Closed Bug 48427 Opened 25 years ago Closed 25 years ago

Crashing opening this site

Categories

(Core :: Layout, defect, P3)

x86
Windows ME
defect

VERIFIED DUPLICATE of bug 49122

People

(Reporter: ezh, Assigned: waterson)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Tried about 10 times. Every attempt has ended with a crash.
Keywords: crash
Sorry, forgot - tested with 2000081008 on winMe
crashes for me, too. testcase coming
Assignee: asa → gagan
Component: Browser-General → Networking
Keywords: makingtest
QA Contact: doronr → tever
OK, unbelievably, this is the minimized testcase:

<form> <table><td><map name="w"><area></map><img usemap="#w"></form>

Removing ANYTHING from the testcase will prevent the crash. Note that I realize there's improper HTML there (like missing closing tags), but even with those in, it crashes -- so I removed them.
Attached file minimized testcase
my stack trace from talkback:

nsQueryInterface::operator()[...\xpcom\base\nsCOMPtr.cpp,line37]
nsCOMPtr_base::assign_from_helper[...\xpcom\base\nsCOMPtr.cpp,line66]
nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1294]
nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]
nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]
nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]
nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]
nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]
nsHTMLMapElement::SetDocument[...\layout\html\content\src\nsHTMLMapElement.cpp,line276]
nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]
nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]
nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]
nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]
nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]
nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]
nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]
nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]
nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]
nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]
nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]
nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]
nsGenericElement::SetDocumentInChildrenOf[...\layout\base\src\nsGenericElement.cpp,line1235]
nsGenericElement::SetDocument[...\layout\base\src\nsGenericElement.cpp,line1326]
nsGenericHTMLElement::SetDocument[...\layout\html\content\src\nsGenericHTMLElement.cpp,line966]
nsHTMLIsIndexElement::SetDocument[...\layout\html\content\src\nsHTMLIsIndexElement.cpp,line65]
nsGenericHTMLContainerElement::RemoveChildAt[...\layout\html\content\src\nsGenericHTMLElement.cpp,line3538]
nsHTMLFormElement::RemoveChildAt[...\layout\html\content\src\nsHTMLFormElement.cpp,line94]
SinkContext::DemoteContainer[...\layout\html\document\src\nsHTMLContentSink.cpp,line1637]
HTMLContentSink::CloseForm[...\layout\html\document\src\nsHTMLContentSink.cpp,line2897]
CNavDTD::CloseForm[...\htmlparser\src\CNavDTD.cpp,line2976]
CNavDTD::CloseContainer[...\htmlparser\src\CNavDTD.cpp,line3241]
CNavDTD::HandleEndToken[...\htmlparser\src\CNavDTD.cpp,line1747]
CNavDTD::HandleToken[...\htmlparser\src\CNavDTD.cpp,line770]
CNavDTD::BuildModel[...\htmlparser\src\CNavDTD.cpp,line504]
CNavDTD::DidBuildModel[...\htmlparser\src\CNavDTD.cpp,line536]
nsParser::DidBuildModel[...\htmlparser\src\nsParser.cpp,line1394]
nsParser::ResumeParse[...\htmlparser\src\nsParser.cpp,line1914]
nsParser::OnStopRequest[...\htmlparser\src\nsParser.cpp,line2361]
nsDocumentOpenInfo::OnStopRequest[...\uriloader\base\nsURILoader.cpp,line269]
nsHTTPFinalListener::OnStopRequest[...\netwerk\protocol\http\src\nsHTTPResponseListener.cpp,line1193]
InterceptStreamListener::OnStopRequest[...\netwerk\cache\mgr\nsCachedNetData.cpp,line1186]
nsHTTPChunkConv::OnStopRequest[...\netwerk\streamconv\converters\nsHTTPChunkConv.cpp,line109]
nsHTTPChannel::ResponseCompleted[...\netwerk\protocol\http\src\nsHTTPChannel.cpp,line1772]
nsHTTPServerListener::OnStopRequest[...\netwerk\protocol\http\src\nsHTTPResponseListener.cpp,line720]
nsOnStopRequestEvent::HandleEvent[...\netwerk\base\src\nsAsyncStreamListener.cpp,line302]
nsStreamListenerEvent::HandlePLEvent[...\netwerk\base\src\nsAsyncStreamListener.cpp,line106]
PL_HandleEvent[...\xpcom\threads\plevent.c,line588]
PL_ProcessPendingEvents[...\xpcom\threads\plevent.c,line547]
_md_EventReceiverProc[...\xpcom\threads\plevent.c,line1045]
USER32.dll+0x1820(0x77e71820)
over to XPCOM for an initial look.
Assignee: gagan → rayw
Component: Networking → XPCOM
QA Contact: tever → leger
Whatever it is, it's certainly not XPCOM. I'll take a look. It's working fine in a Linux build that's two days old, so it may be new.
Assignee: rayw → waterson
Component: XPCOM → Layout
We're down in the bowels of DemoteContainer here, shuffling the content model around. What's happening is that GetPrimaryFrameFor(<area>) is finding what appears to be a deleted frame. In SetDocument(), it tries to QI() this to an nsIAnonymousContentCreator, and crashes in the process. This is a bona fide layout problem. I don't know why we're finding a destroyed frame in the pres shell's primary-frame-for map.
Status: NEW → ASSIGNED
Target Milestone: --- → M18
Chris, any idea why the minimized testcase is such a strange mix of elements that all contribute to the crash?
When you have jumbled up, incorrect HTML like that, the HTML parser does the best it can to form a coherent content model from the elements. That sometimes causes elements to be removed, and then re-inserted into the document. That's what's happening here.
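Added illustration of the failure mode discussed in the comments above (not code from this bug or from Mozilla): a content-to-frame map whose entries are dropped when the frame is destroyed, so a lookup made while content is being removed and re-inserted returns null rather than a destroyed frame. The names Content, Frame, FrameMap and QueryFrameOnSetDocument are hypothetical stand-ins, and the bug itself does not establish why the stale entry existed.

```cpp
#include <memory>
#include <unordered_map>

// Hypothetical stand-ins for a content node, its layout frame and the
// content -> primary-frame map; these are not Mozilla's real classes.
struct Content { const char* tag; };
class FrameMap;

class Frame {
public:
    Frame(FrameMap& map, const Content* content);
    ~Frame();                               // unregisters itself from the map
    bool CreatesAnonymousContent() const { return false; }
private:
    FrameMap& map_;
    const Content* content_;
};

class FrameMap {
public:
    void Set(const Content* c, Frame* f) { primary_[c] = f; }
    // Erase only if the entry still points at the dying frame, so a
    // replacement frame registered earlier is not dropped by mistake.
    void Clear(const Content* c, const Frame* f) {
        auto it = primary_.find(c);
        if (it != primary_.end() && it->second == f) primary_.erase(it);
    }
    Frame* GetPrimaryFrameFor(const Content* c) const {
        auto it = primary_.find(c);
        return it == primary_.end() ? nullptr : it->second;
    }
private:
    std::unordered_map<const Content*, Frame*> primary_;
};

Frame::Frame(FrameMap& map, const Content* content)
    : map_(map), content_(content) { map_.Set(content_, this); }
Frame::~Frame() { map_.Clear(content_, this); }

// Same shape as the SetDocument() step in the comment: look up the frame of
// a node being moved and query it only if the map returns a live frame.
bool QueryFrameOnSetDocument(const FrameMap& map, const Content* c) {
    Frame* f = map.GetPrimaryFrameFor(c);
    if (!f) return false;                   // no frame registered: nothing to query
    (void)f->CreatesAnonymousContent();
    return true;
}

bool StaleLookupIsNull() {
    FrameMap map; Content area{"area"};
    { Frame f(map, &area); }                // frame destroyed, content lives on
    return map.GetPrimaryFrameFor(&area) == nullptr &&
           !QueryFrameOnSetDocument(map, &area);
}

bool ReplacementSurvivesOldFrame() {
    FrameMap map; Content area{"area"};
    auto old_frame = std::make_unique<Frame>(map, &area);
    Frame fresh(map, &area);                // re-inserted content gets a new frame
    old_frame.reset();                      // old frame dies after being replaced
    return map.GetPrimaryFrameFor(&area) == &fresh;
}

int main() { return StaleLookupIsNull() && ReplacementSurvivesOldFrame() ? 0 : 1; }
```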
See also bug 49122. Doesn't crash in quite the same place, but similar. Testcase on that bug is valid HTML.
*** This bug has been marked as a duplicate of 49122 ***
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
vrfy dup
Status: RESOLVED → VERIFIED