Closed Bug 48856 Opened 24 years ago Closed 24 years ago

Crash in page with <EMBED> element

Categories

(Core Graveyard :: Plug-ins, defect, P3)

x86
Linux
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: saari, Assigned: serhunt)

Details

(Keywords: crash, testcase, Whiteboard: [nsbeta3+], suntrak-n6-highp)

Attachments

(1 file)

1) go to www.lear2000.com
2) click on the View Site button
3) crashes on Linux. Console says:
Inside nsPluginHostImpl::FindStoppedPluginForURL...
ASSERTION: null string key: 'mStr" file nsHashTable.cpp line 388
Break: nsHashtable.cpp, line 388
This is crashing on the EMBED element, which of course doesn't exist in any HTML
recommendation:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
			"http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
    <HEAD>
        <TITLE>Mozilla Bug 48856</TITLE>
	</HEAD>
    <BODY>
        <EMBED></EMBED>
    </BODY>
</HTML>

If the doctype is Strict, Mozilla doesn't crash.
Severity: normal → critical
Keywords: crash
Attached file Crasher testcase
Keywords: testcase
Another testcase in the wild: http://www.techpages.com/
*** Bug 49047 has been marked as a duplicate of this bug. ***
Changing lame summary
Summary: Crash loading page → Crash in page with <EMBED> element
*** Bug 49123 has been marked as a duplicate of this bug. ***
We are crashing in nsCStringKey::nsCStringKey.  Back trace from Linux
2000-08-15-09:

#0  0x403a157f in strlen () from /lib/libc.so.6
#1  0x400557d2 in nsCRT::strlen (s=0x0) at ../../../dist/include/nsCRT.h:136
#2  0x400cefdb in nsCStringKey::nsCStringKey (this=0xbfffc5f4, str=0x0,
strLen=-1, ownsStr=0) at nsHashtable.cpp:390
#3  0x40fd3cb2 in DisplayNoDefaultPluginDialog (mimeType=0x0) at
nsPluginHostImpl.cpp:175
#4  0x40fd89cc in nsPluginHostImpl::InstantiateEmbededPlugin (this=0x8138cf8,
aMimeType=0x0, aURL=0x85cdc70, aOwner=0x86fb070) at nsPluginHostImpl.cpp:1928
#5  0x4157e691 in nsObjectFrame::InstantiatePlugin (this=0x86e58e0,
aPresContext=0x85b3010, aMetrics=@0xbfffcb70, aReflowState=@0xbfffcbac,
aPluginHost=0x8138cfc, aMimetype=0x0, aURL=0x85cdc70) at nsObjectFrame.cpp:900
#6  0x4157e020 in nsObjectFrame::Reflow (this=0x86e58e0, aPresContext=0x85b3010,
aMetrics=@0xbfffcb70, aReflowState=@0xbfffcbac, aStatus=@0xbfffcccc) at
nsObjectFrame.cpp:776
#7  0x41578872 in nsLineLayout::ReflowFrame (this=0xbfffcd6c, aFrame=0x86e58e0,
aNextRCFrame=0xbfffd5ec, aReflowStatus=@0xbfffcccc, aMetrics=0x0,
aPushedFrame=@0xbfffccc8) at nsLineLayout.cpp:935
#8  0x41540339 in nsBlockFrame::ReflowInlineFrame (this=0x86e5808,
aState=@0xbfffd574, aLineLayout=@0xbfffcd6c, aLine=0x86e5964, aFrame=0x86e58e0,
aLineReflowStatus=0xbfffcd1b "") at nsBlockFrame.cpp:4335
#9  0x41540026 in nsBlockFrame::DoReflowInlineFrames (this=0x86e5808,
aState=@0xbfffd574, aLineLayout=@0xbfffcd6c, aLine=0x86e5964,
aKeepReflowGoing=0xbfffd318, aLineReflowStatus=0xbfffd1e7 "\002",
aUpdateMaximumWidth=0, aDamageDirtyArea=1) at nsBlockFrame.cpp:4220
#10 0x4153fe32 in nsBlockFrame::DoReflowInlineFramesAuto (this=0x86e5808,
aState=@0xbfffd574, aLine=0x86e5964, aKeepReflowGoing=0xbfffd318,
aLineReflowStatus=0xbfffd1e7 "\002", aUpdateMaximumWidth=0, aDamageDirtyArea=1)
at nsBlockFrame.cpp:4154
#11 0x4153fc2e in nsBlockFrame::ReflowInlineFrames (this=0x86e5808,
aState=@0xbfffd574, aLine=0x86e5964, aKeepReflowGoing=0xbfffd318,
aDamageDirtyArea=1, aUpdateMaximumWidth=0) at nsBlockFrame.cpp:4101
#12 0x4153e167 in nsBlockFrame::ReflowLine (this=0x86e5808, aState=@0xbfffd574,
aLine=0x86e5964, aKeepReflowGoing=0xbfffd318, aDamageDirtyArea=1) at
nsBlockFrame.cpp:3236
#13 0x4153d65e in nsBlockFrame::ReflowDirtyLines (this=0x86e5808,
aState=@0xbfffd574) at nsBlockFrame.cpp:2925
#14 0x4153b0a0 in nsBlockFrame::Reflow (this=0x86e5808, aPresContext=0x85b3010,
aMetrics=@0xbfffdaf4, aReflowState=@0xbfffd888, aStatus=@0xbfffd9ec) at
nsBlockFrame.cpp:1729
#15 0x41546b3a in nsBlockReflowContext::DoReflowBlock (this=0xbfffdab4,
aReflowState=@0xbfffd888, aReason=eReflowReason_Incremental, aFrame=0x86e5808,
aSpace=@0xbfffd9f8, aApplyTopMargin=1, aPrevBottomMargin=0,
aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffda08,
aFrameReflowStatus=@0xbfffd9ec) at nsBlockReflowContext.cpp:561
#16 0x415464f7 in nsBlockReflowContext::ReflowBlock (this=0xbfffdab4,
aFrame=0x86e5808, aSpace=@0xbfffd9f8, aApplyTopMargin=1, aPrevBottomMargin=0,
aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffda08,
aFrameReflowStatus=@0xbfffd9ec) at nsBlockReflowContext.cpp:331
#17 0x4153f449 in nsBlockFrame::ReflowBlockFrame (this=0x86e5780,
aState=@0xbfffdec0, aLine=0x86e587c, aKeepReflowGoing=0xbfffdc64) at
nsBlockFrame.cpp:3854
#18 0x4153dd38 in nsBlockFrame::ReflowLine (this=0x86e5780, aState=@0xbfffdec0,
aLine=0x86e587c, aKeepReflowGoing=0xbfffdc64, aDamageDirtyArea=1) at
nsBlockFrame.cpp:3118
#19 0x4153d65e in nsBlockFrame::ReflowDirtyLines (this=0x86e5780,
aState=@0xbfffdec0) at nsBlockFrame.cpp:2925
#20 0x4153b0a0 in nsBlockFrame::Reflow (this=0x86e5780, aPresContext=0x85b3010,
aMetrics=@0xbfffe278, aReflowState=@0xbfffe1d4, aStatus=@0xbfffe578) at
nsBlockFrame.cpp:1729
#21 0x4154b059 in nsContainerFrame::ReflowChild (this=0x86e4aac,
aKidFrame=0x86e5780, aPresContext=0x85b3010, aDesiredSize=@0xbfffe278,
aReflowState=@0xbfffe1d4, aX=0, aY=0, aFlags=0, aStatus=@0xbfffe578) at
nsContainerFrame.cpp:693
#22 0x41564a8f in CanvasFrame::Reflow (this=0x86e4aac, aPresContext=0x85b3010,
aDesiredSize=@0xbfffe544, aReflowState=@0xbfffe380, aStatus=@0xbfffe578) at
nsHTMLFrame.cpp:301
#23 0x417bca48 in nsBoxToBlockAdaptor::Reflow (this=0x86e5718,
aState=@0xbfffe960, aPresContext=0x85b3010, aDesiredSize=@0xbfffe544,
aReflowState=@0xbfffea7c, aStatus=@0xbfffe578, aX=0, aY=0, aWidth=9735,
aHeight=10395, aMoveFrame=1) at nsBoxToBlockAdaptor.cpp:811
#24 0x417bc1cf in nsBoxToBlockAdaptor::DoLayout (this=0x86e5718,
aState=@0xbfffe960) at nsBoxToBlockAdaptor.cpp:484
#25 0x417b98c8 in nsBox::Layout (this=0x86e5718, aState=@0xbfffe960) at
nsBox.cpp:1000
#26 0x417a2725 in nsScrollBoxFrame::DoLayout (this=0x86e4b8c,
aState=@0xbfffe960) at nsScrollBoxFrame.cpp:375
#27 0x417b98c8 in nsBox::Layout (this=0x86e4bc4, aState=@0xbfffe960) at
nsBox.cpp:1000
#28 0x417beca4 in nsContainerBox::LayoutChildAt (aState=@0xbfffe960,
aBox=0x86e4bc4, aRect=@0xbfffe874) at nsContainerBox.cpp:593
#29 0x415a8c89 in nsGfxScrollFrameInner::LayoutBox (this=0x861d030,
aState=@0xbfffe960, aBox=0x86e4bc4, aRect=@0xbfffe874) at
nsGfxScrollFrame.cpp:1063
#30 0x415a8ef3 in nsGfxScrollFrameInner::Layout (this=0x861d030,
aState=@0xbfffe960) at nsGfxScrollFrame.cpp:1143
#31 0x415a8ce3 in nsGfxScrollFrame::DoLayout (this=0x86e4ae4,
aState=@0xbfffe960) at nsGfxScrollFrame.cpp:1071
#32 0x417b98c8 in nsBox::Layout (this=0x86e4b20, aState=@0xbfffe960) at
nsBox.cpp:1000
#33 0x417cda9c in nsBoxFrame::Reflow (this=0x86e4ae8, aPresContext=0x85b3010,
aDesiredSize=@0xbfffeb28, aReflowState=@0xbfffea7c, aStatus=@0xbfffec78) at
nsBoxFrame.cpp:775
#34 0x415a7fb5 in nsGfxScrollFrame::Reflow (this=0x86e4ae4,
aPresContext=0x85b3010, aDesiredSize=@0xbfffeb28, aReflowState=@0xbfffea7c,
aStatus=@0xbfffec78) at nsGfxScrollFrame.cpp:775
#35 0x4154b059 in nsContainerFrame::ReflowChild (this=0x86e4a70,
aKidFrame=0x86e4ae8, aPresContext=0x85b3010, aDesiredSize=@0xbfffeb28,
aReflowState=@0xbfffea7c, aX=0, aY=0, aFlags=0, aStatus=@0xbfffec78) at
nsContainerFrame.cpp:693
#36 0x415a5d17 in ViewportFrame::Reflow (this=0x86e4a70, aPresContext=0x85b3010,
aDesiredSize=@0xbfffecec, aReflowState=@0xbfffebd4, aStatus=@0xbfffec78) at
nsViewportFrame.cpp:545
#37 0x4156639d in nsHTMLReflowCommand::Dispatch (this=0x860f1b8,
aPresContext=0x85b3010, aDesiredSize=@0xbfffecec, aMaxSize=@0xbfffeccc,
aRendContext=@0x86fd260) at nsHTMLReflowCommand.cpp:144
#38 0x4158e2eb in PresShell::ProcessReflowCommands (this=0x8693838,
aInterruptible=0) at nsPresShell.cpp:4238
#39 0x4158bf86 in PresShell::FlushPendingNotifications (this=0x8693838) at
nsPresShell.cpp:3327
#40 0x4158e08e in PresShell::DidCauseReflow (this=0x8693838) at
nsPresShell.cpp:4187
#41 0x4158c35c in PresShell::ContentAppended (this=0x8693838,
aDocument=0x86c5100, aContainer=0x8622710, aNewIndexInContainer=0) at
nsPresShell.cpp:3432
#42 0x418176af in nsDocument::ContentAppended (this=0x86c5100,
aContainer=0x8622710, aNewIndexInContainer=0) at nsDocument.cpp:1870
#43 0x41688b96 in nsHTMLDocument::ContentAppended (this=0x86c5100,
aContainer=0x8622710, aNewIndexInContainer=0) at nsHTMLDocument.cpp:1195
#44 0x4167c8c5 in HTMLContentSink::NotifyAppend (this=0x8675a40,
aContainer=0x8622710, aStartIndex=0) at nsHTMLContentSink.cpp:4351
#45 0x4167413f in SinkContext::FlushTags (this=0x86d0d88, aNotify=1) at
nsHTMLContentSink.cpp:1988
#46 0x416770de in HTMLContentSink::CloseBody (this=0x8675a40, aNode=@0x81f69f0)
at nsHTMLContentSink.cpp:2800
#47 0x411553f2 in CNavDTD::CloseBody (this=0x85c25d8, aNode=0x81f69f0) at
CNavDTD.cpp:2916
#48 0x41155bda in CNavDTD::CloseContainer (this=0x85c25d8, aNode=0x81f69f0,
aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3232
#49 0x41155d41 in CNavDTD::CloseContainersTo (this=0x85c25d8, anIndex=1,
aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3289
#50 0x4115607b in CNavDTD::CloseContainersTo (this=0x85c25d8,
aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3446
#51 0x41150bd3 in CNavDTD::DidBuildModel (this=0x85c25d8, anErrorCode=0,
aNotifySink=1, aParser=0x8674f78, aSink=0x8675a40) at CNavDTD.cpp:563
#52 0x41165792 in nsParser::DidBuildModel (this=0x8674f78, anErrorCode=0) at
nsParser.cpp:1389
#53 0x4116675e in nsParser::ResumeParse (this=0x8674f78, allowIteration=1,
aIsFinalChunk=1) at nsParser.cpp:1900
#54 0x41167527 in nsParser::OnStopRequest (this=0x8674f78, channel=0x85cdeb8,
aContext=0x0, status=0, aMsg=0x401698e4) at nsParser.cpp:2353
#55 0x40f6dcb3 in nsDocumentOpenInfo::OnStopRequest (this=0x85ce090,
aChannel=0x85cdeb8, aCtxt=0x0, aStatus=0, errorMsg=0x401698e4) at
nsURILoader.cpp:266
#56 0x40e1f792 in nsHTTPFinalListener::OnStopRequest (this=0x85ce3f0,
aChannel=0x85cdeb8, aContext=0x0, aStatus=0, aStatusArg=0x401698e4) at
nsHTTPResponseListener.cpp:1191
#57 0x40ded843 in InterceptStreamListener::OnStopRequest (this=0x86d7b88,
channel=0x85cdeb8, ctxt=0x0, aStatus=0, aStatusArg=0x401698e4) at
nsCachedNetData.cpp:1185
#58 0x40e13c1a in nsHTTPChannel::ResponseCompleted (this=0x85cdeb8,
aListener=0x86d7b88, aStatus=0, aStatusArg=0x401698e4) at nsHTTPChannel.cpp:1761
#59 0x40e1e4d8 in nsHTTPServerListener::OnStopRequest (this=0x86ae910,
channel=0x86b419c, i_pContext=0x85cdeb8, i_Status=0, aStatusArg=0x401698e4) at
nsHTTPResponseListener.cpp:719
#60 0x40db5d76 in nsOnStopRequestEvent::HandleEvent (this=0x86e88b0) at
nsAsyncStreamListener.cpp:301
#61 0x40db5317 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x86e88e8) at
nsAsyncStreamListener.cpp:97
#62 0x4011730f in PL_HandleEvent (self=0x86e88e8) at plevent.c:587
#63 0x401171b1 in PL_ProcessPendingEvents (self=0x80d3078) at plevent.c:528
#64 0x40118f31 in nsEventQueueImpl::ProcessPendingEvents (this=0x80d3050) at
nsEventQueue.cpp:356
#65 0x409deec8 in event_processor_callback (data=0x80d3050, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#66 0x409deb07 in our_gdk_io_invoke (source=0x81b22b0, condition=G_IO_IN,
data=0x81b22a0) at nsAppShell.cpp:58
#67 0x40b9920e in g_io_unix_dispatch (source_data=0x81b22c8,
current_time=0xbffff61c, user_data=0x81b22a0) at giounix.c:135
#68 0x40b9a717 in g_main_dispatch (dispatch_time=0xbffff61c) at gmain.c:656
#69 0x40b9acdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#70 0x40b9ae59 in g_main_run (loop=0x81b2310) at gmain.c:935
#71 0x40acc069 in gtk_main () at gtkmain.c:476
#72 0x409df5b1 in nsAppShell::Run (this=0x810afe8) at nsAppShell.cpp:335
#73 0x40510388 in nsAppShellService::Run (this=0x810f738) at
nsAppShellService.cpp:378
#74 0x805558c in main1 (argc=2, argv=0xbffff924, nativeApp=0x0) at
nsAppRunner.cpp:943
#75 0x8055c70 in main (argc=2, argv=0xbffff924) at nsAppRunner.cpp:1123
#76 0x4035e2e7 in __libc_start_main () from /lib/libc.so.6

warren@netscape.com was last seen diddling in this code.  CC'ing him.  Looks
like your patch for bug 48458 would address this problem (mimeType = 0x0).  Dupe
if you wanna.
Actually, per warren's comments, it isn't valid to pass
nsCStringKey::nsCStringKey a null string.  un-spamming him.
*** Bug 48969 has been marked as a duplicate of this bug. ***
the callstack in bug 48458 doesn't really resemble this one, does it (due to
lack of detail)?

But the patch over there absolutely does address this crash (and dupe bug 48969).
nominating for nsbeta3.  this happens on other pages too...  if we just fail to
load the plugin, that's fine, but we shouldn't crash.
Keywords: nsbeta3
Andrei, this looks like a pretty easy thing to fix. Can you check it out and 
advise so we can approve or deny it?
Easy fix, marking nsbeta3+. Andrei, let's get this in right away.
Status: NEW → ASSIGNED
Whiteboard: [nsbeta3+]
Patch is in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
verified on build 2000082110m18
Status: RESOLVED → VERIFIED
Whiteboard: [nsbeta3+] → [nsbeta3+] suntrak-n6-highp
Whiteboard: [nsbeta3+] suntrak-n6-highp → [nsbeta3+], suntrak-n6-highp
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
Product: Core → Core Graveyard
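
Added example (not Mozilla source and not the patch referenced in this bug): frames #0 to #3 of the backtrace show a null mimeType reaching strlen() through a string-key constructor called with strLen=-1. The sketch below reproduces that precondition in a stand-in key class and guards it at the caller; CStringKey, PluginHost, reportNoPlugin and the sample MIME type are hypothetical names.

```cpp
// Added illustration, not Mozilla source; every name here is hypothetical.
#include <cstddef>
#include <cstring>
#include <set>
#include <string>

// Stand-in for a C-string hash key. With strLen == -1 the constructor
// measures the string itself, so a null pointer would reach strlen().
// Precondition: str must not be null.
class CStringKey {
public:
    explicit CStringKey(const char* str, int strLen = -1)
        : mStr(str, strLen < 0 ? std::strlen(str)
                               : static_cast<std::size_t>(strLen)) {}
    bool operator<(const CStringKey& other) const { return mStr < other.mStr; }
private:
    std::string mStr;
};

enum class NoPluginNotice { Shown, AlreadyShown, SkippedNoType };

class PluginHost {
public:
    // Called when no plug-in can handle an element. mimeType may be null,
    // as in frame #3 of the backtrace (mimeType=0x0).
    NoPluginNotice reportNoPlugin(const char* mimeType) {
        // Guard at the caller: never build a key from a null or empty type.
        // Failing to load a plug-in is acceptable; dereferencing null is not.
        if (mimeType == nullptr || *mimeType == '\0')
            return NoPluginNotice::SkippedNoType;
        // insert().second is false when this type was already reported,
        // so the notice is raised once per MIME type.
        return mReported.insert(CStringKey(mimeType)).second
                   ? NoPluginNotice::Shown
                   : NoPluginNotice::AlreadyShown;
    }
private:
    std::set<CStringKey> mReported;
};

int main() {
    PluginHost host;
    // A null type is skipped instead of crashing.
    return host.reportNoPlugin(nullptr) == NoPluginNotice::SkippedNoType ? 0 : 1;
}
```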