Closed
Bug 10762
Opened 25 years ago
Closed 25 years ago
Crasho manipulating <select>/<option> with JavaScript
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
VERIFIED
FIXED
M11
People
(Reporter: law, Assigned: vidur)
References
()
Details
(Keywords: crash)
I was playing with an old .xml file and produced a crash. The URL above will take you to the page (careful, it crashes 5.0!). Here's the stack when it crashes: nsOptionList::IndexOf(nsIContent * 0x0a22453c) line 988 + 3 bytes nsHTMLSelectElement::RemoveOption(nsHTMLSelectElement * const 0x0a224a3c, nsIContent * 0x0a22453c) line 658 + 15 bytes nsHTMLOptionElement::SetParent(nsHTMLOptionElement * const 0x0a22453c, nsIContent * 0x00000000) line 197 nsGenericHTMLContainerElement::RemoveChildAt(int 0x00000001, int 0x00000001) line 2780 nsGenericHTMLContainerElement::RemoveChild(nsIDOMNode * 0x0a224530, nsIDOMNode * * 0x0012e96c) line 2588 + 14 bytes nsHTMLSelectElement::RemoveChild(nsHTMLSelectElement * const 0x0a224a20, nsIDOMNode * 0x0a224530, nsIDOMNode * * 0x0012e96c) line 120 + 22 bytes NodeRemoveChild(JSContext * 0x09e07310, JSObject * 0x00e1a0c8, unsigned int 0x00000001, long * 0x00d90f50, long * 0x0012ea28) line 543 + 25 bytes js_Invoke(JSContext * 0x09e07310, unsigned int 0x00000001, unsigned int 0x00000000) line 654 + 26 bytes js_Interpret(JSContext * 0x09e07310, long * 0x0012f254) line 2228 + 15 bytes js_Invoke(JSContext * 0x09e07310, unsigned int 0x00000000, unsigned int 0x00000000) line 670 + 13 bytes js_Interpret(JSContext * 0x09e07310, long * 0x0012fa2c) line 2228 + 15 bytes js_Execute(JSContext * 0x09e07310, JSObject * 0x00d82e58, JSScript * 0x0a220f40, JSFunction * 0x00000000, JSStackFrame * 0x00000000, int 0x00000000, long * 0x0012fa2c) line 827 + 13 bytes JS_EvaluateUCScriptForPrincipals(JSContext * 0x09e07310, JSObject * 0x00d82e58, JSPrincipals * 0x0a219260, const unsigned short * 0x0012fadc, unsigned int 0x0000000d, const char * 0x0a220fd0, unsigned int 0x0000007d, long * 0x0012fa2c) line 2596 + 27 bytes nsJSContext::EvaluateString(nsJSContext * const 0x09e07480, const nsString & {...}, const char * 0x0a220fd0, unsigned int 0x0000007d, nsString & {...}, int * 0x0012fa50) line 155 + 66 bytes nsXMLContentSink::EvaluateScript(nsXMLContentSink * const 0x0a230b10, nsString & {...}, unsigned int 0x0000007d) line 1680 + 32 bytes nsXMLContentSink::ProcessEndSCRIPTTag(const nsIParserNode & {...}) line 1703 + 23 bytes nsXMLContentSink::CloseContainer(nsXMLContentSink * const 0x0a230b10, const nsIParserNode & {...}) line 774 + 12 bytes CWellFormedDTD::HandleToken(CWellFormedDTD * const 0x0a1fb830, CToken * 0x09af48e0, nsIParser * 0x0a237da0) line 539 + 22 bytes CWellFormedDTD::BuildModel(CWellFormedDTD * const 0x0a1fb830, nsIParser * 0x0a237da0, nsITokenizer * 0x0a1fa920, nsITokenObserver * 0x00000000, nsIContentSink * 0x0a230b10) line 253 + 20 bytes nsParser::BuildModel() line 941 + 34 bytes nsParser::ResumeParse(nsIDTD * 0x00000000, int 0x00000000) line 886 + 11 bytes nsParser::OnDataAvailable(nsParser * const 0x0a237da4, nsIChannel * 0x0a22e790, nsISupports * 0x00000000, nsIInputStream * 0x0a22cfe0, unsigned int 0x00000000, unsigned int 0x00001159) line 1159 + 19 bytes nsDocumentBindInfo::OnDataAvailable(nsDocumentBindInfo * const 0x0a21e950, nsIChannel * 0x0a22e790, nsISupports * 0x00000000, nsIInputStream * 0x0a22cfe0, unsigned int 0x00000000, unsigned int 0x00001159) line 2024 + 32 bytes nsOnDataAvailableEvent::HandleEvent(nsOnDataAvailableEvent * const 0x0a233890) line 350 nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x0a233894) line 149 + 12 bytes PL_HandleEvent(PLEvent * 0x0a233894) line 509 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x00ae2b40) line 470 + 9 bytes _md_EventReceiverProc(HWND__ * 0x052d0532, unsigned int 0x0000c0aa, unsigned int 0x00000000, long 0x00ae2b40) line 932 + 9 bytes USER32! 77e713ed() 00ae2b40()
Updating URL (renamed the .xml file). Sorry about that file being on on internal web server (to anybody on the outside). If you're really curious, email me and I'll send it to you.
