Closed
Bug 76200
Opened 24 years ago
Closed 24 years ago
Mail crashes after opening HTML message with corrupted img field (very long ALT and no SRC)
Categories
(MailNews Core :: Backend, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
mozilla0.9
People
(Reporter: piskozub, Assigned: sspitzer)
References
Details
(Keywords: regression, Whiteboard: [nsbeta1+])
Attachments (4 files):
- 858 bytes, text/html
- 3.12 KB, patch
- 584 bytes, patch
- 1.02 KB, patch
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:0.8.1+) Gecko/20010416
BuildID: 2001041604
Today Win32 installer build crashes on a message with all the text as a very
long IMG ALT field with no actual SRC in the field. I'll attach the culprit
HTML. This is a recent regression, I read and deleted this piece of SPAM with
20010411 morning build with no problem
Reproducible: Always
Steps to Reproduce:
1. Send this attached crap to yourself
2. Try to read the message
3. Crash
Actual Results: Crash (after marking the message as read)
Expected Results: Message opens showing anything (the message is actually empty
except for the long IMG ALT field).
I mark this critical as this may lead to a very simple Denial of Service attack
Comment 1 • 24 years ago (Reporter)
Updated • 24 years ago (Reporter)
Keywords: regression
Comment 2 • 24 years ago (Reporter)
More comment: Today build 20010416 crashes with an exception in necko.dll. The
above mentioned 20010411 crashed today on the message with gklayout.dll error
(however I am sure I read this message earlier with that build on another host).
Mozilla 0.8.1 does not crash showing an empty message (pretty reasonable) while
Netscape 4.77 shows the broken image icon with all the ALT text as one long line
(correct but not necessarily reasonable).
This means that:
- this is the new MailNews branch error
- something in the last four days made it even worse (crash every time, instead
of intermittent)
Comment 3 • 24 years ago
-> Composition
Oh, and BTW, I don't think this is related to the MailNews branch since that
didn't change Composition/Viewing of messages as far as I know.
Component: Mail Window Front End → Composition
Comment 4 • 24 years ago (Reporter)
You may be right but this HTML shows OK in a browser window. Therefore I assumed
(maybe wrong) that it has something to do with MailNews and as Mozilla 0.8.1
does not have it, the new branch seemed the best usual suspect.
Comment 5 • 24 years ago
Since this is composer/HTML-renderer, maybe Editor has something to do with it?
CC beppe and brade
Comment 6 • 24 years ago (Assignee)
accepting.
it's a mail backend problem.
excellent bug report, Jacek
Status: UNCONFIRMED → ASSIGNED
Component: Composition → Mail Back End
Ever confirmed: true
Comment 7 • 24 years ago (Assignee)
here's the stack
the crasher is because mScheme is null.
nsStdURL::SchemeIs(nsStdURL * const 0x08acf900, const char * 0x025e29c8, int *
0x0012ed4c) line 312 + 12 bytes
nsMsgMailNewsUrl::SchemeIs(nsMsgMailNewsUrl * const 0x08acf984, const char *
0x025e29c8, int * 0x0012ed4c) line 486
GetCacheSession(nsIURI * 0x08acf984, nsICacheSession * * 0x0012ed9c) line 82
imgCache::Get(nsIURI * 0x08acf984, imgRequest * * 0x0012ef3c,
nsICacheEntryDescriptor * * 0x0012eed4) line 183 + 33 bytes
imgLoader::LoadImage(imgLoader * const 0x025ae920, nsIURI * 0x08acf984,
nsILoadGroup * 0x06bb5db0, imgIDecoderObserver * 0x08aceca0, nsISupports *
0x066bbb70, imgIRequest * * 0x072e4fb4) line 78 + 40 bytes
nsImageFrame::Init(nsImageFrame * const 0x072e4f20, nsIPresContext * 0x066bbb70,
nsIContent * 0x08a41500, nsIFrame * 0x072e4e48, nsIStyleContext * 0x08acd6f0,
nsIFrame * 0x00000000) line 291 + 111 bytes
nsCSSFrameConstructor::InitAndRestoreFrame(nsIPresContext * 0x066bbb70,
nsFrameConstructorState & {...}, nsIContent * 0x08a41500, nsIFrame * 0x072e4e48,
nsIStyleContext * 0x08acd6f0, nsIFrame * 0x00000000, nsIFrame * 0x072e4f20) line
6663 + 32 bytes
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x066ae490,
nsIPresContext * 0x066bbb70, nsFrameConstructorState & {...}, nsIContent *
0x08a41500, nsIFrame * 0x072e4e48, nsIAtom * 0x0173df40 {"img"}, int 3,
nsIStyleContext * 0x08acd6f0, nsFrameItems & {...}) line 4926
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x066ae490,
nsIPresContext * 0x066bbb70, nsFrameConstructorState & {...}, nsIContent *
0x08a41500, nsIFrame * 0x072e4e48, nsIAtom * 0x0173df40 {"img"}, int 3,
nsIStyleContext * 0x08acd6f0, nsFrameItems & {...}, int 0) line 7181 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x066ae490, nsIPresContext
* 0x066bbb70, nsFrameConstructorState & {...}, nsIContent * 0x08a41500, nsIFrame
* 0x072e4e48, nsFrameItems & {...}) line 7091 + 56 bytes
nsCSSFrameConstructor::ContentAppended(nsCSSFrameConstructor * const 0x066a8460,
nsIPresContext * 0x066bbb70, nsIContent * 0x06bcac00, int 0) line 8083
StyleSetImpl::ContentAppended(StyleSetImpl * const 0x066a8520, nsIPresContext *
0x066bbb70, nsIContent * 0x06bcac00, int 0) line 1241
PresShell::ContentAppended(PresShell * const 0x066ae498, nsIDocument *
0x089ae6d0, nsIContent * 0x06bcac00, int 0) line 4534 + 46 bytes
nsDocument::ContentAppended(nsDocument * const 0x089ae6d0, nsIContent *
0x06bcac00, int 0) line 1537
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x089ae6d0, nsIContent *
0x06bcac00, int 0) line 1281 + 17 bytes
HTMLContentSink::NotifyAppend(nsIContent * 0x06bcac00, int 0) line 4574
SinkContext::FlushTags(int 1) line 2046
HTMLContentSink::CloseBody(HTMLContentSink * const 0x066eceb0, const
nsIParserNode & {...}) line 2902
CNavDTD::CloseBody(const nsIParserNode * 0x071fc4b8) line 3134 + 31 bytes
CNavDTD::CloseContainer(const nsCParserNode * 0x071fc4b8, nsHTMLTag
eHTMLTag_body, int 0) line 3532 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3593 + 20
bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_body, int 0) line 3750 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x06b8d9f0, unsigned int 0, int 1,
nsIParser * 0x089af3f0, nsIContentSink * 0x066eceb0) line 579
nsParser::DidBuildModel(unsigned int 0) line 1419 + 60 bytes
nsParser::ResumeParse(int 1, int 1) line 1958
nsParser::OnStopRequest(nsParser * const 0x089af3f8, nsIRequest * 0x089a1094,
nsISupports * 0x0557eea0, unsigned int 0) line 2399 + 19 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x089ad3f0,
nsIRequest * 0x089a1094, nsISupports * 0x0557eea0, unsigned int 0) line 277
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x089ad340,
nsIRequest * 0x089a1094, nsISupports * 0x0557eea0, unsigned int 0) line 1013
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x089a2cb0,
nsIRequest * 0x089a1094, nsISupports * 0x0557eea0, unsigned int 0) line 277
nsMsgProtocol::OnStopRequest(nsMsgProtocol * const 0x089a1090, nsIRequest *
0x089a2884, nsISupports * 0x0557eea0, unsigned int 0) line 271 + 88 bytes
nsMailboxProtocol::OnStopRequest(nsMailboxProtocol * const 0x089a1090,
nsIRequest * 0x089a2884, nsISupports * 0x0557eea0, unsigned int 0) line 204
nsOnStopRequestEvent::HandleEvent() line 159
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x089a20c4) line 64
PL_HandleEvent(PLEvent * 0x089a20c4) line 588 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a0a990) line 518 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0047069e, unsigned int 49422, unsigned int 0,
long 10529168) line 1069 + 9 bytes
USER32! 77e71820
Comment 8 • 24 years ago
Seth, I can fix it if it's just a matter of bullet-proofing..?
Updated • 24 years ago
Comment 9 • 24 years ago (Assignee)
the lack of the src attribute (I bet the same thing would happen if we had
src="") on the image eventually gets us to the point where
nsScriptSecurityManager::GetCodebasePrincipal() calls NS_NewURI() with
"mailbox://"
line 821, nsScriptSecurityManager.cpp:
rv = NS_NewURI(getter_AddRefs(newURI), originUrl, nsnull)
I think this might be a parser bug.
we could fix necko or mailnews to not crash in the mailbox:// case, but I think
something bigger is broken.
mstoltz / harishd / mscott, any comments?
Comment 10 • 24 years ago (Assignee)
harishd, see #66673
I think it is related.
Comment 11 • 24 years ago (Assignee)
I take that back. I was looking at the wrong thing. "mailbox://" is ok, the
problem comes from nsImageFrame::Init() calling NS_NewURI() with "".
it may still be parser related, I don't know enough about this.
here's the stack that includes that call to NS_NewURI()
nsMsgMailNewsUrl::nsMsgMailNewsUrl() line 46
nsMailboxUrl::nsMailboxUrl() line 129 + 27 bytes
nsMailboxUrlConstructor(nsISupports * 0x00000000, const nsID & {...}, void * *
0x0012ee9c) line 49 + 87 bytes
nsGenericFactory::CreateInstance(nsGenericFactory * const 0x066b20f0,
nsISupports * 0x00000000, const nsID & {...}, void * * 0x0012ee9c) line 56
nsComponentManagerImpl::CreateInstance(nsComponentManagerImpl * const
0x009552f0, const nsID & {...}, nsISupports * 0x00000000, const nsID & {...},
void * * 0x0012ee9c) line 1199 + 24 bytes
nsComponentManager::CreateInstance(const nsID & {...}, nsISupports * 0x00000000,
const nsID & {...}, void * * 0x0012ee9c) line 82
nsMailboxService::NewURI(nsMailboxService * const 0x066b3e6c, const char *
0x04e5a030, nsIURI * 0x066c8bc4, nsIURI * * 0x0012f064) line 399 + 43 bytes
nsIOService::NewURI(const char * 0x04e5a030, nsIURI * 0x066c8bc4, nsIURI * *
0x0012f064, nsIProtocolHandler * * 0x00000000) line 288 + 35 bytes
nsIOService::NewURI(nsIOService * const 0x0181bb80, const char * 0x04e5a030,
nsIURI * 0x066c8bc4, nsIURI * * 0x0012f064) line 296
NS_NewURI(nsIURI * * 0x0012f064, const char * 0x04e5a030, nsIURI * 0x066c8bc4,
nsIIOService * 0x0181bb80) line 77 + 24 bytes
NS_NewURI(nsIURI * * 0x0012f064, const nsAString & {...}, nsIURI * 0x066c8bc4,
nsIIOService * 0x00000000) line 89 + 21 bytes
nsImageFrame::Init(nsImageFrame * const 0x0128bf48, nsIPresContext * 0x064e41f0,
nsIContent * 0x04e5a060, nsIFrame * 0x013002d8, nsIStyleContext * 0x04e5a760,
nsIFrame * 0x00000000) line 290 + 56 bytes
nsCSSFrameConstructor::InitAndRestoreFrame(nsIPresContext * 0x064e41f0,
nsFrameConstructorState & {...}, nsIContent * 0x04e5a060, nsIFrame * 0x013002d8,
nsIStyleContext * 0x04e5a760, nsIFrame * 0x00000000, nsIFrame * 0x0128bf48) line
6663 + 32 bytes
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x065120f0,
nsIPresContext * 0x064e41f0, nsFrameConstructorState & {...}, nsIContent *
0x04e5a060, nsIFrame * 0x013002d8, nsIAtom * 0x0184c140 {"img"}, int 3,
nsIStyleContext * 0x04e5a760, nsFrameItems & {...}) line 4926
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x065120f0,
nsIPresContext * 0x064e41f0, nsFrameConstructorState & {...}, nsIContent *
0x04e5a060, nsIFrame * 0x013002d8, nsIAtom * 0x0184c140 {"img"}, int 3,
nsIStyleContext * 0x04e5a760, nsFrameItems & {...}, int 0) line 7181 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x065120f0, nsIPresContext
* 0x064e41f0, nsFrameConstructorState & {...}, nsIContent * 0x04e5a060, nsIFrame
* 0x013002d8, nsFrameItems & {...}) line 7091 + 56 bytes
nsCSSFrameConstructor::ContentAppended(nsCSSFrameConstructor * const 0x06512480,
nsIPresContext * 0x064e41f0, nsIContent * 0x06519c50, int 1) line 8083
StyleSetImpl::ContentAppended(StyleSetImpl * const 0x065133c0, nsIPresContext *
0x064e41f0, nsIContent * 0x06519c50, int 1) line 1241
PresShell::ContentAppended(PresShell * const 0x065120f8, nsIDocument *
0x066d2ce0, nsIContent * 0x06519c50, int 1) line 4534 + 46 bytes
nsDocument::ContentAppended(nsDocument * const 0x066d2ce0, nsIContent *
0x06519c50, int 1) line 1537
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x066d2ce0, nsIContent *
0x06519c50, int 1) line 1281 + 17 bytes
HTMLContentSink::NotifyAppend(nsIContent * 0x06519c50, int 1) line 4574
SinkContext::FlushTags(int 1) line 2046
HTMLContentSink::CloseBody(HTMLContentSink * const 0x066d3150, const
nsIParserNode & {...}) line 2902
CNavDTD::CloseBody(const nsIParserNode * 0x0122a0f0) line 3134 + 31 bytes
CNavDTD::CloseContainer(const nsCParserNode * 0x0122a0f0, nsHTMLTag
eHTMLTag_body, int 0) line 3532 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3593 + 20
bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_body, int 0) line 3750 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x0651ee40, unsigned int 0, int 1,
nsIParser * 0x066d39b0, nsIContentSink * 0x066d3150) line 579
nsParser::DidBuildModel(unsigned int 0) line 1419 + 60 bytes
nsParser::ResumeParse(int 1, int 1) line 1958
nsParser::OnStopRequest(nsParser * const 0x066d39b8, nsIRequest * 0x066c8504,
nsISupports * 0x066c8bc0, unsigned int 0) line 2399 + 19 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x066d1af0,
nsIRequest * 0x066c8504, nsISupports * 0x066c8bc0, unsigned int 0) line 277
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x066d1a40,
nsIRequest * 0x066c8504, nsISupports * 0x066c8bc0, unsigned int 0) line 1013
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x066c9fb0,
nsIRequest * 0x066c8504, nsISupports * 0x066c8bc0, unsigned int 0) line 277
nsMsgProtocol::OnStopRequest(nsMsgProtocol * const 0x066c8500, nsIRequest *
0x066c8d54, nsISupports * 0x066c8bc0, unsigned int 0) line 271 + 88 bytes
nsMailboxProtocol::OnStopRequest(nsMailboxProtocol * const 0x066c8500,
nsIRequest * 0x066c8d54, nsISupports * 0x066c8bc0, unsigned int 0) line 204
nsOnStopRequestEvent::HandleEvent() line 159
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x066ccc04) line 64
PL_HandleEvent(PLEvent * 0x066ccc04) line 588 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a0a990) line 518 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x10bb0116, unsigned int 49422, unsigned int 0,
long 10529168) line 1069 + 9 bytes
USER32! 77e71820()
00a0a990()
Comment 12 • 24 years ago (Assignee)
I think we need some layout help on this one. (cc'ing pavlov, since it is img
related)
1) it looks like in the general case we don't display the internal "broken
image" gif. is there a bug on that?
2) <img> without a src attribute or src="" should show the broken image gif.
Where would that happen? Can this check happen at nsImageFrame.cpp? something
like:
Index: html/base/src/nsImageFrame.cpp
===================================================================
RCS file: /cvsroot/mozilla/layout/html/base/src/nsImageFrame.cpp,v
retrieving revision 1.161
diff -u -w -r1.161 nsImageFrame.cpp
--- nsImageFrame.cpp 2001/04/11 08:12:10 1.161
+++ nsImageFrame.cpp 2001/04/16 22:50:16
@@ -287,6 +287,12 @@
mCanSendLoadEvent = PR_TRUE;
nsCOMPtr<nsIURI> srcURI;
+
+ // if src == "", there is nothing to load
+ if (src.Length() == 0) {
+ src = NS_LITERAL_STRING("chrome://communicator/skin/broken.gif").get()
;
+ }
+
NS_NewURI(getter_AddRefs(srcURI), src, baseURL);
il->LoadImage(srcURI, loadGroup, mListener, aPresContext, getter_AddRefs(mIma
geRequest));
// if the image was found in the cache, it is possible that LoadImage will re
sult in a call to OnStartContainer()
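Review bot: the added `if (src.Length() == 0)` branch hardcodes chrome://communicator/skin/broken.gif inside nsImageFrame.cpp, which ties the image frame to one chrome package's skin path and only covers the empty-string case. The return value of the following NS_NewURI call is still ignored, so srcURI is passed to il->LoadImage without any check that a usable URI was produced. Suggest dropping the substitution, capturing the NS_NewURI result, and skipping the LoadImage call when it fails or srcURI is null, so the frame is handled like any other image that did not load.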
Comment 13 • 24 years ago
if the source is broken, then it should fall through just like broken images and
get replaced by the alt text. we shouldn't special case url in the image frame,
and we certainly shouldn't have a hardcoded chrome:// image in there.
Comment 14 • 24 years ago
i have to be able to call NewURI with "" since the baseurl should be merged in
with it (and i suppose the base url could be an image url...)
Comment 15 • 24 years ago
bug 72447 is also due to SchemeIs crashing when mScheme is null.
I think we need to fix this in necko to say the scheme isn't whatever since the
scheme is null (i suppose unless you pass in a null scheme.. heh)
Comment 16 • 24 years ago (Assignee)
pavlov: what do we show if there isn't any alt text? do we ever show that
internal "broken image" image anymore?
I'll go work on bullet proofing necko to handle this case and attach a patch.
Comment 17 • 24 years ago
we change the frame into a tiny textnode. hixie says this is the correct
behavior.
Comment 18 • 24 years ago (Assignee)
simply bullet proofing necko will lead to asserts and then a crash in layout.
here's the crash:
nsImageFrame::Paint(nsImageFrame * const 0x01219ce8, nsIPresContext *
0x067fe430, nsIRenderingContext & {...}, const nsRect & {x=0 y=0 width=9000
height=9000}, nsFramePaintLayer eFramePaintLayer_Underlay) line 985 + 53 bytes
nsContainerFrame::PaintChild(nsIPresContext * 0x067fe430, nsIRenderingContext &
{...}, const nsRect & {x=-120 y=-120 width=19140 height=12705}, nsIFrame *
0x01219ce8, nsFramePaintLayer eFramePaintLayer_Underlay) line 208
nsBlockFrame::PaintChildren(nsIPresContext * 0x067fe430, nsIRenderingContext &
{...}, const nsRect & {x=-120 y=-120 width=19140 height=12705},
nsFramePaintLayer eFramePaintLayer_Underlay) line 6594
nsBlockFrame::Paint(nsBlockFrame * const 0x01219c10, nsIPresContext *
0x067fe430, nsIRenderingContext & {...}, const nsRect & {x=-120 y=-120
width=19140 height=12705}, nsFramePaintLayer eFramePaintLayer_Underlay) line
6472
nsContainerFrame::PaintChild(nsIPresContext * 0x067fe430, nsIRenderingContext &
{...}, const nsRect & {x=0 y=0 width=19140 height=12705}, nsIFrame * 0x01219c10,
nsFramePaintLayer eFramePaintLayer_Underlay) line 208
nsBlockFrame::PaintChildren(nsIPresContext * 0x067fe430, nsIRenderingContext &
{...}, const nsRect & {x=0 y=0 width=19140 height=12705}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 6594
nsBlockFrame::Paint(nsBlockFrame * const 0x01219b88, nsIPresContext *
0x067fe430, nsIRenderingContext & {...}, const nsRect & {x=0 y=0 width=19140
height=12705}, nsFramePaintLayer eFramePaintLayer_Underlay) line 6472
nsContainerFrame::PaintChild(nsIPresContext * 0x067fe430, nsIRenderingContext &
{...}, const nsRect & {x=0 y=0 width=19140 height=12705}, nsIFrame * 0x01219b88,
nsFramePaintLayer eFramePaintLayer_Underlay) line 208
nsContainerFrame::PaintChildren(nsIPresContext * 0x067fe430, nsIRenderingContext
& {...}, const nsRect & {x=0 y=0 width=19140 height=12705}, nsFramePaintLayer
eFramePaintLayer_Underlay) line 152
nsHTMLContainerFrame::Paint(nsHTMLContainerFrame * const 0x01218e24,
nsIPresContext * 0x067fe430, nsIRenderingContext & {...}, const nsRect & {x=0
y=0 width=19140 height=12705}, nsFramePaintLayer eFramePaintLayer_Underlay) line
108
PresShell::Paint(PresShell * const 0x0676d1a4, nsIView * 0x05275270,
nsIRenderingContext & {...}, const nsRect & {x=0 y=0 width=19140 height=12705})
line 4945 + 34 bytes
nsView::Paint(nsView * const 0x05275270, nsIRenderingContext & {...}, const
nsRect & {x=0 y=0 width=19140 height=12705}, unsigned int 128, int & 268592757)
line 275
nsViewManager::RenderDisplayListElement(DisplayListElement2 * 0x05e8f6c0,
nsIRenderingContext & {...}) line 1394
nsViewManager::RenderViews(nsIView * 0x04d81ed0, nsIRenderingContext & {...},
const nsRect & {x=0 y=0 width=19140 height=12705}, int & 0) line 1319
nsViewManager::Refresh(nsIView * 0x04d81ed0, nsIRenderingContext * 0x05e8f950,
const nsRect * 0x0012f694 {x=0 y=0 width=19140 height=12705}, unsigned int 1)
line 885
nsViewManager::DispatchEvent(nsViewManager * const 0x0676e030, nsGUIEvent *
0x0012f7d4, nsEventStatus * 0x0012f6d8) line 1913
HandleEvent(nsGUIEvent * 0x0012f7d4) line 68
nsWindow::DispatchEvent(nsWindow * const 0x04d83164, nsGUIEvent * 0x0012f7d4,
nsEventStatus & nsEventStatus_eIgnore) line 701 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f7d4, nsEventStatus &
nsEventStatus_eIgnore) line 727
nsWindow::OnPaint() line 3831 + 28 bytes
nsWindow::ProcessMessage(unsigned int 15, unsigned int 0, long 0, long *
0x0012fbb4) line 2838 + 17 bytes
nsWindow::WindowProc(HWND__ * 0x000508da, unsigned int 15, unsigned int 0, long
0) line 956 + 27 bytes
USER32! 77e719d0()
USER32! 77e71982()
NTDLL! 77f763a3()
pavlov, do you want this bad boy?
Comment 19 • 24 years ago
*** Bug 74035 has been marked as a duplicate of this bug. ***
Comment 20 • 24 years ago
why is it crashing there? null pointer ?
Comment 21 • 24 years ago (Assignee)
yes, the mImageRequest is null.
Comment 22 • 24 years ago
maybe i'm blind, but everything in that function looks like it should check for
mImageRequest being null.
Comment 23 • 24 years ago
Comment 24 • 24 years ago
with this patch, i don't see how it can crash from mImageRequest being null...
although, i still don't see how it would crash in nsImageFrame::Paint without
this patch.
Comment 25 • 24 years ago
Did this make it in? If not will the patch make it in for 0.9? cc'ing varada
so he can mark some bugs as dups that I think have a similar stack trace.
Comment 26 • 24 years ago (Assignee)
I've rebuilt and I'm not seeing this crasher anymore. I do get an assert in
IOService because the scheme is empty, but I can live with that:
NTDLL! 77f7629c()
nsDebug::Assertion(const char * 0x016c03d4, const char * 0x016c03cc, const char
* 0x016c0394, int 219) line 286 + 13 bytes
nsDebug::WarnIfFalse(const char * 0x016c03d4, const char * 0x016c03cc, const
char * 0x016c0394, int 219) line 392 + 21 bytes
nsIOService::GetProtocolHandler(nsIOService * const 0x01523f30, const char *
0x00000000, nsIProtocolHandler * * 0x0012edd4) line 219 + 32 bytes
nsIOService::NewChannelFromURI(nsIOService * const 0x01523f30, nsIURI *
0x04c1e984, nsIChannel * * 0x0012eee4) line 309 + 46 bytes
imgLoader::LoadImage(imgLoader * const 0x023988a0, nsIURI * 0x04c1e984,
nsILoadGroup * 0x07145050, imgIDecoderObserver * 0x04c1fc80, nsISupports *
0x075099d0, imgIRequest * * 0x0586ae0c) line 117 + 69 bytes
nsImageFrame::Init(nsImageFrame * const 0x0586ad78, nsIPresContext * 0x075099d0,
nsIContent * 0x04c1eb90, nsIFrame * 0x0586aca0, nsIStyleContext * 0x04c1fdf0,
nsIFrame * 0x00000000) line 303 + 111 bytes
nsCSSFrameConstructor::InitAndRestoreFrame(nsIPresContext * 0x075099d0,
nsFrameConstructorState & {...}, nsIContent * 0x04c1eb90, nsIFrame * 0x0586aca0,
nsIStyleContext * 0x04c1fdf0, nsIFrame * 0x00000000, nsIFrame * 0x0586ad78) line
6663 + 32 bytes
nsCSSFrameConstructor::ConstructFrameByTag(nsIPresShell * 0x07484540,
nsIPresContext * 0x075099d0, nsFrameConstructorState & {...}, nsIContent *
0x04c1eb90, nsIFrame * 0x0586aca0, nsIAtom * 0x01552780 {"img"}, int 3,
nsIStyleContext * 0x04c1fdf0, nsFrameItems & {...}) line 4926
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x07484540,
nsIPresContext * 0x075099d0, nsFrameConstructorState & {...}, nsIContent *
0x04c1eb90, nsIFrame * 0x0586aca0, nsIAtom * 0x01552780 {"img"}, int 3,
nsIStyleContext * 0x04c1fdf0, nsFrameItems & {...}, int 0) line 7181 + 52 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x07484540, nsIPresContext
* 0x075099d0, nsFrameConstructorState & {...}, nsIContent * 0x04c1eb90, nsIFrame
* 0x0586aca0, nsFrameItems & {...}) line 7091 + 56 bytes
nsCSSFrameConstructor::ContentAppended(nsCSSFrameConstructor * const 0x074848d0,
nsIPresContext * 0x075099d0, nsIContent * 0x074945a0, int 0) line 8083
StyleSetImpl::ContentAppended(StyleSetImpl * const 0x07484a00, nsIPresContext *
0x075099d0, nsIContent * 0x074945a0, int 0) line 1241
PresShell::ContentAppended(PresShell * const 0x07484548, nsIDocument *
0x07503290, nsIContent * 0x074945a0, int 0) line 4724 + 46 bytes
nsDocument::ContentAppended(nsDocument * const 0x07503290, nsIContent *
0x074945a0, int 0) line 1537
nsHTMLDocument::ContentAppended(nsHTMLDocument * const 0x07503290, nsIContent *
0x074945a0, int 0) line 1294 + 17 bytes
HTMLContentSink::NotifyAppend(nsIContent * 0x074945a0, int 0) line 4574
SinkContext::FlushTags(int 1) line 2046
HTMLContentSink::CloseBody(HTMLContentSink * const 0x07505610, const
nsIParserNode & {...}) line 2902
CNavDTD::CloseBody(const nsIParserNode * 0x0580d4b8) line 3134 + 31 bytes
CNavDTD::CloseContainer(const nsCParserNode * 0x0580d4b8, nsHTMLTag
eHTMLTag_body, int 0) line 3532 + 12 bytes
CNavDTD::CloseContainersTo(int 1, nsHTMLTag eHTMLTag_body, int 0) line 3593 + 20
bytes
CNavDTD::CloseContainersTo(nsHTMLTag eHTMLTag_body, int 0) line 3750 + 20 bytes
CNavDTD::DidBuildModel(CNavDTD * const 0x0748e900, unsigned int 0, int 1,
nsIParser * 0x07505ec0, nsIContentSink * 0x07505610) line 579
nsParser::DidBuildModel(unsigned int 0) line 1418 + 60 bytes
nsParser::ResumeParse(int 1, int 1) line 1901
nsParser::OnStopRequest(nsParser * const 0x07505ec8, nsIRequest * 0x074fae74,
nsISupports * 0x065e2e50, unsigned int 0) line 2342 + 19 bytes
nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x074fa4c0,
nsIRequest * 0x074fae74, nsISupports * 0x065e2e50, unsigned int 0) line 277
nsStreamConverter::OnStopRequest(nsStreamConverter * const 0x074fa410,
nsIRequest * 0x074fae74, nsISupports * 0x065e2e50, unsigned int 0) line 1013
nsMsgProtocol::OnStopRequest(nsMsgProtocol * const 0x074fae70, nsIRequest *
0x074fa624, nsISupports * 0x065e2e50, unsigned int 0) line 271 + 88 bytes
nsMailboxProtocol::OnStopRequest(nsMailboxProtocol * const 0x074fae70,
nsIRequest * 0x074fa624, nsISupports * 0x065e2e50, unsigned int 0) line 204
nsOnStopRequestEvent::HandleEvent() line 159
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x074fb314) line 64
PL_HandleEvent(PLEvent * 0x074fb314) line 588 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00a0ad80) line 518 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x000d00da, unsigned int 49337, unsigned int 0,
long 10530176) line 1069 + 9 bytes
USER32! 77e71820()
00a0ad80()
I'm checking if I've got patches from pavlov in my tree that need to be checked
in. if yes, I'll attach them here. if no, I'll mark this fixed.
Comment 27 • 24 years ago (Assignee)
I have one fix in my tree that needs to be checked in.
it's a bullet proofing fix to nsStdURL.cpp to allow for the case where scheme is
null.
here it comes, can I get a review?
Comment 28 • 24 years ago (Assignee)
Comment 29 • 24 years ago (Assignee)
adding darin and valeski to the cc list, for review of the netwerk change.
Comment 30 • 24 years ago
r/sr=darin on the mScheme check... but please make sure the indentation is
consistent ;-)
Comment 31 • 24 years ago (Assignee)
will do on the indentation. once I get this landed, I'll log a bug on the
remaining assertion.
Comment 32 • 24 years ago (Assignee)
this has r=mscott. waiting for drivers@mozilla.org
Comment 33 • 24 years ago
actually, mScheme is not allowed to be null. see
http://bugzilla.mozilla.org/show_bug.cgi?id=73845. for now, the null checks
above necko are the solution (until 73845 is fixed). please do not add this
check to nsStdURL as it will hide the real problem.
Comment 34 • 24 years ago (Assignee)
ok, I'll work on the caller.
Comment 35 • 24 years ago (Assignee)
here comes the patch. we should remove this extra string copy when #73845 gets
fixed.
Depends on: 73845
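The two places a null-scheme guard was proposed in this thread, inside SchemeIs (comments 15 and 27) and in the code above necko (comments 33 and 35), modelled as an added example; it is not Mozilla code and not either attached patch. `ModelUrl`, `SchemeIsUnchecked`, `SchemeIsChecked`, `GetSchemeCopy` and `WrapperSchemeIs` are hypothetical names, and the copying accessor is an assumption about what the "extra string copy" refers to.

```cpp
// Added illustration: a minimal model of the null-scheme crash and the two
// guard placements debated in the thread. Not Mozilla source; all names here
// are hypothetical.
#include <cctype>
#include <cstdio>
#include <string>

// Stand-in for a URL object whose scheme was never filled in (mScheme == null
// in the first stack trace).
struct ModelUrl {
    const char* scheme;  // nullptr models the unset scheme
};

// Case-insensitive compare; both arguments must be non-null.
static bool EqualsIgnoreCase(const char* a, const char* b) {
    for (; *a && *b; ++a, ++b) {
        if (std::tolower(static_cast<unsigned char>(*a)) !=
            std::tolower(static_cast<unsigned char>(*b))) {
            return false;
        }
    }
    return *a == *b;  // equal only if both strings ended together
}

// "Before" shape: trusts the invariant that scheme is never null.
// Calling this with scheme == nullptr dereferences a null pointer.
bool SchemeIsUnchecked(const ModelUrl& url, const char* wanted) {
    return EqualsIgnoreCase(url.scheme, wanted);
}

// Guard inside the callee, following comment 15: a null scheme matches
// nothing, except a null query.
bool SchemeIsChecked(const ModelUrl& url, const char* wanted) {
    if (url.scheme == nullptr || wanted == nullptr) {
        return url.scheme == nullptr && wanted == nullptr;
    }
    return EqualsIgnoreCase(url.scheme, wanted);
}

// Assumed accessor that copies the scheme out and reports whether one exists.
bool GetSchemeCopy(const ModelUrl& url, std::string& out) {
    if (url.scheme == nullptr) {
        return false;
    }
    out.assign(url.scheme);
    return true;
}

// Guard in the caller, following comment 33: the callee keeps its invariant
// (and still crashes for any other caller that violates it), while this
// wrapper pays for one string copy to avoid forwarding a schemeless URL.
bool WrapperSchemeIs(const ModelUrl& url, const char* wanted) {
    std::string scheme;
    if (wanted == nullptr || !GetSchemeCopy(url, scheme) || scheme.empty()) {
        return false;
    }
    return SchemeIsUnchecked(url, wanted);
}

int main() {
    const ModelUrl no_scheme{nullptr};  // constructed: URL with no scheme set
    const ModelUrl mailbox{"mailbox"};  // constructed: ordinary message URL
    std::printf("callee guard, no scheme:  %d\n",
                SchemeIsChecked(no_scheme, "mailbox"));
    std::printf("caller guard, no scheme:  %d\n",
                WrapperSchemeIs(no_scheme, "mailbox"));
    std::printf("caller guard, mailbox:    %d\n",
                WrapperSchemeIs(mailbox, "MAILBOX"));
    return 0;
}
```

The callee-side guard silences every caller at once, which is the hiding effect comment 33 objects to; the caller-side guard fixes one path and leaves the invariant violation observable elsewhere.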
Comment 36 • 24 years ago (Assignee)
Comment 37 • 24 years ago
r=mscott
Comment 38 • 24 years ago
r=valeski on the ::SchemeIs() call in mail/news (4/18/01 16:19 patch).
Comment 39 • 24 years ago
a=blizzard for 0.9
Comment 40 • 24 years ago (Assignee)
fixed.
thanks blizzard.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 41 • 24 years ago (Assignee)
*** Bug 74840 has been marked as a duplicate of this bug. ***
Comment 42 • 24 years ago
*** Bug 76706 has been marked as a duplicate of this bug. ***
Comment 43 • 24 years ago (Assignee)
*** Bug 76667 has been marked as a duplicate of this bug. ***
Comment 44 • 24 years ago (Assignee)
note, messages with img tags without src attributes and with relative src
attributes caused this problem.
examples:
<img alt="foo">
<img src="foo.gif" alt="foo">
Comment 45 • 24 years ago
*** Bug 76387 has been marked as a duplicate of this bug. ***
Comment 46 • 24 years ago
Using build 2001-05-03 on win, mac and linux, I opened the attachment and did a
send page to myself. I opened the mail msg without crashing. I did not see the
problem back with build 4-16 so I'm not sure if this is all I need to do to test
this. I will check some of the duplicates too to see if those are also fixed.
If the reporter could check this too that would be great.
Comment 47 • 24 years ago (Reporter)
Yes, this bug is history for me, too. Marking VERIFIED.
Status: RESOLVED → VERIFIED
Comment 48 • 24 years ago
Thanks!
Updated • 20 years ago
Product: MailNews → Core
Updated • 16 years ago
Product: Core → MailNews Core