Closed
Bug 72476
Opened 23 years ago
Closed 23 years ago
browser crashes in JSDOM.DLL while opening document
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla0.9
People
(Reporter: vegaj, Assigned: jst)
References
()
Details
(Keywords: crash, Whiteboard: [HAVE FIX])
Attachments
(2 files)
2.73 KB,
text/html
|
Details | |
619 bytes,
patch
|
Details | Diff | Splinter Review |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; 0.8.1) Gecko/20010316 BuildID: 2001031604 In Knoxville, TN, there's an ISP that uses router based url modification to display advertisements to its subscribers, in return for lower rates. They do this by adding a JavaScript frame around the page requested. (See http://www.ntown.net) Therefore, when displaying any otherwise valid webpage, their javascript invokes : "MOZILLA caused an invalid page fault in module JSDOM.DLL at 015f:60b80bd8." Reproducible: Always Steps to Reproduce: Snip and attempt to open this document ===BEGIN ============================== <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <!-- saved from url=(0045)http://webmail.utk.edu/MBX/alokey/ID=3AABA307 --> <HTML><HEAD><TITLE>webmail.utk.edu/MBX/alokey/ID=3AABA307</TITLE> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <SCRIPT language=JavaScript> var a = ""; var sURL = ""; var g = ""; var gtop = ""; var s = ""; var depth = "00"; var x = ""; function ignoreError( err_msg, url, line ) { if( ( self.name != '_' ) && ( depth != "00" ) ) { location.replace( g ); } else { location.replace( gtop ); } return true; } window.onerror = ignoreError; function reload_top( err_msg, url, line ) { top.location = a; return true; } function def_url_vars() { sURL = "http://webmail.utk.edu/MBX/alokey/ID=3AABA307"; a = sURL + location.hash; x = "http://commcenter.message-exchange.com/!~@/2/XPR.shtml?UserId=7506&AdServerIP=208.245.096.228&RefreshURL="+escape(a); g = sURL + "&_wsgeturl3aa822162302c8a0_"+depth+location.hash; gtop = sURL + "&_wsgettop3aa822162302c8a0_"+depth+location.hash; s = "http://commcenter.message-exchange.com/!~@/2/bnr.html?UserID=7506&AdServerIP=208.245.096.228&GroupID=2&NtownDefaultIndex=0&ip=208.245.98.126&RefreshURL=" + escape( a ) +""; } def_url_vars(); function setsrc_func() { if( document.body.offsetWidth < 580 ) { top.location.replace( g.substring( 0, g.lastIndexOf( '_' ) ) + "_ff" + location.hash ); } else { top._.location.replace( gtop ); top._.focus(); } } // end setsrc_func() var count_depth = 0; var win_obj = "parent"; while( eval(win_obj) != top ) { win_obj += ".parent"; count_depth++; } if( count_depth < 10 ) { depth = "0" + count_depth; } else { depth = count_depth; } if( ( self != top ) && ( top.frames.length != 2 ) ) { depth = "ff"; } def_url_vars(); if( top.frames.length == 0 ) { document.open( "text/html", "replace" ); document.write( "<FRAMESET ROWS='51,*' BORDER=0 FRAMEBORDER=0>"); document.writeln( "<FRAME SRC='" + s + "' NAME='StreetFeed' NORESIZE MARGINHEIGHT=0 SCROLLING=NO TABINDEX=-1>" ); document.write( "<FRAME NAME='_' MARGINHEIGHT=0 " ); document.writeln( "SRC=\"javascript:top.setsrc_func();\">" ); document.writeln( "</FRAMESET>" ); document.close(); } else { if( ( self.name != '_' ) && ( depth != "00" ) ) { location.replace( g ); } else { window.onerror=reload_top; top.StreetFeed.NFeedXPRFrame.location.replace( x ); window.onerror=ignoreError; location.replace( gtop ); } } </SCRIPT> <NOSCRIPT> <META content="MSHTML 5.50.4611.1300" name=GENERATOR></HEAD> <BODY> <CENTER><FONT color=#ff0000>In order to continue you need to enable JavaScript in your browser.</FONT><BR><FONT color=#ff0000>Please call Message Exchange Customer Support if you need assistance.</FONT> </CENTER></NOSCRIPT></BODY></HTML> ===END============================== Actual Results: Crash Expected Results: In this specific example, the url "http://webmail.utk.edu/MBX/alokey/ID=3AABA307" should be opened (which will just prompt for a password). However, this is the standard template for any otherwise valid webpage - the javascript provided frames any requested page. MOZILLA caused an invalid page fault in module JSDOM.DLL at 015f:60b80bd8. Registers: EAX=00000000 CS=015f EIP=60b80bd8 EFLGS=00010246 EBX=00000000 SS=0167 ESP=0068f4b8 EBP=0068f4dc ECX=00000000 DS=0167 ESI=00000000 FS=20f7 EDX=0068f4b0 ES=0167 EDI=0068f5a0 GS=0000 Bytes at CS:EIP: 8b 01 ff 50 1c 89 07 8d 4d 08 e8 c1 33 03 00 5f Stack dump: 00000000 0f0000b0 00000000 60d59458 00000000 00000000 0f008ee4 00000000 0f008ee0 0068f58c 60b80adb 00000000 0068f5a0 80000000 0f00a5c0 60d5c4f4
This is not a Java API's DOM bug. Changed Component to DOM level 0.
Component: Java APIs for DOM → DOM Level 0
Comment 2•23 years ago
|
||
reassign to owner of js dom
Assignee: akhil.arora → jst
QA Contact: rajendra.pallath → desale
Comment 4•23 years ago
|
||
Unable to reproduce this one on Windows 95 with either build 2001031604 or build 2001031904 The frame didnt load, but no crash.
Assignee | ||
Comment 5•23 years ago
|
||
Please attach a (the) testcase.
Here's a slightly different test case that still crashes Mozilla for me on Win98. Build 2001031604 I've attached a picture of the IE5.5 behavior - expected. Note the bar across the top that the scroller doesn't extend into (this is where the advertisement is usually loaded). The "Page Note Found" message is because I opened the page at the office, while not connected to the NTown ISP (home). It looks like without the router to demangle the page request, it can't find the wrapped page either. The important thing is that the frame construction using the javascript was interpreted correctly in IE 5.5. The matter of the page loading is secondary. I would expect Mozilla to behave similarly, or report some error condition, or something other than a crash.
Okay, I couldn't attach the image showing the IE5.5 behavior... buzilla seems to hang. It doesn't matter much. Save the attachment, open in IE 5.5...
Assignee | ||
Comment 9•23 years ago
|
||
Assignee | ||
Comment 10•23 years ago
|
||
Accpting, confirming, and whatnot. Thanks for the testcase, the fix is attached and I'll try to check it in later today.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows 98 → All
Hardware: PC → All
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla0.9
Assignee | ||
Comment 11•23 years ago
|
||
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•