Closed Bug 502091 Opened 11 years ago Closed 11 years ago

[HTML5] Crash [@ nsContentSink::ProcessHeaderData] with meta in innerHTML

Categories

(Core :: DOM: HTML Parser, defect, critical)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: hsivonen)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files, 1 obsolete file)

Attached file testcase
See testcase, which crashes in current trunk build when you have the html5.enable pref set to true.

http://crash-stats.mozilla.com/report/index/e7e913f7-e4e4-41d6-a2b1-43c4f2090702
0  	xul.dll  	nsContentSink::ProcessHeaderData  	 content/base/src/nsContentSink.cpp:531
1 	xul.dll 	nsContentSink::ProcessMETATag 	content/base/src/nsContentSink.cpp:810
2 	xul.dll 	xul.dll@0x9a7adf
nsContentSink wasn't initialized properly in the fragment case. The patch initializes it in ParseFragment() to make sure it's initialized every time the fragment parsing code runs.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Attachment #386712 - Flags: superreview?(mrbkap)
Attachment #386712 - Flags: review?(jonas)
Duplicate of this bug: 502275
I get this crash when I click a new email in my Hotmail Inbox.
Firefox is crashing for me too, when using hotmail.

http://crash-stats.mozilla.com/report/index/82b1940b-6472-44dc-b91d-425512090710
http://crash-stats.mozilla.com/report/index/9e6bf7cc-ef44-4ecb-a2c0-b20d32090710
http://crash-stats.mozilla.com/report/index/8ddc647b-b62a-4fd0-9269-7d5dd2090710

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090710 Minefield/3.6a1pre ID:20090710044907
Attachment #386712 - Flags: superreview?(mrbkap)
Attachment #386712 - Flags: superreview+
Attachment #386712 - Flags: review?(jonas)
Attachment #386712 - Flags: review+
Duplicate of this bug: 503978
Summary: Crash [@ nsContentSink::ProcessHeaderData] with meta in innerHTML → [HTML5] Crash [@ nsContentSink::ProcessHeaderData] with meta in innerHTML
Thanks. Pushed fix without test in order to avoid having testers seeing a known crash. I didn't forget the test.
http://hg.mozilla.org/mozilla-central/rev/439de76c5cc8
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Attached patch mochitest test case (obsolete) — Splinter Review
Here's a test case for this; passes on trunk with html5.enable=true.
Attachment #391478 - Flags: review?(hsivonen)
Update to original test which resets html5.enable to its original value at the end of the test.
Attachment #391478 - Attachment is obsolete: true
Attachment #391679 - Flags: review?(hsivonen)
Attachment #391478 - Flags: review?(hsivonen)
Attachment #391679 - Flags: review?(hsivonen) → review+
Flags: in-testsuite? → in-testsuite+
Depends on: 508867
Blocks: 508867
No longer depends on: 508867
Crash Signature: [@ nsContentSink::ProcessHeaderData]
You need to log in before you can comment on or make changes to this bug.