Closed Bug 341359 Opened 13 years ago Closed 13 years ago

Crash [@ SinkContext::FlushTags] with malformed html, with javascript disabled, using noscript, table, frameset, meta


(Core :: HTML: Parser, defect, P1, critical)






(Reporter: martijn.martijn, Assigned: mrbkap)



(5 keywords, Whiteboard: [patch])



(4 files)

See upcoming testcase which crashes Mozilla when js is turned off.
The testcase consists of this:

Talkback ID: TB19806713M
SinkContext::FlushTags   HTMLContentSink::DidBuildModel   CNavDTD::DidBuildModel

By the way, there is another regression, between 2005-09-08 and 2005-09-11, where the testcase starts showing up having a black background:
Probably a regression from bug 307821, might be useful to know.
This regressed between 2005-11-01 and 2005-11-03:
I think a regression from bug 314759.
Attached patch: Potential fix
This doesn't allow noscript in the head at all, so it'll be moved into the body, and we won't crash.
Attachment #225596 - Flags: superreview?(bugmail)
Attachment #225596 - Flags: review?(bugmail)
Comment on attachment 225596
Potential fix


(though really you should be the one to a+ it since you're the owner)
Attachment #225596 - Flags: superreview?(bugmail)
Attachment #225596 - Flags: superreview+
Attachment #225596 - Flags: review?(bugmail)
Attachment #225596 - Flags: review+
Attachment #225596 - Flags: approval-branch-1.8.1+
Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch still necessary?
(In reply to comment #6)
> Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch
> still necessary?

Yeah, we should get this patch in on the branch at the very least since bug 333497 won't go in there.
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Comment on attachment 225596
Potential fix

I was tardy in getting this into the branch, re-requesting approval.
Attachment #225596 - Flags: approval1.8.1?
This got checked in as part of bug 333497.
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 225596
Potential fix

a=darin on behalf of drivers
Attachment #225596 - Flags: approval1.8.1? → approval1.8.1+
This is now fixed on the 1.8 branch.
Keywords: fixed1.8.1
Flags: blocking1.8.0.7?
Comment on attachment 225596
Potential fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #225596 - Flags: approval1.8.0.7+
Flags: blocking1.8.0.7?
Flags: blocking1.8.0.7+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Fixed on the 1.8.0 branch.
Keywords: fixed1.8.0.7
The "Another uminimised file that is probably this bug" is crashing for me on branch and 1.8.1 branch, with a stacktrace that is similar to bug 344300.
(secondary testcase) still causing a crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20060831 Firefox/

Re-opening this bug.
Resolution: FIXED → ---
As per comment #14, the testcase that is still crashing is considered to be bug 344300. Verification for this bug should only be done with the first testcase.

Sorry for the confusion.

Re-marking this bug fixed.
Closed: 13 years ago
Resolution: --- → FIXED
Blocks: 448634
No longer blocks: 448634
Crash Signature: [@ SinkContext::FlushTags]