Bug 341359 - Crash [@ SinkContext::FlushTags] with malformed html, with javascript disabled, using noscript, table, frameset, meta
Status: RESOLVED FIXED
Whiteboard: [patch]
Keywords: crash, fixed1.8.0.7, fixed1.8.1, regression, testcase
Product: Core
Classification: Components
Component: HTML: Parser
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
: Andrew Overholt [:overholt]
Blocks: 314759
Reported: 2006-06-13 03:02 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT
dveditz: blocking1.7.14?
dveditz: blocking-aviary1.0.9?
dveditz: blocking1.8.0.7+
Attachments
testcase (crashes on load when js is turned off) (39 bytes, text/html)
2006-06-13 03:03 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
Original file where the testcase is derived from (19.54 KB, text/html)
2006-06-13 03:05 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
Another unminimised file that is probably this bug (19.56 KB, text/html)
2006-06-13 03:47 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
Potential fix (1.35 KB, patch)
2006-06-14 10:59 PDT, Blake Kaplan (:mrbkap)
jonas: review+
jonas: superreview+
jonas: approval-branch-1.8.1+
dveditz: approval1.8.0.7+
darin.moz: approval1.8.1+

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2006-06-13 03:02:18 PDT
See upcoming testcase which crashes Mozilla when js is turned off.
The testcase consists of this:
<noscript>
<table>
<frameset>
<meta>

Talkback ID: TB19806713M
SinkContext::FlushTags   HTMLContentSink::DidBuildModel   CNavDTD::DidBuildModel

By the way, there is another regression, between 2005-09-08 and 2005-09-11, where the testcase starts showing up having a black background:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-08+08&maxdate=2005-09-11+09&cvsroot=%2Fcvsroot
Probably a regression from bug 307821, might be useful to know.
This regressed between 2005-11-01 and 2005-11-03:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-01+07&maxdate=2005-11-03+07&cvsroot=%2Fcvsroot
I think a regression from bug 314759.
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-06-13 03:03:48 PDT
Created attachment 225407 [details]
testcase (crashes on load when js is turned off)
Comment 2 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-06-13 03:05:03 PDT
Created attachment 225408 [details]
Original file where the testcase is derived from
Comment 3 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-06-13 03:47:34 PDT
Created attachment 225412 [details]
Another unminimised file that is probably this bug
Comment 4 Blake Kaplan (:mrbkap) 2006-06-14 10:59:25 PDT
Created attachment 225596 [details] [diff] [review]
Potential fix

This doesn't allow noscript in the head at all, so it'll be moved into the body, and we won't crash.
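Why the same four tags crash only with JavaScript turned off: an HTML parser treats the body of a noscript element as raw text when scripting is enabled, so the table, frameset and meta tags never reach the tree builder; with scripting disabled the noscript body is tokenized as markup and all of them do, inside a head-level noscript, which is the state the patch avoids by keeping noscript out of the head. The following is an added illustration written for this page, not Gecko's parser and not part of the bug or the patch; the tokenizer, the TESTCASE string (the minimised testcase from the description) and the names tokenize and start_tags_seen are assumptions for the example, and it deliberately models only the scripting-flag rule, not Gecko's tree construction.

```python
import re
from typing import List, Tuple

# Constructed sample input: the minimised testcase from the bug description.
TESTCASE = "<noscript>\n<table>\n<frameset>\n<meta>\n"

# Start or end tag; attributes are ignored for this illustration.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def tokenize(html: str, scripting_enabled: bool) -> List[Tuple[str, str]]:
    """Return the (kind, value) tokens a tree builder would receive.

    Simplified model of the noscript rule in HTML parsers (an assumption for
    illustration, not Gecko's code): with scripting enabled, everything up to
    </noscript> is delivered as one raw text token; with scripting disabled,
    the noscript body is tokenized as markup, so the inner start tags are
    handed to the tree builder one by one.
    """
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(html):
        m = TAG_RE.search(html, pos)
        if m is None:
            text = html[pos:].strip()
            if text:
                tokens.append(("text", text))
            break
        text = html[pos:m.start()].strip()
        if text:
            tokens.append(("text", text))
        closing, name = m.group(1) == "/", m.group(2).lower()
        tokens.append(("end" if closing else "start", name))
        pos = m.end()
        if name == "noscript" and not closing and scripting_enabled:
            # Raw-text mode: swallow everything up to </noscript> (or EOF).
            end = re.search(r"</noscript\s*>", html[pos:], re.IGNORECASE)
            raw_end = pos + end.start() if end else len(html)
            raw = html[pos:raw_end].strip()
            if raw:
                tokens.append(("text", raw))
            pos = raw_end
    return tokens


def start_tags_seen(html: str, scripting_enabled: bool) -> List[str]:
    """Names of the start tags that actually reach the tree builder."""
    return [value for kind, value in tokenize(html, scripting_enabled) if kind == "start"]


if __name__ == "__main__":
    for flag in (True, False):
        state = "enabled " if flag else "disabled"
        print("scripting", state, "->", start_tags_seen(TESTCASE, flag))
```

With scripting enabled the tree builder sees only the noscript start tag followed by text; with scripting disabled it also sees table, frameset and meta while still inside noscript, which is the combination the Talkback stack above was hit with. Verifying a fix for a parser crash of this kind should therefore be done with JavaScript disabled, as the attachment description notes.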
Comment 5 Jonas Sicking (:sicking) No longer reading bugmail consistently 2006-06-14 22:47:50 PDT
Comment on attachment 225596 [details] [diff] [review]
Potential fix

r+sr+a=sicking

(though really you should be the one to a+ it since you're the owner)
Comment 6 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-06-23 21:25:33 PDT
Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch still necessary?
Comment 7 Blake Kaplan (:mrbkap) 2006-06-23 21:27:12 PDT
(In reply to comment #6)
> Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch
> still necessary?

Yeah, we should get this patch in on the branch at the very least since bug 333497 won't go in there.
Comment 8 Blake Kaplan (:mrbkap) 2006-06-23 21:28:03 PDT
Comment on attachment 225596 [details] [diff] [review]
Potential fix

I was tardy in getting this into the branch, re-requesting approval.
Comment 9 Blake Kaplan (:mrbkap) 2006-06-26 09:46:42 PDT
This got checked in as part of bug 333497.
Comment 10 Darin Fisher 2006-06-26 10:40:35 PDT
Comment on attachment 225596 [details] [diff] [review]
Potential fix

a=darin on behalf of drivers
Comment 11 Blake Kaplan (:mrbkap) 2006-07-06 12:33:57 PDT
This is now fixed on the 1.8 branch.
Comment 12 Daniel Veditz [:dveditz] 2006-08-11 11:58:28 PDT
Comment on attachment 225596 [details] [diff] [review]
Potential fix

approved for 1.8.0 branch, a=dveditz for drivers
Comment 13 Blake Kaplan (:mrbkap) 2006-08-16 11:34:54 PDT
Fixed on the 1.8.0 branch.
Comment 14 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-08-30 14:59:02 PDT
The "Another unminimised file that is probably this bug" is crashing for me on 1.8.0.7 branch and 1.8.1 branch, with a stacktrace that is similar to bug 344300.
Comment 15 alice nodelman [:alice] [:anode] 2006-09-05 18:24:48 PDT
https://bugzilla.mozilla.org/attachment.cgi?id=225412&action=view (secondary testcase) still causing a crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060831 Firefox/1.5.0.7.

Re-opening this bug.
Comment 16 alice nodelman [:alice] [:anode] 2006-09-05 18:32:40 PDT
as per comment #14, the testcase that is still crashing is considered to be bug 344300.  verification for this bug should only be done with the first testcase.

sorry for the confusion.

re-marking this bug fixed.