Closed Bug 329364 Opened 18 years ago Closed 18 years ago

Crash with iExploder testcase 10158270

Categories

(Core :: DOM: HTML Parser, defect, P1)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: j.moz, Assigned: mrbkap)

References

(
URL
)

Details

(4 keywords, Whiteboard: [patch][rft-dl])

Attachments

(3 files)

testcase
24 bytes, text/html
Details
Proposed fix
1.50 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
Better proposed fix
1.61 KB, patch
jst
: approval-branch-1.8.1+
timr
: approval1.8.0.2+
Details | Diff | Splinter Review 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1

The browser crashes with iExploder test 10158270

Found using http://toadstool.se/software/iexploder/

TB15912060Z, TB15932599H
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060228 Firefox/1.6a1 ID:2006022815

1. Go to http://toadstool.se/software/iexploder/
2. Enter 10158270 in 'Lookup a single test number:'
3. Press return or click lookup --> CRASH!

My TB15933186X [@ js_FindConstructor e0906f3a]
Attached file testcase 
Reduced test case. TB15912033W, TB15929766H, TB15930568Z.

The source is <h1><table>a</h2><title>
I think lots of iExploder crashes are variants of this bug. Tests 10073854, 10150163, 10158270, 10570989, 10707715 and 10797599 all look similar. For example 10073854 is essentially <h4><table>a</h5><title>, 10150163 is <h4><table>a</h2><style> etc.
Keywords: testcase
Seems like a parser bug to me.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → parser
Indeed it is.
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Attached patch Proposed fixSplinter Review 
Harish's fix for bug 25202 was not quite sufficient. His fix caught the case where the tag closing the context tag (which is the tag that we're inserting the misplaced content into) was the exact same as the context tag. In this case, however, we're looking at a quirk where </h2> closes the open <h1> tag, which is the "top" index. Therefore Harish's IndexOf call was returning the wrong answer, and we were closing the wrong context. This patch makes the HandleSavedTokens path imitate the HandleEndToken path, so it'll find the <h1> and discard the </h2> without doing any damage.
Attachment #214073 - Flags: superreview?(jst)
Attachment #214073 - Flags: review?(jst)
Also note that this patch might impose a small performance hit on pages that have malformed table content, but I'm hoping that it won't be large enough to notice (and since this is really badly malformed content, I don't think I care about penalizing such pages anyway).
Does the patch also fix bug 329398 and bug 329399?
bug 329398 is fixed by this patch, bug 329399 is not.
*** Bug 329398 has been marked as a duplicate of this bug. ***
Comment on attachment 214073 [details] [diff] [review]
Proposed fix

r+sr=jst
Attachment #214073 - Flags: superreview?(jst)
Attachment #214073 - Flags: superreview+
Attachment #214073 - Flags: review?(jst)
Attachment #214073 - Flags: review+
jst agrees with this fix on the fix, which is to avoid doing the LastOf call if we're unable to find a close target.
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment on attachment 214215 [details] [diff] [review]
Better proposed fix

Nominating for branches.
Attachment #214215 - Flags: approval1.8.0.2?
Attachment #214215 - Flags: approval1.7.14?
Attachment #214215 - Flags: approval-branch-1.8.1?(jst)
Attachment #214215 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Comment on attachment 214215 [details] [diff] [review]
Better proposed fix

a=timr for drivers.  This fixes a blocker bug (329406)  that references this bug.
Attachment #214215 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1
Status: RESOLVED → VERIFIED
Whiteboard: [patch] → [patch][rft-dl]
oops - clicked wrong thing and marked bug as verified.  starting 2-step process to reset as resolved.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → FIXED
Flags: blocking1.8.1+
Flags: blocking1.8.0.2+
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060307 Firefox/1.5.0.2, no crash with iexploder test 10158270.
Keywords: fixed1.8.0.2verified1.8.0.2
Verified FIXED on trunk using SeaMonkey build 2006-03-07-10 on Windows XP with the testcase of/at: https://bugzilla.mozilla.org/attachment.cgi?id=214022
Status: RESOLVED → VERIFIED
Attachment #214215 - Flags: approval1.7.14?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: