Closed
Bug 339128
(stirtable)
Opened 18 years ago
Closed 4 months ago
[meta] StirTable meta bug
Categories
(Core :: Layout: Tables, defect)
Core
Layout: Tables
Tracking
()
RESOLVED
INACTIVE
People
(Reporter: MatsPalmgren_bugz, Unassigned)
References
(Depends on 1 open bug, )
Details
(Keywords: meta, sec-other, Whiteboard: [sg:nse meta])
Attachments
(11 files, 7 obsolete files)
|
5.55 KB,
text/html
|
Details | |
|
6.43 KB,
text/html
|
Details | |
|
7.52 KB,
text/html
|
Details | |
|
1.29 KB,
text/plain
|
Details | |
|
3.50 KB,
application/zip
|
Details | |
|
8.01 KB,
text/javascript
|
Details | |
|
1.88 KB,
application/xhtml+xml
|
Details | |
|
7.95 KB,
text/javascript
|
Details | |
|
1.86 KB,
text/html
|
Details | |
|
8.88 KB,
text/javascript
|
Details | |
|
12.43 KB,
text/javascript
|
Details |
This tool is pretty simple actually, it adds and removes table elements and for <td> it uses a random colspan/rowspan, so I am a bit surprised that it seems to cause so many crashes and table assertions that I haven't seen before. I'll file the individual crashes separately, blocking this bug.
|
Reporter | |
Comment 1•18 years ago
|
||
Start by pressing the "start random changes" button.
|
|
Reporter | |
Comment 2•18 years ago
|
||
Now also generates <colgroup> and <col> (found 1 new bug on this) Added random width/height px and % attrs on all levels (no new bugs so far)
|
||
Comment 3•18 years ago
|
||
I can make reduced testcases if needed, using the techniques in bug 331889 and bug 329066.
Jesse: Please, Please do so. I don't have the capacity to reduce the crashes down to testcases. Mats: Please put me on CC on every crash bug that you file under layout-table. I currently touch only this class of bugs.
If a testcase trips the following assertion: ASSERTION: colgroup data should not be null - bug 237421 then it would be enormous helpfull to have also a testcase that is further reduced till it only triggers the assert.
|
|
Reporter | |
Comment 6•18 years ago
|
||
Now also generates <caption> Randomly toggles style.visibility:collapse/visible Uses location.search to initialize the seed if present, for example: file:///home/mats/stirtable/StirTable-v03.html?seed=18
|
|
Reporter | |
Comment 7•18 years ago
|
||
FWIW, this is a python hack I did to start seamonkey in gdb for a range of seeds. It runs seamonkey until it crashes, takes a stack dump and then continues... Adjust the profile name in this script and then run for example: python crashgen-v01.py file:///home/mats/stirtable/StirTable-v03.html (Note: it overwrites .gdbinit in the local directory)
|
|
Reporter | |
Comment 8•18 years ago
|
||
I ran StirTable-v03.html with seed 0 to 127 and I couldn't find any new unique stacks other than what has been reported uptil now (last 339264).
Mats could you modify the StirTable so that it flattens the actions to a log that could be replayed like the dom stir recorder?
|
|
||
Comment 10•18 years ago
|
||
I'm working on that right now.
|
|
||
Comment 11•18 years ago
|
||
I ended up using a strategy more like in bug 326633: it prints what it's about to do using dump, then does it. You can then copy&paste the console output (grep for lines containing "anonymous" if needed) into an array at the top of the script. I used this (with Lithium) to make testcases for bug 339246, bug 339315, and bug 339130. This should do the same thing for a given seed as StirTable 0.3. I broke the manual buttons, but that shouldn't be too hard to fix. Mats, if you create updated versions, please base them on this so it will remain easy to make reduced testcases.
|
|
||
Comment 12•18 years ago
|
||
Btw, I think fixing those 3 will make several others go away as well. While reducing each bug I often saw several stacks.
