Closed Bug 647926 Opened 13 years ago Closed 13 years ago

SM 2.1bx crash [@nsHtml5TreeBuilder]

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: glgxg, Unassigned)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

.eml attachment for crash testing.
3.24 KB, message/rfc822
Details 
User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:2.0b11) Gecko/20110209 Firefox/4.0b11 SeaMonkey/2.1b2
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b11) Gecko/20110209 Firefox/4.0b11 SeaMonkey/2.1b2

Build identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0b11)
Gecko/20110209 Firefox/4.0b11 SeaMonkey/2.1b2

Yesterday I forwarded a news.mozilla.support.seamonkey message to myself
(Message-ID: <oO-dnSG81M5ZSwvQnZ2dnUVZ_vydnZ2d@mozilla.org> - Subject:
view headers all option - 04/02/2011 12:57 AM, Stanimir Stamenkov) as an
attachment. Opened the forwarded email and double-clicked the .eml
attachment:

Content-Type: message/rfc822;
 name="Re: view headers all option.eml"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="Re: view headers all option.eml"

Crashed SM. Send the crash report, reopened SM, repeated, crash. Both
crashes are:

<https://crash-stats.mozilla.com/report/index/bp-cd4fcdb1-fd1b-4430-9d36-91fe32110404>
[SeaMonkey 2.1b2 Crash Report [@ nsHtml5TreeBuilder::currentNode ] ]

<https://crash-stats.mozilla.com/report/index/bp-0d0fc3fe-8ec8-430d-bf7b-9c86b2110404>
[SeaMonkey 2.1b2 Crash Report [@ nsHtml5TreeBuilder::isInForeign ]]

Reproducible: Always

Steps to Reproduce:
1. mozilla.support.seamonkey
Open thread: view headers all option (03/29/2011 - Rick Merrill)
Click on the last msg in that thread: 04/02/2011 12:57 AM, Stanimir
Stamenkov - Message-ID: <oO-dnSG81M5ZSwvQnZ2dnUVZ_vydnZ2d@mozilla.org>

2. Forward Stanimir's message as an attachement (Forward|Attachment).

3. Open the forwarded email & click on the attachment icon (right side
of Subject: header etc). You'll see:
Attachments:
  Re: view header...on.eml (1.4 KB)
double-click 'Re: view header...on.eml (1.4 KB)'
Actual Results:  
Crashes. 
See the thread in mozilla.dev.apps.seamonkey 
Subject: SM 2.1 crashes - nsHtml5TreeBuilder 
Date: Tue, 05 Apr 2011 08:27:14 -0700
for additional details.

Expected Results:  
Opened the .eml in a separate window (as does SeaMonkey 2.0.13).

Additional crash reports:
<https://crash-stats.mozilla.com/report/index/bp-6917e205-0640-49fb-8502-ed1742110405>
<https://crash-stats.mozilla.com/report/index/d2ccab95-cf10-4f76-a181-24ee02110405>
<https://crash-stats.mozilla.com/report/index/bp-efde20bb-df29-4764-a6c5-255d02110405>
<https://crash-stats.mozilla.com/report/index/1a2931ca-3a3d-4795-80a0-9340f2110405>
<https://crash-stats.mozilla.com/report/index/1a2931ca-3a3d-4795-80a0-9340f2110405>
Crash Report as per above, but instead of forwarding it out and back, I only saved the message to Drafts-folder and attempted to open draft-Attachment-eml:

<https://crash-stats.mozilla.com/report/index/bp-9b6b990c-aac1-407b-a2f9-be5762110405>

Mozilla/5.0 (X11; Linux x86_64; rv:2.2a1pre) Gecko/20110331 Firefox/4.2a1pre SeaMonkey/2.2a1pre ID:20110331193613
Status: UNCONFIRMED → NEW
Component: MailNews: General → HTML: Parser
Ever confirmed: true
Keywords: crash
Product: SeaMonkey → Core
QA Contact: mail → parser
Summary: SM 2.1bx crashes - nsHtml5TreeBuilder → SM 2.1bx crash [@nsHtml5TreeBuilder]
Version: unspecified → Trunk
I can't find the message in Google group search by message id. Could you please attach the HTML markup in the crashing message here?
My money is on the EML-to-HTML converter doing something that the HTML5 parser doesn't expect, not on the HTML markup being anything particularly interested...

NoOP, can you just attach the .eml file in question here?

    
    

    
  
Repeated by duplicating NoOp's test, and actually  forwarded newsgroup-message with eml as Attachment, which also crashed instantly when opening eml-Attachment in SM-2.2a1pre, and got the same crash signatures:-
<https://crash-stats.mozilla.com/report/index/bp-c9d7cbb5-bcf0-40ec-854d-1c7032110405>

The faulty mechanism appears to be unique to the browser's capacity to display the eml-Attachment from within the message.

