Closed Bug 148277 Opened 23 years ago Closed 16 years ago

crash when loading URL [@ nsHTMLScriptElement::SetDocument]

Categories

(Core :: DOM: Core & HTML, defect, P1)

RESOLVED FIXED
mozilla1.3final

People

(Reporter: drbrain-bugzilla, Unassigned)

Details

(Keywords: crash, Whiteboard: [HAVE FIX])

Attachments

(3 files)

Steps to reproduce:
1: load URL: data:text/html,<script>document.write(document.location)</script>
2: see 'Bus Error' on console
This is probably recursive as all hell, rapidly nesting document.write calls into oblivion. I was looking at a self-printing URL, and this one works: data:text/html,<script>alert(document.location)</script>
wow, deep recursion, 5446 frames from top to bottom, here's an abbreviated traceback. The rest of the stack is just a loop of the same calls.
#5388 0x28b3433a in nsHTMLScriptElement::SetDocument () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5389 0x28b018bb in nsGenericHTMLContainerElement::AppendChildTo () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5390 0x28b582b9 in HTMLContentSink::ProcessSCRIPTTag () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5391 0x28b528b3 in HTMLContentSink::AddLeaf () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5392 0x28907f34 in CNavDTD::AddLeaf () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5393 0x28905ba0 in CNavDTD::HandleScriptToken () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5394 0x2890770d in CNavDTD::OpenContainer () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5395 0x28903d6d in CNavDTD::HandleDefaultStartToken () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5396 0x28904c26 in CNavDTD::HandleStartToken () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5397 0x28903313 in CNavDTD::HandleToken () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5398 0x289021bf in CNavDTD::BuildModel () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5399 0x28915da7 in nsParser::BuildModel () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5400 0x28915af8 in nsParser::ResumeParse () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5401 0x289156ba in nsParser::Parse () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5402 0x28b6337d in nsHTMLDocument::WriteCommon () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5403 0x28b63aee in nsHTMLDocument::ScriptWriteCommon () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5404 0x28b63cfc in nsHTMLDocument::Write () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5405 0x282085e5 in XPTC_InvokeByIndex () from /usr/X11R6/lib/mozilla/./libxpcom.so
#5406 0x286aa886 in XPCWrappedNative::CallMethod () from /usr/X11R6/lib/mozilla/components/libxpconnect.so
#5407 0x286b00aa in XPC_WN_CallMethod () from /usr/X11R6/lib/mozilla/components/libxpconnect.so
#5408 0x2811736c in js_Invoke () from /usr/X11R6/lib/mozilla/./libmozjs.so
#5409 0x2811e7c1 in js_Interpret () from /usr/X11R6/lib/mozilla/./libmozjs.so
#5410 0x281177b4 in js_Execute () from /usr/X11R6/lib/mozilla/./libmozjs.so
#5411 0x280f852d in JS_EvaluateUCScriptForPrincipals () from /usr/X11R6/lib/mozilla/./libmozjs.so
#5412 0x28ef5e5e in nsJSContext::EvaluateString () from /usr/X11R6/lib/mozilla/components/libjsdom.so
#5413 0x28ce2688 in nsScriptLoader::EvaluateScript () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5414 0x28ce2272 in nsScriptLoader::ProcessRequest () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5415 0x28ce1f7a in nsScriptLoader::ProcessScriptElement () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5416 0x28b3433a in nsHTMLScriptElement::SetDocument () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5417 0x28b018bb in nsGenericHTMLContainerElement::AppendChildTo () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5418 0x28b582b9 in HTMLContentSink::ProcessSCRIPTTag () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5419 0x28b528b3 in HTMLContentSink::AddLeaf () from /usr/X11R6/lib/mozilla/components/libgkcontent.so
#5420 0x28907f34 in CNavDTD::AddLeaf () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5421 0x289080d4 in CNavDTD::AddHeadLeaf () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5422 0x28904c10 in CNavDTD::HandleStartToken () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5423 0x28903313 in CNavDTD::HandleToken () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5424 0x289021bf in CNavDTD::BuildModel () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5425 0x28915da7 in nsParser::BuildModel () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5426 0x28915af8 in nsParser::ResumeParse () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5427 0x289177d8 in nsParser::OnDataAvailable () from /usr/X11R6/lib/mozilla/components/libhtmlpars.so
#5428 0x2896a243 in nsDocumentOpenInfo::OnDataAvailable () from /usr/X11R6/lib/mozilla/components/liburiloader.so
#5429 0x2878ba7c in nsDataChannel::OnDataAvailable () from /usr/X11R6/lib/mozilla/components/libnecko.so
#5430 0x28720189 in nsOnDataAvailableEvent0::HandleEvent () from /usr/X11R6/lib/mozilla/components/libnecko.so
#5431 0x2871f9bc in nsStreamListenerEvent0::HandlePLEvent () from /usr/X11R6/lib/mozilla/components/libnecko.so
#5432 0x281f0f4d in PL_HandleEvent () from /usr/X11R6/lib
#5433 0x281f0e55 in PL_ProcessPendingEvents () from /usr/X11R6/lib/mozilla/./libxpcom.so
#5434 0x281f1f9b in nsEventQueueImpl::ProcessPendingEvents () from /usr/X11R6/lib/mozilla/./libxpcom.so
#5435 0x2880ee9b in nsAppShell::SetDispatchListener () from /usr/X11R6/lib/mozilla/components/libwidget_gtk.so
#5436 0x2880ebca in keysym2ucs () from /usr/X11R6/lib/mozilla/components/libwidget_gtk.so
#5437 0x283ee64c in g_io_unix_dispatch () from /usr/local/lib/libglib12.so.3
#5438 0x283efcf3 in g_main_dispatch () from /usr/local/lib/libglib12.so.3
#5439 0x283f031c in g_main_iterate () from /usr/local/lib/libglib12.so.3
#5440 0x283f04b4 in g_main_run () from /usr/local/lib/libglib12.so.3
#5441 0x28310813 in gtk_main () from /usr/X11R6/lib/libgtk12.so.2
#5442 0x2880f370 in nsAppShell::Run () from /usr/X11R6/lib/mozilla/components/libwidget_gtk.so
#5443 0x287df07a in nsAppShellService::Run () from /usr/X11R6/lib/mozilla/components/libnsappshell.so
#5444 0x804dc8b in nsIServiceManager::GetIID ()
#5445 0x804cc00 in main ()
#5446 0x804c9d9 in _start ()
Component: Browser-General → JavaScript Engine
Keywords: crash
Crashes on both FreeBSD 1.0rc3 and Win XP 1.0rc3
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: FreeBSD → All
-> DOM0
Assignee: Matti → jst
Component: JavaScript Engine → DOM Level 0
QA Contact: imajes-qa → desale
crashes win2k, sp2, M1 RC3, Talkback id:TB6850950M
Summary: crash when loading URL → crash when loading URL [@ nsHTMLScriptElement::SetDocument]
The code is an infinite recursion, so it's no wonder mozilla crashes (by doing what it's asked to do), but where should we stop this recursion? Looks like 4x goes 4 levels deep, maybe we should do the same? Brendan, does this ring any bells from the 3x or 4x days?
Status: NEW → ASSIGNED
Priority: -- → P1
Hardware: PC → All
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla1.1alpha
Comment on attachment 86461 [details] [diff] [review] Prevent infinite nesting of script evaluations r=peterv but it's mismatch, not missmatch. Hmmmm, a matching miss.
Attachment #86461 - Flags: review+
Attachment #86465 - Flags: review+
Comment on attachment 86465 [details] [diff] [review] Fix typo in the previous patch Moving r=peterv forward...
Comment on attachment 86465 [details] [diff] [review] Fix typo in the previous patch Adding the recursion depth guard to nsJSContext would result in less code (you'd only need to add a data member to the context). It will, however, deal with more cases. This is both good and bad - are there cases in which we don't want to limit recursion to some arbitrary amount which we choose?
That's a good question. I would assume that if we up the limit to, say, 32, we'd be safe; seems like anything that nests deeper than that needs to re-think. I'd be ok with pushing such a check in on the trunk and seeing what happens, patch coming up...
Target Milestone: mozilla1.1alpha → mozilla1.3alpha
Target Milestone: mozilla1.3alpha → mozilla1.3final
Mass-reassigning bugs to dom_bugs@netscape.com
Assignee: jst → dom_bugs
Status: ASSIGNED → NEW
The given url makes firebird disappear immediately (win XP).
Comment on attachment 86526 [details] [diff] [review] Move the check into nsJSContext, and up the max depth to 32 I'm just wondering what people think. In theory SpiderMonkey has an API to deal with the stack depth limit. Do we still want to play with this?
Attachment #86526 - Flags: review?(caillon)
Why wouldn't you use the JS_SetThreadStackLimit API and avoid all this ad-hoc reentry counting? /be
Comment on attachment 86526 [details] [diff] [review] Move the check into nsJSContext, and up the max depth to 32 Minusing pending a response to brendan's question.
Attachment #86526 - Flags: review?(caillon)
URL WFM using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a2pre) Gecko/20070201 Minefield/3.0a2pre ID:2007020104 [cairo]
I get NS_ENSURE_TRUE(!mTooDeepWriteRecursion) failed: file /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2138 and no crash.
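The approach jst's 32-level patch takes and the check smaug's build reports (an ad-hoc reentry counter on the document, with a too-deep flag that refuses the write instead of recursing further), as an added C++ illustration that is not Mozilla's code: MiniDocument, Write, RunSelfWritingPage, the ScriptRunner callback and kMaxWriteRecursion are hypothetical stand-ins for nsHTMLDocument, the parser and the script loader.

```cpp
#include <functional>
#include <string>
#include <utility>
// Upper bound on nested document.write() re-entries, the limit the patches in
// this bug settled on (32); a write beyond it is refused instead of executed.
constexpr int kMaxWriteRecursion = 32;
// Hypothetical stand-in for nsHTMLDocument: Write() hands markup to the parser,
// the parser runs any inline <script>, and that script may call Write() again.
// Without the guard the write -> parse -> script -> write loop never unwinds.
class MiniDocument {
 public:
  using ScriptRunner = std::function<void(MiniDocument&)>;
  explicit MiniDocument(ScriptRunner runScript)
      : mRunScript(std::move(runScript)) {}
  // Returns true if the markup was written, false if the depth guard refused it.
  bool Write(const std::string& markup) {
    if (mWriteLevel >= kMaxWriteRecursion) {
      mTooDeepWriteRecursion = true;  // the flag NS_ENSURE_TRUE reports on
      return false;
    }
    ++mWriteLevel;                    // ad-hoc reentry counter
    ++mTotalWrites;
    if (markup.find("<script>") != std::string::npos) {
      mRunScript(*this);              // may re-enter Write() synchronously
    }
    --mWriteLevel;
    return true;
  }
  bool TooDeep() const { return mTooDeepWriteRecursion; }
  int TotalWrites() const { return mTotalWrites; }
  int CurrentLevel() const { return mWriteLevel; }
 private:
  ScriptRunner mRunScript;
  int mWriteLevel = 0;
  int mTotalWrites = 0;
  bool mTooDeepWriteRecursion = false;
};
// The reporter's page: the script writes its own URL, which contains the same
// script, so every parse triggers another write until the guard cuts it off.
inline MiniDocument RunSelfWritingPage() {
  const std::string url =
      "data:text/html,<script>document.write(document.location)</script>";
  MiniDocument doc([url](MiniDocument& d) { d.Write(url); });
  doc.Write(url);
  return doc;
}
```

RunSelfWritingPage() ends with 32 accepted writes, the flag set and the level back at 0, where the unguarded loop in the reporter's trace kept going until the stack overflowed.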
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Crash Signature: [@ nsHTMLScriptElement::SetDocument]