Closed Bug 70005 Opened 25 years ago Closed 25 years ago

Crash in GC when running XUL with JS disabled

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.8.1

People

(Reporter: security-bugs, Assigned: waterson)

Details

Attachments

(7 files)

xul31.xul - part of testcase
1.07 KB, application/xul
Details
xul29.xul - part of testcase
4.51 KB, application/xul
Details
nojs.html - last part of testcase
185 bytes, text/html
Details
WinNT stack trace of crash
5.61 KB, text/plain
Details
Linux stack trace of hang on load
4.39 KB, text/plain
Details
only root if something got compiled (diff -wu)
780 bytes, patch
Details | Diff | Splinter Review
diff -wu, do event handlers, too
1.31 KB, patch
Details | Diff | Splinter Review
There is a problem when javascript is disabled but XUL file contains javascript. Depeneding on the JS in the XUL Mozilla crashes on load or after several reloadings. The point and type of crash also vary depending on the content. Sometimes - nojs.html testcase - the problem is the garbage collector and mozilla jumps somewhere in ntdll.dll on win2k. Other times - xul29.xul testcase - mozilla references NULL object and the crash is immediate access violation. I don't know whether this is exploitable but it may turn out to be - jumping to arbitrary addresses is dangerous. To test the testcases turn off javascript. Georgi Guninski
The bug may not be in the engine, although that is where we're crashing. Assigning to Phil for triage.
OK, here is what happened when I tried to open nojs.html. I haven't had a successful WinNT debug build for some days now, so the one I am using dates back to 2001-02-12. WinNT 20010212xx (JavaScript enabled) : no problem The page loads, and reloads; you see "XXXXXXXXX" loading in the left-hand box. WinNT 20010212xx (JavaScript disabled) : crash on load! You see the "XXXXXX" load once or twice, and then you crash. Will attach stack trace below. Note: you see this message in the debug console: Document file: ///(local path)/nojs.html loaded successfully JS API usage error: the address passed to JS_AddNamedRoot currently holds an invalid jsval. This is usually caused by a missing call to JS_RemoveRoot. The root's name is "nsXULPrototypeScript::mScriptObject". Based on this message, reassigning to Layout component for further triage - is this the component that owns nsXULPrototypeScript?
Assignee: pschwartau → karnaze
Component: Javascript Engine → Layout
QA Contact: pschwartau → petersen
Here's what I found with a debug Linux build: (from 2001-02-19): Whether or not JavaScript is enabled, nojs.html refuses to load, and the browser appears to hang to the user. In the debug console, you see hundreds of lines like these: Enabling Quirk StyleSheet Error loading URL file:///(local path)/nojs.html: 804b0002 Enabling Quirk StyleSheet Error loading URL file:///(local path)/nojs.html: 804b0002 Enabling Quirk StyleSheet Error loading URL file:///(local path)/nojs.html: 804b0002 etc. etc. When JavaScript was enabled, I seemed to be unable to interrupt this via Ctrl+C. When JavaScript was disabled, I successfully interrupted the browser and got a stack trace. Will attach that below -
Note: all my findings above are for the file nojs.html. When I tried xul29.xul, I never crashed on it with my WinNT build. On Linux, once again the page would not even load. I tried with and without JavaScript enabled on both platforms -
This crash should be reassigned, as it crashes in brendans land setting him on CC (usually I would reassign ....)
The windows stack trace suggests that a bogus root has been left in the JS GC's root hashtable. Reassigning to waterson, although I'm happy to help. I don't know what the Linux stack indicates. Bernd, that could be my bug, but let's start with the easier diagnosis and cure the windows crash. /be
Assignee: karnaze → waterson
mstoltz: can you r=? brendan, sr=?
Target Milestone: --- → mozilla0.8.1
Looks good, r=mstoltz.
Hmm, after looking at this one more time, I suspect we should probably be paranoid with event handlers as well, for paranoia's sake.
Status: NEW → ASSIGNED
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Marking verified in the May 22 build.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: