Closed Bug 59426 Opened 24 years ago Closed 24 years ago

Crash on <applet> Text <p> </applet>

Categories

(Core :: Layout, defect, P1)

Tracking

VERIFIED DUPLICATE of bug 57026

People

(Reporter: cks+mozilla, Assigned: waterson)

Details

(Keywords: crash, testcase, topcrash, Whiteboard: fixes available in bug 57026, please checkin for mozilla 0.7)

Attachments

(1 file)

Build ID: current trunk CVS build on Redhat 6.2 Linux

When Mozilla encounters '<applet> text <p> </applet>' it crashes. I will attach the obvious test case shortly. The deadly combination is any text and a <p> (or a </p>); either alone does not cause the crash. The crash happens in more elaborate cases, such as a real applet; it may not happen if the applet is for a plugin that you have installed.

This crash is boiled down from the crash that I get when visiting http://ssh.sourceware.net/ when I do not have a JVM plugin installed.

Stack backtrace:

(gdb) where
#0 0x40a6bea9 in nsHTMLContainerFrame::ReparentFrameViewList () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libgklayout.so
#1 0x40b95feb in MoveChildrenTo () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libgklayout.so
#2 0x40bacce6 in nsCSSFrameConstructor::SplitToContainingBlock () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libgklayout.so
#3 0x40ba8c79 in nsCSSFrameConstructor::CantRenderReplacedElement () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libgklayout.so
#4 0x40cb0c3c in StyleSetImpl::CantRenderReplacedElement () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libgklayout.so
#5 0x40a65cc9 in FrameManager::HandlePLEvent () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libgklayout.so
#6 0x400c68ee in PL_HandleEvent () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/libxpcom.so
#7 0x400c6803 in PL_ProcessPendingEvents () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/libxpcom.so
#8 0x400c762a in nsEventQueueImpl::ProcessPendingEvents () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/libxpcom.so
#9 0x404f4eba in event_processor_callback () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libwidget_gtk.so
#10 0x404f4c42 in our_gdk_io_invoke () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libwidget_gtk.so
#11 0x404c3aca in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
---Type <return> to continue, or q <return> to quit---
#12 0x404c5186 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#13 0x404c5751 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#14 0x404c58f1 in g_main_run () from /usr/lib/libglib-1.2.so.0
#15 0x405b75b9 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#16 0x404f539b in nsAppShell::Run () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libwidget_gtk.so
#17 0x4046aecd in nsAppShellService::Run () from /mnt/mnt/cks/tmp/moz-objdir/dist/bin/components/libnsappshell.so
#18 0x804defc in main1 ()
#19 0x804e4c5 in main ()
#20 0x402699cb in __libc_start_main (main=0x804e390 <main>, argc=2, argv=0xbfffe744, init=0x804b084 <_init>, fini=0x8054a54 <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbfffe73c) at ../sysdeps/generic/libc-start.c:92

Sending to Layout based on the shared libraries involved.
Attached file Crash test case
Confirmed on build 2000110706 linux/Mandrake 7.2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
cc:ing waterson because of SplitToContainingBlock on the stack. This is the #2 topcrash on the trunk right now, although there are 2 bugs on it with slightly different descriptions (this one and bug 59163).
Keywords: topcrash
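
Added example, not part of the bug thread or of Mozilla's tooling: a sketch of the stack-based triage the comments above do by hand (routing by the shared library that holds the top frames, and grouping reports by the functions on top of the stack), run over frames excerpted from the reporter's backtrace. The function names and the signature depth of 3 are assumptions made for this illustration.

```python
import os
import re
from collections import Counter

# Frames 0-3, 6, 12 and 18 of the gdb backtrace quoted in the report,
# including the pager prompt and the frame that was split across lines.
LIB = "/mnt/mnt/cks/tmp/moz-objdir/dist/bin"
TRACE = f"""\
#0 0x40a6bea9 in nsHTMLContainerFrame::ReparentFrameViewList () from {LIB}/components/libgklayout.so
#1 0x40b95feb in MoveChildrenTo () from {LIB}/components/libgklayout.so
#2 0x40bacce6 in nsCSSFrameConstructor::SplitToContainingBlock () from {LIB}/components/libgklayout.so
#3 0x40ba8c79 in nsCSSFrameConstructor::CantRenderReplacedElement () from {LIB}/components/libgklayout.so
#6 0x400c68ee in PL_HandleEvent () from {LIB}/libxpcom.so
---Type <return> to continue, or q <return> to quit---
#12 0x404c5186 in g_main_dispatch
() from /usr/lib/libglib-1.2.so.0
#18 0x804defc in main1 ()
"""

# One frame: "#N 0xADDR in FUNCTION (args) [from MODULE]". re.S lets a frame
# span a line break, so run-together or wrapped pastes still parse.
FRAME_RE = re.compile(
    r"#(\d+)\s+0x[0-9a-f]+\s+in\s+([^\s(]+)\s*\(.*?\)(?:\s+from\s+(\S+))?", re.S)

def parse_frames(text):
    """Return [(index, function, module or None)]. Pager prompts and other
    non-frame text are skipped because they do not match FRAME_RE."""
    return [(int(n), fn, os.path.basename(mod) if mod else None)
            for n, fn, mod in FRAME_RE.findall(text)]

def crash_signature(frames, depth=3):
    """Top `depth` function names; addresses are left out so that builds
    loaded at different addresses land in the same bucket."""
    return " | ".join(fn for _, fn, _ in frames[:depth])

def owning_module(frames, depth=4):
    """Library holding most of the top frames: the routing hint used when
    the report was sent to Layout."""
    mods = Counter(mod for _, _, mod in frames[:depth] if mod)
    return mods.most_common(1)[0][0] if mods else None

if __name__ == "__main__":
    frames = parse_frames(TRACE)
    print("signature:", crash_signature(frames))
    print("route by :", owning_module(frames))
```
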
*** Bug 59163 has been marked as a duplicate of this bug. ***
See bug 57026. I've got a patch there that *almost* works. I'll take this bug for now...
Assignee: clayton → waterson
*** Bug 60041 has been marked as a duplicate of this bug. ***
*** Bug 62470 has been marked as a duplicate of this bug. ***
*** Bug 62414 has been marked as a duplicate of this bug. ***
*** Bug 62520 has been marked as a duplicate of this bug. ***
*** Bug 60397 has been marked as a duplicate of this bug. ***
*** Bug 61373 has been marked as a duplicate of this bug. ***
*** Bug 61092 has been marked as a duplicate of this bug. ***
*** Bug 59070 has been marked as a duplicate of this bug. ***
need to address for beta1.
Keywords: mostfreq, nsbeta1
OS: Linux → All
Hardware: PC → All
QA Contact: petersen → lorca
Upon managerial request, adding the "testcase" keyword to 84 open layout bugs that do not have the "testcase" keyword and yet have an attachment with the word "test" in the description field. Apologies for any mistakes.
Keywords: testcase
crashes are P1
Priority: P3 → P1
I posted bug 63707 about <object> element. It looks like a dup of this.
Also noted on http://openprojects.nu/ with offending code being: <OBJECT> <H2>About</H2> </OBJECT>
The latest builds are still crashing on this test case. This had been topcrash #1 some weeks ago, it's one of the most-frequently reported bugs, mozilla 0.7 would be the first major mozilla.org release with this crasher, and it looks like a reviewed (and super-reviewed) patch is available in bug 57026, ready for checkin. Chris: What's the ETA for the landing?
Whiteboard: fixes available in bug 57026, please checkin for mozilla 0.7
*** Bug 64204 has been marked as a duplicate of this bug. ***
I don't think that bug 63707 is a duplicate, just because this bug specifies <p> as a cause for the problem. I'll mark the other as a dependency though...
Actually, sorry for the spam, but I'll mark this as dependent on the other bug...since perhaps the <p> case is a subset of the instances that make bug 63707 occur.
Depends on: 63707
*** Bug 64533 has been marked as a duplicate of this bug. ***
Test case is fixed with checkin for bug 57026. Marking as a dup.
*** This bug has been marked as a duplicate of 57026 ***
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
VERIFIED. I'm taking your word on this, but I also see that the testcase works without crashing. Of course, it advises me to go to www.netscape.com to get the plugin downloader plugin, and I can't find it easily (that's annoying). But that's a different story.
Status: RESOLVED → VERIFIED
I just reopened bug 62470, which was marked a dupe of this one. It is not fixed and still crashes on its testcase http://openprojects.nu, offending code being: <A href="about.html"><OBJECT><H2>About</H2></OBJECT></A> Does this justify reopening this bug as well, or was it not a true duplicate?