Closed Bug 50994 Opened 24 years ago Closed 24 years ago

Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]

Categories

(Core :: DOM: HTML Parser, defect, P3)

defect

Tracking

()

VERIFIED FIXED

People

(Reporter: jwbaker, Assigned: harishd)

References

()

Details

(Keywords: crash, testcase, topcrash, Whiteboard: [nsbeta3+]fix in hand)

Crash Data

Attachments

(3 files)

Mozilla crashes on the valid HTML file that I will attach herein. Stack trace: #0 0x40a8078c in nsCParserNode::GetNodeType (this=0x85e64d8) at nsParserNode.cpp:232 #1 0x4179e7eb in HTMLContentSink::CloseContainer (this=0x86a77f8, aNode=@0x85e64d8) at nsHTMLContentSink.cpp:3013 #2 0x40a70975 in CElement::CloseContainer (this=0x80ea958, aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:321 #3 0x40a7087f in CElement::CloseContainerInContext (this=0x80ea958, aNode=0x85e64d8, aTag=eHTMLTag_p, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:349 #4 0x40a6e629 in CElement::HandleStartToken (this=0x80ea958, aNode=0x85e6400, aTag=eHTMLTag_form, aContext=0x8617490, aSink=0x86a77f8) at COtherElements.h:2771 #5 0x40a6fe45 in COtherDTD::HandleStartToken (this=0x8677480, aToken=0x86d52a8) at COtherDTD.cpp:784 #6 0x40a6f8e2 in COtherDTD::HandleToken (this=0x8677480, aToken=0x86d52a8, aParser=0x86a7058) at COtherDTD.cpp:584 #7 0x40a6f5ec in COtherDTD::BuildModel (this=0x8677480, aParser=0x86a7058, aTokenizer=0x85e1880, anObserver=0x0, aSink=0x86a77f8) at COtherDTD.cpp:479 #8 0x40a7c97f in nsParser::BuildModel (this=0x86a7058) at nsParser.cpp:1978 #9 0x40a7c715 in nsParser::ResumeParse (this=0x86a7058, allowIteration=1, aIsFinalChunk=0) at nsParser.cpp:1859 #10 0x40a7d4da in nsParser::OnDataAvailable (this=0x86a7058, channel=0x85c2dd0, aContext=0x0, pIStream=0x8611630, sourceOffset=0, aLength=230) at nsParser.cpp:2309 #11 0x410ab8c2 in nsDocumentOpenInfo::OnDataAvailable (this=0x85df370, aChannel=0x85c2dd0, aCtxt=0x0, inStr=0x8611630, sourceOffset=0, count=230) at nsURILoader.cpp:251 #12 0x409af641 in nsFileChannel::OnDataAvailable (this=0x85c2dd0, transportChannel=0x85e1f88, context=0x0, aIStream=0x8611630, aSourceOffset=0, aLength=230) at nsFileChannel.cpp:673 #13 0x4093ab8c in nsOnDataAvailableEvent::HandleEvent (this=0x41d02e38) at nsAsyncStreamListener.cpp:400 #14 0x40939dff in nsStreamListenerEvent::HandlePLEvent (aEvent=0x41d02e60) at nsAsyncStreamListener.cpp:97 #15 0x4011e80f in PL_HandleEvent (self=0x41d02e60) at plevent.c:587 #16 0x4011e6b1 in PL_ProcessPendingEvents (self=0x80ab6d0) at plevent.c:528 #17 0x40120431 in nsEventQueueImpl::ProcessPendingEvents (this=0x80ab698) at nsEventQueue.cpp:356 #18 0x40bccbcc in event_processor_callback (data=0x80ab698, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:158 #19 0x40bcc80b in our_gdk_io_invoke (source=0x82084f0, condition=G_IO_IN, data=0x82084e0) at nsAppShell.cpp:58 #20 0x40d8920e in g_io_unix_dispatch (source_data=0x8208508, current_time=0xbffff680, user_data=0x82084e0) at giounix.c:135 #21 0x40d8a717 in g_main_dispatch (dispatch_time=0xbffff680) at gmain.c:656 #22 0x40d8acdb in g_main_iterate (block=1, dispatch=1) at gmain.c:877 #23 0x40d8ae59 in g_main_run (loop=0x8208550) at gmain.c:935 #24 0x40cb9069 in gtk_main () at gtkmain.c:476 #25 0x40bcd2b5 in nsAppShell::Run (this=0x80f41f8) at nsAppShell.cpp:335 #26 0x406a7290 in nsAppShellService::Run (this=0x80f3010) at nsAppShellService.cpp:378 #27 0x8055374 in main1 (argc=1, argv=0xbffff964, nativeApp=0x0) at nsAppRunner.cpp:958 #28 0x8055a48 in main (argc=1, argv=0xbffff964) at nsAppRunner.cpp:1139 #29 0x4036a2e7 in __libc_start_main () from /lib/libc.so.6 This occurs on every build after 2000-08-30-15 on Linux. cc harishd because he diddled in this code at the right time re: Bug 46702.
Keywordage.
Severity: normal → critical
Keywords: crash, nsbeta3, testcase
Attached file Minimal valid testcase (deleted) —
Unable to reproduce crash on 083111 Win98.
I apologize. I uploaded the wrong testcase. The second testcase really does crash repeatably.
Attached file Real testcase this time (deleted) —
*** Bug 50964 has been marked as a duplicate of this bug. ***
Attached patch Proposed patch.. (deleted) — Splinter Review
The problem is that in COtherElements the node that got recycled was being referenced! Rickg, could you please review the patch? Thanx
