Closed Bug 245570 Opened 21 years ago Closed 21 years ago

crash when setting a cookie on topgratuit.com

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

VERIFIED FIXED
mozilla1.7final

People

(Reporter: bugmail-mozilla, Assigned: brendan)

Details

(Keywords: crash, verified1.7, Whiteboard: fixed-aviary1.0)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.6) Gecko/20040210 Firelimace/0.8 (User Agent modifie grace a Firesomething. Telechargez Firefox/0.8 en francais sur http://frenchmozilla.org/)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040603 Firefox/0.8.0+

On the page http://www.topgratuit.com/bienvenue.htm, the browser crashes when setting a cookie if you click "Cancel" in the dialog.

Reproducible: Always

Steps to Reproduce:
1. Save your data
2. Go to the page http://www.topgratuit.com/
3. Click Cancel

Actual Results:
The browser crashes if you didn't visit this site before.

Expected Results:
Nothing.

It crashes only the first time you go to the site, but if you clear your cookies and reload the page, it crashes again. Crashes on the latest Firefox 0.9, Mozilla 1.7 rc2 and several other configurations (Windows XP, 2000, ME; not tested on Linux). You can find some discussion about this bug (in French) on the page http://www.geckozone.org/forum/viewtopic.php?t=5362. Doesn't crash with 0.8_fr + TBE.
TB74610X Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040514
OS: Windows XP → All
Whiteboard: TB74610X
Confirming with build 2004-06-04-07 on Windows XP. Marking NEW.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Not sure where this bug should land, but I'm hoping jst can help investigate. /be
Component: JavaScript Engine → DOM: Level 0
crashes 1.7rc2

The instruction at xxxx referenced memory at xxxxx. The memory could not be "read".

call stack:
> xpcom.dll!nsSubstring::Assign(const unsigned short * data=0x020efde3, unsigned int length=0x020f0680) Line 292 + 0xb C++
  firefox.exe!JSValueToAString(JSContext * cx=0x050efee0, long val=0x010716b9, nsAString * result=0x0012ec34, int * isUndefined=0x000b0023) Line 825 + 0x1e C
  firefox.exe!nsJSContext::EvaluateString(const nsAString & aScript={...}, void * aScopeObject=0x020eb038, nsIPrincipal * aPrincipal=0x00000000, const char * aURL=0x05155520, unsigned int aLineNo=0x0000000d, const char * aVersion=0x600c41c0, nsAString & aRetValue={...}, int * aIsUndefined=0x0012ecdc) Line 967 + 0x15 C
  firefox.exe!nsScriptLoader::EvaluateScript(const nsString & aScript={...}, nsCOMPtr<nsIScriptContext> context={...}) Line 660 C
  firefox.exe!nsScriptLoader::ProcessRequest(nsAutoString textData={...}) Line 573 + 0x8 C
  firefox.exe!nsScriptLoader::ProcessScriptElement(nsIDOMHTMLScriptElement * aElement=0x037142ac, nsIScriptLoaderObserver * aObserver=0x037142b0) Line 519 + 0xc C
  firefox.exe!nsHTMLScriptElement::MaybeProcessScript() Line 656 C
  firefox.exe!nsHTMLScriptElement::SetDocument(nsIDocument * aDocument=0x0347e3f8, int aDeep=0x00000000, int aCompileEventHandlers=0x00000001) Line 469 + 0x5 C
  firefox.exe!nsGenericElement::AppendChildTo(nsIContent * aKid=0x03714290, int aNotify=0x00000000, int aDeepSetDocument=0x00000000) Line 2561 C
  firefox.exe!HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & aNode={...}) Line 4357 C
  firefox.exe!HTMLContentSink::AddLeaf(const nsIParserNode & aNode={...}) Line 3209 + 0x9 C
  firefox.exe!CNavDTD::AddLeaf(const nsIParserNode * aNode=0x03030ea0) Line 3787 + 0xd C
  firefox.exe!CNavDTD::HandleScriptToken() Line 2327 C
  firefox.exe!CNavDTD::OpenContainer(int aClosedByStartTag=0x00000000, nsEntryStack * aStyleStack=0x00000000, int rs_tag=0x00000000) Line 3439 + 0x9 C
  firefox.exe!CNavDTD::HandleDefaultStartToken(CToken * aToken=0x02de2b00, nsCParserNode * aNode=0x03030ea0, int theIndex=0x00000009) Line 1457 + 0xf C
  firefox.exe!CNavDTD::HandleStartToken(CToken * aToken=0x02de2b00) Line 1835 + 0xc C
  firefox.exe!CNavDTD::HandleToken(CToken * aToken=0x00000001, nsIParser * aParser=0x039db3f0) Line 1019 + 0x8 C
  firefox.exe!CNavDTD::BuildModel(nsIParser * aParser=0x039db3f0, nsITokenizer * aTokenizer=0x05085660, nsITokenObserver * anObserver=0x00000000, nsIContentSink * aSink=0x035f9e74) Line 511 + 0x8 C
  firefox.exe!nsParser::BuildModel() Line 1894 + 0xd C
  firefox.exe!nsParser::ResumeParse(int allowIteration=0x00000001, int aIsFinalChunk=0x00000001, int aCanInterrupt=0x00000001) Line 1761 + 0x7 C
  firefox.exe!nsParser::ContinueParsing() Line 1359 + 0xc C
  firefox.exe!CSSLoaderImpl::SheetComplete(SheetLoadData * aLoadData=0x04d28320, int aSucceeded=0x00000001) Line 1532 C
  firefox.exe!CSSLoaderImpl::ParseSheet(nsIUnicharInputStream * aStream=0x0348dae0, int & aCompleted=0x00000001, nsCOMPtr<nsICSSStyleSheet> dummySheet={...}) Line 1467 C
  firefox.exe!SheetLoadData::OnStreamComplete(nsIUnicharStreamLoader * aLoader=0x0515b748, nsISupports * aContext=0x00000000, unsigned int aStatus=0x00000000, nsIUnicharInputStream * aDataStream=0x0348dae0) Line 805 + 0x10 C
  firefox.exe!nsUnicharStreamLoader::OnStopRequest(nsIRequest * request=0x0348dae0, nsISupports * ctxt=0x00000000, unsigned int aStatus=0x00000000) Line 196 C
  firefox.exe!nsHttpChannel::OnStopRequest(nsIRequest * request=0x03a325a8, nsISupports * ctxt=0x00000000, unsigned int status=0x00000000) Line 3542 C
  firefox.exe!nsInputStreamPump::OnStateStop() Line 499 C
  firefox.exe!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x027950c0) Line 340 C
  xpcom.dll!nsInputStreamReadyEvent::EventHandler(PLEvent * plevent=0x03603b94) Line 215 C++
  xpcom.dll!PL_HandleEvent(PLEvent * self=0x03603b94) Line 673 + 0x4 C++
  xpcom.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x0119b138) Line 608 + 0x6 C++
  xpcom.dll!_md_EventReceiverProc(HWND__ * hwnd=0x03400544, unsigned int uMsg=0x0000c120, unsigned int wParam=0x00000000, long lParam=0x0119b138) Line 1415 C++
  user32.dll!77d0612f()
  user32.dll!77d069a5()
  user32.dll!77d0695b()
  user32.dll!77d351fe()
  user32.dll!77d06689()
  user32.dll!77d07438()
  user32.dll!77d351fe()
  user32.dll!77d06704()
  firefox.exe!nsAppShell::Run() Line 159 C
  firefox.exe!nsAppShellService::Run() Line 489 C
  firefox.exe!xre_main(int argc=0x041e0d00, char * * argv=0x010716b9, const nsXREAppData * aAppData=0x00000000) Line 1987 C
  firefox.exe!WinMain(HINSTANCE__ * __formal=0x00400000, HINSTANCE__ * __formal=0x00400000, char * args=0x00152348, HINSTANCE__ * __formal=0x00400000) Line 67 + 0x1c C
  firefox.exe!WinMainCRTStartup() Line 390 + 0x1b C
  kernel32.dll!_BaseProcessStart@4() + 0x23

code: (nstsubstring.cpp, void nsTSubstring_CharT::Assign( const char_type* data, size_type length ) )
  ....
  ....
      ReplacePrep(0, mLength, length);
  6037F676  push   edi
  6037F677  push   eax
  6037F678  push   0
  6037F67A  call   nsSubstring::ReplacePrep (6037F400h)
      char_traits::copy(mData, data, length);
  6037F67F  lea    ecx,[edi+edi]
  6037F682  mov    edi,dword ptr [ebx+4]
  6037F685  mov    edx,ecx
  6037F687  shr    ecx,2
  6037F68A  rep movs dword ptr [edi],dword ptr [esi]    <======== CRASH HERE
  6037F68C  mov    ecx,edx
  6037F68E  and    ecx,3
  6037F691  rep movs byte ptr [edi],byte ptr [esi]
  6037F693  pop    edi
  6037F694  pop    esi
  6037F695  pop    ebx

registers:
  EAX = 020F0680  EBX = 0012ED38  ECX = 010716B9  EDX = 041E0D00
  ESI = 0210AFFF  EDI = 0874B244  EIP = 6037F68A  ESP = 0012EC34
  EBP = 050EFEE0  EFL = 00210212
Flags: blocking1.7?
Assignee: general → brendan
Flags: blocking1.7? → blocking1.7+
Priority: -- → P1
Target Milestone: --- → mozilla1.7final
This crash happens when Mozilla is executing the following top-level script and you hit "Cancel" in the confirm() dialog:

  cookie_name = "tgg50";
  if(document.cookie) {
    index = document.cookie.indexOf(cookie_name);
  } else {
    index = -1;
  }
  var date = new Date();
  date.setMonth(date.getMonth()+1);
  var expires = date.toGMTString();
  if (index == -1) {
    document.cookie=cookie_name+"=1; expires=" + expires;
    if (confirm("Avec France Télécom, cumulez des points et gagnez des cadeaux !")) {
      ...
    }
  } else {
    ...
  }

Brendan and I had a look at this in a debugger, and he's got a lead...
Very old bug: the result jsval passed by reference to JS_Evaluate*Script and similar such APIs that call js_Interpret is not rooted. Two line patch coming up. /be
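The comment above names the failure class: a result value handed back through a C out-parameter is invisible to the garbage collector unless someone registers it as a root, so a collection triggered while the engine is still running (here, while the confirm() dialog spins the event loop) can sweep it before the caller reads it. The toy below is an added illustration, not SpiderMonkey or Mozilla code: it models a tiny precise mark-and-sweep heap with an explicit root stack, a stand-in for JS_EvaluateScript that writes its result through an out-parameter, and a stand-in for JSValueToAString that reads it back. With `root_result` off, the result is swept and the read hits poisoned memory (reported as a status code rather than a real fault so the run is deterministic); with it on, the value is pushed on the root stack for the duration of the call and survives. All names (`Context`, `Cell`, `gc_*`, `evaluate_script`, `value_to_string`, `run_scenario`) are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Toy precise mark-and-sweep heap with an explicit root stack (added
 * illustration of the rooting bug described above; not Mozilla code). */
#define HEAP_CELLS 8
#define ROOT_SLOTS 8
#define TEXT_LEN   32

typedef struct Cell {
    int  live;            /* allocated and not yet swept */
    int  marked;          /* reachable from a root in the current collection */
    char text[TEXT_LEN];  /* payload, e.g. a script's string result */
} Cell;

typedef struct Context {
    Cell  heap[HEAP_CELLS];
    Cell *roots[ROOT_SLOTS];  /* root stack, like a temp-root list */
    int   nroots;
} Context;

static Cell *gc_alloc(Context *cx, const char *text) {
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (!cx->heap[i].live) {
            cx->heap[i].live = 1;
            cx->heap[i].marked = 0;
            snprintf(cx->heap[i].text, TEXT_LEN, "%s", text);
            return &cx->heap[i];
        }
    }
    return NULL;  /* toy heap exhausted; never reached in this example */
}

static void gc_push_root(Context *cx, Cell *c) { cx->roots[cx->nroots++] = c; }
static void gc_pop_root(Context *cx)           { cx->nroots--; }

/* Mark every cell on the root stack, sweep the rest. Swept cells get a
 * recognisable poison pattern so a stale read is detectable, not UB. */
static void gc_collect(Context *cx) {
    for (int i = 0; i < HEAP_CELLS; i++) cx->heap[i].marked = 0;
    for (int i = 0; i < cx->nroots; i++) if (cx->roots[i]) cx->roots[i]->marked = 1;
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (cx->heap[i].live && !cx->heap[i].marked) {
            cx->heap[i].live = 0;
            memset(cx->heap[i].text, '#', TEXT_LEN - 1);
            cx->heap[i].text[TEXT_LEN - 1] = '\0';
        }
    }
}

/* Stand-in for JS_EvaluateScript: produce the result through an out-param,
 * then keep running (the confirm() dialog pumps events, which allocate and
 * may trigger a collection) before returning to the caller. */
static void evaluate_script(Context *cx, Cell **rval, int root_result) {
    *rval = gc_alloc(cx, "script result");
    if (root_result) gc_push_root(cx, *rval);  /* the fix: root the out-param */
    gc_alloc(cx, "temporary");                 /* nested activity during the dialog */
    gc_collect(cx);
    if (root_result) gc_pop_root(cx);
}

/* Stand-in for JSValueToAString: copy the result out. Returns 0 on success,
 * -1 if the value was already swept (the poisoned text is still copied so
 * the caller can see what it would have read). */
static int value_to_string(const Cell *v, char *out, size_t outlen) {
    snprintf(out, outlen, "%s", v->text);
    return v->live ? 0 : -1;
}

/* Runs one evaluate-then-read sequence; root_result selects bug vs fix. */
int run_scenario(int root_result, char *out, size_t outlen) {
    Context cx;
    Cell *rval = NULL;
    memset(&cx, 0, sizeof cx);
    evaluate_script(&cx, &rval, root_result);
    return value_to_string(rval, out, outlen);
}

int main(void) {
    char buf[TEXT_LEN];
    int rc = run_scenario(0, buf, sizeof buf);
    printf("unrooted: rc=%d text=\"%s\"\n", rc, buf);
    rc = run_scenario(1, buf, sizeof buf);
    printf("rooted:   rc=%d text=\"%s\"\n", rc, buf);
    return 0;
}
```

The real engine does not poison swept cells; the analogue of the `rc=-1` path is the `rep movs` fault in `nsSubstring::Assign` shown in the stack above, where `JSValueToAString` copies from a string whose backing store has already been reclaimed. The defensive rule the example encodes is the one the fix applies: any GC-managed value that lives only in native storage across a point where the engine may run must be on the root stack for exactly that span.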
Status: NEW → ASSIGNED
Attached patch proposed fix
jst, can you give this a whirl? /be
Attachment #150048 - Flags: review?(shaver)
Component: DOM: Level 0 → JavaScript Engine
Hardware: PC → All
Attachment #150048 - Flags: superreview?(jst)
Comment on attachment 150048 [details] [diff] [review] proposed fix Looks good, and fixes the crash. sr=jst
Attachment #150048 - Flags: superreview?(jst) → superreview+
Comment on attachment 150048 [details] [diff] [review] proposed fix shaver sez r=him over the phone. /be
Attachment #150048 - Flags: review?(shaver) → review+
Attachment #150048 - Flags: approval1.7?
Fixed on trunk and 1.7 branch -- thanks to jst for the debugging and testing! /be
Keywords: fixed1.7
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: needed-aviary1.0
Verified FIXED on the trunk for me with build 2004-06-06-09, Windows XP. (Will someone else do the 1.7 branch verification?)
Status: RESOLVED → VERIFIED
FIXED with Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040606
Whiteboard: needed-aviary1.0 → fixed-aviary1.0
Keywords: fixed1.7 → verified1.7