Closed Bug 4108 Opened 26 years ago Closed 26 years ago

javascript/framesets crashes in parser

Categories

(Core :: DOM: HTML Parser, defect, P3)

x86
Linux
defect

VERIFIED FIXED

People

(Reporter: mcafee, Assigned: rickg)

Details

zillasplat is a simple javascript page that reads your bugsplat cookie and creates two frame sets, one with your bugsplat bugs and the other with your bugzilla bugs. This crashes in the parser for me:

#0 0x40ac46a1 in __kill ()
#1 0x40ac44cf in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2 0x40ac56df in abort () at ../sysdeps/generic/abort.c:83
#3 0x407d2fba in PR_Abort () at prlog.c:461
#4 0x4002f286 in nsDebug::Abort (aFile=0x4061bcc6 "CNavDTD.cpp", aLine=2492) at nsDebug.cpp:93
#5 0x4002f2ea in nsDebug::Break (aFile=0x4061bcc6 "CNavDTD.cpp", aLine=2492) at nsDebug.cpp:108
#6 0x4002f355 in nsDebug::PreCondition (aStr=0x4061bc9c "Error: invalid tag stack position", aExpr=0x4061be36 "mBodyContext->GetCount() > 0", aFile=0x4061bcc6 "CNavDTD.cpp", aLine=2492) at nsDebug.cpp:120
#7 0x406044b6 in CNavDTD::CloseTopmostContainer (this=0x833cdd8) at CNavDTD.cpp:2492
#8 0x4060499e in CNavDTD::ReduceContextStackFor (this=0x833cdd8, aChildTag=eHTMLTag_br) at CNavDTD.cpp:2654
#9 0x40600d37 in CNavDTD::HandleDefaultStartToken (this=0x833cdd8, aToken=0x81b9bb0, aChildTag=eHTMLTag_br, aNode=@0xbfffde70) at CNavDTD.cpp:905
#10 0x4060141d in CNavDTD::HandleStartToken (this=0x833cdd8, aToken=0x81b9bb0) at CNavDTD.cpp:1066
#11 0x405ff999 in NavDispatchTokenHandler (aToken=0x81b9bb0, aDTD=0x833cdd8) at CNavDTD.cpp:248
#12 0x406103a0 in CTokenHandler::operator() (this=0x83c4088, aToken=0x81b9bb0, aDTD=0x833cdd8) at nsTokenHandler.cpp:80
#13 0x4060055c in CNavDTD::HandleToken (this=0x833cdd8, aToken=0x81b9bb0, aParser=0x8403360) at CNavDTD.cpp:609
#14 0x40600262 in CNavDTD::BuildModel (this=0x833cdd8, aParser=0x8403360, aTokenizer=0x81bd180, anObserver=0x0, aSink=0x8405de8) at CNavDTD.cpp:507
#15 0x4060da8f in nsParser::BuildModel (this=0x8403360) at nsParser.cpp:804
#16 0x4060d978 in nsParser::ResumeParse (this=0x8403360, aDefaultDTD=0x0) at nsParser.cpp:756
#17 0x4060d828 in nsParser::Parse (this=0x8403360, aSourceBuffer=@0xbfffe0f8, aKey=0x1, aContentType=@0xbfffe0e4, aEnableVerify=0, aLastCall=1) at nsParser.cpp:724
#18 0x404bb6f6 in nsHTMLDocument::WriteCommon (this=0x84057a8, cx=0x827aae0, argv=0x82e2fc8, argc=2, aNewlineTerminate=0) at nsHTMLDocument.cpp:1342
#19 0x404bb798 in nsHTMLDocument::Write (this=0x84057a8, cx=0x827aae0, argv=0x82e2fc8, argc=2) at nsHTMLDocument.cpp:1355
#20 0x40666d6a in HTMLDocumentWrite (cx=0x827aae0, obj=0x81c9538, argc=2, argv=0x82e2fc8, rval=0xbfffe23c) at nsJSHTMLDocument.cpp:714
#21 0x406df76f in js_Invoke (cx=0x827aae0, argc=2, constructing=0) at jsinterp.c:650
#22 0x406ef346 in js_Interpret (cx=0x827aae0, result=0xbfffe660) at jsinterp.c:2183
#23 0x406dfc88 in js_Execute (cx=0x827aae0, chain=0x81c8a78, script=0x8284fa8, fun=0x0, down=0x0, debugging=0, result=0xbfffe660) at jsinterp.c:815
#24 0x406b91c3 in JS_EvaluateUCScriptForPrincipals (cx=0x827aae0, obj=0x81c8a78, principals=0x0, chars=0x83c9bb0, length=1996, filename=0x8320c50 "http://scopus/bugsplat/zillasplat.html", lineno=7, rval=0xbfffe660) at jsapi.c:2324
#25 0x406411b0 in nsJSContext::EvaluateString (this=0x827aac0, aScript=@0xbfffe750, aURL=0x8320c50 "http://scopus/bugsplat/zillasplat.html", aLineNo=7, aRetValue=@0xbfffe69c, aIsUndefined=0xbfffe690) at nsJSEnvironment.cpp:115
#26 0x404b6afd in HTMLContentSink::EvaluateScript (this=0x8405de8, aScript=@0xbfffe750, aLineNo=7) at nsHTMLContentSink.cpp:2704
#27 0x404b704c in HTMLContentSink::ProcessSCRIPTTag (this=0x8405de8, aNode=@0xbfffe8a4) at nsHTMLContentSink.cpp:2811
