Closed Bug 147022 Opened 22 years ago Closed 22 years ago

Crash when calling prompt() with 2 arguments [@nsACString::Last]

Categories

(SeaMonkey :: Passwords & Permissions, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: wolruf, Assigned: cavin)

Details

(4 keywords, Whiteboard: [adt2 rtm] [security problem. don't check in without fix for #148520])

Attachments

(1 obsolete file)

Build ID: 2002052408 on Win2k (trunk).

Steps to reproduce:
1. Load URL
http://www.nomad-jedi.com/ws/forum/nj/Forum.asp?A=reply&P=8635&S=RE:%20SPOILER%20ALERT%20-%20Question
2. Click on 'Italics' icon/box,
3. Mozilla crashes.

Talkback ID: TB6660525M.
Keywords: crash, stackwanted
wfm win2k sp2, m1rc3.
I produced a reduced testcase, simply open JavaScript console and type in:

prompt('foo', '');
Assignee: attinasi → rogerl
Component: Layout → JavaScript Engine
Keywords: testcase
QA Contact: petersen → pschwartau
Summary: Crash on page → Crash when calling prompt() with 2 arguments
prompt('foo', ''); doesn't crash the 1.0 branch (Win2k 2002052106).
Still crashing with build 2002052504 on Win2k (trunk) with " prompt('','') " and
evaluate in JavaScript console.
Adding 'regression' keyword as it might be a recent checkin that affects trunk only.
Keywords: regression
prompt('foo', ''); on JavaScript console does not
crash a little older trunk (Build ID: 2002052321) on Linux.
So it is recent.
Stephend, could you get the stack?  TB6660525M
WFM with build 2002052306 under Windows ME.
*** Bug 147325 has been marked as a duplicate of this bug. ***
Doesn't crash on Linux build 20020526 (trunk).
nsACString::Last [nsAString.cpp, line 649] 
si_GetURL [singsign.cpp, line 762] 
si_GetUser [singsign.cpp, line 933] 
si_RestoreOldSignonDataFromBrowser [singsign.cpp, line 2247] 
SINGSIGN_Prompt [singsign.cpp, line 2492] 
nsSingleSignOnPrompt::Prompt [nsWalletService.cpp, line 659] 
GlobalWindowImpl::Prompt [nsGlobalWindow.cpp, line 2240] 
GlobalWindowImpl::Prompt [nsGlobalWindow.cpp, line 2318] 
XPTC_InvokeByIndex [xptcinvoke.cpp, line 106] 
XPCWrappedNative::CallMethod [xpcwrappednative.cpp, line 1996] 
XPC_WN_CallMethod [xpcwrappednativejsops.cpp, line 1267] 
js_Invoke [jsinterp.c, line 790] 
js_Interpret [jsinterp.c, line 2744] 
js_Invoke [jsinterp.c, line 806] 
js_InternalInvoke [jsinterp.c, line 881] 
JS_CallFunctionValue [jsapi.c, line 3426] 
nsJSContext::CallEventHandler [nsJSEnvironment.cpp, line 1045] 
nsJSEventListener::HandleEvent [nsJSEventListener.cpp, line 184] 
nsEventListenerManager::HandleEventSubType [nsEventListenerManager.cpp, line 1222] 
nsEventListenerManager::HandleEvent [nsEventListenerManager.cpp, line 1399] 
nsGenericElement::HandleDOMEvent [nsGenericElement.cpp, line 1837] 
nsHTMLInputElement::HandleDOMEvent [nsHTMLInputElement.cpp, line 1398] 
PresShell::HandleEventInternal [nsPresShell.cpp, line 6123] 
PresShell::HandleEventWithTarget [nsPresShell.cpp, line 6091] 
nsEventStateManager::CheckForAndDispatchClick [nsEventStateManager.cpp, line 2642] 
nsEventStateManager::PostHandleEvent [nsEventStateManager.cpp, line 1729] 
PresShell::HandleEventInternal [nsPresShell.cpp, line 6144] 
PresShell::HandleEvent [nsPresShell.cpp, line 6046] 
nsViewManager::HandleEvent [nsViewManager.cpp, line 2076] 
nsView::HandleEvent [nsView.cpp, line 306] 
nsViewManager::DispatchEvent [nsViewManager.cpp, line 1887] 
HandleEvent [nsView.cpp, line 83] 
nsWindow::DispatchEvent [nsWindow.cpp, line 973] 
nsWindow::DispatchWindowEvent [nsWindow.cpp, line 990] 
nsWindow::DispatchMouseEvent [nsWindow.cpp, line 4836] 
ChildWindow::DispatchMouseEvent [nsWindow.cpp, line 5091] 
nsWindow::ProcessMessage [nsWindow.cpp, line 3738] 
nsWindow::WindowProc [nsWindow.cpp, line 1235] 
USER32.DLL + 0x2e98 (0x77e12e98) 
USER32.DLL + 0x30e0 (0x77e130e0) 
USER32.DLL + 0x5824 (0x77e15824) 
nsAppShellService::Run [nsAppShellService.cpp, line 451] 
main1 [nsAppRunner.cpp, line 1472] 
main [nsAppRunner.cpp, line 1808] 
WinMain [nsAppRunner.cpp, line 1826] 
WinMainCRTStartup() 
KERNEL32.DLL + 0x17d08 (0x77e97d08) 
.
Assignee: rogerl → jst
Component: JavaScript Engine → DOM Level 0
Keywords: stackwanted
QA Contact: pschwartau → desale
Summary: Crash when calling prompt() with 2 arguments → Crash when calling prompt() with 2 arguments [@nsACString::Last]
Oops, this looks like it's due to cavin's checkin on May 23 to fix bug 94775.  
We probably need to test realmWithoutTrailingSlash for null and/or for zero 
length on line 761 of singsign.cpp.

Reassigning.
Assignee: jst → cavin
Component: DOM Level 0 → Password Manager
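
The check suggested in the comment above (test the realm for null and for zero length before asking for its last character), as an added example that is not part of the bug report or the Mozilla patch. `strip_slash_unguarded` and `strip_slash_guarded` are hypothetical names, and `std::string` stands in for the Mozilla string class as an assumption.

```cpp
#include <cstdio>
#include <string>

// Illustrative stand-ins only; this is not the code from singsign.cpp.

// Unguarded: std::string::back() on an empty string is undefined behaviour,
// analogous to asking an empty string for its last character.
// Kept for comparison; do not call it with "".
std::string strip_slash_unguarded(const std::string& realm) {
    std::string realmWithoutTrailingSlash(realm);
    if (realmWithoutTrailingSlash.back() == '/')
        realmWithoutTrailingSlash.erase(realmWithoutTrailingSlash.size() - 1);
    return realmWithoutTrailingSlash;
}

// Guarded: null and zero-length realms are rejected before any
// last-character access, so "" is handled the same way as a null pointer.
// Returns false when there is no usable realm; `out` is then left empty.
bool strip_slash_guarded(const char* realm, std::string& out) {
    out.clear();
    if (realm == nullptr || realm[0] == '\0')
        return false;                      // null or "": nothing to inspect
    out.assign(realm);
    if (out[out.size() - 1] == '/')        // safe: size() >= 1 here
        out.erase(out.size() - 1);
    // A realm of just "/" strips to ""; this example (an assumption, not
    // from the page) treats that as "no realm" so callers never get "".
    return !out.empty();
}

int main() {
    // Constructed sample inputs, including the empty realm from prompt('foo', '').
    const char* samples[] = {"http://example.test/", "http://example.test",
                             "", "/", nullptr};
    for (const char* s : samples) {
        std::string out;
        bool ok = strip_slash_guarded(s, out);
        std::printf("%-24s -> %s\n", s ? s : "(null)",
                    ok ? out.c_str() : "(no realm)");
    }
    return 0;
}
```
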
*** Bug 147390 has been marked as a duplicate of this bug. ***
Depends on: 94775
Attached patch treat "" like (char*)0 (obsolete) — Splinter Review
Comment on attachment 85215 [details] [diff] [review]
treat "" like (char*)0

r=bzbarsky
Attachment #85215 - Flags: review+
Comment on attachment 85215 [details] [diff] [review]
treat "" like (char*)0

sr=jst
Attachment #85215 - Flags: superreview+
Comment on attachment 85215 [details] [diff] [review]
treat "" like (char*)0

checked in
Attachment #85215 - Attachment is obsolete: true
*** Bug 146998 has been marked as a duplicate of this bug. ***
*** Bug 147099 has been marked as a duplicate of this bug. ***
Hmm, module owner approval was required here.  But I won't stand on ceremony.  
Approval granted after the fact.

Since patch has been checked in on trunk, this should be marked as fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Thanks for the fix as I was too late to do anything when I saw it this morning.
Nominating nsbeta1.
Whiteboard: nsbeta1
this change caused a security issue.

see http://bugzilla.mozilla.org/show_bug.cgi?id=148520

Whiteboard: nsbeta1 → nsbeta1 [security problem. don't check in without fix for #148520]
Bug 148520 is fixed on the trunk.
nominating since it's needed for 94775
Keywords: adt1.0.1, nsbeta1+
Whiteboard: nsbeta1 [security problem. don't check in without fix for #148520] → [adt2 rtm] [security problem. don't check in without fix for #148520]
Marking Verified. Talkback data shows this one stopped after checkin. (Also
adding "topcrash" in the keywords so that Talkback automation picks up this bug
in the lists as FIXED.)
Status: RESOLVED → VERIFIED
Keywords: topcrash
adding adt1.0.1+ for checkin to the branch along with 94775 and 148502.  Please
get drivers approval before checking in.
Fix landed in the branch.
Verified on branch [2002-07-11].
Product: Browser → Seamonkey
Crash Signature: [@nsACString::Last]