|
||
Comment 13•18 years ago
|
||
Mats, Martijn, Jesse: can we get together on a design for these fuzzers that would allow me to plug them into the automation without having to fork them each time?
|
||
Comment 14•18 years ago
|
||
At first glance the testcases involve zero row-, colspans. A badly tested code area. Does any of the crashes happen in quirks mode (zero spans are disabled in quirks mode).
|
|
||
Comment 15•18 years ago
|
||
I still get a lot of crashes if I make it not set rowspans or colspans of 0. I attached a reduced testcase to bug 339170 that doesn't involve rowspans or colspans at all.
|
|
||
Comment 16•18 years ago
|
||
Even though those three bugs have testcases with rowspan=0 or colspan=0, I think at least some of the same crashes can happen without rowspan=0 or colspan=0.
|
|
||
Updated•18 years ago
|
|
|
||
Comment 17•18 years ago
|
||
* Converted it to use fuzz.js (see bug 339948). * Fixed some ugliness I introduced in the conversion to command strings. * Made it work as a bookmarklet: add IDs as needed, bail when the page has no tables, etc. * Removed the manual buttons, but leave the counters. * Converted the main page to (text/html-safe) XHTML, making it easy to ensure that the fuzzer works with both HTML and XHTML. I did not try to maintain seed-compatibility this time. I haven't converted it to use createElementNS, so I don't think it will work on SVG pages.
Attachment #223438 -
Attachment is obsolete: true
|
||
Updated•18 years ago
|
Whiteboard: [sg:nse meta]
|
|
||
Comment 18•18 years ago
|
||
Updated for fuzz.js 2.0.
Attachment #224055 -
Attachment is obsolete: true
|
|
||
Comment 19•18 years ago
|
||
|
|
||
Comment 20•18 years ago
|
||
The first round of patches got checked in, if somebody could independently verify my alleged dupes I would be grateful. I think the bugs without a seed are now close to useless. Even the bugs with seeds are probably obsolete. A second round of testing preferably coupled with a first reduction via lithium would be very helpful.
|
|
||
Comment 21•18 years ago
|
||
This are the files that I use to get from a scanning fuzz to a fairly reduced testcase. Not optimized nothing to be really proud of but it moves the burden on the PC.
|
|
||
Comment 22•18 years ago
|
||
Adds some features: * Sometimes violate the "preferred children" rules. For example, when creating a TR, it usually creates a TD child, but sometimes it creates a different kind of child (e.g. a TR or a TABLE or a DIV), and sometimes it does not create a child at all. * Change more CSS: float, position, display: table-*, and a few others. Surprisingly, I haven't found any new bugs as a result of adding these features.
Attachment #226752 -
Attachment is obsolete: true
|
|
||
Comment 23•18 years ago
|
||
Small changes to the CSS.
Attachment #226753 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 24•18 years ago
|
||
v2.1 restores the rowspan/colspan=0 feature and removes the non-table elements and styling features. This does not replace v2.0.9, it's an alternative.
|
|
||
Comment 25•18 years ago
|
||
Based on (and replacing) 2.0.9, not 2.1.
Attachment #236736 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 26•17 years ago
|
||
Now has all 4 combinations of border-collapse:collapse/separate and table-layout:fixed/auto. Uses fuzz-2.0.3.js + StirTable-2.1.js
Attachment #236737 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 27•17 years ago
|
||
A small change to re-enable <caption> changes.
|
|
||
Comment 28•17 years ago
|
||
How does one use the output of t v2.1.1???
What I get with recording on is:
{ origCount: 1, fun: function() { var $table16 = doc.getElementById('table16'); undefined } },
{ origCount: 2, fun: function() { var $table16 = doc.getElementById('table16'); var newNode = document.createElement('caption'); newNode.appendChild(document.createTextNode('CAPTION')); newNode.setAttribute('id', 'caption20'); newNode.setAttribute('height', '1em'); $table16.insertBefore(newNode, doc.getElementById('tbody12')); bless(newNode); } },
What I would expect is a output that could be pasted into a xhtml file and will reproduce the bugs and has *NO* randomness at all. The function bless(newNode) is just the opposite of it. It needs to be flattened.
