Bug 343951: [meta] New Script Node fuzzer
Status: Closed, RESOLVED FIXED. Opened 18 years ago; closed 3 years ago.
Categories: Core :: Fuzzing, defect
People: Reporter: jruderman; Unassigned
References: Depends on 1 open bug
Keywords: meta, sec-other; Whiteboard: [sg:nse]
Attachments: 1 file, 2 obsolete files (text/plain, deleted)
Description • 18 years ago (Reporter)
This fuzzer does StirDOM-like things, and inserts script elements containing scripts that "recursively" do StirDOM-like things as they are inserted into the document. It found bug 343730.
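As an added illustration of the technique the description sketches, here is a small test-case generator for "script node" fuzzing. It is not Jesse's fuzzer (that is attached to bug 339948) and not Mozilla code; the StirDOM-like operation set, the seed document, the mulberry32 PRNG and every function name below are assumptions. The generator runs under node and emits a self-contained HTML file; the emitted script runs in a browser, where each level mutates live nodes and then inserts a script element whose text repeats the process one level deeper, so the nested script's mutations run while its own element is being inserted into the document.

```javascript
// Added example (not from the bug or from Mozilla): generator for
// recursive "script node" DOM fuzz test cases. All names are assumptions.

// mulberry32: small seeded PRNG so a test case is reproducible from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// StirDOM-like mutations (assumed set). In the emitted script `n` is a live
// node picked by index and `p` its parent at that moment; every op is wrapped
// in try/catch because many of them legitimately throw (e.g. moving <html>).
const OPS = [
  'if (p) p.removeChild(n);',
  'if (p) p.insertBefore(document.createTextNode("t"), n);',
  'if (p) p.appendChild(n);',
  'document.body.appendChild(n);',
  'n.appendChild(document.createElement("div"));',
  'if (p) p.replaceChild(document.createElement("span"), n);',
  'n.innerHTML = "<p>q</p>";',
  'document.documentElement.appendChild(n);',
];

// Quote a string as a JS literal that is safe inside a <script> element:
// JSON.stringify does the quoting, and "</" becomes "<\/" so nested source can
// never contain a literal "</script" that would terminate the outer element.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/<\//g, '<\\/');
}

// One level of fuzz script. `depth` is how many nested script nodes remain;
// node choices are fixed at generation time so the case replays identically.
function buildFuzzScript(rng, depth, opsPerLevel) {
  const lines = [
    '(function () {',
    '  var all = document.getElementsByTagName("*");', // live collection
    '  var n, p;',
  ];
  for (let i = 0; i < opsPerLevel; i++) {
    const idx = Math.floor(rng() * 64);
    const op = OPS[Math.floor(rng() * OPS.length)];
    lines.push('  n = all[' + idx + ' % all.length]; p = n.parentNode;');
    lines.push('  try { ' + op + ' } catch (e) {}');
  }
  if (depth > 0) {
    const inner = buildFuzzScript(rng, depth - 1, opsPerLevel);
    const hostIdx = Math.floor(rng() * 64);
    lines.push(
      '  var s = document.createElement("script");',
      '  s.appendChild(document.createTextNode(' + jsStringLiteral(inner) + '));',
      '  n = all[' + hostIdx + ' % all.length];',
      // Appending s is what runs the inner script, i.e. the inner mutations
      // happen during the insertion of the script node itself.
      '  try { n.appendChild(s); } catch (e) {}'
    );
  }
  lines.push('})();');
  return lines.join('\n');
}

// Wrap the script in a deliberately small seed document (constructed here) so
// that index choices collide often and parent/child relationships get reused.
function buildTestcaseHtml(seed, depth, opsPerLevel) {
  const rng = mulberry32(seed);
  const script = buildFuzzScript(rng, depth, opsPerLevel);
  return [
    '<!DOCTYPE html>',
    '<html><head><title>script node fuzz seed ' + seed + '</title></head><body>',
    '<div id="a"><span>x</span><b>y<i>z</i></b></div>',
    '<script>',
    script,
    '</script>',
    '</body></html>',
    '',
  ].join('\n');
}

// Number of script nodes a generated script will create: one per nesting
// level. Deeper levels are JSON-escaped, so their quotes carry backslashes.
function countScriptNodes(src) {
  return (src.match(/script\\*"\)/g) || []).length;
}

// node fuzzcase.js --emit 17 > case-17.html
if (typeof process !== 'undefined' && process.argv.includes('--emit')) {
  const seed = Number(process.argv[process.argv.indexOf('--emit') + 1]) || 1;
  process.stdout.write(buildTestcaseHtml(seed, 3, 4));
}
```

Two practical points. First, every nested level is embedded as a string literal, so the escaping in jsStringLiteral matters: a literal `</script` anywhere in inner source would end the outer element early and the case would not load. Second, the interesting state is exactly what the assertions in comment 3 complain about: the inner script runs while its own element, and possibly its ancestors, are partway through being bound, and it then removes, moves or replaces those nodes. A generator like this is only half of the tool; the other half is a loop that loads each seed in a debug build and greps the log for the `###!!! ASSERTION` lines.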
Comment 1 • 18 years ago (Reporter)
Requires fuzz.js 2.0.x, which can be found in bug 339948.
Comment 2 • 18 years ago (Reporter)
Should I reduce some more of these now, or wait until bug 343730 is fixed?
Updated • 18 years ago
Whiteboard: [sg:nse]
Comment 3 • 18 years ago (Reporter)
Putting the last attachment in the bug so the assertions will show up in "comment contains" searches.
Bug 343730:
###!!! ASSERTION: Bound to wrong document: 'aDocument == GetCurrentDoc()', file /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 1950
With intermediate testcases I made while reducing bug 343730:
###!!! ASSERTION: Already have a document. Unbind first!: '!GetCurrentDoc() && !IsInDoc()', file /Users/admin/trunk/mozilla/content/base/src/nsGenericDOMDataNode.cpp, line 616
###!!! ASSERTION: Bound to wrong parent: 'aParent == GetParent()', file /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 1951
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsNodeOfType(eXUL) && aDocument == nsnull) || aDocument == aParent->GetCurrentDoc()', file /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 1841
Crash [@ nsBindingManager::GetNestedInsertionPoint]
With other seeds / documents:
###!!! ASSERTION: Already have an undisplayed context entry for aContent: '!GetUndisplayedContent(aContent)', file /Users/admin/trunk/mozilla/layout/base/nsFrameManager.cpp, line 570
###!!! ASSERTION: node in map twice: 'Not Reached', file /Users/admin/trunk/mozilla/layout/base/nsFrameManager.cpp, line 1624
###!!! ASSERTION: Found more undisplayed content data after removal: 'context == nsnull', file /Users/admin/trunk/mozilla/layout/base/nsFrameManager.cpp, line 627
###!!! ASSERTION: out-of-bounds access in nsAttrAndChildArray: 'aPos < ChildCount()', file /Users/admin/trunk/mozilla/content/base/src/nsAttrAndChildArray.h, line 87
Crash [@ nsContentUtils::ComparePosition]
Comment 4 • 18 years ago (Reporter)
Attachment #228518 - Attachment is obsolete: true
Comment 5 • 18 years ago (Reporter)
The fix for bug 351633, "Make javascript: URI execution async" helped by fixing bug 344996.
The upcoming fix for bug 343730, "Scripts should not fire synchronously in BindToTree", will also help.
Comment 6 • 18 years ago
Shouldn't have security bugs assigned to nobody. Jesse can own his test bugs.
Assignee: nobody → jruderman
Comment 7 • 18 years ago (Reporter)
Comment on attachment 242975 [details]
New Script Node fuzzer 3.0
New version in bug 339948.
Attachment #242975 - Attachment is obsolete: true
Comment 8 • 9 years ago (Reporter)
Group: core-security
Updated • 8 years ago
Component: Tracking → Platform Fuzzing Team
Comment 9 • 3 years ago
The bug assignee didn't log in to Bugzilla in the last 7 months.
:decoder, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: jruderman → nobody
Flags: needinfo?(choller)
Updated • 3 years ago
Summary: New Script Node fuzzer → [meta] New Script Node fuzzer
Updated • 3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED