mozilla crashes loading this page

VERIFIED FIXED in mozilla0.9.2

Status

Core
HTML: Parser
--
critical
VERIFIED FIXED
17 years ago
17 years ago

People

(Reporter: Aaron Brick, Assigned: harishd)

Tracking

({crash})

Trunk
mozilla0.9.2
crash

Details

(Whiteboard: [fix in hand], URL)

Attachments

(4 attachments)

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.4 i586; en-US; rv:0.9+) Gecko/20010522
BuildID:    20010519

Whether I refer to it directly or select the link from a list, Mozilla
experiences a segfault.


Reproducible: Always
Steps to Reproduce:
1. direct moz to the URL, from the command line or from within the browser.


Actual Results:  Error loading URL http://www.google.com/search?q=cache:JP9pzNT1ap7:www.radio.freytag.de/medianet/pin_pctv_pro.htm+PCTV+radio&hl=en : 2152398850
/home/chizor/cvs/mozilla/dist/bin/run-mozilla.sh: line 72:   369 Segmentation fault      $prog ${1+"$@"}



Expected Results:  opened the page.

Comment 1

17 years ago
Confirming -- All/All - crashing on Win2K too. Below is the stack trace.
It crashes on the following line because mSink->mParser is null.
        mSink->mParser->GetDTD(getter_AddRefs(dtd));


SinkContext::FlushTags(int 1) line 1970 + 52 bytes
HTMLContentSink::DidBuildModel(HTMLContentSink * const 0x0471e190, int 0) line 2427
CNavDTD::DidBuildModel(CNavDTD * const 0x046dcb10, unsigned int 0, int 1, nsIParser * 0x0472b970, nsIContentSink * 0x0471e190) line 672 + 14 bytes
nsParser::DidBuildModel(unsigned int 0) line 1438 + 60 bytes
nsParser::ResumeParse(int 1, int 0) line 1895
nsParser::OnDataAvailable(nsParser * const 0x0472b978, nsIRequest * 0x04710ea0, nsISupports * 0x00000000, nsIInputStream * 0x046dc9c0, unsigned int 1448, unsigned int 5792) line 2325 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x04716750, nsIRequest * 0x04710ea0, nsISupports * 0x00000000, nsIInputStream * 0x046dc9c0, unsigned int 1448, unsigned int 5792) line 237 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x046d4fd0, nsIRequest * 0x04710ea0, nsISupports * 0x00000000, nsIInputStream * 0x04718ae0, unsigned int 1448, unsigned int 5792) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x04710ea4, nsIRequest * 0x0471d880, nsISupports * 0x00000000, nsIInputStream * 0x04718ae0, unsigned int 1448, unsigned int 5792) line 2089 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 173 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x04753fb4) line 64
PL_HandleEvent(PLEvent * 0x04753fb4) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x0054ee30) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x005302f2, unsigned int 49381, unsigned int 0, long 5566000) line 1071 + 9 bytes
USER32! 77e148dc()
USER32! 77e14aa7()
USER32! 77e266fd()
nsAppShellService::Run(nsAppShellService * const 0x010c4230) line 418
main1(int 1, char * * 0x00484470, nsISupports * 0x00000000) line 1128 + 32 bytes
main(int 1, char * * 0x00484470) line 1426 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e992a6()
Assignee: asa → harishd
Severity: major → critical
Status: UNCONFIRMED → NEW
Component: Browser-General → Parser
Ever confirmed: true
Keywords: crash
OS: Linux → All
QA Contact: doronr → bsharma
Hardware: PC → All
(Assignee)

Comment 2

17 years ago
Note: The crash happens within the DEBUG code.

Will investigate.
Status: NEW → ASSIGNED
(Assignee)

Comment 3

17 years ago
Created attachment 35970 [details]
reduced testcase
(Assignee)

Comment 4

17 years ago
I see two problems here:

1) DidBuildModel() is getting called twice!!
2) A wrong context (headcontext) is getting flushed in the sink.
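
The failure mode described in comments 1 and 4 (a repeated DidBuildModel() call reaching a flush that dereferences a null parser pointer), as an added C++ example that is not the patch attached to this bug and not Mozilla code. The class names, the `Result` enum, and the assumption that the sink releases its parser reference after the first completion are hypothetical.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-ins for the parser and content sink; not Mozilla's classes.
struct Parser {
    std::string dtdName() const { return "nav"; }
};

enum class Result { Ok, AlreadyBuilt, NoParser };

class Sink {
public:
    explicit Sink(std::shared_ptr<Parser> p) : parser_(std::move(p)) {}

    // Unguarded shape of the crashing line: dereferences parser_ without
    // checking it, so any call after the parser is released faults.
    std::string flushTagsUnchecked() { return parser_->dtdName(); }

    // Guarded shape: completion runs at most once per document, and the
    // flush verifies the parser pointer before using it.
    Result didBuildModel() {
        if (built_) return Result::AlreadyBuilt;   // second call is a no-op
        built_ = true;
        Result r = flushTags();
        parser_.reset();  // assumption: the sink releases its parser here
        return r;
    }
    int flushCount() const { return flushes_; }

private:
    Result flushTags() {
        if (!parser_) return Result::NoParser;     // report instead of crashing
        lastDtd_ = parser_->dtdName();
        ++flushes_;
        return Result::Ok;
    }
    std::shared_ptr<Parser> parser_;
    std::string lastDtd_;
    bool built_ = false;
    int flushes_ = 0;
};

int main() {
    Sink sink(std::make_shared<Parser>());
    Result first = sink.didBuildModel();
    Result second = sink.didBuildModel();   // the double call from comment 4
    std::printf("first=%d second=%d flushes=%d\n", static_cast<int>(first),
                static_cast<int>(second), sink.flushCount());
    return 0;
}
```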

(Assignee)

Comment 5

17 years ago
Setting to m0.9.2 since it does not affect release builds.
Target Milestone: --- → mozilla0.9.2
(Assignee)

Comment 6

17 years ago
Created attachment 36138 [details]
reduced testcase
(Assignee)

Comment 7

17 years ago
Created attachment 36151 [details] [diff] [review]
Patch v1.1 [ DidBuildModel should not happen more than once per document ]
(Assignee)

Comment 8

17 years ago
Created attachment 36152 [details] [diff] [review]
Patch v1.2 [ please ignore my previous patch ]
(Assignee)

Updated

17 years ago
Whiteboard: [fix in hand]

Comment 9

17 years ago
r/sr=vidur
r=heikki

Comment 11

17 years ago
a= asa@mozilla.org for checkin to the trunk.
(on behalf of drivers)
Blocks: 83989
(Assignee)

Comment 12

17 years ago
Fix is in 
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 13

17 years ago
Verified on:
build: 2001-07-02-04-Trunk
platform: WinNT

Both the test cases load fine.
Status: RESOLVED → VERIFIED