#28 0x404b3ec0 in HTMLContentSink::AddLeaf (this=0x8405de8, aNode=@0xbfffe8a4) at nsHTMLContentSink.cpp:1894
#29 0x406045ae in CNavDTD::AddLeaf (this=0x833cdd8, aNode=@0xbfffe8a4) at CNavDTD.cpp:2511
#30 0x4060469a in CNavDTD::AddHeadLeaf (this=0x833cdd8, aNode=@0xbfffe8a4) at CNavDTD.cpp:2541
#31 0x406013e5 in CNavDTD::HandleStartToken (this=0x833cdd8, aToken=0x81b9058) at CNavDTD.cpp:1064
#32 0x405ff999 in NavDispatchTokenHandler (aToken=0x81b9058, aDTD=0x833cdd8) at CNavDTD.cpp:248
#33 0x406103a0 in CTokenHandler::operator() (this=0x83c4088, aToken=0x81b9058, aDTD=0x833cdd8) at nsTokenHandler.cpp:80
#34 0x4060055c in CNavDTD::HandleToken (this=0x833cdd8, aToken=0x81b9058, aParser=0x8403360) at CNavDTD.cpp:609
#35 0x40600262 in CNavDTD::BuildModel (this=0x833cdd8, aParser=0x8403360, aTokenizer=0x83b4e50, anObserver=0x0, aSink=0x8405de8) at CNavDTD.cpp:507
#36 0x4060da8f in nsParser::BuildModel (this=0x8403360) at nsParser.cpp:804
#37 0x4060d978 in nsParser::ResumeParse (this=0x8403360, aDefaultDTD=0x0) at nsParser.cpp:756
#38 0x4060dec2 in nsParser::OnDataAvailable (this=0x8403360, aURL=0x83adaf0, pIStream=0x8274960, aLength=2158) at nsParser.cpp:968
#39 0x4021450b in nsDocumentBindInfo::OnDataAvailable (this=0x827fcd8, aURL=0x83adaf0, aStream=0x8274960, aLength=2158) at nsDocLoader.cpp:1783
#40 0x401f72d3 in stub_put_block (stream=0x8403190, buffer=0x804f878 "n your bugsplat cookie. \n Sat Oct 17 00:02:29 PDT 1998 <mcafee@netscape.com>\n-->\n\n<HTML>\n<HEAD><TITLE>ZillaSplat</title>\n</HEAD>\n\n<script>\nfunction getCookieVal (offset) {\n var endstr = document."..., length=2158) at nsStubContext.cpp:647
#41 0x4019ba7d in net_MemCacheWrite (stream=0x8323e40, buffer=0x804f878 "n your bugsplat cookie. \n Sat Oct 17 00:02:29 PDT 1998 <mcafee@netscape.com>\n-->\n\n<HTML>\n<HEAD><TITLE>ZillaSplat</title>\n</HEAD>\n\n<script>\nfunction getCookieVal (offset) {\n var endstr = document."..., len=2158) at mkmemcac.c:664
#42 0x40102978 in net_pull_http_data (ce=0x8338428) at mkhttp.c:3097
#43 0x401032d5 in net_ProcessHTTP (ce=0x8338428) at mkhttp.c:3489
#44 0x401c7e33 in NET_ProcessNet (ready_fd=0x83c1e40, fd_type=2) at mkgeturl.c:3371
#45 0x401cfdbd in NET_PollSockets () at mkselect.c:320
#46 0x401f0872 in nsNetlibService::NetPollSocketsCallback (aTimer=0x82dea80, aClosure=0x804e498) at nsNetService.cpp:1220
#47 0x400e2de9 in TimerImpl::FireTimeout (this=0x82dea80) at nsTimer.cpp:73
#48 0x400e32d2 in nsTimerExpired (aCallData=0x82dea80) at nsTimer.cpp:189
#49 0x40974a60 in g_timeout_dispatch (source_data=0x83e43f0, current_time=0xbffff3a0, user_data=0x82dea80) at gmain.c:1144
#50 0x40973d53 in g_main_dispatch (current_time=0xbffff3a0) at gmain.c:644
#51 0x409742df in g_main_iterate (block=1, dispatch=1) at gmain.c:851
#52 0x40974461 in g_main_run (loop=0x812dc90) at gmain.c:909
#53 0x408a15f7 in gtk_main () at gtkmain.c:501
#54 0x4008234c in nsAppShell::Run (this=0x80eaae8) at nsAppShell.cpp:178
#55 0x40017ed1 in nsAppShellService::Run (this=0x80ea6a0) at nsAppShellService.cpp:178
#56 0x804a38c in main (argc=1, argv=0xbffff4c4) at nsAppRunner.cpp:337

This crashes both viewer & apprunner on linux.
Status: NEW → ASSIGNED
Chris -- I can't reproduce this. Can you send me your bugsplat cookie? Alternatively, tell me what other steps I need to follow to reproduce this.
I wiped out my cookies file, then visited: http://scopus/bugsplat/login.cgi http://bugzilla.mozilla.org and then crashed on the zillasplat.html URL above. Linux & Solaris, today's build.
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
This doesn't crash now, but I can't see the zillasplat data due to a login failure.
QA Contact: 3847 → 4141
Attempting to steal gem's HTMLParser bugs all at once. Changing QAContact to janc.
Status: RESOLVED → VERIFIED