Bug 489322 - 3.0.10 pre crashes with HTML validator when viewing source [@ @0x0 | nsTextFrame::ClearTextRun() ]
Status: RESOLVED FIXED
Keywords: crash, crashreportid, regression, topcrash, verified1.9.0.10, verified1.9.0.11
Product: Core
Classification: Components
Component: Layout
Version: 1.9.0 Branch
Hardware: All All
Importance: -- critical with 7 votes
Assigned To: Daniel Holbert [:dholbert]
URL: http://www.google.com/
Duplicates: 489509 489568 489621 489783 489790
Depends on: CVE-2009-1313
Blocks: 431260

Reported: 2009-04-21 05:11 PDT by mgueury
Modified: 2011-06-09 14:58 PDT
samuel.sidler+old: blocking1.9.0.10+
dveditz: blocking1.9.0.11+
dveditz: wanted1.9.0.x+
dholbert: in‑testsuite?


Attachments
reduced testcase (17 bytes, text/html)
2009-04-22 23:40 PDT, Daniel Holbert [:dholbert]

Description mgueury 2009-04-21 05:11:06 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009042005 GranParadiso/3.0.10pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009042005 GranParadiso/3.0.10pre

On Windows, I got reports from 2 users using the HTML Validator extension with the 3.0.10pre.  With this version, and it seems with 3.0.8 pre and 3.0.9 pre, Firefox crashes when viewing the page's source.

I am the extension author.

Such problem does not happen with production builds (yet).

Reproducible: Always

Steps to Reproduce:
1. Download ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla1.9.0/firefox-3.0.10pre.en-US.win32.zip
and unzip the file.
2. Start Firefox 
3. Install the HTML validator (the version is not really important) 0.855 here
   http://users.skynet.be/mgueury/mozilla/download.html
4. restart Firefox
5. Go to www.google.com
6. View Source -> crash
Actual Results:  
Crash

Expected Results:  
No crash

It is happening only in pre build ? 

After debugging the tidySource.js file.
I found that it crashes when putting a color on the lines of the HTML source where there is a HTML error.

The procedure is called - colorizeLines.
The way this procedure works is that it changes the DOM of the HTML source of the HTML...

Workaround
----------
There is an option in the HTML validator to disable it :
- Options 
  - Hightlight lines with errors.

When unchecked it works again, meaning that the problem is well in the DOM javascript API used by colorizeLines
Comment 1 Ria Klaassen (not reading all bugmail) 2009-04-21 12:28:29 PDT
Confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009042105 GranParadiso/3.0.10pre

http://crash-stats.mozilla.com/report/index/7123be51-c9f0-465f-a18f-8535b2090421?p=1
Comment 2 Matthias Versen [:Matti] 2009-04-21 14:17:57 PDT
0  	 	@0x0  	
1 	xul.dll 	nsTextFrame::ClearTextRun 	mozilla/layout/generic/nsTextFrameThebes.cpp:3503
2 	xul.dll 	BuildTextRunsScanner::AssignTextRun 	mozilla/layout/generic/nsTextFrameThebes.cpp:1835
3 	xul.dll 	BuildTextRunsScanner::BuildTextRunForFrames 	mozilla/layout/generic/nsTextFrameThebes.cpp:1716
4 	xul.dll 	BuildTextRunsScanner::FlushFrames 	mozilla/layout/generic/nsTextFrameThebes.cpp:1119
5 	xul.dll 	xul.dll@0x2c1bcb 	
6 	xul.dll 	xul.dll@0x2c1c54 	
7 	xul.dll 	xul.dll@0x2c1c54 	
8 	xul.dll 	BuildTextRuns 	mozilla/layout/generic/nsTextFrameThebes.cpp:1036
9 	xul.dll 	nsTextFrame::EnsureTextRun 	mozilla/layout/generic/nsTextFrameThebes.cpp:1859
10 	xul.dll 	nsTextFrame::Reflow 	mozilla/layout/generic/nsTextFrameThebes.cpp:5535
11 	xul.dll 	nsLineLayout::ReflowFrame 	mozilla/layout/generic/nsLineLayout.cpp:859
Comment 3 Gérard Talbot 2009-04-21 20:05:29 PDT
Marc Gueury,

I use your excellent extension and I now believe that my bug 489509 may be in fact a DUPlicate of this bug 489322.

Adding crashreportid keyword

regards, Gérard
Comment 4 Gérard Talbot 2009-04-21 20:25:25 PDT
> It is happening only in pre build ? 

When following the steps to reproduce you provided with Firefox 3.0.9 rv:1.9.0.9 build 2009040821 (XP Pro SP3 here), I crashed (see bug 489509 for more info on this).

Using View/source view (Ctrl+U) will not crash on any/all webpages: like you say, the webpage must have errors and hightlight lines with errors option should be checked.

regards, Gérard
Comment 5 Gérard Talbot 2009-04-21 20:26:14 PDT
*** Bug 489509 has been marked as a duplicate of this bug. ***
Comment 6 pd 2009-04-21 22:34:09 PDT
Firefox 3.0.9 downloaded in the background and installed when I restarted. Ordinarily I think that is a brilliant thing, but this time, because of this bug, it's corrupting my ability to work.

Confirmation crash reports:

http://crash-stats.mozilla.com/report/index/e5e76111-98f2-4785-9fe6-ba0582090421
http://crash-stats.mozilla.com/report/index/49a91d2b-b49c-4316-957e-d2c9b2090421
http://crash-stats.mozilla.com/report/index/87a98e87-4982-488f-8c11-6a2c72090421
http://crash-stats.mozilla.com/report/index/68ed2a47-4f54-4196-bdbb-2e2782090421

I installed the latest 0.8.5.5 version from the author's site because it's newer than the AMO version (typical) however this also caused the same crash.
Comment 7 Richard Reijmers 2009-04-22 04:52:51 PDT
Confirmed with Firefox 3.0.9 and HTML Validator 0.8.5.2 & 0.8.5.5
When viewing source, application crashes.
Comment 8 Samuel Sidler (old account; do not CC) 2009-04-22 06:45:51 PDT
Need a regression range here...

Rey: Do we have contacts with the HTML Validator team? We should probably work with them on a workaround since 3.0.10 won't be for another month.
Comment 9 Rey Bango 2009-04-22 07:13:21 PDT
Sam, the originator of this bug is the add-on's author. His name is Marc Gueury.
Comment 10 mgueury 2009-04-22 10:40:33 PDT
I am the extension author. I am sorry but I am quite lost in what to do to avoid the flood of mails I get...

This code that causes problems in the extension was working from
Firefox 1.0 until 3.0.8. And unhappily, 3.0.9 crashes as well as 3.0.10 pre.... 

The bug is not in my side and the only thing I can do is to disable
the highlighting of the lines with HTML errors :/

Without better solution and due to the urgency, I have released on my website as well as on addons.mozilla.org a version 0.856 that disables this feature. 

Unhappily, 0.856 is not reviewed yet in addons.mozilla.org:
> https://addons.mozilla.org/en-US/firefox/addon/249

DO YOU KNOW A WAY TO SPEED THE REVIEW ? 

Thanks a lot,

Marc
Comment 11 Markus 2009-04-22 11:27:00 PDT
I first found this behavior in version 3.0.8pre, maybe this information helps to track down the bug.

Markus
Comment 12 David Baron :dbaron: ⌚️UTC+8 (review requests must explain patch) 2009-04-22 11:43:44 PDT
If somebody does a binary search of nightly builds (look in the directories ending in "-mozilla1.9.0" in the month subdirectories of http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2009/ ) to figure out which day the problem started, that would be likely to help.  If you do this... say (1) what platform you were testing, (2) which build was the last one without the problem, and (3) which build was the first one with the problem.  (And, if you want to be even more precise, you can give the SourceStamp line from the application.ini file along with (2) and (3).)
Comment 13 Daniel Veditz [:dveditz] 2009-04-22 11:44:53 PDT
3.0.8pre became 3.0.9... There weren't really "pre" builds of what became the
actual 3.0.8 release, it was an emergency release based off the 3.0.7 release
with a couple of fixes. The "3.0.8" we were working on was renamed to 3.0.9 to
make room for that release.

But that does pin the time frame down to before the rename.
Comment 14 Daniel Veditz [:dveditz] 2009-04-22 11:55:01 PDT
It's a new topcrash, too. Hard to believe all those people are using HTML Validator.

http://crash-stats.mozilla.com/topcrasher/byversion/Firefox/3.0.9
Comment 15 Mihai Iorga 2009-04-22 12:15:42 PDT
@Daniel Veditz - HTML Tidy is the best thing created for webmasters!
thanks Marc Gueury, but you really need to solve this thing, I'll turn back to 3.0.8, I can't even browse a website without that addon ....
Comment 16 Samuel Sidler (old account; do not CC) 2009-04-22 13:01:17 PDT
I haven't gone back for a full regression range yet, but I'd guess bug 431260 or bug 444027, both of which landed in the cycle. If someone can verify by checking the February 26 build to the February 27 build, that'd be great.
Comment 17 Al Billings [:abillings] 2009-04-22 13:05:06 PDT
I'm looking...
Comment 18 Rey Bango 2009-04-22 13:08:07 PDT
(In reply to comment #10)
> ...Without better solution and due to the urgency, I have released on my website
> As well as on addons.mozilla.org a version 0.856 that disables this feature. 
> 
> Unhappily, 0.856 is not reviewed yet in addons.mozilla.org:
> > https://addons.mozilla.org/en-US/firefox/addon/249
> 
> DO YOU KNOW A WAY TO SPEED THE REVIEW ? 
> 
> Thanks a lot,
> 
> Marc

I've pushed your update through.
Comment 19 Andrei Stoica 2009-04-22 13:09:33 PDT
I have chosen to downgrade Firefox, I prefer having HTML Validator rather than FF 3.0.9.  Hope u solve this soon. THX!
Comment 20 Samuel Sidler (old account; do not CC) 2009-04-22 13:14:39 PDT
(In reply to comment #16)
> I haven't gone back for a full regression range yet, but I'd guess bug 431260
> or bug 444027, both of which landed in the cycle. If someone can verify by
> checking the February 26 build to the February 27 build, that'd be great.

That range is indeed true.
Comment 21 Al Billings [:abillings] 2009-04-22 13:26:32 PDT
Andrei, if you get the new version of the validator, it doesn't crash...

Sam,

Doesn't crash in  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8pre) Gecko/2009022606 GranParadiso/3.0.8pre (.NET CLR 3.5.30729).

Crashes in  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8pre) Gecko/2009022606 GranParadiso/3.0.8pre (.NET CLR 3.5.30729).
Comment 22 Al Billings [:abillings] 2009-04-22 13:27:32 PDT
Er... it crashes in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8pre) Gecko/2009022706 GranParadiso/3.0.8pre (.NET CLR 3.5.30729).

Bad clipboard.
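
Added example, not part of the original comments: a small Python helper that derives the regression window requested in comment 12 from User-Agent strings like those posted above, and flags a build reported both ways (the mispaste in comment 21) instead of letting it move the window. The function names and the `(user_agent, crashed)` report format are assumptions; the User-Agent strings are rebuilt from the Windows reports in comments 0, 21, 22 and 41.

```python
import re
from datetime import datetime

# Gecko build ID (YYYYMMDDHH) as it appears in Firefox 3.0.x User-Agent strings.
BUILD_RE = re.compile(r"\bGecko/(\d{10})\b")

def build_id(user_agent):
    """Extract the Gecko build ID, rejecting values that are not a valid date-hour."""
    m = BUILD_RE.search(user_agent)
    if not m:
        raise ValueError("no Gecko build ID in %r" % user_agent)
    datetime.strptime(m.group(1), "%Y%m%d%H")
    return m.group(1)

def regression_range(reports):
    """reports: iterable of (user_agent, crashed) pairs from one platform.

    Returns (last_good, first_bad, conflicts). Builds reported both ways are
    listed in conflicts and ignored when computing the range, so a single
    mispasted report cannot silently move the window.
    """
    verdicts = {}
    for ua, crashed in reports:
        verdicts.setdefault(build_id(ua), set()).add(bool(crashed))
    conflicts = sorted(b for b, v in verdicts.items() if len(v) > 1)
    bad = sorted(b for b, v in verdicts.items() if v == {True})
    good = sorted(b for b, v in verdicts.items() if v == {False})
    first_bad = bad[0] if bad else None
    # Only good builds older than the first crash bound the regression;
    # good builds after it are the fix, not the baseline.
    older_good = [b for b in good if first_bad is None or b < first_bad]
    last_good = older_good[-1] if older_good else None
    return last_good, first_bad, conflicts

# Constructed input: UA strings rebuilt from the Windows reports in this bug
# (the .NET CLR suffix is dropped); crashed flags are as the commenters stated.
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:%s) Gecko/%s %s"
AS_POSTED = [
    (UA % ("1.9.0.8pre", "2009022606", "GranParadiso/3.0.8pre"), False),   # comment 21
    (UA % ("1.9.0.8pre", "2009022606", "GranParadiso/3.0.8pre"), True),    # comment 21, mispaste
    (UA % ("1.9.0.10pre", "2009042005", "GranParadiso/3.0.10pre"), True),  # comment 0
    (UA % ("1.9.0.10", "2009042316", "Firefox/3.0.10"), False),            # comment 41
]
CORRECTED = [r for r in AS_POSTED if r != AS_POSTED[1]] + [
    (UA % ("1.9.0.8pre", "2009022706", "GranParadiso/3.0.8pre"), True),    # comment 22
]
```

Calling `regression_range(AS_POSTED)` reports build 2009022606 as a conflict to retest, while `regression_range(CORRECTED)` yields the one-day window between the February 26 and February 27 nightlies.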
Comment 23 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2009-04-22 15:36:50 PDT
mgueury: can you extract the code from tidySource.js into a testcase which crashes by itself?
Comment 24 Daniel Holbert [:dholbert] 2009-04-22 16:20:20 PDT
I can't reproduce this in a debug build on Linux, but I *can* reproduce it 100% reliably in an optimized build. (using HTML Validator version 0.8.5.4 from the download URL in comment 0)

I tried viewing source of google.com and also the default Firefox start pages, http://www.mozilla.org/projects/granparadiso/ and http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

Crash reports links below.  They're all crashes at random addresses while inside of nsTextFrame::ClearTextRun() (usually 0xaf******).  In the third Firefox3.0.9 crash below, the random address actually appears to map to an address in one of my font files, "DejaVuSans-Bold.ttf@0x61f1e".

Firefox 3.0.9:
http://crash-stats.mozilla.com/report/index/fd3456ab-156f-49ee-9c6b-6335b2090422
http://crash-stats.mozilla.com/report/index/496f027f-9da2-4625-8f57-277fb2090422
http://crash-stats.mozilla.com/report/index/d72d8155-fd20-4115-a953-d49b72090422
http://crash-stats.mozilla.com/report/index/8d9cda89-7271-423b-9c05-41a3c2090422

latest-mozilla1.9.0 nightly:
http://crash-stats.mozilla.com/report/index/abf58b09-875d-49a5-af71-c702d2090422
http://crash-stats.mozilla.com/report/index/f01ade56-4b67-4932-956b-5089f2090422

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.9) Gecko/2009040820 Firefox/3.0.9
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10pre) Gecko/2009042204 GranParadiso/3.0.10pre
Comment 25 admin 2009-04-22 19:16:09 PDT
*** Bug 489568 has been marked as a duplicate of this bug. ***
Comment 26 Andrei Stoica 2009-04-22 20:51:14 PDT
Firefox updated itself to 3.0.9 and I had to get new version. I don't notice any difference though..
Comment 27 Daniel Holbert [:dholbert] 2009-04-22 23:22:37 PDT
FWIW, I think we have a fix for this in bug 489647.  Stay tuned...
Comment 28 Daniel Holbert [:dholbert] 2009-04-22 23:40:21 PDT
Created attachment 374229 [details]
reduced testcase

Here's a reduced testcase that reproduces the bug under Linux, when doing a View-Source with HTML Validator 0.854 installed in Firefox 3.0.9.
Comment 29 Brian Polidoro 2009-04-23 06:30:51 PDT
*** Bug 489783 has been marked as a duplicate of this bug. ***
Comment 30 Marien Zwart 2009-04-23 06:58:56 PDT
*** Bug 489790 has been marked as a duplicate of this bug. ***
Comment 31 Brian Polidoro 2009-04-23 07:15:18 PDT
*** Bug 489621 has been marked as a duplicate of this bug. ***
Comment 32 Mihai Iorga 2009-04-23 07:16:21 PDT
@Daniel Holbert - oh yea .... more restricted pages ... :|
Comment 33 Samuel Sidler (old account; do not CC) 2009-04-23 09:59:19 PDT
Assigning this to dholbert since he has a fix.
Comment 34 Samuel Sidler (old account; do not CC) 2009-04-23 10:48:58 PDT
This will be fixed in a soon-coming Firefox 3.0.10 release.
Comment 35 Daniel Veditz [:dveditz] 2009-04-23 13:11:34 PDT
The fix in bug 489647 has landed.
Comment 36 Daniel Veditz [:dveditz] 2009-04-23 13:15:00 PDT
This turned out to be a regression from bug 431260
Comment 37 Rey Bango 2009-04-23 14:06:13 PDT
Sweet! So this will be in 3.0.10?
Comment 38 Samuel Sidler (old account; do not CC) 2009-04-23 14:09:59 PDT
Yes.
Comment 39 Al Billings [:abillings] 2009-04-23 17:01:29 PDT
Verified fixed on Linux in 1.9.0.10 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10. 

I will mark it verified1.9.0.10 when I can check on Windows as well.
Comment 40 Markus 2009-04-23 22:31:04 PDT
Checked on Windows with version Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

Validator version 0.8.5.2 since in 0.8.5.6 the "mark line" feature seems to be completely disabled although there is a check box...

All clear ;-)
Comment 41 Al Billings [:abillings] 2009-04-24 11:50:44 PDT
Verified on Windows XP: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729).
Comment 42 Samuel Sidler (old account; do not CC) 2009-04-27 13:21:24 PDT
Marc: This problem is now fixed in Firefox 3.0.10, which is being released today, specifically for this crash. It typically takes 5-8 days for the bulk of Firefox users to upgrade. You can probably return your extension to the normal, fully functional version in a few days. Thanks for reporting the problem!
Comment 43 mgueury 2009-04-27 14:34:48 PDT
Thanks a lot for your work. I will release a new version re-enabling the line highlighting in the next days.
Comment 44 Mihai Iorga 2009-05-03 01:12:59 PDT
Hey ... come on Marc, 3.0.10 has been released. Why don't you make the update? I downgraded to 0.855 and everything works fine :) you should do the same
Comment 45 Al Billings [:abillings] 2009-05-15 14:44:41 PDT
Verified for 1.9.0.11 as well with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051404 GranParadiso/3.0.11pre.
