Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]

VERIFIED FIXED

Status

Core
HTML: Parser
P3
critical
VERIFIED FIXED
17 years ago
8 years ago

People

(Reporter: Jeffrey Baker, Assigned: harishd)

Tracking

({crash, testcase, topcrash})

Trunk
crash, testcase, topcrash
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [nsbeta3+]fix in hand, crash signature, URL)

Attachments

(3 attachments)

(Reporter)

Description

17 years ago
Mozilla crashes on the valid HTML file that I will attach herein.  Stack trace:

#0  0x40a8078c in nsCParserNode::GetNodeType (this=0x85e64d8) at
nsParserNode.cpp:232
#1  0x4179e7eb in HTMLContentSink::CloseContainer (this=0x86a77f8,
aNode=@0x85e64d8) at nsHTMLContentSink.cpp:3013
#2  0x40a70975 in CElement::CloseContainer (this=0x80ea958, aNode=0x85e64d8,
aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:321
#3  0x40a7087f in CElement::CloseContainerInContext (this=0x80ea958,
aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at
COtherElements.h:349
#4  0x40a6e629 in CElement::HandleStartToken (this=0x80ea958, aNode=0x85e6400,
aTag=eHTMLTag_form, aContext=0x8617490, aSink=0x86a77f8) at
COtherElements.h:2771
#5  0x40a6fe45 in COtherDTD::HandleStartToken (this=0x8677480, aToken=0x86d52a8)
at COtherDTD.cpp:784
#6  0x40a6f8e2 in COtherDTD::HandleToken (this=0x8677480, aToken=0x86d52a8,
aParser=0x86a7058) at COtherDTD.cpp:584
#7  0x40a6f5ec in COtherDTD::BuildModel (this=0x8677480, aParser=0x86a7058,
aTokenizer=0x85e1880, anObserver=0x0, aSink=0x86a77f8) at COtherDTD.cpp:479
#8  0x40a7c97f in nsParser::BuildModel (this=0x86a7058) at nsParser.cpp:1978
#9  0x40a7c715 in nsParser::ResumeParse (this=0x86a7058, allowIteration=1,
aIsFinalChunk=0) at nsParser.cpp:1859
#10 0x40a7d4da in nsParser::OnDataAvailable (this=0x86a7058, channel=0x85c2dd0,
aContext=0x0, pIStream=0x8611630, sourceOffset=0, aLength=230) at
nsParser.cpp:2309
#11 0x410ab8c2 in nsDocumentOpenInfo::OnDataAvailable (this=0x85df370,
aChannel=0x85c2dd0, aCtxt=0x0, inStr=0x8611630, sourceOffset=0, count=230) at
nsURILoader.cpp:251
#12 0x409af641 in nsFileChannel::OnDataAvailable (this=0x85c2dd0,
transportChannel=0x85e1f88, context=0x0, aIStream=0x8611630, aSourceOffset=0,
aLength=230) at nsFileChannel.cpp:673
#13 0x4093ab8c in nsOnDataAvailableEvent::HandleEvent (this=0x41d02e38) at
nsAsyncStreamListener.cpp:400
#14 0x40939dff in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41d02e60) at
nsAsyncStreamListener.cpp:97
#15 0x4011e80f in PL_HandleEvent (self=0x41d02e60) at plevent.c:587
#16 0x4011e6b1 in PL_ProcessPendingEvents (self=0x80ab6d0) at plevent.c:528
#17 0x40120431 in nsEventQueueImpl::ProcessPendingEvents (this=0x80ab698) at
nsEventQueue.cpp:356
#18 0x40bccbcc in event_processor_callback (data=0x80ab698, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#19 0x40bcc80b in our_gdk_io_invoke (source=0x82084f0, condition=G_IO_IN,
data=0x82084e0) at nsAppShell.cpp:58
#20 0x40d8920e in g_io_unix_dispatch (source_data=0x8208508,
current_time=0xbffff680, user_data=0x82084e0) at giounix.c:135
#21 0x40d8a717 in g_main_dispatch (dispatch_time=0xbffff680) at gmain.c:656
#22 0x40d8acdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#23 0x40d8ae59 in g_main_run (loop=0x8208550) at gmain.c:935
#24 0x40cb9069 in gtk_main () at gtkmain.c:476
#25 0x40bcd2b5 in nsAppShell::Run (this=0x80f41f8) at nsAppShell.cpp:335
#26 0x406a7290 in nsAppShellService::Run (this=0x80f3010) at
nsAppShellService.cpp:378
#27 0x8055374 in main1 (argc=1, argv=0xbffff964, nativeApp=0x0) at
nsAppRunner.cpp:958
#28 0x8055a48 in main (argc=1, argv=0xbffff964) at nsAppRunner.cpp:1139
#29 0x4036a2e7 in __libc_start_main () from /lib/libc.so.6

This occurs on every build after 2000-08-30-15 on Linux.  cc harishd because he
diddled in this code at the right time re: Bug 46702.
(Reporter)

Comment 1

17 years ago
Keywordage.
Severity: normal → critical
Keywords: crash, nsbeta3, testcase
(Reporter)

Comment 2

17 years ago
Created attachment 13849 [details]
Minimal valid testcase

Comment 3

17 years ago
Unable to reproduce crash on 083111 Win98.
(Reporter)

Comment 4

17 years ago
I apologize.  I uploaded the wrong testcase.  The second testcase really does
crash repeatably.
(Reporter)

Comment 5

17 years ago
Created attachment 13861 [details]
Real testcase this time
(Assignee)

Comment 6

17 years ago
*** Bug 50964 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 7

17 years ago
Created attachment 13867 [details] [diff] [review]
Proposed patch..
(Assignee)

Comment 8

17 years ago
The problem is that in COtherElements the node that got recycled was being 
referenced!

Rickg, could you please review the patch? Thanx
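
An added illustration of the bug class named in comment 8 (a node referenced after it was recycled); it is not Mozilla's parser code or the attached patch. Node, Recycler and both functions are hypothetical names, and holding an extra reference is one common remedy, assumed here rather than taken from the patch. The p/form tags mirror the stack trace, where a p container is closed while a form start token is handled.

```cpp
#include <vector>

// Constructed illustration: hypothetical names, not Mozilla's classes.
enum Tag { TAG_UNKNOWN, TAG_P, TAG_FORM };
struct Node { Tag tag = TAG_UNKNOWN; int refs = 0; };

// Pool that recycles nodes instead of freeing them: a stale pointer still
// points at valid storage, but possibly at a different logical node.
class Recycler {
    std::vector<Node*> free_;
public:
    ~Recycler() { for (Node* n : free_) delete n; }
    Node* Alloc(Tag t) {
        Node* n = nullptr;
        if (free_.empty()) { n = new Node; }
        else { n = free_.back(); free_.pop_back(); }
        n->tag = t; n->refs = 1;
        return n;
    }
    void AddRef(Node* n) { ++n->refs; }
    void Release(Node* n) {
        if (--n->refs == 0) { n->tag = TAG_UNKNOWN; free_.push_back(n); }
    }
};

// Before: the only reference is dropped, then the pointer is used anyway.
Tag ReadAfterRecycle() {
    Recycler r;
    Node* p = r.Alloc(TAG_P);        // open <p>: one reference exists
    r.Release(p);                    // implicit close: node returns to the pool
    Node* form = r.Alloc(TAG_FORM);  // next start token reuses the same slot
    Tag seen = p->tag;               // stale pointer now reads the form node
    r.Release(form);
    return seen;
}

// After: the caller holds its own reference across the close.
Tag ReadWithOwnReference() {
    Recycler r;
    Node* p = r.Alloc(TAG_P);
    r.AddRef(p);                     // caller's reference keeps the node live
    r.Release(p);                    // close drops one reference, no recycle
    Node* form = r.Alloc(TAG_FORM);  // pool is empty, so a fresh node is made
    Tag seen = p->tag;               // still the <p> node
    r.Release(p); r.Release(form);
    return seen;
}

int main() { return (ReadAfterRecycle() == TAG_FORM && ReadWithOwnReference() == TAG_P) ? 0 : 1; }
```

Because the pool never frees storage, the stale read here returns wrong data rather than faulting; with a pool that frees or overwrites nodes, the same pattern is a crash like the one in the trace.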
(Reporter)

Comment 9

17 years ago
Harishd, I applied your patch to source pulled 2000-09-01-06.  It applies,
compiles, and fixes the crash.  However, I get a new compiler warning:

COtherElements.h: In method `nsresult CElement::CloseContainerInContext(class
nsIParserNode *, enum nsHTMLTag, class nsDTDContext *, class nsIHTMLContentSink
*)':
In file included from COtherDTD.cpp:82:
COtherElements.h:344: warning: unused variable `nsresult result'

I don't see any reason for the result variable, either.  You don't use it or
return it.  It seems vestigial.
(Assignee)

Comment 10

17 years ago
Ya, I was planning on using that variable then decided not to..but then forgot
to remove it!!! Thanx for the heads up Jeffrey.
(Reporter)

Comment 11

17 years ago
This was also seen on Win2k.
OS: Linux → All
(Reporter)

Comment 12

17 years ago
*** Bug 51071 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 13

17 years ago
*** Bug 51183 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 14

17 years ago
*** Bug 51162 has been marked as a duplicate of this bug. ***

Comment 15

17 years ago
I probably have a dupe of this bug. CCing myself so I can check after fix goes
in.

Comment 16

17 years ago
*** Bug 51217 has been marked as a duplicate of this bug. ***

Comment 17

17 years ago
*** Bug 51219 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 18

17 years ago
*** Bug 51234 has been marked as a duplicate of this bug. ***

Comment 19

17 years ago
Changing Summary to make it easier to find (it's getting lots of dups)
Summary: Crashing in nsCParserNode::GetNodeType → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags

Updated

17 years ago
Keywords: mostfreq
Adding topcrash keyword.  This is #5 on today's list of top crashes for the past
week (in n.p.m.crash-data).  (And #1 and #4 are fixed.)
Keywords: topcrash
(Reporter)

Comment 21

17 years ago
*** Bug 51243 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 22

17 years ago
*** Bug 51257 has been marked as a duplicate of this bug. ***
Another example of this is http://www.mozart-oz.org/ . This starts with
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> .
PC/Linux build 2000090308.
*** Bug 51200 has been marked as a duplicate of this bug. ***
*** Bug 51173 has been marked as a duplicate of this bug. ***

Comment 26

17 years ago
*** Bug 51277 has been marked as a duplicate of this bug. ***

Comment 27

17 years ago
It should be but it wasn't (I don't have perms but bugzilla doesn't seem to
check before making the annotation above).
*** Bug 51277 has been marked as a duplicate of this bug. ***

Comment 29

17 years ago
*** Bug 51293 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 30

17 years ago
*** Bug 51310 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 31

17 years ago
*** Bug 51310 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 32

17 years ago
*** Bug 51290 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 33

17 years ago
*** Bug 51302 has been marked as a duplicate of this bug. ***

Comment 34

17 years ago
Here's another testcase (not that it's really needed):
http://www.davidkrause.com/~david/crash.html

Also, just a reminder that we're going to need to check each of these dups once
this is fixed to make sure nothing slipped through the cracks.

Comment 35

17 years ago
*** Bug 51344 has been marked as a duplicate of this bug. ***

Updated

17 years ago

Comment 36

17 years ago
*** Bug 51356 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 37

17 years ago
*** Bug 51332 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 38

17 years ago
Harishd has the probable fix for this.  We are accumulating more and more
duplicate bug reports every day.  Since this crash is so frequent, this is
preventing everyday use, and also most likely masking other bugs.

I have this fixed in my tree, but people who test with the nightlies do not have
that remedy.  I would be very appreciative if someone could review this patch
ASAP, and if leger or whomever could please come along and nsbeta3+ this bug.
Whiteboard: fix in hand

Updated

17 years ago
Keywords: review
Whiteboard: fix in hand → fix in hand [needs review]

Comment 39

17 years ago
nisheeth, i summon thee to review harish's patch.

harish, i implore you to find a reviewer if nisheeth/rickg cannot be found (and,
maybe, take ownership of the bug!)

Comment 40

17 years ago
Only code written by Netscapers requires an nsbeta3+ for checkin; anyone can
checkin this patch with module owner review and approval from brendan or waterson.

Comment 41

17 years ago
But Harish wrote the code, and he's a netscape employee...
(Assignee)

Comment 42

17 years ago
Reassigning to myself. Got the patch reviewed by nisheeth. Will checkin first
thing in the morning after comprehensive ( walking top 100 sites ) testing.
Assignee: rickg → harishd

Updated

17 years ago
Keywords: review → approval
Whiteboard: fix in hand [needs review] → fix in hand [should be + by pdt since a netscape employee intends to check this in]

Comment 43

17 years ago
Putting on [nsbeta3+] radar.
Whiteboard: fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in]

Comment 44

17 years ago
Bug asserts itself on Mac versions, crashes repeatedly, recommend changing
platform to 'all'
(Reporter)

Updated

17 years ago
Hardware: PC → All

Comment 45

17 years ago
thank you
Status: NEW → ASSIGNED
Whiteboard: [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand

Comment 46

17 years ago
*** Bug 51369 has been marked as a duplicate of this bug. ***

Comment 47

17 years ago
*** Bug 51394 has been marked as a duplicate of this bug. ***

Comment 48

17 years ago
*** Bug 51402 has been marked as a duplicate of this bug. ***

Comment 49

17 years ago
*** Bug 51383 has been marked as a duplicate of this bug. ***

Comment 50

17 years ago
*** Bug 51458 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 51

17 years ago
Will checkin as soon as the tree opens today.
(Assignee)

Comment 52

17 years ago
*** Bug 51542 has been marked as a duplicate of this bug. ***

Comment 53

17 years ago
I'm absolutely dead in the water today with this crash.  I'll try your patch...

Comment 54

17 years ago
so far, this patch is working for me.  no more crashes!
(Assignee)

Comment 55

17 years ago
Fix is in. Everyone should be happy :-)

Good...marking FIXED.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
(Assignee)

Comment 56

17 years ago
*** Bug 51204 has been marked as a duplicate of this bug. ***

Comment 57

17 years ago
How did you manage to resolve this bug w/o it getting marked as fixed? 
[Reopening to reresolve as fixed - please excuse the spam]
Status: RESOLVED → REOPENED

Comment 58

17 years ago
Trying to resolve as Fixed
Status: REOPENED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
(Reporter)

Comment 59

17 years ago
*** Bug 51647 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 60

17 years ago
*** Bug 51654 has been marked as a duplicate of this bug. ***

Comment 61

17 years ago
*** Bug 51819 has been marked as a duplicate of this bug. ***

Comment 62

17 years ago
*** Bug 51818 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 63

17 years ago
*** Bug 51864 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 64

17 years ago
I verified every URL and testcase attached to this bug and its duplicates.  None
of them crashed on Linux build 2000-09-08-06.  The fact that I could visit every
one of these URLs, and then back-button through them without crashing is an
unexpected testament to Mozilla's current quality.

http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14260
http://www.la-sorciere.de/Wine-HOWTO/index.html
http://www.lokigames.com/
http://people.netscape.com/ftang/number/test/armenian.html
http://blanalex.dyndns.org/
http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14096
http://www.psu.edu/ur/directory/
http://www.physik.fu-berlin.de/~fsi/statistik.html
http://www.gnu.org/software/hurd/
http://www.mihalis.org/Laurent/cv_lc.html
http://www.kde.org/announcements/k2launchpad.html
http://johnandlucy.com/crash.html
http://www.davidkrause.com/~david/crash.html
http://www.lowfield.co.uk/archers/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13998
http://www.amd.com/news/corppr/20152.html
http://www.nemesis.se/about_site
http://www.swiss.ai.mit.edu/~rms/anti-posco/
http://www.amd.com/products/cpg/athlon/benchmarks/benchmarks.html
http://www.nemesis.se/clients/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13960
http://www.lokigames.com/products/sc3k/
http://www.mozart-oz.org/
http://www.htmlhelp.org/reference/html40/deprecated.html
http://www.gtk.org/~otaylor/gtk/gobject/
http://www.strusel007.de/linux/xawtv/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13953
http://www.w3.org/StyleSheets/Core/preview
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13888
http://www.richinstyle.com/bugs/ie5demo.html
http://www.americangreetings.com/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13861
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13849
http://www.northernsun.com/

Comment 65

17 years ago
[@ nsCParserNode::GetNodeType]
Summary: Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]

Comment 66

17 years ago
*** Bug 51818 has been marked as a duplicate of this bug. ***
I checked the links as well, on NT, and did not get a crash. However, I got
unrelated assertions on two of them:

http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://www.physik.fu-berlin.de/~fsi/statistik.html

I will see if there are bugs on them and file new ones if not.

But, since Jeffrey passed the list on Linux and I passed the list on NT I am 
marking this verified.
Status: RESOLVED → VERIFIED

Comment 68

8 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
Crash Signature: [@ nsCParserNode::GetNodeType]