Last Comment Bug 647926 - SM 2.1bx crash [@nsHtml5TreeBuilder]
: SM 2.1bx crash [@nsHtml5TreeBuilder]
Status: RESOLVED WORKSFORME
: crash
Product: Core
Classification: Components
Component: HTML: Parser (show other bugs)
: Trunk
: All All
: -- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-05 20:46 PDT by NoOp
Modified: 2011-07-07 20:06 PDT (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
.eml attachment for crash testing. (3.24 KB, message/rfc822)
2011-04-06 08:45 PDT, NoOp
no flags Details

Description NoOp 2011-04-05 20:46:09 PDT
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:2.0b11) Gecko/20110209 Firefox/4.0b11 SeaMonkey/2.1b2
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b11) Gecko/20110209 Firefox/4.0b11 SeaMonkey/2.1b2

Build identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b11)
Gecko/20110209 Firefox/4.0b11 SeaMonkey/2.1b2

Yesterday I forwarded a news.mozilla.support.seamonkey message to myself
(Message-ID: <oO-dnSG81M5ZSwvQnZ2dnUVZ_vydnZ2d@mozilla.org> - Subject:
view headers all option - 04/02/2011 12:57 AM, Stanimir Stamenkov) as an
attachment. Opened the forwarded email and double-clicked the .eml
attachment:

Content-Type: message/rfc822;
 name="Re: view headers all option.eml"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="Re: view headers all option.eml"

Crashed SM. Send the crash report, reopened SM, repeated, crash. Both
crashes are:

<https://crash-stats.mozilla.com/report/index/bp-cd4fcdb1-fd1b-4430-9d36-91fe32110404>
[SeaMonkey 2.1b2 Crash Report [@ nsHtml5TreeBuilder::currentNode ] ]

<https://crash-stats.mozilla.com/report/index/bp-0d0fc3fe-8ec8-430d-bf7b-9c86b2110404>
[SeaMonkey 2.1b2 Crash Report [@ nsHtml5TreeBuilder::isInForeign ]]

Reproducible: Always

Steps to Reproduce:
1. mozilla.support.seamonkey
Open thread: view headers all option (03/29/2011 - Rick Merrill)
Click on the last msg in that thread: 04/02/2011 12:57 AM, Stanimir
Stamenkov - Message-ID: <oO-dnSG81M5ZSwvQnZ2dnUVZ_vydnZ2d@mozilla.org>

2. Forward Stanimir's message as an attachement (Forward|Attachment).

3. Open the forwarded email & click on the attachment icon (right side
of Subject: header etc). You'll see:
Attachments:
  Re: view header...on.eml (1.4 KB)
double-click 'Re: view header...on.eml (1.4 KB)'
Actual Results:  
Crashes. 
See the thread in mozilla.dev.apps.seamonkey 
Subject: SM 2.1 crashes - nsHtml5TreeBuilder 
Date: Tue, 05 Apr 2011 08:27:14 -0700
for additional details.

Expected Results:  
Opened the .eml in a separate window (as does SeaMonkey 2.0.13).

Additional crash reports:
<https://crash-stats.mozilla.com/report/index/bp-6917e205-0640-49fb-8502-ed1742110405>
<https://crash-stats.mozilla.com/report/index/d2ccab95-cf10-4f76-a181-24ee02110405>
<https://crash-stats.mozilla.com/report/index/bp-efde20bb-df29-4764-a6c5-255d02110405>
<https://crash-stats.mozilla.com/report/index/1a2931ca-3a3d-4795-80a0-9340f2110405>
<https://crash-stats.mozilla.com/report/index/1a2931ca-3a3d-4795-80a0-9340f2110405>
Comment 1 Barry Edwin GIlmour 2011-04-05 21:40:31 PDT
Crash Report as per above, but instead of forwarding it out and back, I only saved the message to Drafts-folder and attempted to open draft-Attachment-eml:

<https://crash-stats.mozilla.com/report/index/bp-9b6b990c-aac1-407b-a2f9-be5762110405>

Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20110331 Firefox/4.2a1pre SeaMonkey/2.2a1pre ID:20110331193613
Comment 2 Henri Sivonen (:hsivonen) 2011-04-05 22:50:20 PDT
I can't find the message in Google group search by message id. Could you please attach the HTML markup in the crashing message here?
Comment 3 Boris Zbarsky [:bz] (Out June 25-July 6) 2011-04-05 23:24:14 PDT
My money is on the EML-to-HTML converter doing something that the HTML5 parser doesn't expect, not on the HTML markup being anything particularly interested...

NoOP, can you just attach the .eml file in question here?
Comment 4 NoOp 2011-04-06 08:45:08 PDT
Created attachment 524191 [details]
.eml attachment for crash testing.
Comment 5 Barry Edwin GIlmour 2011-04-07 20:13:22 PDT
Repeated by duplicating NoOp's test, and actually  forwarded newsgroup-message with eml as Attachment, which also crashed instantly when opening eml-Attachment in SM-2.2a1pre, and got the same crash signatures:-
<https://crash-stats.mozilla.com/report/index/bp-c9d7cbb5-bcf0-40ec-854d-1c7032110405>

The faulty mechanism appears to be unique to the browser's capacity to display the eml-Attachment from within the message.

