341359 - Crash [@ SinkContext::FlushTags] with malformed html, with javascript disabled, using noscript, table, frameset, meta

Status: RESOLVED FIXED

(Core :: DOM: HTML Parser, defect, P1)

Description

[Martijn Wargers (dead)]

See upcoming testcase which crashes Mozilla when js is turned off.
The testcase consists of this:
<noscript>
<table>
<frameset>
<meta>

Talkback ID: TB19806713M
SinkContext::FlushTags   HTMLContentSink::DidBuildModel   CNavDTD::DidBuildModel

By the way, there is another regression, between 2005-09-08 and 2005-09-11, where the testcase starts showing up having a black background:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-08+08&maxdate=2005-09-11+09&cvsroot=%2Fcvsroot
Probably a regression from bug 307821, might be useful to know.
This regressed between 2005-11-01 and 2005-11-03:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-11-01+07&maxdate=2005-11-03+07&cvsroot=%2Fcvsroot
I think a regression from bug 314759.

Comment 1

[Martijn Wargers (dead)]

Attachment: testcase (crashes on load when js is turned off)

Comment 2

[Martijn Wargers (dead)]

Attachment: Original file where the testcase is derived from

Comment 3

[Martijn Wargers (dead)]

Attachment: Another uminimised file that is probably this bug

Comment 4

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Potential fix

This doesn't allow noscript in the head at all, so it'll be moved into the body, and we won't crash.

Comment 5

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Comment on attachment 225596 [details] [diff] [review]
Potential fix

r+sr+a=sicking

(though really you should be the one to a+ it since you're the owner)

Comment 6

[Martijn Wargers (dead)]

Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch still necessary?

Comment 7

[Blake Kaplan (:mrbkap) (inactive)]

(In reply to comment #6)
> Testcase is now wfm with current trunk build. Fixed by bug 333497? Is the patch
> still necessary?

Yeah, we should get this patch in on the branch at the very least since bug 333497 won't go in there.

Comment 8

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 225596 [details] [diff] [review]
Potential fix

I was tardy in getting this into the branch, re-requesting approval.

Comment 9

[Blake Kaplan (:mrbkap) (inactive)]

This got checked in as part of bug 333497.

Comment 10

[Darin Fisher]

Comment on attachment 225596 [details] [diff] [review]
Potential fix

a=darin on behalf of drivers

Comment 11

[Blake Kaplan (:mrbkap) (inactive)]

This is now fixed on the 1.8 branch.

Comment 12

[Daniel Veditz [:dveditz]]

Comment on attachment 225596 [details] [diff] [review]
Potential fix

approved for 1.8.0 branch, a=dveditz for drivers

Comment 13

[Blake Kaplan (:mrbkap) (inactive)]

Fixed on the 1.8.0 branch.

Comment 14

[Martijn Wargers (dead)]

The "Another uminimised file that is probably this bug" is crashing for me on 1.8.0.7 branch and 1.8.1 branch, with a stacktrace that is similar to bug 344300.

Comment 15

[alice nodelman [:alice] [:anode]]

https://bugzilla.mozilla.org/attachment.cgi?id=225412&action=view (secondary testcase) still causing a crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7) Gecko/20060831 Firefox/1.5.0.7.

Re-opening this bug.

Comment 16

[alice nodelman [:alice] [:anode]]

as per comment #14, the testcase that is still crashing is considered to be bug 344300.  verification for this bug should only be done with the first testcase.

sorry for the confusion.

re-marking this bug fixed.