Closed Bug 5673 Opened 26 years ago Closed 26 years ago

Crash - Reloading this page causes Apprunner crashes

Categories

(Core :: Internationalization, defect, P1)

All
Other
defect

Tracking

()

VERIFIED WORKSFORME

People

(Reporter: teruko, Assigned: rickg)

References

()

Details

(Whiteboard: Talkback ID 7900392 -still investigating - m5 branch?)

Tested 4-28-09 Win32 under Window 95J, Winnt 4.0J and Mac build. Step of reproduce 1. Go to the above URL 2. Click on Reload button or select enter the URL location to reload the page Apprunner crashes.
Priority: P3 → P1
Whiteboard: Talkback ID 7900392
Target Milestone: M5
URL for talkback report: http://cyclone/reports/incidenttemplate.CFM?reportID=1568&style=0&tc=2&cp=1&ck1= SNub+trigger+event+time&bbid=7900392 Call Stack: (Signature = SinkContext::~SinkContext 1f801ddf) SinkContext::~SinkContext [d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp, line 835] HTMLContentSink::~HTMLContentSink [d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp, line 1379] HTMLContentSink::`scalar deleting destructor' HTMLContentSink::Release [d:\builds\seamonkey\mozilla\layout\html\document\src\nsHTMLContentSink.cpp, line 1390] nsParser::~nsParser [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 171] nsParser::`vector deleting destructor' nsParser::Release [d:\builds\seamonkey\mozilla\htmlparser\src\nsParser.cpp, line 191] nsDocumentBindInfo::OnStopBinding [d:\builds\seamonkey\mozilla\webshell\src\nsDocLoader.cpp, line 2143] OnStopBindingProxyEvent::HandleEvent [d:\builds\seamonkey\mozilla\network\module\nsNetThread.cpp, line 592] StreamListenerProxyEvent::HandlePLEvent [d:\builds\seamonkey\mozilla\network\module\nsNetThread.cpp, line 472] PL_HandleEvent [plevent.c, line 477] PL_ProcessPendingEvents [plevent.c, line 438] _md_EventReceiverProc [plevent.c, line 803] KERNEL32.DLL + 0x3663 (0xbff73663) KERNEL32.DLL + 0x2297c (0xbff9297c) 0x00778c54
I looked at the page. The page title was written in Shift-JIS. I created the good UTF-8 page in http://babel/testdata/double_byte/good_utf-8_code.htm When I reload the page, Apprunner does not crash.
What happen is the following, the origional url below have non UTF-8 data there and the UTF8 converter go into error stage and stop feed parser the rest of the data. Somehow the content sink have a bug which will crash when receive partial html. Origional url - http://babel/testdata/double_byte/utf-8_code.html reassign this bug to i have put down a better test page which do not have META tag neither need to switch converter and still crash the apprunner. the new url is in http://peoplestage.netscape.com/ftang/test/bug5673.html This html is a partial html. The Content sink should not crash. it crash on SinkContext::~SinkContext. I will attach the stack trace later.
Assignee: ftang → kipp
Status: ASSIGNED → NEW
Change summary to "Partial html crash apprunner" from "Crash - Reloading this page causes Apprunner crashes" . Here is the stack trace: SinkContext::~SinkContext() line 833 + 12 bytes SinkContext::`scalar deleting destructor'(unsigned int 0x00000001) + 15 bytes HTMLContentSink::~HTMLContentSink() line 1377 + 31 bytes HTMLContentSink::`scalar deleting destructor'(unsigned int 0x00000001) + 15 bytes HTMLContentSink::Release(HTMLContentSink * const 0x0360f4f0) line 1390 + 99 bytes nsParser::~nsParser() line 167 + 27 bytes nsParser::`vector deleting destructor'(unsigned int 0x00000001) + 65 bytes nsParser::Release(nsParser * const 0x0360e6f0) line 176 + 99 bytes nsDocumentBindInfo::OnStopBinding(nsDocumentBindInfo * const 0x036095e0, nsIURL * 0x03609660, unsigned int 0x00000000, unsigned short * 0x00f506e0) line 2141 + 27 bytes OnStopBindingProxyEvent::HandleEvent(OnStopBindingProxyEvent * const 0x00f50690) line 591 + 45 bytes StreamListenerProxyEvent::HandlePLEvent(PLEvent * 0x00f50694) line 471 + 12 bytes PL_HandleEvent(PLEvent * 0x00f50694) line 476 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00c209a0) line 437 + 9 bytes _md_EventReceiverProc(void * 0x00840338, unsigned int 0x0000c117, unsigned int 0x00000000, long 0x00c209a0) line 799 + 9 bytes USER32! 77e5111a() set a break point at HTMLContentSink::CloseHTML. You will see it set 0xdddddddd to all the fields of mCurrentContextk when it hit the delete mHeadContext line. This cause the crash later when try SinkContext::~SinkContext try to delete mStack. Reassign to kipp since kipp is the last one touch the function HTMLContentSink::CloseHTML
is anyone held up on this one for M5? kipp, had a chance to look at this one yet?
Whiteboard: Talkback ID 7900392 → Talkback ID 7900392 -need status update
Assignee: kipp → rickg
I can't make either test url crash; the one with utf8 data acts oddly however (the second load leads to an empty document). ftang's page shows up empty, as it should, without crashing anything. Maybe somebody on windows could run this test under purify and see if anything shows up? I'm going to ask rickg to look at it since he can use purify and see if anything shows up...If there is a problem with the sink, then reassign it back to harishd with the purify information. Thanks
The correct original bad URL (note .htm not .html) is: http://babel/testdata/double_byte/utf-8_code.htm A corrected version is at http://babel/testdata/double_byte/good_utf-8_code.htm Using 1999-05-03-08 build on US NT4 this works for me. The bad URL gives a blank window and the good URL appears to work. We need to work on the UE for bad pages, but that's separate from this bug.
Whiteboard: Talkback ID 7900392 -need status update → Talkback ID 7900392 -still investigating - m5 branch?
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → WORKSFORME
I verified this in 5-03-08 Win32 and MAC build.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.