This is not an insurmountable-problem for me personally, as image and eml Attachments are automatically displayed within the message-pane (below the message), but that ability does seem to prove that the messaging window/pane part of SeaMonkey is not having problems converting and correctly displaying the eml-attachment from within the message.

Nor does SeaMonkey have a problem saving the eml-Attachment as an eml-local-file, and then correctly opening and displaying the file in SeaMonkey's browser-window.

The problem is only when trying to open inside the browser-window, ~ the eml-attachment from within the actual-message. Then, it's an instant crash!

Am I right off-track by suggesting that this does not sound like a eml>HTML conversion problem, but rather a faulty instruction or path that has gone astray, for this particular operation alone?
Comment 6 Henri Sivonen (:hsivonen) 2011-04-08 00:37:27 PDT
(In reply to comment #5)
> The faulty mechanism appears to be unique to the browser's capacity to display
> the eml-Attachment from within the message.

Interesting. Could that code path manage to systematically corrupt the tree builder stack memory in the same way every time?

Is there an easy way to dump the HTML that gets fed to the HTML parser when the .eml is converted to HTML?

Does this crash happen in Thunderbird?
Comment 7 Philip Chee 2011-04-19 19:13:19 PDT
> Does this crash happen in Thunderbird?
Thunderbird doesn't have a browser component like the SeaMonkey Suite does.
Comment 8 NoOp 2011-07-06 12:33:05 PDT
Still crashes SeaMonkey 2.2b2:
<https://crash-stats.mozilla.com/report/index/bp-6e31a14e-440b-4d41-9ecc-7cac82110706>
Comment 9 NoOp 2011-07-06 12:34:00 PDT
Correction: SeaMonkey 2.2b3
Comment 10 Stanimir Stamenkov 2011-07-06 15:48:11 PDT
(In reply to comment #8)
> <https://crash-stats.mozilla.com/report/index/bp-6e31a14e-440b-4d41-9ecc-7cac82110706>

Frame #1:

libxul.so 	nsHtml5TreeBuilder::flushCharacters 	parser/html/nsHtml5TreeBuilder.cpp:3772

appears the same as Frame #0 of <https://crash-stats.mozilla.com/report/index/bp-cfbdec39-a138-4731-a6f9-2e4712110703> which I've reported for Bug 665310.  It would be interesting if you would be able to reproduce with 2.2 final which will include a fix for Bug 665313 (it doesn't mean the crash is fixed, but this issue would need different case to reproduce).
Comment 11 NoOp 2011-07-07 18:36:05 PDT
Resolved in 2.2 final. Just installed & tested:
http://www.seamonkey-project.org/releases/2.2 (linux), double-clicked the eml and it does not crash SM and does open the eml albeit as:
HVlLCAyOSBNYXIgMjAxMSAxODowMjo1MCAtMDQwMCwgL1JpY2sgTWVycmlsbC86Cgo+IFdo
ZW4geW91IFJFY2VpdmUgb25lIG9mIHRoZXNlIHNjYW1zIHlvdSBNQVkgZm9yd2FyZCAoc2Vu
ZCkKPiBpdCB0byBwaGlzaGluZ0BpcnMuZ292IGJ1dCBpdCBpcyBvbmx5IHVzZWZ1bCBpZiB5
b3Ugc2VuZAo+IGZ1bGwgaGVhZGVycy4KPgo+IEluIG90aGVyIHdvcmRzIDotKSB3aGF0IEkg
d2FzIGFza2luZyBpcyBhIG9uZS10aW1lLW9ubHkgImZ1bGwKPiBoZWFkZXJzIiBvcHRpb24g
Zm9yIHN1Y2ggZm9yd2FyZHMuCgpXaGF0J3Mgd3Jvbmcgd2l0aCBGb3J3YXJkIEFzIC0+IEF0
dGFjaG1lbnQ/ICBUaGlzIHdheSB5b3UnbGwgaW5jbHVkZSAKZnVsbCBoZWFkZXJzIGFuZCBm
dWxsIGNvbnRlbnQgaW4gYWRkaXRpb24uICBZb3UnbGwgYmFzaWNhbGx5IGZvcndhcmQgCnRo
ZSBvcmlnaW5hbCBtZXNzYWdlIGludGFjdC4KCi0tIApTdGFuaW1pcgo=

but no more crashes.
Comment 12 Barry Edwin GIlmour 2011-07-07 20:06:55 PDT
Mozilla/5.0 (X11; Linux x86_64; rv:7.0a2) Gecko/20110705 Firefox/7.0a2 SeaMonkey/2.4a2 ID:20110705104517

Many thanks Stan and Karsten.

Confirmed works for me.

forwarded the news.mozilla.support.seamonkey message to myself
(Message-ID: <oO-dnSG81M5ZSwvQnZ2dnUVZ_vydnZ2d@mozilla.org> - Subject:
view headers all option - 04/02/2011 12:57 AM, Stanimir Stamenkov) as an
attachment.

1/ Opened the forwarded .eml attachment via double-clicking: Result = message body opened in new window perfectly.

2/ Opened the forwarded .eml attachment via right-click drop-down-menu: Result = message body opened in new window perfectly.

Note You need to log in before you can comment on or make changes to this bug.