Closed
Bug 31089
Opened 25 years ago
Closed 24 years ago
Oakland Tribute crashes in HTMLContentSink::AddLeaf
Categories
(Core :: Networking, defect, P3)
Core
Networking
Tracking
()
VERIFIED
FIXED
M15
People
(Reporter: elig, Assigned: andreas.otte)
References
()
Details
(Keywords: crash)
Attachments
(1 file)
|
1.35 KB,
patch
|
Details | Diff | Splinter Review |
Displaying the above URL crashes all of the 3.8.00 builds (Win32/Mac OS/Linux) immediately and with 100% reproducibility. Unable to find bug with this stack crawl, so submitting in case it's an unknown crash. Incident ID is TB6524256H. Sorry, no page decomposition. PowerPC illegal instruction at FFC10000 _RelString+0045C Calling chain using A6/R1 links Back chain ISA Caller 00000000 PPC 0D3A0EA4 0586A5C0 PPC 0D3901C4 main+0016C 0586A530 PPC 0D38FB0C main1(int, char**, nsISplashScreen*)+00624 0586A440 PPC 0D014188 nsAppShellService::Run()+14188 0586A400 PPC 0C28F80C nsAppShell::Run()+00038 0586A3B0 PPC 0C28FF2C nsMacMessagePump::DoMessagePump()+0003C 0586A360 PPC 0C290200 nsMacMessagePump::DispatchEvent(int, EventRecord*)+00174 0586A310 PPC 0D0E9874 Repeater::DoRepeaters(const EventRecord&)+00030 0586A2D0 PPC 0C275364 nsMacNSPREventQueueHandler::RepeatAction(const EventRecord&)+000 BC 0586A250 PPC 0D209410 nsEventQueueImpl::ProcessPendingEvents()+000E4 0586A1F0 PPC 0D209410 nsEventQueueImpl::ProcessPendingEvents()+000E4 0586A190 PPC 0D209410 nsEventQueueImpl::ProcessPendingEvents()+000E4 0586A130 PPC 0D209410 nsEventQueueImpl::ProcessPendingEvents()+000E4 0586A0D0 PPC 0D209410 nsEventQueueImpl::ProcessPendingEvents()+000E4 0586A070 PPC 0D209364 nsEventQueueImpl::ProcessPendingEvents()+00038 0586A010 PPC 0D262AF4 PL_ProcessPendingEvents+0004C 05869FD0 PPC 0D262BDC PL_HandleEvent+00020 05869F90 PPC 0C669E7C nsStreamListenerEvent::HandlePLEvent(PLEvent*)+69E7C 05869F50 PPC 0C66AFE4 nsOnDataAvailableEvent::HandleEvent()+6AFE4 05869F00 PPC 0CE29BD0 nsHTTPServerListener::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+29BD0 05869E70 PPC 0C64CC3C InterceptStreamListener::OnDataAvailable(nsIChannel*, nsISupport s*, nsIInputStream*, unsigned int, unsigned int)+4CC3C 05869E20 PPC 0C37BF0C nsDocumentOpenInfo::OnDataAvailable(nsIChannel*, nsISupports*, n sIInputStream*, unsigned int, unsigned int)+7BF0C 05869DE0 PPC 0CE512B8 nsParser::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStr eam*, unsigned int, unsigned int)+512B8 05869CE0 PPC 0CE507D4 nsParser::ResumeParse(nsIDTD*, int)+507D4 05869C90 PPC 0CE5098C nsParser::BuildModel()+5098C 05869C40 PPC 0CE3A2E0 CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver* , nsIContentSink*)+3A2E0 05869BD0 PPC 0CE3A994 CNavDTD::HandleToken(CToken*, nsIParser*)+3A994 05869B40 PPC 0CE3BEB4 CNavDTD::HandleStartToken(CToken*)+3BEB4 05869AE0 PPC 0CE3F6D4 CNavDTD::AddHeadLeaf(nsIParserNode*)+3F6D4 058699E0 PPC 0CE3F308 CNavDTD::AddLeaf(const nsIParserNode*)+3F308 05869970 PPC 0CA49448 HTMLContentSink::AddLeaf(const nsIParserNode&)+49448 Closing log
Either content sink or parser. I'm guessing parser. If it's a content sink issue, then reassign to Vidur
Assignee: troy → rickg
Component: Layout → Parser
QA Contact: petersen → janc
This is crashing in the sink with the following stack track strace. Harish:
please take a look.
