Closed Bug 536097 Opened 15 years ago Closed 15 years ago

[HTML5][Patch] spinning in nsHtml5TreeBuilder::startTag()?

Categories

(Core :: DOM: HTML Parser, defect, P1)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jrmuizel, Assigned: hsivonen)

Details

Attachments

(2 files, 1 obsolete file)

More defensive fix
1.18 KB, patch
Details | Diff | Splinter Review
Crashtest
886 bytes, patch
jrmuizel
: review+
Details | Diff | Splinter Review
I think this has happened to me a couple of times and seems related to using facebook. Shark gives a call stack of: 98.3% 98.3% nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, int) 0.0% 98.3% nsHtml5Tokenizer::emitCurrentTagToken(int, int) 0.0% 98.3% nsHtml5Tokenizer::stateLoop(int, unsigned short, int, unsigned short*, int, int, int) 0.0% 98.3% nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) 0.0% 98.3% nsHtml5StreamParser::ParseAvailableData() 0.0% 98.3% nsHtml5StreamParserContinuation::Run() 0.0% 98.3% nsThread::ProcessNextEvent(int, int*) 0.0% 98.3% NS_ProcessNextEvent_P(nsIThread*, int)
Do you mean spinning as in infinite loop or spinning that eventually stops?
Priority: -- → P1
I've never seen it stop, but I haven't waited more than a couple minutes.
For now, I'll assume this is an infinite loop, because finite but long spinning in that method makes no sense.
Happened again when logging out of facebook. Same stack.
Here's a reproducible, though not minimal, test case: http://people.mozilla.org/~jmuizelaar/html5/600.html The test case comes from an ad iframe on facebook.
Keywords: testcase-wanted
Oops sorry about the keyword. Great to have a test case already!
Keywords: testcase-wanted
The test case doesn't appear to spin in startTag but instead it returns to the event loop without completing the load.
It still spins in startTag for me and Joe Drew with trunk. I can try to reduce the test case further if it doesn't work for you.
I've reduced the test case at http://people.mozilla.org/~jmuizelaar/html5/600.html further. The problem seems related to document.write()
The problem here is that the tokenizer emits a start tag token for iframe when the tree builder is in the NS_HTML5TREE_BUILDER_TEXT mode. It should be impossible for the tokenizer to emit a start tag token in that case. The document.write()-related state choreography must be faulty somehow.
Attached patch Fix (obsolete) — Splinter Review
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Attachment #431849 - Attachment is obsolete: true
Attached patch CrashtestSplinter Review
Thanks for catching this!
Attachment #431866 - Flags: review?(jmuizelaar)
Flags: in-testsuite?
Summary: [HTML5] spinning in nsHtml5TreeBuilder::startTag()? → [HTML5][Patch] spinning in nsHtml5TreeBuilder::startTag()?
Attachment #431866 - Flags: review?(jmuizelaar) → review+
http://hg.mozilla.org/mozilla-central/rev/d2dfc88b95d0 http://hg.mozilla.org/mozilla-central/rev/6ff8448d081e
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
See Also: http://www.w3.org/Bugs/Public/show_bug.cgi?id=8375
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: