XUL crash with <html:object> with bogus type attribute [@ nsBlockBandData::Init ]

RESOLVED WORKSFORME

Status

()

Core
Layout
--
critical
RESOLVED WORKSFORME
13 years ago
7 years ago

People

(Reporter: mig, Unassigned)

Tracking

({crash, qawanted})

1.7 Branch
x86
Windows XP
crash, qawanted
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

465 bytes, application/vnd.mozilla.xul+xml
Details
(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 (ax)

If an <html:object> in a XUL document carries a type attribute that cannot be
resolved by the plugin finder, the mozzy gets the crashy.

For instance, this line will always immediately crash the browser:
<html:object id="thecrashy" width="0" height="0" type="See Mozzy crash.  Crash,
Mozzy, crash!"/>

Amusingly, if you give the width and height to be nonzero, the app will still
crash but it will first hang around frozen with a wait-cursor for 30 or so
seconds.  Possibly different bugs, but one will lead to the other, I'm sure.

Reproducible: Always

Steps to Reproduce:
1. Make a XUL document with a bad <html:object>
2. Load it
3. Cry

Actual Results:  
I cried.

Expected Results:  
Other than crash?

This is a bit more difficult to call.  Obviously, if the plugin finder can't
find there should be some sort of feedback -- and if your object has no size
then that feedback won't be visible in the screen.

Outside of writing a whole big chunk of UI to give unknown plugin alerts in
their own windows, I'd say the best you can do is fail silently and leave lots
of useful info in the stdout/js consoles.

Talkback reports: TB7752978H, TB7752964H, TB7752958M, TB7752709G

These are for both sized and unsized attempts at testing my crash_object.xul
file (which I'll attach as soon as I'm done with Mr Bug Wizard here).

I assume because it's an actual crash that it should be "critical" severity, but
this is obviously arguable given it's in such a small, "unused," corner of the
codebase.
(Reporter)

Comment 1

13 years ago
Created attachment 190292 [details]
Crash yer mozzy.
Component: Plugin Finder Service → Layout
Product: Firefox → Core
QA Contact: plugin.finder → layout
Version: unspecified → 1.7 Branch
nsBlockBandData::Init 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockBandData.cpp,
line 70]
nsBlockFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsBlockFrame.cpp,
line 688]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 982]
nsObjectFrame::HandleChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsObjectFrame.cpp,
line 1514]
nsObjectFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsObjectFrame.cpp,
line 1117]
nsBoxToBlockAdaptor::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 884]
nsBoxToBlockAdaptor::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 626]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsRootBoxFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp,
line 240]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 982]
ViewportFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsViewportFrame.cpp,
line 249]
PresShell::ResizeReflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 2936]
PresShell::ResizeReflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6147]
nsViewManager::SetWindowDimensions 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 687]
nsViewManager::DispatchEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 1871]
HandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp,
line 77]
nsWindow::DispatchEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1067]
nsWindow::OnResize 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 5114]
nsWindow::ProcessMessage 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 4284]
nsWindow::WindowProc 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp,
line 1349]
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0xd05b (0x77d4d05b)
USER32.dll + 0xb4c0 (0x77d4b4c0)
USER32.dll + 0xd0a5 (0x77d4d0a5)
ntdll.dll + 0xeae3 (0x7c90eae3)
DocumentViewerImpl::SetBounds 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/base/src/nsDocumentViewer.cpp,
line 1477]
nsSubDocumentFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/document/src/nsFrameFrame.cpp,
line 422]
nsBoxToBlockAdaptor::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 884]
nsBoxToBlockAdaptor::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBoxToBlockAdaptor.cpp,
line 626]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsDeckFrame::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsDeckFrame.cpp,
line 303]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsContainerBox::DoLayout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsContainerBox.cpp,
line 610]
nsBox::Layout 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsBox.cpp,
line 1016]
nsRootBoxFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/xul/base/src/nsRootBoxFrame.cpp,
line 240]
nsContainerFrame::ReflowChild 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsContainerFrame.cpp,
line 982]
ViewportFrame::Reflow 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsViewportFrame.cpp,
line 249]
IncrementalReflow::Dispatch 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 904]
PresShell::ProcessReflowCommands 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6401]
PresShell::FlushPendingNotifications 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5114]
nsEventStateManager::FlushPendingEvents 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 4654]
nsEventStateManager::PreHandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/content/events/src/nsEventStateManager.cpp,
line 443]
PresShell::HandleEventInternal 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 6056]
PresShell::HandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/layout/html/base/src/nsPresShell.cpp,
line 5921]
nsViewManager::HandleEvent 
[c:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp,
line 2321]
Keywords: crash
Summary: XUL crash with <html:object> with bogus type attribute → XUL crash with <html:object> with bogus type attribute [@ nsBlockBandData::Init ]
Is this a problem with Deer Park alpha 2?
Keywords: qawanted

Comment 4

13 years ago
(In reply to comment #3)
> Is this a problem with Deer Park alpha 2?

not a Deer Park problem.

crash Mozilla/5.0 (Windows; U; Win98; de-DE; rv:1.7.10) Gecko/20050715 Firefox/1.0.6

wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050724 Firefox/1.0+

wfm Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050723 SeaMonkey/1.0a


http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB7763128G

29 Talkbacks:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=+nsBlockBandData%3A%3AInit&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

MacOSX:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=7247780
If this is branch-only, then it's a pretty low priority unless there's a
security issue here or this is a topcrash....
Wontfix on 1.7 branch.  Worksforme on trunk.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → WORKSFORME
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsBlockBandData::Init ]
You need to log in before you can comment on or make changes to this bug.