Bug 329364: Crash with iExploder testcase 10158270
Opened 18 years ago, Closed 18 years ago
Status: VERIFIED FIXED
Target milestone: mozilla1.9alpha1
Categories: Core :: DOM: HTML Parser, defect, P1
People: Reporter: j.moz, Assigned: mrbkap
Details: 4 keywords, Whiteboard: [patch][rft-dl]
Attachments (3 files):
24 bytes, text/html
1.50 KB, patch (jst: review+, jst: superreview+)
1.61 KB, patch (jst: approval-branch-1.8.1+, timr: approval1.8.0.2+)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1
The browser crashes with iExploder test 10158270
Found using http://toadstool.se/software/iexploder/
TB15912060Z, TB15932599H
Comment 1•18 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060228 Firefox/1.6a1 ID:2006022815
1. Go to http://toadstool.se/software/iexploder/
2. Enter 10158270 in 'Lookup a single test number:'
3. Press return or click lookup
--> CRASH!
My TB15933186X [@ js_FindConstructor e0906f3a]
Reduced test case. TB15912033W, TB15929766H, TB15930568Z. The source is <h1><table>a</h2><title>
I think lots of iExploder crashes are variants of this bug. Tests 10073854, 10150163, 10158270, 10570989, 10707715 and 10797599 all look similar. For example 10073854 is essentially <h4><table>a</h5><title>, 10150163 is <h4><table>a</h2><style> etc.
Keywords: testcase
Comment 4•18 years ago
Seems like a parser bug to me.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → parser
Comment 5•18 years ago (Assignee)
Indeed it is.
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Comment 6•18 years ago (Assignee)
Harish's fix for bug 25202 was not quite sufficient. His fix caught the case where the tag closing the context tag (which is the tag that we're inserting the misplaced content into) was the exact same as the context tag. In this case, however, we're looking at a quirk where </h2> closes the open <h1> tag, which is the "top" index. Therefore Harish's IndexOf call was returning the wrong answer, and we were closing the wrong context. This patch makes the HandleSavedTokens path imitate the HandleEndToken path, so it'll find the <h1> and discard the </h2> without doing any damage.
Attachment #214073 - Flags: superreview?(jst)
Attachment #214073 - Flags: review?(jst)
Comment 7•18 years ago (Assignee)
Also note that this patch might impose a small performance hit on pages that have malformed table content, but I'm hoping that it won't be large enough to notice (and since this is really badly malformed content, I don't think I care about penalizing such pages anyway).
Comment 8•18 years ago
Does the patch also fix bug 329398 and bug 329399?
Comment 9•18 years ago (Assignee)
bug 329398 is fixed by this patch, bug 329399 is not.
Comment 10•18 years ago (Assignee)
*** Bug 329398 has been marked as a duplicate of this bug. ***
Comment 11•18 years ago
Comment on attachment 214073: Proposed fix
r+sr=jst
Attachment #214073 - Flags: superreview?(jst)
Attachment #214073 - Flags: superreview+
Attachment #214073 - Flags: review?(jst)
Attachment #214073 - Flags: review+
Comment 12•18 years ago (Assignee)
jst agrees with this fix on the fix, which is to avoid doing the LastOf call if we're unable to find a close target.
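The guard that comments 6 and 12 describe, as a simplified model added here (not Mozilla's parser code and not either attached patch). The function names, the string-based element stack and the index comparison are assumptions of this model.

```cpp
#include <string>
#include <vector>
// Simplified model with hypothetical names; not Mozilla's parser code.
using Stack = std::vector<std::string>;   // open elements, bottom to top
const int kNotFound = -1;

bool isHeading(const std::string& t) {
    return t.size() == 2 && t[0] == 'h' && t[1] >= '1' && t[1] <= '6';
}

// Index of the topmost open element named `tag`, or kNotFound.
int lastOf(const Stack& s, const std::string& tag) {
    for (int i = (int)s.size() - 1; i >= 0; --i)
        if (s[i] == tag) return i;
    return kNotFound;
}

// Element an end tag really closes. Models the quirk in this bug: a heading
// end tag closes the nearest open heading of any level.
std::string closeTargetFor(const Stack& s, const std::string& endTag) {
    for (int i = (int)s.size() - 1; i >= 0; --i)
        if (s[i] == endTag || (isHeading(endTag) && isHeading(s[i])))
            return s[i];
    return "";   // nothing open that this end tag can close
}

// Pre-fix guard: looks up the end tag's own name, so </h2> misses <h1>.
bool discardExactMatch(const Stack& s, int contextTop, const std::string& endTag) {
    int idx = lastOf(s, endTag);
    return idx != kNotFound && idx <= contextTop;
}

// Post-fix guard: resolve the close target first, skip the lookup if none.
bool discardByCloseTarget(const Stack& s, int contextTop, const std::string& endTag) {
    std::string target = closeTargetFor(s, endTag);
    return !target.empty() && lastOf(s, target) <= contextTop;
}

// Replay one saved end tag; returns the stack afterwards.
Stack replayEndTag(Stack s, int contextTop, const std::string& endTag, bool fixed) {
    bool discard = (fixed ? discardByCloseTarget : discardExactMatch)(s, contextTop, endTag);
    std::string target = closeTargetFor(s, endTag);
    if (!discard && !target.empty()) s.resize(lastOf(s, target));
    return s;
}

int main() {   // constructed stack: <h1> at index 2 is the context tag
    return replayEndTag({"html", "body", "h1"}, 2, "h2", true).size() == 3 ? 0 : 1;
}
```

With the constructed stack html, body, h1 and the context at index 2, the pre-fix guard lets </h2> through and the context element is popped; the post-fix guard discards the token and the stack is unchanged.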
Comment 13•18 years ago (Assignee)
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 14•18 years ago (Assignee)
Comment on attachment 214215: Better proposed fix
Nominating for branches.
Attachment #214215 - Flags: approval1.8.0.2?
Attachment #214215 - Flags: approval1.7.14?
Attachment #214215 - Flags: approval-branch-1.8.1?(jst)
Updated•18 years ago
Attachment #214215 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Comment 15•18 years ago
Comment on attachment 214215: Better proposed fix
a=timr for drivers. This fixes a blocker bug (329406) that references this bug.
Attachment #214215 - Flags: approval1.8.0.2? → approval1.8.0.2+
Comment 16•18 years ago (Assignee)
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1
Updated•18 years ago
Status: RESOLVED → VERIFIED
Whiteboard: [patch] → [patch][rft-dl]
Comment 17•18 years ago
oops - clicked wrong thing and marked bug as verified. starting 2-step process to reset as resolved.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Updated•18 years ago
Status: REOPENED → RESOLVED
Closed: 18 years ago → 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Flags: blocking1.8.1+
Flags: blocking1.8.0.2+
Comment 18•18 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060307 Firefox/1.5.0.2, no crash with iexploder test 10158270.
Keywords: fixed1.8.0.2 → verified1.8.0.2
Verified FIXED on trunk using SeaMonkey build 2006-03-07-10 on Windows XP with the testcase of/at: https://bugzilla.mozilla.org/attachment.cgi?id=214022
Status: RESOLVED → VERIFIED
Updated•17 years ago (Assignee)
Attachment #214215 - Flags: approval1.7.14?