Bug 312704 - crash [@ nsNodeInfoManager::GetTextNodeInfo] on ebay page with JavaScript off
Status: RESOLVED FIXED
Keywords: crash, fixed1.8.0.7, fixed1.8.1
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All All
Priority: P1
Severity: critical
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: Hixie (not reading bugmail)
Triage Owner: Andrew Overholt [:overholt]
Reported: 2005-10-17 06:00 PDT by Christian Eyrich
Modified: 2006-09-13 16:55 PDT
Flags:
darin.moz: blocking1.8.1+
dveditz: blocking1.8.0.5-
dveditz: blocking1.8.0.7+


Attachments
Attachment 224771: Minimal-ish testcase for the asserts I see (124 bytes, text/html), 2006-06-07 15:33 PDT, Boris Zbarsky [:bz] (still a bit busy). Flags: none.
Attachment 224776: Assertion that catches the first place things go wrong (1.08 KB, patch), 2006-06-07 15:54 PDT, Boris Zbarsky [:bz] (still a bit busy). Flags: mrbkap: review+, jonas: superreview+.
Attachment 224781: Proposed fix (1.75 KB, patch), 2006-06-07 16:17 PDT, Blake Kaplan (:mrbkap). Flags: bzbarsky: review+, jonas: superreview+, dveditz: approval1.8.0.7+.

Description Christian Eyrich 2005-10-17 06:00:07 PDT
Crash after clicking on "Continue>" button on ebay's "Review Your Purchase"
after selecting a payment method. It crashes when status bar displays "read
secureinclude.ebaystatic.com".

But it only crashes if JavaScript is switched *off* (javascript.enabled = false)
or is prohibited for the page via policies.

It crashes with Firefox Trunk Win 20051016, Seamonkey Trunk Win 20051013 and
Seamonkey Trunk Linux 20051016.

Talkback IDs for this are:
Seamonkey Win:
TB10733074Y, TB10733077G, TB10733304Z, TB10733396Q, TB10734827Y, TB10735665G
Firefox Win:
TB10762793X, TB10763001M
Comment 1 Martijn Wargers [:mwargers] 2005-10-17 08:01:31 PDT
From talkback ID TB10733074Y:

nsNodeInfoManager::GetTextNodeInfo [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsNodeInfoManager.cpp, line 272]
SinkContext::FlushText [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 1816]
SinkContext::FlushText [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 1802]
SinkContext::FlushTags [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 1720]
HTMLContentSink::BeginUpdate [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3996]
nsXULElement::SetAttr [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp, line 1292]
nsGfxScrollFrameInner::SetAttribute [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 2504]
nsGfxScrollFrameInner::LayoutScrollbars [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 2386]
nsHTMLScrollFrame::Reflow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsGfxScrollFrame.cpp, line 833]
nsContainerFrame::ReflowChild [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsContainerFrame.cpp, line 891]
ViewportFrame::Reflow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/generic/nsViewportFrame.cpp, line 239]
PresShell::InitialReflow [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 2762]
nsContentSink::StartLayout [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsContentSink.cpp, line 898]
HTMLContentSink::StartLayout [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3525]
CNavDTD::DidBuildModel [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/parser/htmlparser/src/CNavDTD.cpp, line 598]
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2006-04-21 22:38:31 PDT
Is this still reproducible with current trunk?
Comment 3 Christian Eyrich 2006-06-06 06:25:57 PDT
(In reply to comment #2)
> Is this still reproducible with current trunk?

Yes, just crashed again with 2006060110, see TB19557959M.
Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2006-06-06 08:45:04 PDT
Hmm, ok.  What are the steps to reproduce?  Assume that you're telling someone who has never used eBay (good assumption in this case) and who doesn't want to spend time hunting all over the eBay UI for the right things to click (also a good assumption).

Is an eBay account or something like that needed to reproduce?
Comment 5 Christian Eyrich 2006-06-07 02:51:41 PDT
(In reply to comment #4)
> Hmm, ok.  What are the steps to reproduce?  Assume that you're telling someone
> who has never used eBay (good assumption in this case) and who doesn't want to
> spend time hunting all over the eBay UI for the right things to click (also a
> good assumption).
> 
> Is an eBay account or something like that needed to reproduce?

Unfortunately yes, since it happens in the confirm shipping and payment steps after buying something.
But I'll nevertheless describe the steps:
1. After buying something, visit the items page.
2. Click on the "Pay now" button on the top of the page
3. On the next "Review Your Purchase" page, click on "Continue" button on the bottom of the page
4. Boom

Again, only if JS is off.
Comment 6 Boris Zbarsky [:bz] (still a bit busy) 2006-06-07 15:33:05 PDT
Created attachment 224771
Minimal-ish testcase for the asserts I see

I suspect that fixing these asserts will fix the crash.
Comment 7 Boris Zbarsky [:bz] (still a bit busy) 2006-06-07 15:54:53 PDT
Created attachment 224776
Assertion that catches the first place things go wrong
Comment 8 Blake Kaplan (:mrbkap) 2006-06-07 16:17:26 PDT
Created attachment 224781
Proposed fix

This should fix the crashes by not allowing <noscript> to be a child of the <html>. Instead, we'll open the <head> for it, and the <link> will be processed in the same context as the noscript.
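The rule mrbkap describes above, as an added example that is neither Gecko's content sink nor the patch itself: a deliberately simplified JavaScript tree builder in which a <noscript> met before <head> has been opened gets an implied <head>, and the <link> inside it is built in that same head context, with a `scripting` flag standing in for javascript.enabled. Everything in it (the tokenizer, the insertion modes, the constructed SAMPLE markup, and the pathTo and serialize helpers) is this example's own construction; it is not the attached testcase, and it handles only the tag shapes discussed in this bug.

```javascript
// Added example, not Gecko code: a small model of the tree-builder rule behind this fix.
// A <noscript> seen before any <head> never becomes a direct child of <html>: the parser
// opens <head> for it, and the <link> inside it is built in that same head context.
// `scripting` stands in for javascript.enabled: on, <noscript> content is opaque text.
const VOID_TAGS = new Set(['link', 'meta', 'base', 'br', 'img']);
const HEAD_VOID_TAGS = new Set(['link', 'meta', 'base']); // <title>/<style> left out (raw text)

// Minimal tokenizer: start tags with double-quoted attributes, end tags, text. No entities,
// comments or doctype handling; enough for the markup shapes discussed in this bug.
function tokenize(html) {
  const tokens = [];
  const re = /<\/([a-zA-Z][^\s>]*)\s*>|<([a-zA-Z][^\s\/>]*)([^>]*?)\/?>|([^<]+)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: 'end', name: m[1].toLowerCase(), raw: m[0] });
    else if (m[2] !== undefined) {
      const attrs = {};
      for (const a of m[3].matchAll(/([^\s=]+)(?:="([^"]*)")?/g)) attrs[a[1].toLowerCase()] = a[2] ?? '';
      tokens.push({ type: 'start', name: m[2].toLowerCase(), attrs, raw: m[0] });
    } else if (m[4].trim() !== '') tokens.push({ type: 'text', data: m[4], raw: m[0] });
  }
  return tokens;
}

function parse(html, { scripting }) {
  const el = (name, attrs = {}) => ({ name, attrs, children: [] });
  const root = el('#document'), htmlEl = el('html');
  root.children.push(htmlEl);
  const stack = [htmlEl];                                        // stack of open elements
  const top = () => stack[stack.length - 1];
  const insert = (node) => { top().children.push(node); return node; };
  const isStart = (t, name) => t.type === 'start' && t.name === name;
  const isEnd = (t, name) => t.type === 'end' && t.name === name;
  const tokens = tokenize(html);
  let mode = 'before head';
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (isStart(t, 'html')) continue;                            // <html> is implied above
    if (mode === 'before head') {
      // The rule behind the fix: whatever the first token is, open <head> for it instead
      // of hanging the element off <html>, then reprocess that token in "in head" mode.
      stack.push(insert(el('head', isStart(t, 'head') ? t.attrs : {})));
      mode = 'in head';
      if (!isStart(t, 'head')) i--;
    } else if (mode === 'in head' || mode === 'in head noscript') {
      if (isStart(t, 'noscript') && mode === 'in head') {
        const ns = insert(el('noscript', t.attrs));
        if (scripting) {
          let raw = '';                                          // opaque up to </noscript>
          while (++i < tokens.length && !isEnd(tokens[i], 'noscript')) raw += tokens[i].raw;
          ns.children.push({ name: '#text', data: raw });
        } else {
          stack.push(ns);                                        // scripting off: parse inside
          mode = 'in head noscript';
        }
      } else if (t.type === 'start' && HEAD_VOID_TAGS.has(t.name)) {
        insert(el(t.name, t.attrs));                             // under <noscript> if it is open
      } else if (isEnd(t, 'noscript') && top().name === 'noscript') {
        stack.pop(); mode = 'in head';
      } else {                                                   // </head>, <body>, text, ...:
        while (top() !== htmlEl) stack.pop();                    // close the head section
        mode = 'after head';
        if (!isEnd(t, 'head')) i--;
      }
    } else if (mode === 'after head') {
      stack.push(insert(el('body', isStart(t, 'body') ? t.attrs : {})));
      mode = 'in body';
      if (!isStart(t, 'body')) i--;
    } else if (t.type === 'start') {                             // 'in body': plain nesting
      const node = insert(el(t.name, t.attrs));
      if (!VOID_TAGS.has(t.name)) stack.push(node);
    } else if (t.type === 'end') {
      const j = stack.map((n) => n.name).lastIndexOf(t.name);
      if (j > 0) stack.length = j;
    } else {
      insert({ name: '#text', data: t.data });
    }
  }
  return root;
}

// Ancestor chain (outermost first) of the first node with the given name, or null if absent.
function pathTo(node, name, path = []) {
  if (node.name === name) return path;
  for (const child of node.children || []) {
    const found = pathTo(child, name, [...path, node.name]);
    if (found) return found;
  }
  return null;
}

function serialize(node, depth = 0) {
  if (node.name === '#text') return `${'  '.repeat(depth)}"${node.data}"\n`;
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  return `${'  '.repeat(depth)}<${node.name}${attrs}>\n` + node.children.map((c) => serialize(c, depth + 1)).join('');
}

// Constructed input in the shape this bug is about (not the attached testcase): a <noscript>
// holding a <link>, appearing before any <head>, followed by the body.
const SAMPLE = '<html><noscript><link rel="stylesheet" href="nojs.css"></noscript><body><p>JavaScript is off</p></body></html>';
for (const scripting of [false, true]) {
  console.log(`--- scripting ${scripting ? 'on' : 'off'} ---\n` + serialize(parse(SAMPLE, { scripting })));
}
```

Run with node; with scripting off the printed tree has html > head > noscript > link and html > body > p, while with scripting on the noscript holds a single text node containing the raw `<link ...>` markup. The same implied-head step fires when the markup has no explicit <html> or <head> at all, which is the situation the crash path in comment 1 (StartLayout during DidBuildModel) was reached from.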
Comment 9 Boris Zbarsky [:bz] (still a bit busy) 2006-06-07 16:22:51 PDT
Comment on attachment 224781
Proposed fix

Looks good, and fixes the crash.

I think we want to take this on branches...
Comment 10 Jonas Sicking (:sicking) No longer reading bugmail consistently 2006-06-07 18:05:21 PDT
Comment on attachment 224781
Proposed fix

I am very worried though that we'll get a repeat of the <object> crashes. But if you say that things should be more stable now...

Actually, maybe it'd be a good idea to reenable <object> in head since that'd give better testing to the same codepaths.
Comment 11 Blake Kaplan (:mrbkap) 2006-06-07 18:22:37 PDT
Fix checked into the trunk. Boris will have to remember to check the assertion fix in.
Comment 12 Boris Zbarsky [:bz] (still a bit busy) 2006-06-07 21:29:29 PDT
Checked in the assertion.
Comment 13 Jonas Sicking (:sicking) No longer reading bugmail consistently 2006-06-09 14:34:06 PDT
What do we want to do about the branch here? The patch is fairly risky given that similar changes for <object> caused crashes. Are the fixes for the <object> related problems checked in to all branches?

Could we maybe disallow noscript inside <head> in addition to disallowing the 'anywhere' flag? At least for branch?

In any case, anything we want for 1.8.0.x would have to go on 1.8.1 first to allow baking.
Comment 14 Daniel Veditz [:dveditz] 2006-06-13 14:26:27 PDT
No answer to comment 13, no 1.8 branch landing, looks like a minus for this release.
Comment 15 David Baron :dbaron: ⌚️UTC-8 2006-06-28 18:50:02 PDT
Did you want to request 1.8 branch approval?
Comment 16 Blake Kaplan (:mrbkap) 2006-07-06 12:33:39 PDT
I checked this patch + the patch for bug 341359 into the 1.8 branch.
Comment 17 Daniel Veditz [:dveditz] 2006-08-09 14:59:47 PDT
Comment on attachment 224781
Proposed fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 18 Blake Kaplan (:mrbkap) 2006-08-16 11:31:45 PDT
Fixed on the 1.8.0 branch.
Comment 19 alice nodelman [:alice] [:anode] 2006-09-13 16:55:42 PDT
I was unable to generate the original crash.  Could the creator of this bug please attempt to verify the fix with a nightly build?