Bug 50994 - Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]
Status: VERIFIED FIXED
Whiteboard: [nsbeta3+]fix in hand
Keywords: crash, testcase, topcrash
Product: Core
Classification: Components
Component: HTML: Parser
Version: Trunk
Platform: All All
Importance: P3 critical
Target Milestone: ---
Assigned To: harishd
QA Contact: Jan Carpenter
Mentors:
URL: http://www.northernsun.com/
Duplicates: 50964 51071 51162 51173 51183 51200 51204 51217 51219 51234 51243 51257 51277 51290 51293 51302 51310 51332 51344 51356 51369 51383 51394 51402 51458 51542 51647 51654 51818 51819 51864
Depends on:
Blocks:
Reported: 2000-08-31 17:48 PDT by Jeffrey Baker
Modified: 2009-02-10 01:37 PST (History)
CC: 17 users
Flags: jruderman: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Minimal valid testcase (223 bytes, text/html)
2000-08-31 17:51 PDT, Jeffrey Baker
Real testcase this time (235 bytes, text/html)
2000-08-31 20:41 PDT, Jeffrey Baker
Proposed patch.. (1.46 KB, patch)
2000-09-01 06:21 PDT, harishd

Description Jeffrey Baker 2000-08-31 17:48:30 PDT
Mozilla crashes on the valid HTML file that I will attach herein.  Stack trace:

#0  0x40a8078c in nsCParserNode::GetNodeType (this=0x85e64d8) at nsParserNode.cpp:232
#1  0x4179e7eb in HTMLContentSink::CloseContainer (this=0x86a77f8, aNode=@0x85e64d8) at nsHTMLContentSink.cpp:3013
#2  0x40a70975 in CElement::CloseContainer (this=0x80ea958, aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:321
#3  0x40a7087f in CElement::CloseContainerInContext (this=0x80ea958, aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:349
#4  0x40a6e629 in CElement::HandleStartToken (this=0x80ea958, aNode=0x85e6400, aTag=eHTMLTag_form, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:2771
#5  0x40a6fe45 in COtherDTD::HandleStartToken (this=0x8677480, aToken=0x86d52a8) at COtherDTD.cpp:784
#6  0x40a6f8e2 in COtherDTD::HandleToken (this=0x8677480, aToken=0x86d52a8, aParser=0x86a7058) at COtherDTD.cpp:584
#7  0x40a6f5ec in COtherDTD::BuildModel (this=0x8677480, aParser=0x86a7058, aTokenizer=0x85e1880, anObserver=0x0, aSink=0x86a77f8) at COtherDTD.cpp:479
#8  0x40a7c97f in nsParser::BuildModel (this=0x86a7058) at nsParser.cpp:1978
#9  0x40a7c715 in nsParser::ResumeParse (this=0x86a7058, allowIteration=1, aIsFinalChunk=0) at nsParser.cpp:1859
#10 0x40a7d4da in nsParser::OnDataAvailable (this=0x86a7058, channel=0x85c2dd0, aContext=0x0, pIStream=0x8611630, sourceOffset=0, aLength=230) at nsParser.cpp:2309
#11 0x410ab8c2 in nsDocumentOpenInfo::OnDataAvailable (this=0x85df370, aChannel=0x85c2dd0, aCtxt=0x0, inStr=0x8611630, sourceOffset=0, count=230) at nsURILoader.cpp:251
#12 0x409af641 in nsFileChannel::OnDataAvailable (this=0x85c2dd0, transportChannel=0x85e1f88, context=0x0, aIStream=0x8611630, aSourceOffset=0, aLength=230) at nsFileChannel.cpp:673
#13 0x4093ab8c in nsOnDataAvailableEvent::HandleEvent (this=0x41d02e38) at nsAsyncStreamListener.cpp:400
#14 0x40939dff in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41d02e60) at nsAsyncStreamListener.cpp:97
#15 0x4011e80f in PL_HandleEvent (self=0x41d02e60) at plevent.c:587
#16 0x4011e6b1 in PL_ProcessPendingEvents (self=0x80ab6d0) at plevent.c:528
#17 0x40120431 in nsEventQueueImpl::ProcessPendingEvents (this=0x80ab698) at nsEventQueue.cpp:356
#18 0x40bccbcc in event_processor_callback (data=0x80ab698, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#19 0x40bcc80b in our_gdk_io_invoke (source=0x82084f0, condition=G_IO_IN, data=0x82084e0) at nsAppShell.cpp:58
#20 0x40d8920e in g_io_unix_dispatch (source_data=0x8208508, current_time=0xbffff680, user_data=0x82084e0) at giounix.c:135
#21 0x40d8a717 in g_main_dispatch (dispatch_time=0xbffff680) at gmain.c:656
#22 0x40d8acdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#23 0x40d8ae59 in g_main_run (loop=0x8208550) at gmain.c:935
#24 0x40cb9069 in gtk_main () at gtkmain.c:476
#25 0x40bcd2b5 in nsAppShell::Run (this=0x80f41f8) at nsAppShell.cpp:335
#26 0x406a7290 in nsAppShellService::Run (this=0x80f3010) at nsAppShellService.cpp:378
#27 0x8055374 in main1 (argc=1, argv=0xbffff964, nativeApp=0x0) at nsAppRunner.cpp:958
#28 0x8055a48 in main (argc=1, argv=0xbffff964) at nsAppRunner.cpp:1139
#29 0x4036a2e7 in __libc_start_main () from /lib/libc.so.6

This occurs on every build after 2000-08-30-15 on Linux.  cc harishd because he
diddled in this code at the right time re: Bug 46702.
Comment 1 Jeffrey Baker 2000-08-31 17:49:05 PDT
Keywordage.
Comment 2 Jeffrey Baker 2000-08-31 17:51:56 PDT
Created attachment 13849 [details]
Minimal valid testcase
Comment 3 Stephen Koren 2000-08-31 18:19:39 PDT
Unable to reproduce crash on 083111 Win98.
Comment 4 Jeffrey Baker 2000-08-31 20:40:44 PDT
I apologize.  I uploaded the wrong testcase.  The second testcase really does
crash repeatably.
Comment 5 Jeffrey Baker 2000-08-31 20:41:15 PDT
Created attachment 13861 [details]
Real testcase this time
Comment 6 harishd 2000-09-01 06:20:01 PDT
*** Bug 50964 has been marked as a duplicate of this bug. ***
Comment 7 harishd 2000-09-01 06:21:14 PDT
Created attachment 13867 [details] [diff] [review]
Proposed patch..
Comment 8 harishd 2000-09-01 06:22:17 PDT
The problem is that in COtherElements the node that got recycled was being 
referenced!

Rickg, could you please review the patch? Thanx
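Added example (not Mozilla's code) of the ordering defect described above: a free-list node recycler where the buggy close path hands the node back to the pool before the sink reads it, beside the safe order. The class names and the `live` poison flag are assumptions; a real node would read reused memory instead of reporting a sentinel.

```cpp
// Added illustration (not Mozilla's code) of a free-list node recycler; names are
// hypothetical stand-ins for the parser classes that appear in the stack trace.
#include <vector>
enum HTMLTag { kTagUnknown = 0, kTagP = 1, kTagForm = 2 };

struct ParserNode {
  HTMLTag type = kTagUnknown;
  bool live = false;  // cleared when the node goes back to the pool
  // A real node would read recycled memory here; this stand-in reports -1
  int GetNodeType() const { return live ? static_cast<int>(type) : -1; }
};

class NodePool {
 public:
  ParserNode* Create(HTMLTag t) {
    ParserNode* n = mFree.empty() ? new ParserNode() : mFree.back();
    if (!mFree.empty()) mFree.pop_back();
    n->type = t;
    n->live = true;
    return n;
  }
  void Recycle(ParserNode* n) {  // poison the node so a late reader is detectable
    n->live = false;
    n->type = kTagUnknown;
    mFree.push_back(n);
  }
  ~NodePool() { for (ParserNode* n : mFree) delete n; }
 private:
  std::vector<ParserNode*> mFree;  // nodes waiting to be reused
};

// The sink dereferences the node it is handed, as HTMLContentSink::CloseContainer did
struct ContentSink {
  int lastType = 0;
  void CloseContainer(const ParserNode& node) { lastType = node.GetNodeType(); }
};

// Buggy order: node handed back to the pool, then referenced by the sink
int CloseContainerBuggy(NodePool& pool, ParserNode* node, ContentSink& sink) {
  pool.Recycle(node);
  sink.CloseContainer(*node);
  return sink.lastType;
}

// Safe order: the sink finishes with the node before it is recycled
int CloseContainerFixed(NodePool& pool, ParserNode* node, ContentSink& sink) {
  sink.CloseContainer(*node);
  pool.Recycle(node);
  return sink.lastType;
}
```

In the real parser the buggy order reads memory that may already belong to another node, which is the class of defect AddressSanitizer-style tooling reports as a use-after-free; the poison flag here only makes the misuse visible without a crash.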
Comment 9 Jeffrey Baker 2000-09-01 09:43:50 PDT
Harishd, I applied your patch to source pulled 2000-09-01-06.  It applies,
compiles, and fixes the crash.  However, I get a new compiler warning:

COtherElements.h: In method `nsresult CElement::CloseContainerInContext(class nsIParserNode *, enum nsHTMLTag, class nsDTDContext *, class nsIHTMLContentSink *)':
In file included from COtherDTD.cpp:82:
COtherElements.h:344: warning: unused variable `nsresult result'

I don't see any reason for the result variable, either.  You don't use it or
return it.  It seems vestigial.
Comment 10 harishd 2000-09-01 10:11:14 PDT
Ya, I was planning on using that variable, then decided not to... but then forgot
to remove it!!! Thanx for the heads up Jeffrey.
Comment 11 Jeffrey Baker 2000-09-01 22:17:14 PDT
This was also seen on Win2k.
Comment 12 Jeffrey Baker 2000-09-01 22:17:24 PDT
*** Bug 51071 has been marked as a duplicate of this bug. ***
Comment 13 Jeffrey Baker 2000-09-02 20:04:53 PDT
*** Bug 51183 has been marked as a duplicate of this bug. ***
Comment 14 Jeffrey Baker 2000-09-02 20:08:08 PDT
*** Bug 51162 has been marked as a duplicate of this bug. ***
Comment 15 Paul McGarry 2000-09-02 20:09:38 PDT
I probably have a dupe of this bug. CCing myself so I can check after fix goes
in.
Comment 16 R.K.Aa. 2000-09-03 05:23:18 PDT
*** Bug 51217 has been marked as a duplicate of this bug. ***
Comment 17 R.K.Aa. 2000-09-03 06:59:10 PDT
*** Bug 51219 has been marked as a duplicate of this bug. ***
Comment 18 Jeffrey Baker 2000-09-03 15:42:23 PDT
*** Bug 51234 has been marked as a duplicate of this bug. ***
Comment 19 Uriel 2000-09-03 17:15:25 PDT
Changing Summary to make it easier to find (it's getting lots of dups).
Comment 20 David Baron :dbaron: ⌚️UTC-7 (review requests must explain patch) 2000-09-03 19:08:01 PDT
Adding topcrash keyword.  This is #5 on today's list of top crashes for the past
week (in n.p.m.crash-data).  (And #1 and #4 are fixed.)
Comment 21 Jeffrey Baker 2000-09-03 20:27:13 PDT
*** Bug 51243 has been marked as a duplicate of this bug. ***
Comment 22 Jeffrey Baker 2000-09-03 22:39:37 PDT
*** Bug 51257 has been marked as a duplicate of this bug. ***
Comment 23 Andreas Franke (gone) 2000-09-03 23:31:18 PDT
Another example of this is http://www.mozart-oz.org/ . This starts with
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> .
PC/Linux build 2000090308.
Comment 24 Andreas Franke (gone) 2000-09-03 23:46:32 PDT
*** Bug 51200 has been marked as a duplicate of this bug. ***
Comment 25 Andreas Franke (gone) 2000-09-04 00:05:05 PDT
*** Bug 51173 has been marked as a duplicate of this bug. ***
Comment 26 Paul McGarry 2000-09-04 04:19:04 PDT
*** Bug 51277 has been marked as a duplicate of this bug. ***
Comment 27 Paul McGarry 2000-09-04 04:22:40 PDT
It should be but it wasn't (I don't have perms but bugzilla doesn't seem to
check before making the annotation above).
Comment 28 Andreas Franke (gone) 2000-09-04 16:01:17 PDT
*** Bug 51277 has been marked as a duplicate of this bug. ***
Comment 29 R.K.Aa. 2000-09-04 16:46:19 PDT
*** Bug 51293 has been marked as a duplicate of this bug. ***
Comment 30 Jeffrey Baker 2000-09-04 19:59:58 PDT
*** Bug 51310 has been marked as a duplicate of this bug. ***
Comment 31 Jeffrey Baker 2000-09-04 20:00:52 PDT
*** Bug 51310 has been marked as a duplicate of this bug. ***
Comment 32 Jeffrey Baker 2000-09-04 20:05:02 PDT
*** Bug 51290 has been marked as a duplicate of this bug. ***
Comment 33 Jeffrey Baker 2000-09-04 20:22:09 PDT
*** Bug 51302 has been marked as a duplicate of this bug. ***
Comment 34 David Krause 2000-09-05 00:30:59 PDT
Here's another testcase (not that it's really needed):
http://www.davidkrause.com/~david/crash.html

Also, just a reminder that we're going to need to check each of these dups once
this is fixed to make sure nothing slipped through the cracks.
Comment 35 Blake Ross 2000-09-05 08:14:55 PDT
*** Bug 51344 has been marked as a duplicate of this bug. ***
Comment 36 David Krause 2000-09-05 10:01:24 PDT
*** Bug 51356 has been marked as a duplicate of this bug. ***
Comment 37 Jeffrey Baker 2000-09-05 10:25:23 PDT
*** Bug 51332 has been marked as a duplicate of this bug. ***
Comment 38 Jeffrey Baker 2000-09-05 10:36:35 PDT
Harishd has the probable fix for this.  We are accumulating more and more
duplicate bug reports everyday.  Since this crash is so frequent, this is
preventing everyday use, and also most likely masking other bugs.

I have this fixed in my tree, but people who test with the nightlies do not have
that remedy.  I would be very appreciative if someone could review this patch
ASAP, and if leger or whomever could please come along and nsbeta3+ this bug.
Comment 39 Daniel (Leaf) Nunes 2000-09-05 16:14:16 PDT
nisheeth, i summon thee to review harish's patch.

harish, i implore you to find a reviewer if nisheeth/rickg cannot be found (and,
maybe, take ownership of the bug!)
Comment 40 Peter Trudelle 2000-09-05 16:55:26 PDT
Only code written by Netscapers requires an nsbeta3+ for checkin; anyone can
checkin this patch with module owner review and approval from brendan or waterson.
Comment 41 Blake Ross 2000-09-05 17:01:30 PDT
But Harish wrote the code, and he's a netscape employee...
Comment 42 harishd 2000-09-05 17:17:10 PDT
Reassigning to myself. Got the patch reviewed by nisheeth. Will checkin first
thing in the morning after comprehensive ( walking top 100 sites ) testing.
Comment 43 leger 2000-09-05 17:34:36 PDT
Putting on [nsbeta3+] radar.
Comment 44 Bradley Hart 2000-09-05 17:38:35 PDT
Bug asserts itself on Mac versions, crashes repeatedly; recommend changing
platform to 'all'.
Comment 45 timeless 2000-09-05 17:51:04 PDT
thank you
Comment 46 Blake Ross 2000-09-05 18:26:52 PDT
*** Bug 51369 has been marked as a duplicate of this bug. ***
Comment 47 Blake Ross 2000-09-05 18:29:56 PDT
*** Bug 51394 has been marked as a duplicate of this bug. ***
Comment 48 Blake Ross 2000-09-05 18:33:20 PDT
*** Bug 51402 has been marked as a duplicate of this bug. ***
Comment 49 Blake Ross 2000-09-05 18:35:11 PDT
*** Bug 51383 has been marked as a duplicate of this bug. ***
Comment 50 Mike Young 2000-09-05 19:12:15 PDT
*** Bug 51458 has been marked as a duplicate of this bug. ***
Comment 51 harishd 2000-09-06 10:00:52 PDT
Will checkin as soon as the tree opens today.
Comment 52 harishd 2000-09-06 11:16:14 PDT
*** Bug 51542 has been marked as a duplicate of this bug. ***
Comment 53 buster 2000-09-06 11:45:59 PDT
I'm absolutely dead in the water today with this crash.  I'll try your patch...
Comment 54 buster 2000-09-06 11:52:14 PDT
so far, this patch is working for me.  no more crashes!
Comment 55 harishd 2000-09-06 13:54:31 PDT
Fix is in. Everyone should be happy :-)

Good...marking FIXED.
Comment 56 harishd 2000-09-06 15:52:33 PDT
*** Bug 51204 has been marked as a duplicate of this bug. ***
Comment 57 timeless 2000-09-06 16:11:19 PDT
How did you manage to resolve this bug w/o it getting marked as fixed? 
[Reopening to reresolve as fixed - please excuse the spam]
Comment 58 timeless 2000-09-06 16:11:52 PDT
Trying to resolve as Fixed
Comment 59 Jeffrey Baker 2000-09-06 19:39:29 PDT
*** Bug 51647 has been marked as a duplicate of this bug. ***
Comment 60 Jeffrey Baker 2000-09-06 20:10:42 PDT
*** Bug 51654 has been marked as a duplicate of this bug. ***
Comment 61 Frank Tang 2000-09-07 18:13:54 PDT
*** Bug 51819 has been marked as a duplicate of this bug. ***
Comment 62 Diego 2000-09-07 18:20:00 PDT
*** Bug 51818 has been marked as a duplicate of this bug. ***
Comment 63 Jeffrey Baker 2000-09-08 08:58:13 PDT
*** Bug 51864 has been marked as a duplicate of this bug. ***
Comment 64 Jeffrey Baker 2000-09-08 10:43:48 PDT
I verified every URL and testcase attached to this bug and its duplicates.  None
of them crashed on Linux build 2000-09-08-06.  The fact that I could visit every
one of these URLs, and then back-button through them without crashing is an
unexpected testament to Mozilla's current quality.

http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14260
http://www.la-sorciere.de/Wine-HOWTO/index.html
http://www.lokigames.com/
http://people.netscape.com/ftang/number/test/armenian.html
http://blanalex.dyndns.org/
http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14096
http://www.psu.edu/ur/directory/
http://www.physik.fu-berlin.de/~fsi/statistik.html
http://www.gnu.org/software/hurd/
http://www.mihalis.org/Laurent/cv_lc.html
http://www.kde.org/announcements/k2launchpad.html
http://johnandlucy.com/crash.html
http://www.davidkrause.com/~david/crash.html
http://www.lowfield.co.uk/archers/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13998
http://www.amd.com/news/corppr/20152.html
http://www.nemesis.se/about_site
http://www.swiss.ai.mit.edu/~rms/anti-posco/
http://www.amd.com/products/cpg/athlon/benchmarks/benchmarks.html
http://www.nemesis.se/clients/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13960
http://www.lokigames.com/products/sc3k/
http://www.mozart-oz.org/
http://www.htmlhelp.org/reference/html40/deprecated.html
http://www.gtk.org/~otaylor/gtk/gobject/
http://www.strusel007.de/linux/xawtv/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13953
http://www.w3.org/StyleSheets/Core/preview
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13888
http://www.richinstyle.com/bugs/ie5demo.html
http://www.americangreetings.com/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13861
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13849
http://www.northernsun.com/

Comment 65 Jay Patel [:jay] 2000-09-08 15:25:29 PDT
[@ nsCParserNode::GetNodeType]
Comment 66 David Krause 2000-09-08 22:00:21 PDT
*** Bug 51818 has been marked as a duplicate of this bug. ***
Comment 67 Heikki Toivonen (remove -bugzilla when emailing directly) 2000-09-27 17:33:21 PDT
I checked the links as well, on NT, and did not get a crash. However, I got an
unrelated assertion on two of them:

http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://www.physik.fu-berlin.de/~fsi/statistik.html

I will see if there are bugs on them and file new ones if not.

But, since Jeffrey passed the list on Linux and I passed the list on NT I am 
marking this verified.
Comment 68 Jesse Ruderman 2009-02-10 01:37:47 PST
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
