Closed Bug 286733 Opened 19 years ago Closed 19 years ago

crash: nightly crash with form and embedded table. SinkContext::Begin

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: taviso, Assigned: mrbkap)

References

Details

(4 keywords)

Attachments

(4 files, 2 obsolete files)

Crash stack
4.16 KB, text/plain
Details
Minimal testcase (CRASH)
98 bytes, text/html
Details
Testcase #2 - the <TR> case (CRASH)
102 bytes, text/html
Details
alternative approach
3.64 KB, patch
jst
: review+
rbs
: superreview+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050305 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050305 Firefox/1.0.1

testcase attached seems to crash nightly.

Reproducible: Always
Attached file testcase (obsolete) — 

    
  
Keywords: crash, 
          
            testcase

    
  
Severity: normal → critical

    
    

    
  

      
      
      
      

        Attached file
          
        Crash stack
      

    


  
Assignee: nobody → parser
Component: Layout → HTML: Parser
QA Contact: layout → mrbkap

    
    

    
  
TB4435667K (Linux)
TB4435581W (Windows)

This is reliably reproduced on Linux, in windows I'm told it happens sometimes, 
but everytime if you use:

start->run->mozilla https://bugzilla.mozilla.org/attachment.cgi?id=177869
Keywords: regression
Summary: nightly crash, form with table. → crash: nightly crash with form and embedded table. SinkContext::Begin

    
    

    
  
Regression window: 2005-01-25-06 -- 2005-01-26-06 (possibly bug 147446?)

    
    

    
  
Yep, backing out bug 147446 fixes it...
Assignee: parser → mats.palmgren

    
    

    
  


  
<TABLE>
<FRAMESET><FRAME></FRAMESET>
<TR><TD><TABLE>
	  <TR><BR><TD><MAP><TABLE><BR></MAP>

        Attachment #177869 -
        Attachment is obsolete: true

    
    

    
  


  
This also crash after backing out bug 147446, so the problem was also present
after bug 58942. If I add back eHTMLTag_map to gTRKids this crash also goes
away. It's almost the same as the last testcase - just added a <TR>:

<TABLE>
<FRAMESET><FRAME></FRAMESET>
<TR><TD><TABLE>
	  <TR><BR><TD><MAP><TABLE><TR><BR></MAP>

-----------------------------------^^

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1 (obsolete)
        — Splinter Review
      

    


  
Removing 'eHTMLTag_map' from 'gHtmlKids' fixes all the crashes -
I have to admit I don't understand exactly why though...

        Attachment #177916 -
        Flags: review?(mrbkap)

    
    

    
  
Comment on attachment 177916 [details] [diff] [review]
Patch rev. 1

I don't think this fixes the root cause of this bug. Actually, I think the root
cause is mentioned in bug 269095 comment 10.

I think mBodyContext->mContextTopIndex is getting modified to point to a
removed element (see CNavDTD::HandleOmittedTag and then look at
http://lxr.mozilla.org/seamonkey/source/parser/htmlparser/src/CNavDTD.cpp#2012)
. Note that mBodyContext->mContextTopIndex is not modified, leaving it pointing
to a closed index.

I'll attach a patch that fixes this bug, and handles
mBodyContext->mContextTopIndex more properly.

        Attachment #177916 -
        Flags: review?(mrbkap) → review-

    
    

    
  


  
This patch should apply from mozilla/parser/htmlparser. It works as described
above.

        Attachment #177930 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 177930 [details] [diff] [review]
alternative approach

Seems reasonable. r=jst

        Attachment #177930 -
        Flags: review?(jst) → review+
Assignee: mats.palmgren → mrbkap

    
  

        Attachment #177930 -
        Flags: superreview?(rbs)

    
  
Status: NEW → ASSIGNED

    
  

        Attachment #177916 -
        Attachment is obsolete: true

    
  
Flags: blocking1.8b2?

    
    

    
  
Comment on attachment 177930 [details] [diff] [review]
alternative approach

sr=rbs

        Attachment #177930 -
        Flags: superreview?(rbs) → superreview+

    
    

    
  
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
  
Flags: blocking1.8b2?

    
    

    
  
Verified FIXED: all testcases work for me here now with build 2005-04-10-05 on
Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
Blocks: 269095
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+

    
    

    
  
verified fixed on the 1.0.1 branch using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060210 Firefox/1.0.7. I loaded the testcases and no crash. Adding keyword.
Keywords: fixed-aviary1.0.8verified-aviary1.0.8

    
    

    
  
verified fixed using Mozilla 1.7.12 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060210. No crash with testcases. Adding keyword.
Keywords: fixed1.7.13verified1.7.13

    
    

    
  
parser/htmlparser/tests/crashtests/286733-1.html
parser/htmlparser/tests/crashtests/286733-2.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: