Bug 50994: Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]
Status: VERIFIED FIXED (Opened 24 years ago, Closed 24 years ago)
Categories: Core :: DOM: HTML Parser, defect, P3
People: Reporter: jwbaker, Assigned: harishd
Details: Keywords: crash, testcase, topcrash, Whiteboard: [nsbeta3+]fix in hand
Attachments: 3 files (two text/html, one patch; all deleted)
Mozilla crashes on the valid HTML file that I will attach herein. Stack trace:
#0 0x40a8078c in nsCParserNode::GetNodeType (this=0x85e64d8) at
nsParserNode.cpp:232
#1 0x4179e7eb in HTMLContentSink::CloseContainer (this=0x86a77f8,
aNode=@0x85e64d8) at nsHTMLContentSink.cpp:3013
#2 0x40a70975 in CElement::CloseContainer (this=0x80ea958, aNode=0x85e64d8,
aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:321
#3 0x40a7087f in CElement::CloseContainerInContext (this=0x80ea958,
aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at
COtherElements.h:349
#4 0x40a6e629 in CElement::HandleStartToken (this=0x80ea958, aNode=0x85e6400,
aTag=eHTMLTag_form, aContext=0x8617490, aSink=0x86a77f8) at
COtherElements.h:2771
#5 0x40a6fe45 in COtherDTD::HandleStartToken (this=0x8677480, aToken=0x86d52a8)
at COtherDTD.cpp:784
#6 0x40a6f8e2 in COtherDTD::HandleToken (this=0x8677480, aToken=0x86d52a8,
aParser=0x86a7058) at COtherDTD.cpp:584
#7 0x40a6f5ec in COtherDTD::BuildModel (this=0x8677480, aParser=0x86a7058,
aTokenizer=0x85e1880, anObserver=0x0, aSink=0x86a77f8) at COtherDTD.cpp:479
#8 0x40a7c97f in nsParser::BuildModel (this=0x86a7058) at nsParser.cpp:1978
#9 0x40a7c715 in nsParser::ResumeParse (this=0x86a7058, allowIteration=1,
aIsFinalChunk=0) at nsParser.cpp:1859
#10 0x40a7d4da in nsParser::OnDataAvailable (this=0x86a7058, channel=0x85c2dd0,
aContext=0x0, pIStream=0x8611630, sourceOffset=0, aLength=230) at
nsParser.cpp:2309
#11 0x410ab8c2 in nsDocumentOpenInfo::OnDataAvailable (this=0x85df370,
aChannel=0x85c2dd0, aCtxt=0x0, inStr=0x8611630, sourceOffset=0, count=230) at
nsURILoader.cpp:251
#12 0x409af641 in nsFileChannel::OnDataAvailable (this=0x85c2dd0,
transportChannel=0x85e1f88, context=0x0, aIStream=0x8611630, aSourceOffset=0,
aLength=230) at nsFileChannel.cpp:673
#13 0x4093ab8c in nsOnDataAvailableEvent::HandleEvent (this=0x41d02e38) at
nsAsyncStreamListener.cpp:400
#14 0x40939dff in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41d02e60) at
nsAsyncStreamListener.cpp:97
#15 0x4011e80f in PL_HandleEvent (self=0x41d02e60) at plevent.c:587
#16 0x4011e6b1 in PL_ProcessPendingEvents (self=0x80ab6d0) at plevent.c:528
#17 0x40120431 in nsEventQueueImpl::ProcessPendingEvents (this=0x80ab698) at
nsEventQueue.cpp:356
#18 0x40bccbcc in event_processor_callback (data=0x80ab698, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#19 0x40bcc80b in our_gdk_io_invoke (source=0x82084f0, condition=G_IO_IN,
data=0x82084e0) at nsAppShell.cpp:58
#20 0x40d8920e in g_io_unix_dispatch (source_data=0x8208508,
current_time=0xbffff680, user_data=0x82084e0) at giounix.c:135
#21 0x40d8a717 in g_main_dispatch (dispatch_time=0xbffff680) at gmain.c:656
#22 0x40d8acdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877
#23 0x40d8ae59 in g_main_run (loop=0x8208550) at gmain.c:935
#24 0x40cb9069 in gtk_main () at gtkmain.c:476
#25 0x40bcd2b5 in nsAppShell::Run (this=0x80f41f8) at nsAppShell.cpp:335
#26 0x406a7290 in nsAppShellService::Run (this=0x80f3010) at
nsAppShellService.cpp:378
#27 0x8055374 in main1 (argc=1, argv=0xbffff964, nativeApp=0x0) at
nsAppRunner.cpp:958
#28 0x8055a48 in main (argc=1, argv=0xbffff964) at nsAppRunner.cpp:1139
#29 0x4036a2e7 in __libc_start_main () from /lib/libc.so.6
This occurs on every build after 2000-08-30-15 on Linux. cc harishd because he
diddled in this code at the right time re: Bug 46702.
Comment 1•24 years ago (Reporter)
Keywordage.
Comment 2•24 years ago (Reporter)
Comment 3•24 years ago
Unable to reproduce crash on 083111 Win98.
Comment 4•24 years ago (Reporter)
I apologize. I uploaded the wrong testcase. The second testcase really does
crash repeatably.
Comment 5•24 years ago (Reporter)
*** Bug 50964 has been marked as a duplicate of this bug. ***
The problem is that in COtherElements the node that got recycled was being
referenced!
Rickg, could you please review the patch? Thanx
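The comment above attributes the crash to a parser node that was still referenced after it had been recycled. An added illustration of that bug class, not Mozilla's code and not the attached patch: `NodePool`, `Node`, `Sink`, `CloseBuggy`, `CloseFixed` and `RunClose` are hypothetical names, and the pool never frees memory so the stale read shows up as a wrong tag rather than undefined behaviour.

```cpp
#include <vector>

enum Tag { TAG_NONE, TAG_P, TAG_FORM };
struct Node { Tag tag = TAG_NONE; };
// Hypothetical recycling pool: slots are reused, never freed, so a stale
// pointer stays readable and the bug shows up as a wrong tag, not a crash.
class NodePool {
    Node slab_[4];
    std::vector<Node*> free_;
public:
    NodePool() { for (Node& n : slab_) free_.push_back(&n); }
    Node* Acquire(Tag t) {
        Node* n = free_.back();
        free_.pop_back();
        n->tag = t;
        return n;
    }
    void Recycle(Node* n) { n->tag = TAG_NONE; free_.push_back(n); }
};

// Stand-in for the content sink: records the type of the node it closes.
struct Sink {
    Tag closed = TAG_NONE;
    void CloseContainer(const Node& n) { closed = n.tag; }
};

// Buggy order: the node is recycled, then still handed to the sink.
void CloseBuggy(NodePool& pool, Node* open, Sink& sink) {
    pool.Recycle(open);
    pool.Acquire(TAG_FORM);       // the next element reuses the same slot
    sink.CloseContainer(*open);   // stale pointer now describes <form>
}

// Fixed order: finish every use of the node before it returns to the pool.
void CloseFixed(NodePool& pool, Node* open, Sink& sink) {
    sink.CloseContainer(*open);
    pool.Recycle(open);
}

// Opens a <p>, closes it with the chosen routine, returns what the sink saw.
Tag RunClose(bool fixed) {
    NodePool pool;
    Sink sink;
    Node* p = pool.Acquire(TAG_P);
    if (fixed) CloseFixed(pool, p, sink); else CloseBuggy(pool, p, sink);
    return sink.closed;
}

int main() { return (RunClose(false) == TAG_FORM && RunClose(true) == TAG_P) ? 0 : 1; }
```

With a pool that really frees or overwrites its nodes, the stale access in the buggy order is where a crash like the one in the stack trace would surface.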
Comment 9•24 years ago (Reporter)
Harishd, I applied your patch to source pulled 2000-09-01-06. It applies,
compiles, and fixes the crash. However, I get a new compiler warning:
COtherElements.h: In method `nsresult CElement::CloseContainerInContext(class
nsIParserNode *, enum nsHTMLTag, class nsDTDContext *, class nsIHTMLContentSink
*)':
In file included from COtherDTD.cpp:82:
COtherElements.h:344: warning: unused variable `nsresult result'
I don't see any reason for the result variable, either. You don't use it or
return it. It seems vestigial.
Comment 10•24 years ago (Assignee)
Ya, I was planning on using that variable then decided not to..but then forgot
to remove it!!! Thanx for the heads up Jeffrey.
Comment 12•24 years ago (Reporter)
*** Bug 51071 has been marked as a duplicate of this bug. ***
Comment 13•24 years ago (Reporter)
*** Bug 51183 has been marked as a duplicate of this bug. ***
Comment 14•24 years ago (Reporter)
*** Bug 51162 has been marked as a duplicate of this bug. ***
Comment 15•24 years ago
I probably have a dupe of this bug. CCing myself so I can check after fix goes
in.
Comment 16•24 years ago
*** Bug 51217 has been marked as a duplicate of this bug. ***
Comment 17•24 years ago
*** Bug 51219 has been marked as a duplicate of this bug. ***
Comment 18•24 years ago (Reporter)
*** Bug 51234 has been marked as a duplicate of this bug. ***
Comment 19•24 years ago
Changing Summary to make easier to find (it's getting lots of dups)
Summary: Crashing in nsCParserNode::GetNodeType → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags
Comment 20•24 years ago
Adding topcrash keyword. This is #5 on today's list of top crashes for the past
week (in n.p.m.crash-data). (And #1 and #4 are fixed.)
Keywords: topcrash
Comment 21•24 years ago (Reporter)
*** Bug 51243 has been marked as a duplicate of this bug. ***
Comment 22•24 years ago (Reporter)
*** Bug 51257 has been marked as a duplicate of this bug. ***
Comment 23•24 years ago
Another example of this is http://www.mozart-oz.org/ . This starts with
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> .
PC/Linux build 2000090308.
Comment 24•24 years ago
*** Bug 51200 has been marked as a duplicate of this bug. ***
Comment 25•24 years ago
*** Bug 51173 has been marked as a duplicate of this bug. ***
Comment 26•24 years ago
*** Bug 51277 has been marked as a duplicate of this bug. ***
Comment 27•24 years ago
It should be but it wasn't (I don't have perms but bugzilla doesn't seem to
check before making the annotation above).
Comment 28•24 years ago
*** Bug 51277 has been marked as a duplicate of this bug. ***
Comment 29•24 years ago
*** Bug 51293 has been marked as a duplicate of this bug. ***
Comment 30•24 years ago (Reporter)
*** Bug 51310 has been marked as a duplicate of this bug. ***
Comment 31•24 years ago (Reporter)
*** Bug 51310 has been marked as a duplicate of this bug. ***
Comment 32•24 years ago (Reporter)
*** Bug 51290 has been marked as a duplicate of this bug. ***
Comment 33•24 years ago (Reporter)
*** Bug 51302 has been marked as a duplicate of this bug. ***
Comment 34•24 years ago
Here's another testcase (not that it's really needed):
http://www.davidkrause.com/~david/crash.html
Also, just a reminder that we're going to need to check each of these dups once
this is fixed to make sure nothing slipped through the cracks.
Comment 35•24 years ago
*** Bug 51344 has been marked as a duplicate of this bug. ***
Comment 36•24 years ago
*** Bug 51356 has been marked as a duplicate of this bug. ***
Comment 37•24 years ago (Reporter)
*** Bug 51332 has been marked as a duplicate of this bug. ***
Comment 38•24 years ago (Reporter)
Harishd has the probable fix for this. We are accumulating more and more
duplicate bug reports every day. Since this crash is so frequent, this is
preventing everyday use, and also most likely masking other bugs.
I have this fixed in my tree, but people who test with the nightlies do not have
that remedy. I would be very appreciative if someone could review this patch
ASAP, and if leger or whomever could please come along and nsbeta3+ this bug.
Whiteboard: fix in hand
Keywords: review
Whiteboard: fix in hand → fix in hand [needs review]
Comment 39•24 years ago
nisheeth, i summon thee to review harish's patch.
harish, i implore you to find a reviewer if nisheeth/rickg cannot be found (and,
maybe, take ownership of the bug!)
Comment 40•24 years ago
Only code written by Netscapers requires an nsbeta3+ for checkin; anyone can
checkin this patch with module owner review and approval from brendan or waterson.
Comment 41•24 years ago
But Harish wrote the code, and he's a netscape employee...
Comment 42•24 years ago (Assignee)
Reassigning to myself. Got the patch reviewed by nisheeth. Will checkin first
thing in the morning after comprehensive ( walking top 100 sites ) testing.
Assignee: rickg → harishd
Comment 43•24 years ago
Putting on [nsbeta3+] radar.
Whiteboard: fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in]
Comment 44•24 years ago
Bug asserts itself on Mac versions, crashes repeatedly, recommend changing
platform to 'all'
Updated•24 years ago (Reporter)
Hardware: PC → All
Comment 45•24 years ago
thank you
Status: NEW → ASSIGNED
Whiteboard: [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand
Comment 46•24 years ago
*** Bug 51369 has been marked as a duplicate of this bug. ***
Comment 47•24 years ago
*** Bug 51394 has been marked as a duplicate of this bug. ***
Comment 48•24 years ago
*** Bug 51402 has been marked as a duplicate of this bug. ***
Comment 49•24 years ago
*** Bug 51383 has been marked as a duplicate of this bug. ***
Comment 50•24 years ago
*** Bug 51458 has been marked as a duplicate of this bug. ***
Comment 51•24 years ago (Assignee)
Will checkin as soon as the tree opens today.
Comment 52•24 years ago (Assignee)
*** Bug 51542 has been marked as a duplicate of this bug. ***
Comment 53•24 years ago
I'm absolutely dead in the water today with this crash. I'll try your patch...
Comment 54•24 years ago
so far, this patch is working for me. no more crashes!
Comment 55•24 years ago (Assignee)
Fix is in. Everyone should be happy :-)
Good...marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Comment 56•24 years ago (Assignee)
*** Bug 51204 has been marked as a duplicate of this bug. ***
Comment 57•24 years ago
How did you manage to resolve this bug w/o it getting marked as fixed?
[Reopening to reresolve as fixed - please excuse the spam]
Status: RESOLVED → REOPENED
Comment 58•24 years ago
Trying to resolve as Fixed
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Comment 59•24 years ago (Reporter)
*** Bug 51647 has been marked as a duplicate of this bug. ***
Comment 60•24 years ago (Reporter)
*** Bug 51654 has been marked as a duplicate of this bug. ***
Comment 61•24 years ago
*** Bug 51819 has been marked as a duplicate of this bug. ***
Comment 62•24 years ago
*** Bug 51818 has been marked as a duplicate of this bug. ***
Comment 63•24 years ago (Reporter)
*** Bug 51864 has been marked as a duplicate of this bug. ***
Comment 64•24 years ago (Reporter)
I verified every URL and testcase attached to this bug and its duplicates. None
of them crashed on Linux build 2000-09-08-06. The fact that I could visit every
one of these URLs, and then back-button through them without crashing is an
unexpected testament to Mozilla's current quality.
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14260
http://www.la-sorciere.de/Wine-HOWTO/index.html
http://www.lokigames.com/
http://people.netscape.com/ftang/number/test/armenian.html
http://blanalex.dyndns.org/
http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14096
http://www.psu.edu/ur/directory/
http://www.physik.fu-berlin.de/~fsi/statistik.html
http://www.gnu.org/software/hurd/
http://www.mihalis.org/Laurent/cv_lc.html
http://www.kde.org/announcements/k2launchpad.html
http://johnandlucy.com/crash.html
http://www.davidkrause.com/~david/crash.html
http://www.lowfield.co.uk/archers/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13998
http://www.amd.com/news/corppr/20152.html
http://www.nemesis.se/about_site
http://www.swiss.ai.mit.edu/~rms/anti-posco/
http://www.amd.com/products/cpg/athlon/benchmarks/benchmarks.html
http://www.nemesis.se/clients/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13960
http://www.lokigames.com/products/sc3k/
http://www.mozart-oz.org/
http://www.htmlhelp.org/reference/html40/deprecated.html
http://www.gtk.org/~otaylor/gtk/gobject/
http://www.strusel007.de/linux/xawtv/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13953
http://www.w3.org/StyleSheets/Core/preview
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13888
http://www.richinstyle.com/bugs/ie5demo.html
http://www.americangreetings.com/
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13861
http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13849
http://www.northernsun.com/
Comment 65•24 years ago
[@ nsCParserNode::GetNodeType]
Summary: Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]
Comment 66•24 years ago
*** Bug 51818 has been marked as a duplicate of this bug. ***
I checked the links as well, on NT, and did not get a crash. However, I got
unrelated assertions on two of them:
http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html
http://www.physik.fu-berlin.de/~fsi/statistik.html
I will see if there are bugs on them and file new ones if not.
But, since Jeffrey passed the list on Linux and I passed the list on NT I am
marking this verified.
Status: RESOLVED → VERIFIED
Comment 68•16 years ago
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
Updated•13 years ago
Crash Signature: [@ nsCParserNode::GetNodeType]