I am basically trowing the towel at 370709 370710 370711 370712 370713. As I don't get the deterministic xhtml file I can't feed it to lithium.
No lithium ===> No test case
No test case ===> No action on security tagged bugs
|
|
||
Comment 29•17 years ago
|
||
bless() shouldn't be a problem. It doesn't affect the DOM directly; it only influences future randomly generated functions. If all of the functions are recorded, it doesn't affect anything at all. What is a problem is the document.body.offsetHeight in doCommand. doCommand is used during the initial run but not during playback, so any bug that relies on the layout-forcing of document.body.offsetHeight is not triggered during playback. This is an API flaw in fuzz.js (my fault) and has tripped me up more than once; I'll try to fix it for the next version of fuzz.js. The short-term workaround is to move document.body.offsetHeight from doCommand to somewhere where it will get executed reliably.
|
|
Reporter | |
Comment 30•17 years ago
|
||
|
|
Reporter | |
Comment 31•17 years ago
|
||
(In reply to comment #29) > The short-term workaround is to move document.body.offsetHeight from > doCommand to somewhere where it will get executed reliably. I moved document.body.offsetHeight into the command itself for now. At the same time I added a parameter to control how often it's included. StirTable 2.2 changes: * added 'ch' length unit * workaround for the document.body.offsetHeight problem: parameter "flush" is 0 to 100, probability of including it (100 is the default to be compatible with earlier versions of StirTable which always did it in doCommand) * added a resize feature that resizes the test container: parameter "resize" is 0 to 100, probability of resizing the test container after a command. (0 is the default for back compat.) Example: StirTable-2.2-quirks.html?fuzz=a,b,c,d,e&resize=25&flush=50 generates commands that looks like: <Command>; resizeContainer('testRootContainer'); doc.body.offsetHeight; where <Command> is the same as earlier versions of StirTable and 25% of the total commands will have the resizeContainer part, and 50% of the total commands will have the doc.body.offsetHeight part. Which commands that get the extra part(s) is random, under the control of the seed. You can exclude the new parameters: StirTable-2.2-quirks.html?fuzz=a,b,c,d,e resize/flush will then have the default values.
|
|
||
Comment 32•17 years ago
|
||
New version from Jesse's side of the fork. (Hopefully the fork won't last forever.) * Added captionSide, emptyCells, tableLayout CSS properties. * Added inline-block and inline-table values for the CSS display property. * Restored use of zero rowspan / colspan. * Removed doCommand to bring it in line with fuzz.js 3.1, as I promised in comment 29.
Attachment #242973 -
Attachment is obsolete: true
|
|
||
Updated•16 years ago
|
Depends on: CVE-2009-3981
|
|
||
Comment 33•9 years ago
|
||
https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/tables.js Thanks, Mats!
|
|
||
Updated•9 years ago
|
Group: core-security
|
||
Updated•3 years ago
|
Summary: StirTable meta bug → [meta] StirTable meta bug
|
|
||
Comment 34•2 years ago
|
||
The bug assignee didn't login in Bugzilla in the last months and this bug has severity 'critical'.
:dholbert, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: MatsPalmgren_bugz → nobody
Flags: needinfo?(dholbert)
|
|
||
Comment 35•2 years ago
|
||
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: critical → --
|
||
Comment 36•4 months ago
|
||
(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #34)
The bug assignee didn't login in Bugzilla in the last months and this bug has severity 'critical'.
:dholbert, could you have a look please?
Given that this was a metabug, it didn't really make sense for it to have an assignee anyway.
Since this is about bugs-found-by-a-fuzzer that I think (?) we're not using anymore, I think we can close this as INACTIVE at this point.
Status: NEW → RESOLVED
Closed: 4 months ago
Flags: needinfo?(dholbert)
Resolution: --- → INACTIVE
You need to log in
before you can comment on or make changes to this bug.
Description
•