Crash [@ SinkContext::FlushTags] with malformed html, with javascript disabled, using noscript, table, frameset, meta

RESOLVED FIXED in mozilla1.9alpha1

Status


Core
HTML: Parser
P1
critical
RESOLVED FIXED
11 years ago
6 years ago

People

(Reporter: Martijn Wargers (dead), Assigned: mrbkap)

Tracking

(5 keywords)

Trunk
mozilla1.9alpha1
crash, fixed1.8.0.7, fixed1.8.1, regression, testcase
Points:
---
Bug Flags:
blocking1.7.14 ?
blocking-aviary1.0.9 ?
blocking1.8.0.7 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [patch], crash signature)

Attachments

(4 attachments)

(Reporter)

Description

11 years ago
See upcoming testcase which crashes Mozilla when js is turned off.
The testcase consists of this:
<noscript>
<table>
<frameset>
<meta>

Talkback ID: TB19806713M
SinkContext::FlushTags   HTMLContentSink::DidBuildModel   CNavDTD::DidBuildModel

By the way, there is another regression, between 2005-09-08 and 2005-09-11, where the testcase starts showing up having a black background:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-08+08&maxdate=2005-09-11+09&cvsroot=%2Fcvsroot
Probably a regression from bug 307821, might be useful to know.
This regressed between 2005-11-01 and 2005-11-03:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-01+07&maxdate=2005-11-03+07&cvsroot=%2Fcvsroot
I think a regression from bug 314759.
(Reporter)

Comment 1

11 years ago
Created attachment 225407 [details]
testcase (crashes on load when js is turned off)
(Reporter)

Comment 2

11 years ago
Created attachment 225408 [details]
Original file where the testcase is derived from
(Reporter)

Comment 3

11 years ago
Created attachment 225412 [details]
Another unminimised file that is probably this bug
(Assignee)

Comment 4

11 years ago
Created attachment 225596 [details] [diff] [review]
Potential fix

This doesn't allow noscript in the head at all, so it'll be moved into the body, and we won't crash.
Attachment #225596 - Flags: superreview?(bugmail)
Attachment #225596 - Flags: review?(bugmail)
Comment on attachment 225596 [details] [diff] [review]
Potential fix

r+sr+a=sicking

(though really you should be the one to a+ it since you're the owner)
Attachment #225596 - Flags: superreview?(bugmail)
Attachment #225596 - Flags: superreview+
Attachment #225596 - Flags: review?(bugmail)
Attachment #225596 - Flags: review+
Attachment #225596 - Flags: approval-branch-1.8.1+
(Reporter)

Comment 6

11 years ago
Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch still necessary?
(Assignee)

Comment 7

11 years ago
(In reply to comment #6)
> Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch
> still necessary?

Yeah, we should get this patch in on the branch at the very least since bug 333497 won't go in there.
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 8

11 years ago
Comment on attachment 225596 [details] [diff] [review]
Potential fix

I was tardy in getting this into the branch, re-requesting approval.
Attachment #225596 - Flags: approval1.8.1?
(Assignee)

Comment 9

11 years ago
This got checked in as part of bug 333497.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 10

11 years ago
Comment on attachment 225596 [details] [diff] [review]
Potential fix

a=darin on behalf of drivers
Attachment #225596 - Flags: approval1.8.1? → approval1.8.1+
(Assignee)

Comment 11

11 years ago
This is now fixed on the 1.8 branch.
Keywords: fixed1.8.1
Flags: blocking1.8.0.7?
Comment on attachment 225596 [details] [diff] [review]
Potential fix

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #225596 - Flags: approval1.8.0.7+
Flags: blocking1.8.0.7?
Flags: blocking1.8.0.7+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
(Assignee)

Comment 13

11 years ago
Fixed on the 1.8.0 branch.
Keywords: fixed1.8.0.7
(Reporter)

Comment 14

11 years ago
The "Another unminimised file that is probably this bug" is crashing for me on the 1.8.0.7 branch and the 1.8.1 branch, with a stacktrace that is similar to bug 344300.
https://bugzilla.mozilla.org/attachment.cgi?id=225412&action=view (secondary testcase) still causing a crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060831 Firefox/1.5.0.7.

Re-opening this bug.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
As per comment #14, the testcase that is still crashing is considered to be bug 344300. Verification for this bug should only be done with the first testcase.

Sorry for the confusion.

Re-marking this bug fixed.
Status: REOPENED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

8 years ago
Blocks: 448634
(Reporter)

Updated

8 years ago
No longer blocks: 448634
Crash Signature: [@ SinkContext::FlushTags]