Closed Bug 19933
Opened 25 years ago
Closed 25 years ago
JavaScript "window.location" core dumps in CAPS
Categories: Core :: Security: CAPS, defect, P3
Status: VERIFIED FIXED
People: Reporter: dejong, Assigned: norrisboyd
Whiteboard: [TESTCASE]
Attachments (1 file): 178 bytes, text/html
I built from the CVS Tue Nov 22nd on a RedHat 5.2 Linux system.
http://www.zdnet.com/pcweek/stories/java/news/0,7492,2350116,00.html
When I loaded the page this is printed on the console.

FindShortcut: in='http://www.zdnet.com/pcweek/stories/java/news/0,7492,2350116,00.html' out='null'
Assertion: "last name should be 'X_COMMAND'" (0==nsCRT::strcmp(Uxcommand,nameArray[numOfAttributes-1])) at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Break: at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Assertion: "last name should be 'X_COMMAND'" (0==nsCRT::strcmp(Uxcommand,nameArray[numOfAttributes-1])) at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Break: at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Assertion: "last name should be 'X_COMMAND'" (0==nsCRT::strcmp(Uxcommand,nameArray[numOfAttributes-1])) at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Break: at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Assertion: "last name should be 'X_COMMAND'" (0==nsCRT::strcmp(Uxcommand,nameArray[numOfAttributes-1])) at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Break: at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Assertion: "last name should be 'X_COMMAND'" (0==nsCRT::strcmp(Uxcommand,nameArray[numOfAttributes-1])) at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Break: at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
**********************************************************
**********************************************************
*********************************************************************
**********************************************************
**********************************************************
PreCondition: "You can't dereference a NULL nsCOMPtr with operator->()." (mRawPtr != 0) at file ../../dist/include/nsCOMPtr.h, line 569
Break: at file ../../dist/include/nsCOMPtr.h, line 569
Program received signal SIGSEGV, Segmentation fault.

I have not been able to generate a stack trace of this problem yet. When I do I will post it.
I was able to generate a backtrace when mozilla core dumped.

caps/src/nsScriptSecurityManager.cpp line 936

931
932 /*
933 ** Access tests failed, so now report error.
934 */
935 nsCOMPtr<nsIURI> uri;
936 if (NS_FAILED(subjectCodebase->GetURI(getter_AddRefs(uri))))
937 return NS_ERROR_FAILURE;
938 char *spec;
939 if (NS_FAILED(uri->GetSpec(&spec)))
940 return NS_ERROR_FAILURE;

The problem is with the subjectCodebase pointer that is NULL in this case.

(gdb) print subjectCodebase
$1 = {mRawPtr = 0x0}

#0 0x411f288a in nsScriptSecurityManager::CheckPermissions (this=0x822ed40, aCx=0x87966e0, aObj=0x87c81b8, aCapability=0x411f76e3 "UniversalBrowserRead", aResult=0xbfffe800) at ../../../caps/src/nsScriptSecurityManager.cpp:936
#1 0x411f06b1 in nsScriptSecurityManager::CheckScriptAccess (this=0x822ed40, aContext=0x8790578, aObj=0x87c81b8, domPropInt=579, isWrite=0, aResult=0xbfffe800) at ../../../caps/src/nsScriptSecurityManager.cpp:357
#2 0x403a7058 in LocationToString (cx=0x87966e0, obj=0x87c81b8, argc=0, argv=0x87b19c0, rval=0xbfffe94c) at ../../../../dom/src/base/nsJSLocation.cpp:397
#3 0x4007ac13 in js_Invoke (cx=0x87966e0, argc=0, flags=2) at ../../../js/src/jsinterp.c:673
#4 0x4007af78 in js_InternalCall (cx=0x87966e0, obj=0x87c81b8, fval=142377376, argc=0, argv=0x0, rval=0xbfffea68) at ../../../js/src/jsinterp.c:766
#5 0x4009fb1e in js_TryMethod (cx=0x87966e0, obj=0x87c81b8, atom=0x81d7050, argc=0, argv=0x0, rval=0xbfffea68) at ../../../js/src/jsobj.c:2705
#6 0x4009e75a in js_DefaultValue (cx=0x87966e0, obj=0x87c81b8, hint=JSTYPE_STRING, vp=0xbfffeaa0) at ../../../js/src/jsobj.c:2266
#7 0x400c3a57 in js_ValueToString (cx=0x87966e0, v=142377400) at ../../../js/src/jsstr.c:2214
#8 0x4004b3c9 in JS_ValueToString (cx=0x87966e0, v=142377400) at ../../../js/src/jsapi.c:500
#9 0x40399654 in nsJSContext::EvaluateString (this=0x8790578, aScript=@0xbfffedd8, jsObj=0x87282c8, aPrincipal=0x87bb770, aURL=0x890d248 "file:///usr/local/project/mozilla/pcweek.html", aLineNo=662, aVersion=0x400c7ed7 "default", aRetValue=@0xbfffebc0, aIsUndefined=0xbfffebb8) at ../../../../dom/src/base/nsJSEnvironment.cpp:240
#10 0x40f176a9 in HTMLContentSink::EvaluateScript (this=0x87e72c0, aScript=@0xbfffedd8, aLineNo=662, aVersion=0x400c7ed7 "default") at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:3619
#11 0x40f18570 in HTMLContentSink::ProcessSCRIPTTag (this=0x87e72c0, aNode=@0x884efd8) at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:3813
#12 0x40f13f20 in HTMLContentSink::AddLeaf (this=0x87e72c0, aNode=@0x884efd8) at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:2625
#13 0x41193e97 in CNavDTD::AddLeaf (this=0x8814028, aNode=0x884efd8) at ../../../htmlparser/src/CNavDTD.cpp:3013
#14 0x4119210d in CNavDTD::HandleScriptToken (this=0x8814028, aNode=0x884efd8) at ../../../htmlparser/src/CNavDTD.cpp:1767
#15 0x41193878 in CNavDTD::OpenContainer (this=0x8814028, aNode=0x884efd8, aTag=eHTMLTag_script, aClosedByStartTag=1, aResidualStyleLevel=-1) at ../../../htmlparser/src/CNavDTD.cpp:2760
#16 0x411908ac in CNavDTD::HandleDefaultStartToken (this=0x8814028, aToken=0x8308930, aChildTag=eHTMLTag_script, aNode=0x884efd8) at ../../../htmlparser/src/CNavDTD.cpp:1024
#17 0x411911b6 in CNavDTD::HandleStartToken (this=0x8814028, aToken=0x8308930) at ../../../htmlparser/src/CNavDTD.cpp:1328
#18 0x411900ee in CNavDTD::HandleToken (this=0x8814028, aToken=0x82f6700, aParser=0x88153f8) at ../../../htmlparser/src/CNavDTD.cpp:736
#19 0x4118fb80 in CNavDTD::BuildModel (this=0x8814028, aParser=0x88153f8, aTokenizer=0x878c2b0, anObserver=0x0, aSink=0x87e72c0) at ../../../htmlparser/src/CNavDTD.cpp:529
#20 0x4119e0c8 in nsParser::BuildModel (this=0x88153f8) at ../../../htmlparser/src/nsParser.cpp:1034
#21 0x4119df88 in nsParser::ResumeParse (this=0x88153f8, aDefaultDTD=0x0, aIsFinalChunk=0) at ../../../htmlparser/src/nsParser.cpp:960
#22 0x4119ea7e in nsParser::OnDataAvailable (this=0x88153f8, channel=0x8820038, aContext=0x0, pIStream=0x8824718, sourceOffset=32768, aLength=8192) at ../../../htmlparser/src/nsParser.cpp:1310
#23 0x4098329b in nsDocumentBindInfo::OnDataAvailable (this=0x881ff20, channel=0x8820038, ctxt=0x0, aStream=0x8824718, sourceOffset=32768, aLength=8192) at ../../../webshell/src/nsDocLoader.cpp:1414
#24 0x40983e24 in nsChannelListener::OnDataAvailable (this=0x881ff40, aChannel=0x8820038, aContext=0x0, aInStream=0x8824718, aOffset=32768, aCount=8192) at ../../../webshell/src/nsDocLoader.cpp:1566
#25 0x404fce55 in nsFileChannel::OnDataAvailable (this=0x8820038, transportChannel=0x88245b0, context=0x0, aIStream=0x8824718, aSourceOffset=32768, aLength=8192) at ../../../../../netwerk/protocol/file/src/nsFileChannel.cpp:494
#26 0x404bebde in nsOnDataAvailableEvent::HandleEvent (this=0x887af40) at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:416
#27 0x404be186 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x88f5f80) at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:173
#28 0x4019d2fb in PL_HandleEvent (self=0x88f5f80) at plevent.c:537
#29 0x4019d20d in PL_ProcessPendingEvents (self=0x80a5188) at plevent.c:498
#30 0x40159231 in nsEventQueueImpl::ProcessPendingEvents (this=0x80a5160) at ../../../xpcom/threads/nsEventQueue.cpp:193
#31 0x40563b6c in event_processor_callback (data=0x80a5160, source=8, condition=GDK_INPUT_READ) at ../../../../widget/src/gtk/nsAppShell.cpp:233
#32 0x40563473 in our_gdk_io_invoke (source=0x82324f0, condition=G_IO_IN, data=0x8257878) at ../../../../widget/src/gtk/nsAppShell.cpp:54
#33 0x4070778e in g_io_unix_dispatch (source_data=0x8232508, current_time=0xbffff590, user_data=0x8257878) at giounix.c:135
#34 0x40708cef in g_main_dispatch (current_time=0xbffff590) at gmain.c:656
#35 0x407092d7 in g_main_iterate (block=1, dispatch=1) at gmain.c:874
#36 0x40709459 in g_main_run (loop=0x825dba8) at gmain.c:932
#37 0x40636ac3 in gtk_main () at gtkmain.c:476
#38 0x40564165 in nsAppShell::Run (this=0x80b27b8) at ../../../../widget/src/gtk/nsAppShell.cpp:404
#39 0x403376b5 in nsAppShellService::Run (this=0x80a4e10) at ../../../../xpfe/appshell/src/nsAppShellService.cpp:488
#40 0x804d845 in main1 (argc=1, argv=0xbffff804) at ../../../xpfe/bootstrap/nsAppRunner.cpp:588
#41 0x804db05 in main (argc=1, argv=0xbffff804) at ../../../xpfe/bootstrap/nsAppRunner.cpp:638
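As an added illustration (not code from this bug or from Mozilla), a simplified C++ model of the reporting path quoted above in which a NULL subject principal is handled as a denial instead of being dereferenced; Codebase, CheckResult and the nsresult values are constructed stand-ins, and the same-origin test is a hypothetical simplification of the real access tests.

```cpp
#include <cstdint>
#include <string>

// Constructed stand-ins for Mozilla's nsresult conventions (illustrative
// values, not the real headers).
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = 0x80004005u;
inline bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }

// Hypothetical principal: the bug's "subjectCodebase" reduced to its origin.
struct Codebase {
    std::string origin;   // constructed sample, e.g. "http://www.zdnet.com"
    nsresult GetSpec(std::string* out) const { *out = origin; return NS_OK; }
};

struct CheckResult {
    nsresult rv;          // NS_OK only when access is granted
    bool allowed;         // the aResult out-parameter of the original
    std::string report;   // error text built on the reporting path
};

// Simplified model of the check in frame #0 of the backtrace. The original
// dereferenced subjectCodebase on the "access tests failed, so now report
// error" path even when the running script had no principal, which is the
// SIGSEGV above. Here the null case is tested first and treated as a denial:
// a missing principal fails closed (no access, no crash, nothing granted).
CheckResult CheckPermissions(const Codebase* subjectCodebase,
                             const Codebase& objectCodebase) {
    CheckResult r{NS_ERROR_FAILURE, false, ""};
    if (!subjectCodebase) {
        r.report = "access denied: subject has no principal";
        return r;                                   // no dereference
    }
    if (subjectCodebase->origin == objectCodebase.origin) {
        r.rv = NS_OK;
        r.allowed = true;                           // same origin: allowed
        return r;
    }
    // Access tests failed, so now report the error (pointer known non-null).
    std::string spec;
    if (NS_FAILED(subjectCodebase->GetSpec(&spec)))
        return r;
    r.report = "access denied for " + spec + " to " + objectCodebase.origin;
    return r;
}
```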
Comment 2•25 years ago

Updated•25 years ago
Assignee: leger → mccabe
Component: Browser-General → Javascript Engine
OS: Linux → All
Summary: Mozila core dumps while loading this page! → JavaScript "window.location" core dumps in CAPS
Whiteboard: [TESTCASE]
Comment 3•25 years ago
This happens on NT4sp5 too. Changing OS to All and updating Summary based on testcase. Here is the stack dump on NT:

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0012f2b8 600921ae 00a47428 0a1d1ea0 0163bdf0 6009d2f8 caps!nsGetServiceByProgID::~nsGetServiceByProgID
0012f2ec 609b2324 00a47428 0a1d00c0 0163bdf0 00000243 caps!nsGetServiceByProgID::~nsGetServiceByProgID
0012f3b4 609747b7 00a47428 00000000 00000000 015fe908 jsdom!NS_NewScriptNameSpaceManager
0012f458 60974928 0a1d1ea0 00000000 00000002 0a1d1ea0 js3250!js_Invoke
0012f4d0 6097f311 0a1d1ea0 0163bdf0 0163bdd8 00000000 js3250!js_Invoke
0012f4fc 6097eb86 0163bdd8 0163bdf0 010dfac0 00000000 js3250!js_FindProperty
0012f524 6098fe74 0a1d1ea0 0163bdf0 00000003 0012f54c js3250!js_FindProperty
0012f540 609618b0 0a1d1ea0 0163bdf0 609b8bd0 0a1d1ea0 js3250!js_NewScriptFromCG
0012f54c 609b8bd0 0a1d1ea0 0163bdf0 0a1c2da0 0a1f0d90 js3250!JS_ValueToString (FPO: [2,0,0])
0012f5a0 601b5cfb 00000000 0012f99c 0163aaf0 00000000 jsdom!NS_NewScriptGlobalObject
0012f684 601b6338 0012f99c 00000005 60999050 0a23cbc0 gkhtml!NS_CreateHTMLElement
0012faf8 601b4316 00000001 0a23cbc0 0a23dc30 00000055 gkhtml!NS_CreateHTMLElement
0012fb10 602a86a2 0a268b90 0a23cbc0 0a23cbc0 0a23dc30 gkhtml!NS_CreateHTMLElement
0012fbf0 602a898b 0a23cbc0 0a046a60 0a23dc30 0012fc30 gkparser!CNavDTD::AddLeaf
0012fc08 602a6dcb 0a23cbc0 0a046a60 0a23dc30 00000055 gkparser!CNavDTD::AddHeadLeaf (FPO: [EBP 0x0a046a60] [1,0,4])
0a046a60 00000000 00000000 00000000 00000055 00000001 gkparser!CNavDTD::HandleStartToken
602c5c54 602aa87d 602af966 602aa9ee 602aa7a9 602af988 mozilla!<nosymbols>
602c5c9c 602aab97 602aa7a9 602af988 602af99f 602aab0e gkparser!nsHTMLTags::GetStringValue (FPO: [2,0,1])
Updated•25 years ago
Assignee: mccabe → norris
Component: Javascript Engine → CAPS
Comment 4•25 years ago
document.whatever is DOM, (APIs exposed to the JavaScript engine) - not JS. Looks like caps - reassigning there.
Assignee

Updated•25 years ago
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
I just ran the current CVS tree on this page and it does not crash anymore. The problem is that now it does not ever seem to load and it just looks hosed.
Moving all CAPS bugs to Security: CAPS component. CAPS component will be deleted.
Component: CAPS → Security: CAPS