Mozilla hangs on this URL - edge case where BR won't fit on a line

VERIFIED FIXED in M18

Status

Core
Layout
P1
critical
VERIFIED FIXED
17 years ago
9 years ago

People

(Reporter: rcummins, Assigned: buster)

Tracking

({crash, testcase})

Trunk
Bug Flags:
in-testsuite +

Details

(Whiteboard: nsbeta3+, URL)

Attachments

(1 attachment)

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win95; en-US; m18) Gecko/20000822
BuildID:    2000082404

Originally discovered that http://www.fish.state.pa.us/ caused Mozilla to lock
up.  Two days later I have narrowed the problem down to this snippet of HTML:

<div style="margin-bottom: -1">
<img height=1>
</div>
<table align=left>
 <td>
  <table>
   <td>
  </table>
 </td>
 <td>
  <table cols=2>
   <td>
  </table>
 </td>
</table>
<br clear="left">

...which has been posted to http://www.burlco.lib.nj.us/moz/lock/
Agreed, this is not the best HTML, but it certainly should not lock up the
browser.  If any of the tags are removed, or any option of any tag is removed,
Mozilla will not lock up.  This is also reproducible using RH Linux 6.2 and
build 2000082404.  Sorry if this is already in Bugzilla, but not having the
slightest clue what could be wrong made it hard to search for an existing bug.

Reproducible: Always
Steps to Reproduce:
1. Visit http://www.burlco.lib.nj.us/moz/lock/


Actual Results:  Mozilla locks up.

Expected Results:  Mozilla should not lock up.

Comment 1

17 years ago
over to HTML Element
Assignee: asa → clayton
Status: UNCONFIRMED → NEW
Component: Browser-General → HTML Element
Ever confirmed: true
QA Contact: doronr → petersen

Comment 2

17 years ago
Also on Linux.  Keywordage.
Keywords: crash, testcase
OS: Windows 98 → All

Comment 3

17 years ago
According to the debugger:

nsBlockReflowContext: TableOuter(table)(1)@0x87a108c metrics=1073741824,22!
Block(td)(1)@0x87a1004: line=0x87a13fc xmost=1073741824
Block(body)(1)@0x87a3b34: yikes! spinning on a line over 1000 times!

Program received signal SIGABRT, Aborted.
0x4036e1a1 in kill () from /lib/libc.so.6
(gdb) where
#0  0x4036e1a1 in kill () from /lib/libc.so.6
#1  0x402bdd2a in pthread_kill (thread=1024, signo=6) at signals.c:64
#2  0x402be0af in raise (sig=6) at signals.c:191
#3  0x4036f3cf in abort () from /lib/libc.so.6
#4  0x4027b58a in PR_Abort () at prlog.c:442
#5  0x40128d51 in nsDebug::Abort (aFile=0x416662e6 "nsBlockFrame.cpp",
aLine=4124) at nsDebug.cpp:374
#6  0x4127707a in nsBlockFrame::ReflowInlineFrames (this=0x87a3b34,
aState=@0xbfffd58c, aLine=0x87a1684, aKeepReflowGoing=0xbfffd330,
aDamageDirtyArea=1, aUpdateMaximumWidth=0) at nsBlockFrame.cpp:4124
#7  0x41275537 in nsBlockFrame::ReflowLine (this=0x87a3b34, aState=@0xbfffd58c,
aLine=0x87a1684, aKeepReflowGoing=0xbfffd330, aDamageDirtyArea=1) at
nsBlockFrame.cpp:3247
#8  0x41274a2e in nsBlockFrame::ReflowDirtyLines (this=0x87a3b34,
aState=@0xbfffd58c) at nsBlockFrame.cpp:2936
#9  0x41272440 in nsBlockFrame::Reflow (this=0x87a3b34, aPresContext=0x86b11f8,
aMetrics=@0xbfffdb0c, aReflowState=@0xbfffd8a0, aStatus=@0xbfffda04) at
nsBlockFrame.cpp:1729
#10 0x4127df2e in nsBlockReflowContext::DoReflowBlock (this=0xbfffdacc,
aReflowState=@0xbfffd8a0, aReason=eReflowReason_Incremental, aFrame=0x87a3b34,
aSpace=@0xbfffda10, aApplyTopMargin=1, aPrevBottomMargin=0,
aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffda20,
aFrameReflowStatus=@0xbfffda04) at nsBlockReflowContext.cpp:561
#11 0x4127d8eb in nsBlockReflowContext::ReflowBlock (this=0xbfffdacc,
aFrame=0x87a3b34, aSpace=@0xbfffda10, aApplyTopMargin=1, aPrevBottomMargin=0,
aIsAdjacentWithTop=1, aComputedOffsets=@0xbfffda20,
aFrameReflowStatus=@0xbfffda04) at nsBlockReflowContext.cpp:331
#12 0x4127683d in nsBlockFrame::ReflowBlockFrame (this=0x87a3ae8,
aState=@0xbfffded8, aLine=0x87a3b80, aKeepReflowGoing=0xbfffdc7c) at
nsBlockFrame.cpp:3867
#13 0x41275108 in nsBlockFrame::ReflowLine (this=0x87a3ae8, aState=@0xbfffded8,
aLine=0x87a3b80, aKeepReflowGoing=0xbfffdc7c, aDamageDirtyArea=1) at
nsBlockFrame.cpp:3129
#14 0x41274a2e in nsBlockFrame::ReflowDirtyLines (this=0x87a3ae8,
aState=@0xbfffded8) at nsBlockFrame.cpp:2936
#15 0x41272440 in nsBlockFrame::Reflow (this=0x87a3ae8, aPresContext=0x86b11f8,
aMetrics=@0xbfffe290, aReflowState=@0xbfffe1ec, aStatus=@0xbfffe590) at
nsBlockFrame.cpp:1729
#16 0x4128244d in nsContainerFrame::ReflowChild (this=0x87a2e14,
aKidFrame=0x87a3ae8, aPresContext=0x86b11f8, aDesiredSize=@0xbfffe290,
aReflowState=@0xbfffe1ec, aX=0, aY=0, aFlags=0, aStatus=@0xbfffe590) at
nsContainerFrame.cpp:693
#17 0x4129be83 in CanvasFrame::Reflow (this=0x87a2e14, aPresContext=0x86b11f8,
aDesiredSize=@0xbfffe55c, aReflowState=@0xbfffe398, aStatus=@0xbfffe590) at
nsHTMLFrame.cpp:301
#18 0x414fba48 in nsBoxToBlockAdaptor::Reflow (this=0x87a3a80,
aState=@0xbfffe978, aPresContext=0x86b11f8, aDesiredSize=@0xbfffe55c,
aReflowState=@0xbfffea94, aStatus=@0xbfffe590, aX=0, aY=0, aWidth=12078,
aHeight=9603, aMoveFrame=1) at nsBoxToBlockAdaptor.cpp:811
#19 0x414fb1cf in nsBoxToBlockAdaptor::DoLayout (this=0x87a3a80,
aState=@0xbfffe978) at nsBoxToBlockAdaptor.cpp:484
#20 0x414f88c8 in nsBox::Layout (this=0x87a3a80, aState=@0xbfffe978) at
nsBox.cpp:1000
#21 0x414e137d in nsScrollBoxFrame::DoLayout (this=0x87a2ef4,
aState=@0xbfffe978) at nsScrollBoxFrame.cpp:375
#22 0x414f88c8 in nsBox::Layout (this=0x87a2f2c, aState=@0xbfffe978) at
nsBox.cpp:1000
#23 0x414fdce4 in nsContainerBox::LayoutChildAt (aState=@0xbfffe978,
aBox=0x87a2f2c, aRect=@0xbfffe88c) at nsContainerBox.cpp:593
#24 0x412e02e9 in nsGfxScrollFrameInner::LayoutBox (this=0x86d80d8,
aState=@0xbfffe978, aBox=0x87a2f2c, aRect=@0xbfffe88c) at
nsGfxScrollFrame.cpp:1063
#25 0x412e0553 in nsGfxScrollFrameInner::Layout (this=0x86d80d8,
aState=@0xbfffe978) at nsGfxScrollFrame.cpp:1143
#26 0x412e0343 in nsGfxScrollFrame::DoLayout (this=0x87a2e4c,
aState=@0xbfffe978) at nsGfxScrollFrame.cpp:1071
#27 0x414f88c8 in nsBox::Layout (this=0x87a2e88, aState=@0xbfffe978) at
nsBox.cpp:1000
#28 0x4150cd44 in nsBoxFrame::Reflow (this=0x87a2e50, aPresContext=0x86b11f8,
aDesiredSize=@0xbfffeb40, aReflowState=@0xbfffea94, aStatus=@0xbfffec90) at
nsBoxFrame.cpp:771
#29 0x412df615 in nsGfxScrollFrame::Reflow (this=0x87a2e4c,
aPresContext=0x86b11f8, aDesiredSize=@0xbfffeb40, aReflowState=@0xbfffea94,
aStatus=@0xbfffec90) at nsGfxScrollFrame.cpp:775
#30 0x4128244d in nsContainerFrame::ReflowChild (this=0x87a2dd8,
aKidFrame=0x87a2e50, aPresContext=0x86b11f8, aDesiredSize=@0xbfffeb40,
aReflowState=@0xbfffea94, aX=0, aY=0, aFlags=0, aStatus=@0xbfffec90) at
nsContainerFrame.cpp:693
#31 0x412dd377 in ViewportFrame::Reflow (this=0x87a2dd8, aPresContext=0x86b11f8,
aDesiredSize=@0xbfffed04, aReflowState=@0xbfffebec, aStatus=@0xbfffec90) at
nsViewportFrame.cpp:545
#32 0x4129d791 in nsHTMLReflowCommand::Dispatch (this=0x86cefa8,
aPresContext=0x86b11f8, aDesiredSize=@0xbfffed04, aMaxSize=@0xbfffece4,
aRendContext=@0x86a61d8) at nsHTMLReflowCommand.cpp:144
#33 0x412c54ff in PresShell::ProcessReflowCommands (this=0x8697608,
aInterruptible=0) at nsPresShell.cpp:4245
#34 0x412c3216 in PresShell::FlushPendingNotifications (this=0x8697608) at
nsPresShell.cpp:3333
#35 0x412c52a2 in PresShell::DidCauseReflow (this=0x8697608) at
nsPresShell.cpp:4194
#36 0x412c35ec in PresShell::ContentAppended (this=0x8697608,
aDocument=0x8679708, aContainer=0x8687bd0, aNewIndexInContainer=0) at
nsPresShell.cpp:3438
#37 0x41558e2f in nsDocument::ContentAppended (this=0x8679708,
aContainer=0x8687bd0, aNewIndexInContainer=0) at nsDocument.cpp:1878
#38 0x413c367a in nsHTMLDocument::ContentAppended (this=0x8679708,
aContainer=0x8687bd0, aNewIndexInContainer=0) at nsHTMLDocument.cpp:1305
#39 0x413b6791 in HTMLContentSink::NotifyAppend (this=0x879f6c8,
aContainer=0x8687bd0, aStartIndex=0) at nsHTMLContentSink.cpp:4362
#40 0x413adedf in SinkContext::FlushTags (this=0x87a0688, aNotify=1) at
nsHTMLContentSink.cpp:1989
#41 0x413b0f96 in HTMLContentSink::CloseBody (this=0x879f6c8, aNode=@0x81fb660)
at nsHTMLContentSink.cpp:2806
#42 0x40c7763a in CNavDTD::CloseBody (this=0x86d5f80, aNode=0x81fb660) at
CNavDTD.cpp:2926
#43 0x40c77e22 in CNavDTD::CloseContainer (this=0x86d5f80, aNode=0x81fb660,
aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3242
#44 0x40c77f89 in CNavDTD::CloseContainersTo (this=0x86d5f80, anIndex=1,
aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3299
#45 0x40c782c3 in CNavDTD::CloseContainersTo (this=0x86d5f80,
aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3456
#46 0x40c72e03 in CNavDTD::DidBuildModel (this=0x86d5f80, anErrorCode=0,
aNotifySink=1, aParser=0x87812a8, aSink=0x879f6c8) at CNavDTD.cpp:563
#47 0x40c8788a in nsParser::DidBuildModel (this=0x87812a8, anErrorCode=0) at
nsParser.cpp:1389
#48 0x40c88856 in nsParser::ResumeParse (this=0x87812a8, allowIteration=1,
aIsFinalChunk=1) at nsParser.cpp:1895
#49 0x40c8961f in nsParser::OnStopRequest (this=0x87812a8, channel=0x8601350,
aContext=0x0, status=0, aMsg=0x40170844) at nsParser.cpp:2348
#50 0x408f2d2f in nsDocumentOpenInfo::OnStopRequest (this=0x8601500,
aChannel=0x8601350, aCtxt=0x0, aStatus=0, errorMsg=0x40170844) at
nsURILoader.cpp:266
#51 0x408008f6 in nsHTTPFinalListener::OnStopRequest (this=0x87783d0,
aChannel=0x8601350, aContext=0x0, aStatus=0, aStatusArg=0x40170844) at
nsHTTPResponseListener.cpp:1155
#52 0x407ce0cb in InterceptStreamListener::OnStopRequest (this=0x87a1b78,
channel=0x8601350, ctxt=0x0, aStatus=0, aStatusArg=0x40170844) at
nsCachedNetData.cpp:1185
#53 0x407f4c3a in nsHTTPChannel::ResponseCompleted (this=0x8601350,
aListener=0x87a1b78, aStatus=0, aStatusArg=0x40170844) at nsHTTPChannel.cpp:1783
#54 0x407ff7c0 in nsHTTPServerListener::OnStopRequest (this=0x8795290,
channel=0x879276c, i_pContext=0x8601350, i_Status=0, aStatusArg=0x40170844) at
nsHTTPResponseListener.cpp:725
#55 0x4079585e in nsOnStopRequestEvent::HandleEvent (this=0x8781b40) at
nsAsyncStreamListener.cpp:301
#56 0x40794dff in nsStreamListenerEvent::HandlePLEvent (aEvent=0x8781b78) at
nsAsyncStreamListener.cpp:97
#57 0x4011d2a3 in PL_HandleEvent (self=0x8781b78) at plevent.c:587
#58 0x4011d145 in PL_ProcessPendingEvents (self=0x807fba8) at plevent.c:528
#59 0x4011eec5 in nsEventQueueImpl::ProcessPendingEvents (this=0x807fb80) at
nsEventQueue.cpp:356
#60 0x40ecefe4 in event_processor_callback (data=0x807fb80, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#61 0x40ecec23 in our_gdk_io_invoke (source=0x817a4b8, condition=G_IO_IN,
data=0x817a4a8) at nsAppShell.cpp:58
#62 0x4063f20e in g_io_unix_dispatch (source_data=0x817a4d0,
current_time=0xbffff634, user_data=0x817a4a8) at giounix.c:135
#63 0x40640717 in g_main_dispatch (dispatch_time=0xbffff634) at gmain.c:656
#64 0x40640cdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#65 0x40640e59 in g_main_run (loop=0x817a518) at gmain.c:935
#66 0x4056f069 in gtk_main () at gtkmain.c:476
#67 0x40ecf6cd in nsAppShell::Run (this=0x81b7560) at nsAppShell.cpp:335
#68 0x41e613e8 in nsAppShellService::Run (this=0x81c44b0) at
nsAppShellService.cpp:378
#69 0x80553c8 in main1 (argc=1, argv=0xbffff924, nativeApp=0x0) at
nsAppRunner.cpp:958
#70 0x8055a9c in main (argc=1, argv=0xbffff924) at nsAppRunner.cpp:1139
#71 0x403682e7 in __libc_start_main () from /lib/libc.so.6

Over to HTML tables?
Dividing up clayton's bugs to triage.
Assignee: clayton → rods

Comment 5

17 years ago
I still need to look at this one.

Comment 6

17 years ago
putting on nsbeta3 radar because it is a crasher
Keywords: nsbeta3
Target Milestone: --- → M18

Comment 7

17 years ago
http://www.fish.state.pa.us/ does not crash win98 2000090108, but the testcase
does crash me.

Updated

17 years ago
Keywords: nsbeta3

Updated

17 years ago
Status: NEW → ASSIGNED

Comment 8

17 years ago
Created attachment 14036 [details]
small example that makes it crash

Comment 9

17 years ago
I cleaned up the html a little, putting in <tr> balancing, and it still crashes.
I took out the align=left and it works, or removing the second cell makes it
work.

Definitely a layout issue, looks like it could be a floater issue. Nominating
because of crash (crashes because of an abort, because it would loop forever)
Assignee: rods → karnaze
Status: ASSIGNED → NEW
Keywords: nsbeta3
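
The diagnosis in comment 9 (an abort raised on purpose by a loop guard, not a faulting crash) can be read mechanically from the gdb output in comment 3, which matters when triaging whether a "crash" is a denial of service or memory corruption. The Python below is an added example, not part of this bug report or of Mozilla's code; the names parse_frames, triage and ABORT_PATH are assumptions made here.

```python
import re

# Excerpt of the gdb output in comment 3 (frames 0-7), gdb's line wrapping kept.
TRACE = '''Program received signal SIGABRT, Aborted.
(gdb) where
#0  0x4036e1a1 in kill () from /lib/libc.so.6
#1  0x402bdd2a in pthread_kill (thread=1024, signo=6) at signals.c:64
#2  0x402be0af in raise (sig=6) at signals.c:191
#3  0x4036f3cf in abort () from /lib/libc.so.6
#4  0x4027b58a in PR_Abort () at prlog.c:442
#5  0x40128d51 in nsDebug::Abort (aFile=0x416662e6 "nsBlockFrame.cpp",
aLine=4124) at nsDebug.cpp:374
#6  0x4127707a in nsBlockFrame::ReflowInlineFrames (this=0x87a3b34,
aState=@0xbfffd58c, aLine=0x87a1684, aKeepReflowGoing=0xbfffd330,
aDamageDirtyArea=1, aUpdateMaximumWidth=0) at nsBlockFrame.cpp:4124
#7  0x41275537 in nsBlockFrame::ReflowLine (this=0x87a3b34, aState=@0xbfffd58c,
aLine=0x87a1684, aKeepReflowGoing=0xbfffd330, aDamageDirtyArea=1) at
nsBlockFrame.cpp:3247
'''

# Assumption: frames that only deliver the abort, as named in this trace.
ABORT_PATH = {"kill", "pthread_kill", "raise", "abort", "PR_Abort", "nsDebug::Abort"}
FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\) (?:at (\S+):(\d+)|from (\S+))$")

def parse_frames(text):
    """Re-join gdb's wrapped lines; return (index, function, file_or_lib, line) tuples."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            joined.append(raw.strip())
        elif joined and raw.strip():
            joined[-1] += " " + raw.strip()
    hits = (FRAME.match(entry) for entry in joined)
    return [(int(m[1]), m[2], m[3] or m[5], int(m[4]) if m[4] else None)
            for m in hits if m]

def triage(text):
    """Tell a self-inflicted abort (assertion or loop guard) from a faulting crash."""
    sig = re.search(r"Program received signal (\w+)", text)
    frames = parse_frames(text)
    own = [f for f in frames if f[1] not in ABORT_PATH]
    return {
        "signal": sig[1] if sig else None,
        "deliberate_abort": bool(sig) and sig[1] == "SIGABRT"
                            and any(f[1] == "nsDebug::Abort" for f in frames),
        "origin": own[0] if own else None,
        "signature": " | ".join(f[1] for f in own),
    }
```

The origin frame points at the same nsBlockFrame.cpp line 4124 that nsDebug::Abort received as aLine, so the abort was requested by the reflow code itself.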

Comment 10

17 years ago
Steve, when the table is not floated in the attachment, there is no crash.
Assignee: karnaze → buster
Whiteboard: nsbeta3+
(Assignee)

Comment 11

17 years ago
bring it!
Status: NEW → ASSIGNED
(Assignee)

Updated

17 years ago
Whiteboard: nsbeta3+ → nsbeta3+ [fix in hand]
(Assignee)

Comment 12

17 years ago
I have a potential fix for this.  Regression testing now...

Comment 13

17 years ago
massive update for QA contact.
QA Contact: petersen → lorca
(Assignee)

Comment 14

17 years ago
fix checked in 9/11/00
r=karnaze
Summary: Mozilla hangs on this URL → Mozilla hangs on this URL - edge case where BR won't fit on a line
Whiteboard: nsbeta3+ [fix in hand] → nsbeta3+
(Assignee)

Comment 15

17 years ago
really marking fixed this time
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Priority: P3 → P1
Hardware: PC → All
Resolution: --- → FIXED

Comment 16

17 years ago
Checked in MacOS 9 PR2 for regression and verified working in 2000-09-13-13.
Status: RESOLVED → VERIFIED
SPAM. HTML Element component deprecated, changing component to Layout. See bug
88132 for details.
Component: HTML Element → Layout

Comment 18

9 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+