This is not an insurmountable-problem for me personally, as image and eml Attachments are automatically displayed within the message-pane (below the message), but that ability does seem to prove that the messaging window/pane part of SeaMonkey is not having problems converting and correctly displaying the eml-attachment from within the message.

Nor does SeaMonkey have a problem saving the eml-Attachment as an eml-local-file, and then correctly opening and displaying the file in SeaMonkey's browser-window.

The problem is only when trying to open inside the browser-window, ~ the eml-attachment from within the actual-message. Then, it's an instant crash!

Am I right off-track by suggesting that this does not sound like a eml>HTML conversion problem, but rather a faulty instruction or path that has gone astray, for this particular operation alone?

    
    

    
  
(In reply to comment #5)
> The faulty mechanism appears to be unique to the browser's capacity to display
> the eml-Attachment from within the message.

Interesting. Could that code path manage to systematically corrupt the tree builder stack memory in the same way every time?

Is there an easy way to dump the HTML that gets fed to the HTML parser when the .eml is converted to HTML?

Does this crash happen in Thunderbird?

    
    

    
  
> Does this crash happen in Thunderbird?
Thunderbird doesn't have a browser component like the SeaMonkey Suite does.
Crash Signature: [@nsHtml5TreeBuilder]

    
    

    
  
Correction: SeaMonkey 2.2b3

    
    

    
  
(In reply to comment #8)
> <https://crash-stats.mozilla.com/report/index/bp-6e31a14e-440b-4d41-9ecc-7cac82110706>

Frame #1:

libxul.so 	nsHtml5TreeBuilder::flushCharacters 	parser/html/nsHtml5TreeBuilder.cpp:3772

appears the same as Frame #0 of <https://crash-stats.mozilla.com/report/index/bp-cfbdec39-a138-4731-a6f9-2e4712110703> which I've reported for Bug 665310.  It would be interesting if you would be able to reproduce with 2.2 final which will include a fix for Bug 665313 (it doesn't mean the crash is fixed, but this issue would need different case to reproduce).

    
    

    
  
Resolved in 2.2 final. Just installed & tested:
http://www.seamonkey-project.org/releases/2.2 (linux), double-clicked the eml and it does not crash SM and does open the eml albeit as:
HVlLCAyOSBNYXIgMjAxMSAxODowMjo1MCAtMDQwMCwgL1JpY2sgTWVycmlsbC86Cgo+IFdo
ZW4geW91IFJFY2VpdmUgb25lIG9mIHRoZXNlIHNjYW1zIHlvdSBNQVkgZm9yd2FyZCAoc2Vu
ZCkKPiBpdCB0byBwaGlzaGluZ0BpcnMuZ292IGJ1dCBpdCBpcyBvbmx5IHVzZWZ1bCBpZiB5
b3Ugc2VuZAo+IGZ1bGwgaGVhZGVycy4KPgo+IEluIG90aGVyIHdvcmRzIDotKSB3aGF0IEkg
d2FzIGFza2luZyBpcyBhIG9uZS10aW1lLW9ubHkgImZ1bGwKPiBoZWFkZXJzIiBvcHRpb24g
Zm9yIHN1Y2ggZm9yd2FyZHMuCgpXaGF0J3Mgd3Jvbmcgd2l0aCBGb3J3YXJkIEFzIC0+IEF0
dGFjaG1lbnQ/ICBUaGlzIHdheSB5b3UnbGwgaW5jbHVkZSAKZnVsbCBoZWFkZXJzIGFuZCBm
dWxsIGNvbnRlbnQgaW4gYWRkaXRpb24uICBZb3UnbGwgYmFzaWNhbGx5IGZvcndhcmQgCnRo
ZSBvcmlnaW5hbCBtZXNzYWdlIGludGFjdC4KCi0tIApTdGFuaW1pcgo=

but no more crashes.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME

    
    

    
  
Mozilla/5.0 (X11; Linux x86_64; rv:7.0a2) Gecko/20110705 Firefox/7.0a2 SeaMonkey/2.4a2 ID:20110705104517

Many thanks Stan and Karsten.

Confirmed works for me.

forwarded the news.mozilla.support.seamonkey message to myself
(Message-ID: <oO-dnSG81M5ZSwvQnZ2dnUVZ_vydnZ2d@mozilla.org> - Subject:
view headers all option - 04/02/2011 12:57 AM, Stanimir Stamenkov) as an
attachment.

1/ Opened the forwarded .eml attachment via double-clicking: Result = message body opened in new window perfectly.

2/ Opened the forwarded .eml attachment via right-click drop-down-menu: Result = message body opened in new window perfectly.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: