Closed Bug 3308 Opened 26 years ago Closed 26 years ago

<head><img ..> crashes the viewer

Categories

(Core :: DOM: HTML Parser, defect, P2)

x86
Linux
defect

VERIFIED FIXED

People

(Reporter: igor, Assigned: rickg)

Details

The following (broken) HTML crashes the viewer:

<head>
<img src="http://www.mozilla.org/images/logo-star.gif">

Adding <body> after the <head> fixes the problem. My guess is that the parser does not open the <body> when it sees the <img> element, so the while loop in CNavDTD::ReduceContextStackFor (frame 8) runs out of elements calling CloseTopmostContainer() (frame 7).

This is the stack trace:

#0  0x40dbc601 in kill ()
#1  0x40dbc42f in gsignal ()
#2  0x40dbd64f in abort ()
#3  0x40a387ea in PR_Abort () at prlog.c:461
#4  0x40a072dc in nsDebug::Abort (aFile=0x4063b120 "../../../htmlparser/src/CNavDTD.cpp", aLine=2477) at ../../../xpcom/src/nsDebug.cpp:91
#5  0x40a07344 in nsDebug::Break (aFile=0x4063b120 "../../../htmlparser/src/CNavDTD.cpp", aLine=2477) at ../../../xpcom/src/nsDebug.cpp:106
#6  0x40a073b5 in nsDebug::PreCondition (aStr=0x4063b0e0 "Error: invalid tag stack position", aExpr=0x4063b2ae "mBodyContext->GetCount() > 0", aFile=0x4063b120 "../../../htmlparser/src/CNavDTD.cpp", aLine=2477) at ../../../xpcom/src/nsDebug.cpp:118
#7  0x4061fac2 in CNavDTD::CloseTopmostContainer (this=0x81bd1c8) at ../../../htmlparser/src/CNavDTD.cpp:2477
#8  0x4061ff78 in CNavDTD::ReduceContextStackFor (this=0x81bd1c8, aChildTag=eHTMLTag_img) at ../../../htmlparser/src/CNavDTD.cpp:2622
#9  0x4061beba in CNavDTD::HandleDefaultStartToken (this=0x81bd1c8, aToken=0x81bdf80, aChildTag=eHTMLTag_img, aNode=@0xbffff350) at ../../../htmlparser/src/CNavDTD.cpp:888
#10 0x4061c50d in CNavDTD::HandleStartToken (this=0x81bd1c8, aToken=0x81bdf80) at ../../../htmlparser/src/CNavDTD.cpp:1054
#11 0x4061a71d in NavDispatchTokenHandler (aToken=0x81bdf80, aDTD=0x81bd1c8) at ../../../htmlparser/src/CNavDTD.cpp:251
#12 0x4062dbb8 in CTokenHandler::operator() (this=0x81d3c28, aToken=0x81bdf80, aDTD=0x81bd1c8) at ../../../htmlparser/src/nsTokenHandler.cpp:80
#13 0x4061b6a8 in CNavDTD::HandleToken (this=0x81bd1c8, aToken=0x81bdf80, aParser=0x81af5e0) at ../../../htmlparser/src/CNavDTD.cpp:598
#14 0x4061b356 in CNavDTD::BuildModel (this=0x81bd1c8, aParser=0x81af5e0, aTokenizer=0x81f5ec8, anObserver=0x0, aSink=0x81af668) at ../../../htmlparser/src/CNavDTD.cpp:505
#15 0x4062ab23 in nsParser::BuildModel (this=0x81af5e0) at ../../../htmlparser/src/nsParser.cpp:717
#16 0x4062a9f8 in nsParser::ResumeParse (this=0x81af5e0, aDefaultDTD=0x0) at ../../../htmlparser/src/nsParser.cpp:669
#17 0x4062af92 in nsParser::OnDataAvailable (this=0x81af5e0, aURL=0x817fbc8, pIStream=0x81acf90, aLength=63) at ../../../htmlparser/src/nsParser.cpp:881
#18 0x400200bf in nsDocumentBindInfo::OnDataAvailable (this=0x817fa88, aURL=0x817fbc8, aStream=0x81acf90, aLength=63) at ../../../webshell/src/nsDocLoader.cpp:1694
#19 0x407c12a7 in stub_put_block (stream=0x81acf68, buffer=0x8083dd8 "<head>\n<img src=\"http://www.mozilla.org/images/logo-star.gif\">\nkground-color:rgb(206, 207, 206);\n color:black;\n}\n\ninput[type=reset].rollover {\n}\n\ninput[type=reset].pressed {\n border-style : inset;\n}"..., length=63) at ../../../network/module/nsStubContext.cpp:647
#20 0x40748ede in net_read_file_chunk (cur_entry=0x8180508) at ../../../../network/protocol/file/mkfile.c:956
#21 0x40749969 in net_ProcessFile (cur_entry=0x8180508) at ../../../../network/protocol/file/mkfile.c:1327
#22 0x407e8c67 in NET_ProcessNet (ready_fd=0x0, fd_type=1) at ../../../network/main/mkgeturl.c:3367
#23 0x407f1f85 in NET_PollSockets () at ../../../network/main/mkselect.c:298
#24 0x407b92c2 in nsNetlibService::NetPollSocketsCallback (aTimer=0x8206fc8, aClosure=0x8079910) at ../../../network/module/nsNetService.cpp:1217
#25 0x405f51f5 in TimerImpl::FireTimeout (this=0x8206fc8) at ../../../../base/src/gtk/nsTimer.cpp:73
#26 0x405f57a2 in nsTimerExpired (aCallData=0x8206fc8) at ../../../../base/src/gtk/nsTimer.cpp:188
#27 0x40c68af1 in g_timeout_dispatch (source_data=0x8206ed0, current_time=0xbffff9f0, user_data=0x8206fc8) at gmain.c:1122
#28 0x40c67db2 in g_main_dispatch (current_time=0xbffff9f0) at gmain.c:640
#29 0x40c682a1 in g_main_iterate (block=1, dispatch=1) at gmain.c:829
#30 0x40c68451 in g_main_run (loop=0x817fb10) at gmain.c:887
#31 0x40b44db9 in gtk_main () at gtkmain.c:457
#32 0x40055831 in nsAppShell::Run (this=0x8097928) at ../../../../widget/src/gtk/nsAppShell.cpp:145
#33 0x8053392 in nsNativeViewerApp::Run (this=0x8093938) at ../../../../webshell/tests/viewer/nsGTKMain.cpp:42
#34 0x8053624 in main (argc=2, argv=0xbffffab4) at ../../../../webshell/tests/viewer/nsGTKMain.cpp:97
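
Added example, not part of the original report and not CNavDTD code: a simplified model of the reporter's hypothesis, showing a close-until-accepted loop underflowing the open-element stack on <head><img> next to a guarded variant that opens an implied <body>. All names (Tag, CanContain, ContextStack, ReduceUnguarded, ReduceGuarded) and the containment table are assumptions made for illustration; the guarded variant is one defensive approach, not the elementtable change that closed this bug.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model of the reporter's hypothesis; Tag, CanContain, ContextStack
// and both Reduce* functions are hypothetical names, not CNavDTD code.
enum class Tag { html, head, body, img };

// Constructed containment table: in this model only <body> accepts <img>.
static bool CanContain(Tag parent, Tag child) {
    return parent == Tag::body && child == Tag::img;
}

struct ContextStack {
    std::vector<Tag> open;
    bool underflow = false;  // models the failed "GetCount() > 0" precondition
    void CloseTopmost() {
        if (open.empty()) { underflow = true; return; }  // a debug build aborts here
        open.pop_back();
    }
};

// Unguarded: closes containers until the top accepts the child, never checking
// whether anything is left to close.
bool ReduceUnguarded(ContextStack& s, Tag child) {
    for (;;) {
        if (!s.open.empty() && CanContain(s.open.back(), child)) return true;
        s.CloseTopmost();
        if (s.underflow) return false;
    }
}

// Guarded: find an accepting ancestor first; if there is none, close <head>
// and open an implied <body> instead of emptying the stack.
bool ReduceGuarded(ContextStack& s, Tag child) {
    std::size_t keep = s.open.size();
    while (keep > 0 && !CanContain(s.open[keep - 1], child)) --keep;
    if (keep > 0) { s.open.resize(keep); return true; }
    if (!s.open.empty() && s.open.back() == Tag::head) s.open.pop_back();
    s.open.push_back(Tag::body);
    return true;
}

int main() {
    ContextStack a; a.open = {Tag::html, Tag::head};  // constructed input: <head><img>
    ContextStack b = a;
    bool unguarded = ReduceUnguarded(a, Tag::img);
    bool guarded = ReduceGuarded(b, Tag::img);
    std::printf("unguarded ok=%d guarded ok=%d depth=%zu\n", unguarded, guarded, b.open.size());
    return 0;
}
```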
Status: NEW → ASSIGNED
QA Contact: 3847 → 4141
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Fixed by changes to elementtable.
Status: RESOLVED → VERIFIED