Closed Bug 220542 Opened 21 years ago Closed 20 years ago

document.write of <link> with invalid protocol crash [@ CNavDTD::BuildModel]

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: meumail, Assigned: mrbkap)

References

(
URL
)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(4 files, 1 obsolete file)

win2k stack trace
5.59 KB, text/plain
Details
patch v2
9.37 KB, patch
bzbarsky
: superreview+
Details | Diff | Splinter Review
patch for checkin
9.79 KB, patch
Details | Diff | Splinter Review
Call stack for ASSERTION
8.33 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20030925
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20030925

Mozilla craches with the html code in the URL http://flop.catus.net/mozbug/
I’ve tried mozilla 1.4 final and 1.5rc2.

The html code on that URL is this:
<script>document.write('<link href="l:\\" rel=stylesheet>')</script>

Reproducible: Always

Steps to Reproduce:
1. Open the browser on the URL http://flop.catus.net/mozbug/
2. Wait for it to load the page and crach

Actual Results:  
It just craches...

Expected Results:  
nothing...
Are either of these related: bug 202765 and bug 185285?
-> Parser
Assignee: general → harishd
Status: UNCONFIRMED → NEW
Component: Browser-General → Parser
Ever confirmed: true
Keywords: crash
Bug occurs in Mozilla 1.3.1, 1.4, 1.5rc1 and trunk on Linux.
Bug does not occur in Mozilla 1.2.1 and 1.0.2
OS: Windows XP → All
Summary: Mozilla craches with the html code in the URL given → document.write of <link> with invalid protocol crash [@BuildModel]
bz: random guess, might we be incorrectly blocking/unblocking the parser for
sheets with bogus urls ?
Yeah.  We're blocking the parser for the script, then starting the sheet load,
which fails to open the channel in LoadSheet() and unblocks the parser, and then
things are all broken.  This could be wallpapered over with a lot of effort, but
it's better to just focus on bug 84582.
Depends on: 84582
*** Bug 223526 has been marked as a duplicate of this bug. ***
*** Bug 269603 has been marked as a duplicate of this bug. ***
*** Bug 256450 has been marked as a duplicate of this bug. ***
Summary: document.write of <link> with invalid protocol crash [@BuildModel] → document.write of <link> with invalid protocol crash [@ CNavDTD::BuildModel]
*** Bug 275089 has been marked as a duplicate of this bug. ***
*** Bug 277552 has been marked as a duplicate of this bug. ***
This bug is not well-assigned.  Anyone (mrbkap!) want to take it?

/be
Assignee: harishd → mrbkap
Attached patch patch v1 (obsolete) — Splinter Review 
With this patch, I introduce a new function to the nsIParser interface:
ContinueInterruptedParsing(). This function is to be used when the parser is
not currently parsing anything (not enforced) but is unblocked. This separation
allows me to stop any attempts to ContinueParsing() on a parser that is
unblocked, which in common usage means specifically that we are indeed already
parsing. I'm submitting this as a wallpaper until bug 84582 is fixed.
Attachment #171101 - Flags: review?(jst)
Comment on attachment 171101 [details] [diff] [review]
patch v1

r=jst
Attachment #171101 - Flags: review?(jst) → review+
Comment on attachment 171101 [details] [diff] [review]
patch v1

Looking for sr. If this is to be checked in for beta, then it'd be good to get
it checked in soon so we can catch regressions.
Attachment #171101 - Flags: superreview?(bzbarsky)
Depends on: 243338
Comment on attachment 171101 [details] [diff] [review]
patch v1

Yikes, this doesn't work quite right, I forgot to change the failed script load
case to call ContinueInterruptedParsing(). I'll attach a new patch, but hold
off on requesting reviews (since it looks like the approach in bug 243338 is
the safer fix).
Attachment #171101 - Attachment is obsolete: true
Attachment #171101 - Flags: superreview?(bzbarsky)
Attached patch patch v2Splinter Review 

    
    

    
  
Comment on attachment 171431 [details] [diff] [review]
patch v2

Actually, I now believe this patch is safe enough to be checked in.

