275089 - Firefox 1.0 crashes when loading some not well formed pages [@ js_LookupPropertyWithFlags]

Status: RESOLVED WORKSFORME

(Core :: General, defect)

Description

[Cédric Corazza]

When I try to load the following pages :
http://www.mozilla.org/projects/rt-messaging/chatzilla/view-swatches.html
http://www.lamastre.com/dossier/ardeche-carte.htm
Firefox crashes.


Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0

Comment 1

[Cédric Corazza]

It also crashes with Konqueror 3.2.3 and Mozilla 1.7.3 under GNU/Linux Mandrake
10.1 (kernel 2.6.3-4mdk)

Comment 2

[Martijn Wargers (dead)]

http://www.mozilla.org/projects/rt-messaging/chatzilla/view-swatches.html
This crashes for me, using a 2004-12-14 trunk build. I'll attach a testcase that
still triggers the crash.
Talkback Id:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2609046M


http://www.lamastre.com/dossier/ardeche-carte.htm
This doesn't crash for me. I can see that that page uses Java. It could very
well be the cause of reporter's experience of crashing on that page.

Comment 3

[Martijn Wargers (dead)]

Attachment: Testcase

This testcase came from:
http://www.mozilla.org/projects/rt-messaging/chatzilla/channel-view.html

This is the source:
<html><head>
<script>
document.write ("<LINK REL=StyleSheet
HREF='chrome://chatzilla/content/output-base.css' TYPE='text/css'>");
</script>
<body>
</body></html>

Comment 4

[Cédric Corazza]

Thanks Martijns.
Deactivating Javascript for this address :
http://www.mozilla.org/projects/rt-messaging/chatzilla/view-swatches.html , it
doesn't crash anymore.
and deactivating Java for this one : 
http://www.lamastre.com/dossier/ardeche-carte.htm
doesn't crash Firefox anymore, bur the page is not the one expected.

Comment 5

[Martijn Wargers (dead)]

Testcase doesn't crash for me in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a) Gecko/20040428
Firefox/0.8.0+ 7:47am
But it crashes for me in:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a) Gecko/20040430
Firefox/0.8.0+ 8:35am
Bonsai link:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-04-28+07%3A00%3A00&maxdate=2004-04-30+09%3A00%3A00&cvsroot=%2Fcvsroot

It doesn't crash for me in a Mozilla build of 2004-12-03.

Comment 6

[Martijn Wargers (dead)]

Maybe the checkins from Ben at 2004-04-29 18:46 have got something to do with
it, but - as far as I know - that is not Firefox only code.

Cedric, probably upgrading your Java version will solve the crash you experience
at http://www.lamastre.com/dossier/ardeche-carte.htm

Comment 7

[Cédric Corazza]

Martijn was right :
upgrading to j2re1.4.2_06 fixed the java problem for Firefox, Konqueror and
Mozilla. I was using previously j2re1.4.2_05.

Comment 8

[Worcester12345]

(In reply to comment #0)
> When I try to load the following pages :
> http://www.mozilla.org/projects/rt-messaging/chatzilla/view-swatches.html
> http://www.lamastre.com/dossier/ardeche-carte.htm
> Firefox crashes.
> 
> 
> Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0

First one crashes, second one WFM.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Comment 9

[Doron Rosenberg (IBM)]

crash at CNavDTD::BuildModel and is a dupe (see similar dupe bug 256450)

*** This bug has been marked as a duplicate of 156707 ***

Comment 10

[Martijn Wargers (dead)]

Ehm, I think you meant this is a duplicate of bug 220542.

Comment 11

[Martijn Wargers (dead)]

*** This bug has been marked as a duplicate of 220542 ***

Comment 12

[Martijn Wargers (dead)]

I'm reopening this bug. I think it would be better if the mozilla.org website
didn't have a page that crashes it's own product.

Comment 13

[James Ross]

Hmm. http://www.mozilla.org/projects/rt-messaging/chatzilla/view-swatches.html
doesn't crash my official Firefox 1.0 (Mozilla/5.0 (Windows; U; Windows NT 5.0;
en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0) or my trunk Mozilla (Mozilla/5.0
(Windows; U; Windows NT 5.0; en-US; rv:1.8a6) Gecko/20050111) so, um... *shrug*

Martijn, I think it would be better if the bugs that crashed said products were
fixed rather than the website(s). Being unable to crash here, though, I can't
really help.

Comment 14

[Ganesh]

When I make this change 
-        if (!(mFlags & NS_DTD_FLAG_STOP_PARSING)) {
+        if (!(mFlags & NS_DTD_FLAG_STOP_PARSING) && (aTokenizer==oldTokenizer)) {

It doesn't crash anymore. It is in CNavDTD::BuildModel

Comment 15

[Nagappan]

(In reply to comment #14)
> When I make this change 
> -        if (!(mFlags & NS_DTD_FLAG_STOP_PARSING)) {
> +        if (!(mFlags & NS_DTD_FLAG_STOP_PARSING) && (aTokenizer==oldTokenizer)) {
> 
> It doesn't crash anymore. It is in CNavDTD::BuildModel

Ganesh: Please submit the patch here

Comment 16

[Blake Kaplan (:mrbkap) (inactive)]

Can somebody please make sure this bug isn't already fixed. I cannot reproduce
it on a recent CVS build or a nightly.

That patch looks like it will break the output of scripts (document.write()), so
I don't think it's correct.

Comment 17

[Vidar Haarr (not reading bugmail)]

Unable to reproduce on Firefox CVS head from 1 hour ago.

Comment 18

[Martijn Wargers (dead)]

The crash doesn't occur because bug 220542 got fixed. However, I still think
that page of Mozilla should be fixed (Mozilla1.7 still crashes on it)

Comment 19

[Ronald Tilby]

URL and Testcase both WFM using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060602 Minefield/3.0a1 ID:2006060204 [cairo]
Should this bug be closed?

Comment 20

[Reed Loden [:reed]]

wfm

Comment 21

[Jesse Ruderman]

Please file a separate bug in the Websites product if you want http://www.mozilla.org/projects/rt-messaging/chatzilla/view-swatches.html to stop using the chrome: protocol sketchily.