Comment 2•25 years ago
|
||
Dupe of 11488? (Hard to tell without being able to access the testcase)
The call stack is different, but both bugs seemed to be triggered by removing an option element. Here's the xml file for this bug: <app xmlns:foo="http://foo.bar.com/xml#" xmlns:html="http://www.w3.org/TR/REC-html40"> <data> <var id="AppShell"> <windowlist> <window type="browser" id="1"/> <window type="browser" id="2"/> <window type="mail-news" id="3"/> </windowlist> </var> <var id="ProfileMgr"> <profilelist> <profile id="law" dir="file:///c/program files/communicator/users/law"/> <profile id="home" dir="file:///c/program files/communicator/users/home"/> </profilelist> </var> </data> <html:script> function hex( value ) { var result = ""; for( var i = 0; i < value.length; i++ ) { var c = value[i] - 0; result += c.toString(16); } return result; } function nodeChildren( node ) { var kids = ""; var children = node.childNodes; for( var i = 0; i < children.length; i++ ) { kids += "\n\tchild["; kids += i; if ( children.item(i) != null ) { kids += "] = name["; kids += children.item( i ).nodeName; kids += "] = type["; kids += children.item( i ).nodeType; kids += "] value["; kids += children.item( i ).nodeValue; kids += "]"; } else { kids += "] = null"; } } return kids; } function nodeAttrs( node ) { var attrs = ""; var attrList = node.attributes; for( var i = 0; attrList && i < attrList.length; i++ ) { attrs += "\n\tattr["; attrs += attrList[i].nodeName; attrs += "] = ["; attrs += attrList[i].nodeValue; attrs += "]"; } return attrs; } function nodeInfo( node, label ) { var msg = label + ":"; msg += " name=[" + node.nodeName + "]"; msg += " type=[" + node.nodeType + "]"; msg += " value=[" + node.nodeValue + "]"; msg += " len=[" + node.nodeValue.length + "]"; msg += " hex=[" + hex(node.nodeValue) + "]"; msg += nodeChildren(node); msg += nodeAttrs(node); return msg; } function showProfiles() { var data = document.getElementsByTagName( "profile" ); var txt = ""; for( var i = 0; i < data.length; i++ ) { txt += "\n" + nodeInfo( data[i], "profile " + i ); for( var j = 0; j < data[i].attributes.length; j++ ) { var attr = data[i].attributes[j]; txt += "\n\t" + nodeInfo( attr, "attr " + j ); } } alert(txt); } function showOptions() { var opts = document.getElementsByTagName( "select" )[0]; var txt = nodeInfo(opts, "\nOptions"); alert(txt); } function addOptions() { var list = document.getElementsByTagName( "select" )[0]; var data = document.getElementsByTagName( "profile" ); for( var i = 0; i < data.length; i++ ) { // Clone first option (second child). var opt = list.childNodes[1].cloneNode( false ); if ( !opt ) { alert( "couldn't create new option element!" ); return; } var before = list.childNodes.length; // Insert after dummy node. list.insertBefore( opt, list.childNodes[2+i] ); if ( before == list.childNodes.length ) { alert( "couldn't append child to list!" ); return; } opt.setAttribute( "index", i ); var val = data[i].attributes.getNamedItem("id").nodeValue; text = document.createTextNode( val ); opt.appendChild( text ); } // Remove dummy. list.removeChild( list.childNodes[1] ); } </html:script> <html:div> <html:center> <html:table html:cols="1" html:width="90%"><html:tr><html:td> <html:b><html:font html:size="+1">Welcome to Mozilla</html:font></html:b><html:br/> <html:p/>To access your personal profile, passwords, and certificates, please choose your profile from the list below. <html:p>If you have a Roaming Access profile which does not exist on this computer, choose Guest. Mozilla will then prompt you to log into your Roaming Access server.<html:br/> <html:p/>Profile Name <html:select html:id="x" html:size="1" html:width="200"> <html:option>dummy</html:option> <html:option>Guest</html:option> <html:script>addOptions();</html:script> </html:select> <html:hr/> <html:button>Manage Profiles</html:button> <html:button>Start Communicator</html:button> <html:button>Exit</html:button> </html:td></html:tr></html:table> </html:center> </html:div> </app>
Crashes are all M11/P1/critical.
Assignee | ||
Updated•25 years ago
|
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 5•25 years ago
|
||
Had to fix the XML to make it well-formed - the <html:p> element before the text "If you have Roaming..." needed a trailing slash (<html:p/>). Also, the preferred way to have inline scripts is to surround the contents of a <html:script> element a CDATA marked section (<![CDATA[ ... ]]>) rather than use character entities (< > etc.) in the script. Either way, I couldn't reproduce the crash. I suspect that Eric Pollmann's changes to the relevant code over the past several weeks has helped.
Comment 7•24 years ago
|
||
I do not see crash anymore. Marking it verified.
Status: RESOLVED → VERIFIED
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•