Closed Bug 150374 Opened 18 years ago Closed 18 years ago

Crash or hang on this page [@ nsGenericHTMLContainerElement::AppendChildTo]

Categories

(Core :: DOM: Core & HTML, defect, critical)

x86
Windows 2000
defect
Not set
critical

RESOLVED DUPLICATE of bug 13350

People

(Reporter: ezh, Assigned: jst)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

1. Load this page.
2. Trunk - hang, 1.0 - crash (reported by user).
Severity: normal → critical
Keywords: crash
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * const 0x043293e0, nsIContent * 0x0328d8a8, int 0, int 0) line 4064
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5002
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x04328ae8, const nsIParserNode & {...}) line 3304 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x04312dc8) line 3786 + 25 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x04312dc8) line 3849 + 15 bytes
CNavDTD::HandleStartToken(CToken * 0x043276e0) line 1732 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x0377e460, CToken * 0x00000000, nsIParser * 0x043274a8) line 896 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x0377e460, nsIParser * 0x043274a8, nsITokenizer * 0x03221e30, nsITokenObserver * 0x00000000, nsIContentSink * 0x04328ae8) line 507 + 20 bytes
nsParser::BuildModel() line 1870 + 34 bytes
nsParser::ResumeParse(int 1, int 0, int 1) line 1737 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x043274ac, nsIRequest * 0x0431ecf8, nsISupports * 0x00000000, nsIInputStream * 0x03818d18, unsigned int 0, unsigned int 720) line 2371 + 21 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x0431f648, nsIRequest * 0x0431ecf8, nsISupports * 0x00000000, nsIInputStream * 0x03818d18, unsigned int 0, unsigned int 720) line 243 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x04345db0, nsIRequest * 0x0431ecf8, nsISupports * 0x00000000, nsIInputStream * 0x04320538, unsigned int 0, unsigned int 720) line 97 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x0431ecfc, nsIRequest * 0x04320a94, nsISupports * 0x00000000, nsIInputStream * 0x04320538, unsigned int 0, unsigned int 720) line 2982 + 63 bytes
nsOnDataAvailableEvent::HandleEvent() line 193 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x043320cc) line 116
PL_HandleEvent(PLEvent * 0x043320cc) line 596 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01037308) line 526 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x0002045a, unsigned int 49412, unsigned int 0, long 17003272) line 1077 + 9 bytes
USER32! 77e01b60()
USER32! 77e01cca()
USER32! 77e083f1()
nsAppShellService::Run(nsAppShellService * const 0x0162e388) line 451
main1(int 1, char * * 0x00284f70, nsISupports * 0x00000000) line 1456 + 32 bytes
main(int 1, char * * 0x00284f70) line 1805 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e7d326()

-> Parser for triage
Assignee: Matti → harishd
Component: Browser-General → Parser
QA Contact: imajes-qa → moied
Attached file testcase
Linux trunk (build 20020608) and branch (1.0 release) hang on URL and testcase.

On further investigation, the hang is a dupe of bug 13350.
Confirming it with build 2002052306 under Windows ME. Browser hangs. No crash, no Talkback ID provided.
Keywords: testcase
Summary: Crash or hang on this page → Crash or hang on this page [@ nsGenericHTMLContainerElement::AppendChildTo]
--> DOM

jst: Could you please take a look at this? Thanks
Assignee: harishd → jst
Component: Parser → DOM HTML
Um, so like the testcase does:

<html>
<head>
<script language="JavaScript">
while(1)
{
  parent.document.open();
  parent.document.writeln('topsgfjpew');
  parent.document.close();
}
</script>
</head>
</html>

This will obviously hang Mozilla, at least for a while, as it should... DoS
attack, duping against the uber DoS attack bug 13350.

*** This bug has been marked as a duplicate of 13350 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Component: DOM: HTML → DOM: Core & HTML
QA Contact: moied → general
Crash Signature: [@ nsGenericHTMLContainerElement::AppendChildTo]