Harishd, I applied you patch to source pulled 2000-09-01-06. It applies, compiles, and fixes the crash. However, I get a new compiler warning: COtherElements.h: In method `nsresult CElement::CloseContainerInContext(class nsIParserNode *, enum nsHTMLTag, class nsDTDContext *, class nsIHTMLContentSink *)': In file included from COtherDTD.cpp:82: COtherElements.h:344: warning: unused variable `nsresult result' I don't see any reason for the result variable, either. You don't use it or return it. It seems vestigial.
Ya, I was planning on using that variable then decided not to..but then forgot to remove it!!! Thanx for the heads up Jeffrey.
This was also seen on Win2k.
OS: Linux → All
*** Bug 51071 has been marked as a duplicate of this bug. ***
*** Bug 51183 has been marked as a duplicate of this bug. ***
*** Bug 51162 has been marked as a duplicate of this bug. ***
I probably have a dupe of this bug. CCing myself so I can check after fix goes in.
*** Bug 51217 has been marked as a duplicate of this bug. ***
*** Bug 51219 has been marked as a duplicate of this bug. ***
*** Bug 51234 has been marked as a duplicate of this bug. ***
Changing Summary to make easier to find(it's getting lots of dups)
Summary: Crashing in nsCParserNode::GetNodeType → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags
Keywords: mostfreq
Adding topcrash keyword. This is #5 on today's list of top crashes for the past week (in n.p.m.crash-data). (And #1 and #4 are fixed.)
Keywords: topcrash
*** Bug 51243 has been marked as a duplicate of this bug. ***
*** Bug 51257 has been marked as a duplicate of this bug. ***
Another example of this is http://www.mozart-oz.org/ . This starts with <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> . PC/Linux build 2000090308.
*** Bug 51200 has been marked as a duplicate of this bug. ***
*** Bug 51173 has been marked as a duplicate of this bug. ***
*** Bug 51277 has been marked as a duplicate of this bug. ***
It should be but it wasn't (I don't have perms but bugzilla doesn't seem to check before making the annotation above).
*** Bug 51277 has been marked as a duplicate of this bug. ***
*** Bug 51293 has been marked as a duplicate of this bug. ***
*** Bug 51310 has been marked as a duplicate of this bug. ***
*** Bug 51310 has been marked as a duplicate of this bug. ***
*** Bug 51290 has been marked as a duplicate of this bug. ***
*** Bug 51302 has been marked as a duplicate of this bug. ***
Here's another testcase (not that it's really needed): http://www.davidkrause.com/~david/crash.html Also, just a reminder that we're going to need to check each of these dups once this is fixed to make sure nothing slipped through the cracks.
*** Bug 51344 has been marked as a duplicate of this bug. ***
*** Bug 51356 has been marked as a duplicate of this bug. ***
*** Bug 51332 has been marked as a duplicate of this bug. ***
Harishd has the probable fix for this. We are accumulating more and more duplicate bug reports everyday. Since this crash is so frequent, this is preventing everyday use, and also most likely masking other bugs. I have this fixed in my tree, but people who test with the nightlies do not have that remedy. I would be very appreciative if someone could review this patch ASAP, and if leger or whomever could please come along and nsbeta3+ this bug.
Whiteboard: fix in hand
Keywords: review
Whiteboard: fix in hand → fix in hand [needs review]
nisheeth, i summon thee to review harish's patch. harish, i implore you to find a reviewer if nisheeth/rickg cannot be found (and, maybe, take ownership of the bug!)
Only code written by Netscapers requires an nsbeta3+ for checkin; anyone can checkin this patch with module owner review and approval from brendan or waterson.
But Harish wrote the code, and he's a netscape employee...
Reassigning to myself. Got the patch reviewed by nisheeth. Will checkin first thing in the morning after comprehensive ( walking top 100 sites ) testing.
Assignee: rickg → harishd
Keywords: reviewapproval
Whiteboard: fix in hand [needs review] → fix in hand [should be + by pdt since a netscape employee intends to check this in]
Putting on [nsbeta3+] radar.
Whiteboard: fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in]