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 4328 + 92
bytes
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x022cfdc0, const nsIParserNode
& {...}) line 2955 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x022ea4b0) line 3254 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x022ea4b0) line 3370 + 17 bytes
CNavDTD::HandleStartToken(CToken * 0x00f79d40) line 1402 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x022ead90, CToken * 0x00f79ba0, nsIParser
* 0x022ce080) line 767 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x022ead90, nsIParser * 0x022ce080,
nsITokenizer * 0x022ea8c0, nsITokenObserver * 0x00000000, nsIContentSink *
0x022cfdc0) line 504 + 20 bytes
nsParser::BuildModel() line 1270 + 34 bytes
nsParser::ResumeParse(nsIDTD * 0x00000000, int 0) line 1167 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x022ce084, nsIChannel * 0x00f8f980,
nsISupports * 0x00000000, nsIInputStream * 0x022ce994, unsigned int 0, unsigned
int 1526) line 1565 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x00f8f750,
nsIChannel * 0x00f8f980, nsISupports * 0x00000000, nsIInputStream * 0x022ce994,
unsigned int 0, unsigned int 1526) line 266 + 46 bytes
InterceptStreamListener::OnDataAvailable(InterceptStreamListener * const
0x022ce990, nsIChannel * 0x00f8f980, nsISupports * 0x00000000, nsIInputStream *
0x00f919fc, unsigned int 0, unsigned int 1526) line 1127
nsHTTPServerListener::OnDataAvailable(nsHTTPServerListener * const 0x00f905b0,
nsIChannel * 0x00f90dc4, nsISupports * 0x00f8f980, nsIInputStream * 0x00f919fc,
unsigned int 132, unsigned int 1526) line 343 + 58 bytes
nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x022e90f0)
line 388 + 47 bytes
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x022e90d0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x022e90d0) line 556 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00b21ac0) line 501 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x171f05aa, unsigned int 49342, unsigned int 0,
long 11672256) line 1011 + 9 bytes
USER32! 77e71820()
00b21ac0()
Assignee: rickg → harishd
Reduced case: <base href=http://www.newschoice.com/> <html> <frameset> <frame name="CONTENT" src="/ASP-BIN/ContentFrmBldr.asp?PUID=491&FURL=" > </frameset> </html> I think the problem is related to stream loader's refcount. But, anyway, this is happening in the sink. Reassigning bug to jst@netscape.com ( Mr. Content Sink ) for further analysis.
Assignee: harishd → jst
Component: Parser → HTML Element
|
||
Comment 4•24 years ago
|
||
This has nothing with a frameset to do, nor does it have anything to do with the content sink AFAIK. Mozilla crashes when loading the page http://www.newschoice.com/ASP-BIN/ContentFrmBldr.asp?PUID=491&FURL= and it seems like this would be a necko problem, the page contains references to external scripts and the URL used for the scripts are missing the host, here's a sample from the page: <SCRIPT LANGUAGE="JavaScript1.1" SRC="http:///RealMedia/ads/adstream_jx.cgi/www.oaklandtribune-ang.com/entrypage. htm@Frame2"></srcipt> The crash is in NS_NewStreamLoader(), seems like the stream loader is destroyed even if there are pending references to it, I even verified this, the nsStreamLoader created in NS_NewStreamLoader() is destroyed inside the nsStreamLoader's Init() function, while there's a reference to it!!! Reassigning to gagan.
Assignee: jst → gagan
argh... another makeabs url problem->andreas.
Assignee: gagan → andreas.otte
|
Assignee | |
Comment 6•24 years ago
|
||
The URL is not valid, the http protocol needs a host which is not provided in http:///RealMedia/ads/adstream_jx.cgi/www.oaklandtribune-ang.com/entrypage.htm@F rame2"> Granted, it should not crash and we have to check and return NS_ERROR_MALFORMED_URI if we see a http-URL with no host, but unless this is corrected this will never work.
|
|
Assignee | |
Comment 7•24 years ago
|
||
Okay, I have a fix for this. In case we get an empty host (string with len 0) with the nsAuthURLParser (which must have a host) we return NS_ERROR_MALFORMED_URI. This prevents the crash, but the real problem must be somewhere else. Somewhere, someone can't handle an empty host string and does not check for it.
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•24 years ago
|
||
|
|
Assignee | |
Comment 9•24 years ago
|
||
changed component to networking
Component: HTML Element → Networking
Target Milestone: --- → M15
|
|
Assignee | |
Comment 10•24 years ago
|
||
fix to prevent the crash checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•