Closed Bug 91744 Opened 24 years ago Closed 23 years ago

Page (possibly Office XP-generated HTML file) crashes Mozilla

Categories

(Core :: DOM: HTML Parser, defect, P1)

x86
All
defect

Tracking


VERIFIED FIXED
mozilla0.9.5

People

(Reporter: wolruf, Assigned: harishd)

References


Details

(Keywords: crash, testcase, Whiteboard: PDT+[fix on the trunk and branch])

Attachments

(6 files)

Mozilla Build: 2001072003 on Win2k
Mozilla Build: 2001072021 on Linux
URL to load: http://www.rageunderground.com/Benchmarks/RV200int.htm
Behaviour: Mozilla crashes.
Expected behaviour: not crashing (IE 5.5 does not crash).
Talkback ID on Win2k: TB33160290M and TB33160267H.
On Linux, it doesn't generate a Talkback ID but instead enters GDB, where the relevant information is the last line only (before that, it just reads symbols from various libraries):
#0 0x401578c6 in Distance () from /home/cahagn_o/fichiers/mozilla/libxpcom.so
The link is from the following site: http://www.rageunderground.com/ (News from July 18th on the front page), and the page seems to be an Excel-exported HTML table.
Attached file: html source of crasher page (deleted)
Looks like an active-x control being called from an <object>. Confirmed crash, 100% reproducible on Win2K 2001072003.
Over to strings. Asa, could you retrieve those talkbacks?
Assignee: kandrot → scc
Status: UNCONFIRMED → NEW
Component: XPCOM → String
Ever confirmed: true
Incident ID 33160290
Stack Signature nsReadingIterator::normalize_forward 5f84208b
Bug ID
Trigger Time 2001-07-21 02:57:18
User Comments Reproducible crash
Build ID 2001072005
Product ID MozillaTrunk
Platform ID Win32
Stack Trace
nsReadingIterator::normalize_forward [..\..\dist\include\nsStringIterator.h, line 363]
copy_string [..\..\dist\include\nsAlgorithm.h, line 81]
Distance [d:\builds\seamonkey\mozilla\string\src\nsReadableUtils.cpp, line 100]
copy_string [..\..\dist\include\nsAlgorithm.h, line 81]
Distance [d:\builds\seamonkey\mozilla\string\src\nsReadableUtils.cpp, line 100]
AppendUnicodeTo [d:\builds\seamonkey\mozilla\string\src\nsReadableUtils.cpp, line 302]
nsScanner::ReadNumber [d:\builds\seamonkey\mozilla\htmlparser\src\nsScanner.cpp, line 924]
CEntityToken::ConsumeEntity [d:\builds\seamonkey\mozilla\htmlparser\src\nsHTMLTokens.cpp, line 1958]
ConsumeAttributeEntity [d:\builds\seamonkey\mozilla\htmlparser\src\nsHTMLTokens.cpp, line 1506]
ConsumeAttributeValueText [d:\builds\seamonkey\mozilla\htmlparser\src\nsHTMLTokens.cpp, line 1556]
ConsumeAttributeValueText [d:\builds\seamonkey\mozilla\htmlparser\src\nsHTMLTokens.cpp, line 1562]
(the same ConsumeAttributeValueText [nsHTMLTokens.cpp, line 1562] frame repeats several dozen more times in the captured trace: the function keeps re-entering itself down to the bottom of the recorded stack)
Keywords: crash
With the previous attachments, I tried to reduce the testcases to the max and came to these final files: if you add any character at the end of the second attachment, Mozilla will crash (at least, build ID 20010822 on Win2k); the first attachment is exactly the same except it contains one more character at the end, a 'g'. Perhaps this means there's a memory allocation problem? With more time, I'd have to see if this is XML parser-specific or a more general parsing issue.
Again, this last attachment crashes the latest Mozilla 20010827 on Win2k but *not* Linux. I reduced the testcase to the max; it won't crash on Win2k if the last character 'g' is removed from the testcase or if you remove the '<param name=foo value=""' part. Does it come from a parser bug, a buffer overflow?
Component: String → Parser
Reassigning to the Parser component's owner as other people advised me to do so on #mozillazine.
Assignee: scc → harishd
QA Contact: scc → bsharma
Keywords: testcase
Oh boy!... This looks like a stack overflow problem. I used recursion, hoping that we would never hit this case, and apparently I was wrong. Will figure out a way to fix it.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.5
Whiteboard: [fix in hand]
the table regression testcase layout/html/tests/table/other/slashlogo.html triggers the assertion at http://lxr.mozilla.org/seamonkey/source/htmlparser/src/nsHTMLTokens.cpp#1986
I noticed that assertion and it was annoying. I've addressed the issue in my patch. That is, I've replaced NS_ENSURE_SUCCESS, because it's not really necessary to assert before returning EOF message, with a local macro.
Comment on attachment 49041 [details] [diff] [review] Patch v1.0 [ Tentative - Needs additional testing ]
r=heikki. I would rather see you'd remove the homegrown macro with the expanded code, as we do everywhere else. The macro is just an annoying thing you need to go and check to see what it does when you want to, like, review the code ;)
Attachment #49041 - Flags: review+
Attached patch: patch v1.1 [ sigh! ] (deleted)
Comment on attachment 49355 [details] [diff] [review] patch v1.1 [ sigh! ]
sr=vidur
Attachment #49355 - Flags: superreview+
Leaving bug open to get into 0.9.4.
Keywords: nsbranch
Whiteboard: [fix in hand] → [fix on the trunk]
Seems like a safe fix with good return (fix crash), therefore nsbranch+.
Keywords: nsbranch → nsbranch+
Get the r= on patch 1.1 ASAP, and we can talk PDT+
Jaime: I already have "has-review" and "has-super-review" for this. Why do I need yet another r=?
PDT+. Check this one in today.
Whiteboard: [fix on the trunk] → PDT+[fix on the trunk]
Landed on the branch. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: PDT+[fix on the trunk] → PDT+[fix on the trunk and branch]
QA Contact: bsharma → moied
verified fixed on win2k build ID 20010928 (branch)
Keywords: vtrunk
Marking verified with build ID 20011116 on win2k
Status: RESOLVED → VERIFIED