Bug asserts iteslf on Mac versions, crashes repetedly, reccommend changing platform to 'all'
Hardware: PC → All
thank you
Status: NEW → ASSIGNED
Whiteboard: [nsbeta3+]fix in hand [should be + by pdt since a netscape employee intends to check this in] → [nsbeta3+]fix in hand
*** Bug 51369 has been marked as a duplicate of this bug. ***
*** Bug 51394 has been marked as a duplicate of this bug. ***
*** Bug 51402 has been marked as a duplicate of this bug. ***
*** Bug 51383 has been marked as a duplicate of this bug. ***
*** Bug 51458 has been marked as a duplicate of this bug. ***
Will checkin as soon as the tree opens today.
*** Bug 51542 has been marked as a duplicate of this bug. ***
I'm absolutely dead in the water today with this crash. I'll try your patch...
so far, this patch is working for me. no more crashes!
Fix is in. Everyone should be happy :-) Good...marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
*** Bug 51204 has been marked as a duplicate of this bug. ***
How did you manage to resolve this bug w/o it getting marked as fixed? [Reopening to reresolve as fixed - please excuse the spam]
Status: RESOLVED → REOPENED
Trying to resolve as Fixed
Status: REOPENED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → FIXED
*** Bug 51647 has been marked as a duplicate of this bug. ***
*** Bug 51654 has been marked as a duplicate of this bug. ***
*** Bug 51819 has been marked as a duplicate of this bug. ***
*** Bug 51818 has been marked as a duplicate of this bug. ***
*** Bug 51864 has been marked as a duplicate of this bug. ***
I verified every URL and testcase attached to this bug and its duplicates. None of them crashed on Linux build 2000-09-08-06. The fact that I could visit every one of these URLs, and then back-button through them without crashing is an unexpected testament to Mozilla's current quality. http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14260 http://www.la-sorciere.de/Wine-HOWTO/index.html http://www.lokigames.com/ http://people.netscape.com/ftang/number/test/armenian.html http://blanalex.dyndns.org/ http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html http://bugzilla.mozilla.org/showattachment.cgi?attach_id=14096 http://www.psu.edu/ur/directory/ http://www.physik.fu-berlin.de/~fsi/statistik.html http://www.gnu.org/software/hurd/ http://www.mihalis.org/Laurent/cv_lc.html http://www.kde.org/announcements/k2launchpad.html http://johnandlucy.com/crash.html http://www.davidkrause.com/~david/crash.html http://www.lowfield.co.uk/archers/ http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13998 http://www.amd.com/news/corppr/20152.html http://www.nemesis.se/about_site http://www.swiss.ai.mit.edu/~rms/anti-posco/ http://www.amd.com/products/cpg/athlon/benchmarks/benchmarks.html http://www.nemesis.se/clients/ http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13960 http://www.lokigames.com/products/sc3k/ http://www.mozart-oz.org/ http://www.htmlhelp.org/reference/html40/deprecated.html http://www.gtk.org/~otaylor/gtk/gobject/ http://www.strusel007.de/linux/xawtv/ http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13953 http://www.w3.org/StyleSheets/Core/preview http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13888 http://www.richinstyle.com/bugs/ie5demo.html http://www.americangreetings.com/ http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13861 http://bugzilla.mozilla.org/showattachment.cgi?attach_id=13849 http://www.northernsun.com/
[@ nsCParserNode::GetNodeType]
Summary: Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags → Crashing in nsCParserNode::GetNodeType, with strict DOCTYPE and unclosed tags [@ nsCParserNode::GetNodeType]
*** Bug 51818 has been marked as a duplicate of this bug. ***
I checked the links as well, on NT, and did not get a crash. However, I got unrelated assertion on two of them: http://studweb.euv-frankfurt-o.de/twardoch/f/en/charsets/html4_0unicode2_0.html http://www.physik.fu-berlin.de/~fsi/statistik.html I will see if there are bugs on them and file new ones if not. But, since Jeffrey passed the list on Linux and I passed the list on NT I am marking this verified.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Crash Signature: [@ nsCParserNode::GetNodeType]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: