Closed Bug 502848 Opened 16 years ago Closed 15 years ago

[HTML5] Crash [@ nsHtml5TreeOperation::Init] with document.write script removing window and span

Categories: Core :: DOM: HTML Parser, defect, critical
Status: RESOLVED FIXED
People: Reporter: martijn.martijn, Unassigned
Details: Keywords: crash, testcase, Whiteboard: [sg:dos] null deref
Attachments: 1 file

See testcase, to get this crash, you need to have the html5.enable pref set to true.
I don't know if this is related to the other html5 parser crashes, might be.

The iframe content is this:
<script>document.write('<script>window.frameElement.parentNode.removeChild(window.frameElement)<'+'/script><span>');</script>

http://crash-stats.mozilla.com/report/index/e5e27f4d-8280-4cb8-8efb-23e3b2090707?p=1

0 xul.dll nsCOMPtr_base::assign_with_AddRef obj-firefox/xpcom/build/nsCOMPtr.cpp:88
1 xul.dll nsCOMPtr<nsIDOMNode>::operator= obj-firefox/dist/include/nsCOMPtr.h:640
2 xul.dll nsHtml5TreeOperation::Init parser/html/nsHtml5TreeOperation.h:72
3 xul.dll nsHtml5TreeBuilder::appendElement parser/html/nsHtml5TreeBuilderCppSupplement.h:170
4 xul.dll nsHtml5TreeBuilder::insertIntoFosterParent parser/html/nsHtml5TreeBuilder.cpp:3248
5 xul.dll nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster parser/html/nsHtml5TreeBuilder.cpp:3386
6 xul.dll nsHtml5TreeBuilder::startTag parser/html/nsHtml5TreeBuilder.cpp:1245
7 xul.dll nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:364
8 xul.dll nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:596
9 xul.dll nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:459
10 xul.dll nsHtml5Parser::Parse parser/html/nsHtml5Parser.cpp:378
11 xul.dll nsHTMLDocument::WriteCommon content/html/document/src/nsHTMLDocument.cpp:2172
12 xul.dll nsHTMLDocument::ScriptWriteCommon content/html/document/src/nsHTMLDocument.cpp:2250
13 xul.dll nsHTMLDocument::Write content/html/document/src/nsHTMLDocument.cpp:2256
14 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
15 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2691
Attached file: testcase (deleted)
Crash on Mac, too, but not the same stack: bp-263ab4ae-68df-432c-9719-3e2972090727
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [sg:dos] null deref
Still crashes current trunk.
I'm interested to see if the patch from bug 503473 fixes this.
With everything in my queue up to and including bug 503473 applied, I don't see the crash on Mac in a debug build.
Depends on: 503473
I believe this was fixed together with bug 503473.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHtml5TreeOperation::Init]