr/lib/mozilla/components/libgklayout.so
#17 0x08858830 in ?? ()


gdb disassembly output at 0x415b8370 in the last valid function suggests to me
that the crash happens just after the call to SinkContext::FlushText().
0x415b8368 <_ZThn76_N15HTMLContentSink12BeginContextEi+152>:    mov    %eax,(%esp,1)
0x415b836b <_ZThn76_N15HTMLContentSink12BeginContextEi+155>:    call   0x415b5e20 <_ZN11SinkContext9FlushTextEPii>
0x415b8370 <_ZThn76_N15HTMLContentSink12BeginContextEi+160>:    movl   $0x0,0xffffffc8(%ebp)
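Added triage example (not part of the bug report or of the Mozilla tree): the script below takes the Linux backtrace above as sample input, rejoins the lines gdb wrapped at 80 columns, drops the signal-delivery frames and the unsymbolized `??` frames, and returns the first two meaningful frames, which is how a crash signature of the `[@ ...]` form on this bug is built. It also checks the disassembly: the saved PC of frame #16 (0x415b8370) is the address immediately after the `call` to SinkContext::FlushText, i.e. it is a return address, so FlushText was still executing when the fault was raised (frame #15 is FlushText itself) rather than the crash occurring once it had returned. The skip list, the two-frame depth and the helper names are choices made for this example.

```python
"""Crash-triage helpers for a gdb backtrace (added example, not from the bug)."""
import re

# Sample input: the Linux backtrace from the bug report, verbatim, including
# the lines gdb wrapped at 80 columns.
SAMPLE_BT = """\
#0  0x408af751 in kill () from /lib/libc.so.6
#1  0x40127ca1 in pthread_kill () from /lib/libpthread.so.0
#2  0x4012801b in raise () from /lib/libpthread.so.0
#3  0x41bb23ca in NSGetModule () from /usr/lib/mozilla/components/libprofile.so
#4  0x4012adc5 in __pthread_sighandler () from /lib/libpthread.so.0
#5  <signal handler called>
#6  0x088e193b in ?? ()
#7  0x088593a9 in ?? ()
#8  0x41361d2b in nsCSSFrameConstructor::GetFrameFor(nsIPresShell*,
nsIPresContext*, nsIContent*) () from /usr/lib/mozilla/components/libgklayout.so
#9  0x4136571c in nsCSSFrameConstructor::ContentInserted(nsIPresContext*,
nsIContent*, nsIFrame*, nsIContent*, int, nsILayoutHistoryState*, int) ()
   from /usr/lib/mozilla/components/libgklayout.so
#10 0x41300f2e in PresShell::ContentInserted(nsIDocument*, nsIContent*,
nsIContent*, int) () from /usr/lib/mozilla/components/libgklayout.so
#11 0x4144ceca in nsDocument::ContentInserted(nsIContent*, nsIContent*, int) ()
   from /usr/lib/mozilla/components/libgklayout.so
#12 0x415c535e in nsHTMLDocument::ContentInserted(nsIContent*, nsIContent*, int)
() from /usr/lib/mozilla/components/libgklayout.so
#13 0x415bc011 in HTMLContentSink::NotifyInsert(nsIContent*, nsIContent*, int)
    () from /usr/lib/mozilla/components/libgklayout.so
#14 0x415b4bd8 in SinkContext::DidAddContent(nsIContent*, int) ()
   from /usr/lib/mozilla/components/libgklayout.so
#15 0x415b60ab in SinkContext::FlushText(int*, int) ()
   from /usr/lib/mozilla/components/libgklayout.so
#16 0x415b8370 in non-virtual thunk to HTMLContentSink::BeginContext(int) ()
   from /usr/lib/mozilla/components/libgklayout.so
#17 0x08858830 in ?? ()
"""

# Sample input: the three disassembled instructions quoted in the bug report.
DISASM = """\
0x415b8368 <_ZThn76_N15HTMLContentSink12BeginContextEi+152>:    mov    %eax,(%esp,1)
0x415b836b <_ZThn76_N15HTMLContentSink12BeginContextEi+155>:    call   0x415b5e20 <_ZN11SinkContext9FlushTextEPii>
0x415b8370 <_ZThn76_N15HTMLContentSink12BeginContextEi+160>:    movl   $0x0,0xffffffc8(%ebp)
"""

FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x([0-9a-fA-F]+)\s+in\s+)?(.*)$")
INSN_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+<[^>]*>:\s+(\S+)(?:\s+(.*))?$")

# Frames that belong to signal delivery / the crash handler, not to the bug.
# (gdb attributes the handler in this build to libprofile's NSGetModule, the
# nearest exported symbol.)  Assumed skip list for this example.
SKIP = {"kill", "pthread_kill", "raise", "abort", "__pthread_sighandler",
        "NSGetModule", "??"}


def parse_frames(bt):
    """Return [(index, pc_or_None, symbol)] with gdb's wrapped lines rejoined."""
    joined = []
    for line in bt.splitlines():
        if line.startswith("#"):
            joined.append(line)
        elif joined:                      # continuation of a wrapped frame
            joined[-1] += " " + line.strip()
    frames = []
    for line in joined:
        m = FRAME_RE.match(line)
        if not m:
            continue
        idx, pc, rest = int(m.group(1)), m.group(2), m.group(3)
        if rest.startswith("<signal handler called>"):
            sym = "<signal handler called>"
        else:
            sym = rest.split("(", 1)[0].strip()   # symbol without its arg list
        if sym.startswith("non-virtual thunk to "):
            sym = sym[len("non-virtual thunk to "):]
        frames.append((idx, int(pc, 16) if pc else None, sym))
    return frames


def crash_signature(bt, depth=2):
    """Top `depth` frames below the signal trampoline, minus skip-listed ones."""
    frames = parse_frames(bt)
    marks = [i for i, f in enumerate(frames) if f[2] == "<signal handler called>"]
    if marks:                             # everything above it is handler code
        frames = frames[marks[0] + 1:]
    return [sym for _, _, sym in frames if sym not in SKIP][:depth]


def frame_pc(bt, idx):
    """Saved PC of frame `idx`, or None if unknown (e.g. the trampoline)."""
    for i, pc, _ in parse_frames(bt):
        if i == idx:
            return pc
    return None


def call_returning_to(disasm, pc):
    """If the instruction listed just before `pc` is a call, return its target.

    A saved PC in an outer frame is a return address, so a hit means that
    callee was still on the stack when the fault was raised."""
    insns = []
    for line in disasm.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2), m.group(3) or ""))
    for prev, cur in zip(insns, insns[1:]):
        if cur[0] == pc and prev[1] == "call":
            return prev[2]
    return None


if __name__ == "__main__":
    print("signature:", " ".join("[@ %s]" % s for s in crash_signature(SAMPLE_BT)))
    pc = frame_pc(SAMPLE_BT, 16)
    print("frame #16 pc 0x%x is the return address of: %s"
          % (pc, call_returning_to(DISASM, pc)))
```

Run it stand-alone and it prints the two-frame signature and the FlushText call that 0x415b8370 returns from. The same skip-then-take logic works for traces without a `<signal handler called>` marker (a core dumped by `abort()`, for instance), because the skip list alone removes the libc frames.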
wfm with Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.8a6) Gecko/20041126

Can you please retest with Mozilla 1.8a5 or later builds?
Keywords: crash
wfm Firefox 1.0 (Mozilla1.7.5)
wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a6) Gecko/20041130
I crash with 1.7.3, but trunk build 2004120106 works fine

Charlie: please resolve as WORKSFORME unless you can reproduce this with a trunk
build
Keywords: testcase
Version: Trunk → 1.7 Branch
Summary: Malformed HTML causes crash Mozilla suite in HTMLContentSink::BeginContext → Malformed HTML causes crash Mozilla suite in [@ HTMLContentSink::BeginContext][@ nsCSSFrameConstructor::GetFrameFor]
I guess that's fixed by bug 265181
Excellent.  Worked out how to get 1.8a5 to run.  
wfm - There is no crash. 
Mozilla is good and getting better. Thanks to all.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Thanks for your time to test 1.8a5!

Verified
Status: RESOLVED → VERIFIED
layout/base/crashtests/272647-1.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ HTMLContentSink::BeginContext] [@ nsCSSFrameConstructor::GetFrameFor]