There are currently 4 calls to nsParser::ContinueParsing(). One of these calls
is from nsParser::HandleParserContinueEvent().	This can safely call
ContinueInterruptedParsing(). Two other calls are in the script loader. One of
them is preceeded by code that says:
if (!mParser->IsParserEnabled()) {
  mParser->UnblockParser();
}

The other checks for IsParserEnabled() before calling ContinueParsing(), so
changing both of these to ContinueInterruptedParsing() is guaranteed to be
safe.

The only questionable call is the one in the css loader. However, there are two
paths to getting to the call:
1) The CSS loaded (or failed to connect, etc.) and the parser was blocked by
the loader. In this case ContinueParsing() is the correct thing to do.
2) There was a problem with the URI and we reached the call directly from the
parser without blocking it. In this case, we *should* ignore the
ContinueParsing() request and all the flags will be set correctly to do so.

In light of this, asking for sr=.

        Attachment #171431 -
        Flags: superreview?(bzbarsky)

    
    

    
  
Comment on attachment 171431 [details] [diff] [review]
patch v2

>     // Call this method to resume the parser from the blocked state..
>     NS_IMETHOD ContinueParsing() = 0;
>+    // Call this method to resume the parser from an unblocked state.
>+    NS_IMETHOD ContinueInterruptedParsing() = 0;

How would we be in such a state?  That is, requiring resuming but not blocked?

Perhaps some documentation on the interaction of these two functions with
BlockParser and UnblockParser (with examples, as needed) is in order.

sr=bzbarsky with some documentation about this.

        Attachment #171431 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  
Note that I removed the semicolons after the IIDs in nsIParser.h to fix build
bustage.

Fix checked in.

    
    

    
  
Fix was checked in, marking this bug FIXED.
Status: NEW → RESOLVED
Closed: 20 years ago
Hardware: PC → All
Resolution: --- → FIXED

    
    

    
  
Verified FIXED with build 2005-01-28-04 on Windows XP using Seamonkey trunk.

Tested with both http://flop.catus.net/mozbug/ and
data:text/html,<script>document.write('<link href="l:\\"
rel=stylesheet>')</script> (inserted into this bug's URL textfield).
Status: RESOLVED → VERIFIED

    
    

    
  
I am hitting this assertion:

###!!! ASSERTION: Trying to continue parsing on a unblocked parser.: '!(mFlags &
 NS_PARSER_FLAG_PARSER_ENABLED)', file d:/Mozilla/tip/mozilla/parser/htmlparser/
src/nsParser.cpp, line 1417

It is not easily reproducible, but seems to happen when clicking Reload on a
page with stylesheet links that take time to complete (I got the assertion at:
http://www.mozilla.org/start/)

    
    

    
  
(In reply to comment #24)
> It is not easily reproducible,

The next time you see this, could you please attach a stack trace? Incidentally
When this happens, does the page finish loading (i.e., does the throbber stop
spinning)? If it does, I think this may be beign.

    
    

    
  


  
Call stack for:
###!!! ASSERTION: Trying to continue parsing on a unblocked parser.: '!(mFlags
& NS_PARSER_FLAG_PARSER_ENABLED)', file nsParser.cpp, line 1417

It is 100% reproducable for me at http://flop.catus.net/mozbug/
(and the throbber stops spinning)

    
    

    
  
(In reply to comment #26)
> It is 100% reproducable for me at http://flop.catus.net/mozbug/
> (and the throbber stops spinning)

This is, unfortunately, expected. The CSS loader needs to be smarter about when
it calls ContinueParsing() and the assertion is a reminder of this. The reason
that that testcase asserts is because of the invalid <link> document.write()'n
out. The reason I'm concerned about rbs' assertion is because it's on a page
that doesn't have such a problem. There's a partial patch for the assertion on
this page in bug 243338.

    
    

    
  
Assertions should be fatal, and will be in 1.9 if I can help it, so do not use
them as warnings.  If your code can cope with this assertion botching, you
should not be asserting at all.  Please use NS_WARNING.

/be

    
    

    
  
*** Bug 285939 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 312407 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 312843 has been marked as a duplicate of this bug. ***

    
  
Keywords: testcase

    
    

    
  
parser/htmlparser/tests/crashtests/220542-1.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Crash Signature: [@ CNavDTD::BuildModel]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: