Bug 19933 (Closed) - Opened 25 years ago, Closed 25 years ago

JavaScript "window.location" core dumps in CAPS

Product/Component: Core :: Security: CAPS
Type: defect
Priority: P3
Hardware: x86
OS: All
Status: VERIFIED FIXED
Reporter: dejong
Assigned: norrisboyd
Whiteboard: [TESTCASE]
Attachments: 1 file

I built from CVS on Tue Nov 22nd on a RedHat 5.2 Linux system.

http://www.zdnet.com/pcweek/stories/java/news/0,7492,2350116,00.html

When I loaded the page, this was printed on the console.


FindShortcut:
in='http://www.zdnet.com/pcweek/stories/java/news/0,7492,2350116,00.html'
out='null'
Assertion: "last name should be 'X_COMMAND'"
(0==nsCRT::strcmp(Uxcommand,nameArray[numOfAttributes-1])) at file
../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
Break: at file ../../../../intl/chardet/src/nsMetaCharsetObserver.cpp, line 196
(the same "last name should be 'X_COMMAND'" assertion and break at
nsMetaCharsetObserver.cpp line 196 repeat four more times)
**********************************************************
**********************************************************
*********************************************************************
**********************************************************
**********************************************************
PreCondition: "You can't dereference a NULL nsCOMPtr with operator->()."
(mRawPtr != 0) at file ../../dist/include/nsCOMPtr.h, line 569
Break: at file ../../dist/include/nsCOMPtr.h, line 569

Program received signal SIGSEGV, Segmentation fault.

I have not been able to generate a stack trace of this
problem yet. When I do I will post it.

I was able to generate a backtrace when Mozilla core dumped.


caps/src/nsScriptSecurityManager.cpp line 936


931
932         /*
933         ** Access tests failed, so now report error.
934         */
935         nsCOMPtr<nsIURI> uri;
936         if (NS_FAILED(subjectCodebase->GetURI(getter_AddRefs(uri))))
937             return NS_ERROR_FAILURE;
938         char *spec;
939         if (NS_FAILED(uri->GetSpec(&spec)))
940             return NS_ERROR_FAILURE;


The problem is with the subjectCodebase pointer that is NULL in this case.

(gdb) print subjectCodebase
$1 = {mRawPtr = 0x0}



#0  0x411f288a in nsScriptSecurityManager::CheckPermissions (this=0x822ed40,
    aCx=0x87966e0, aObj=0x87c81b8,
    aCapability=0x411f76e3 "UniversalBrowserRead", aResult=0xbfffe800)
    at ../../../caps/src/nsScriptSecurityManager.cpp:936
#1  0x411f06b1 in nsScriptSecurityManager::CheckScriptAccess (this=0x822ed40,
    aContext=0x8790578, aObj=0x87c81b8, domPropInt=579, isWrite=0,
    aResult=0xbfffe800) at ../../../caps/src/nsScriptSecurityManager.cpp:357
#2  0x403a7058 in LocationToString (cx=0x87966e0, obj=0x87c81b8, argc=0,
    argv=0x87b19c0, rval=0xbfffe94c)
    at ../../../../dom/src/base/nsJSLocation.cpp:397
#3  0x4007ac13 in js_Invoke (cx=0x87966e0, argc=0, flags=2)
    at ../../../js/src/jsinterp.c:673
#4  0x4007af78 in js_InternalCall (cx=0x87966e0, obj=0x87c81b8,
    fval=142377376, argc=0, argv=0x0, rval=0xbfffea68)
    at ../../../js/src/jsinterp.c:766
#5  0x4009fb1e in js_TryMethod (cx=0x87966e0, obj=0x87c81b8, atom=0x81d7050,
    argc=0, argv=0x0, rval=0xbfffea68) at ../../../js/src/jsobj.c:2705
#6  0x4009e75a in js_DefaultValue (cx=0x87966e0, obj=0x87c81b8,
    hint=JSTYPE_STRING, vp=0xbfffeaa0) at ../../../js/src/jsobj.c:2266
#7  0x400c3a57 in js_ValueToString (cx=0x87966e0, v=142377400)
    at ../../../js/src/jsstr.c:2214
#8  0x4004b3c9 in JS_ValueToString (cx=0x87966e0, v=142377400)
    at ../../../js/src/jsapi.c:500
#9  0x40399654 in nsJSContext::EvaluateString (this=0x8790578,
    aScript=@0xbfffedd8, jsObj=0x87282c8, aPrincipal=0x87bb770,
    aURL=0x890d248 "file:///usr/local/project/mozilla/pcweek.html",
    aLineNo=662, aVersion=0x400c7ed7 "default", aRetValue=@0xbfffebc0,
    aIsUndefined=0xbfffebb8)
    at ../../../../dom/src/base/nsJSEnvironment.cpp:240
#10 0x40f176a9 in HTMLContentSink::EvaluateScript (this=0x87e72c0,
    aScript=@0xbfffedd8, aLineNo=662, aVersion=0x400c7ed7 "default")
    at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:3619
#11 0x40f18570 in HTMLContentSink::ProcessSCRIPTTag (this=0x87e72c0,
    aNode=@0x884efd8)
    at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:3813
#12 0x40f13f20 in HTMLContentSink::AddLeaf (this=0x87e72c0, aNode=@0x884efd8)
    at ../../../../../layout/html/document/src/nsHTMLContentSink.cpp:2625
#13 0x41193e97 in CNavDTD::AddLeaf (this=0x8814028, aNode=0x884efd8)
    at ../../../htmlparser/src/CNavDTD.cpp:3013
#14 0x4119210d in CNavDTD::HandleScriptToken (this=0x8814028, aNode=0x884efd8)
    at ../../../htmlparser/src/CNavDTD.cpp:1767
#15 0x41193878 in CNavDTD::OpenContainer (this=0x8814028, aNode=0x884efd8,
    aTag=eHTMLTag_script, aClosedByStartTag=1, aResidualStyleLevel=-1)
    at ../../../htmlparser/src/CNavDTD.cpp:2760
#16 0x411908ac in CNavDTD::HandleDefaultStartToken (this=0x8814028,
    aToken=0x8308930, aChildTag=eHTMLTag_script, aNode=0x884efd8)
    at ../../../htmlparser/src/CNavDTD.cpp:1024
#17 0x411911b6 in CNavDTD::HandleStartToken (this=0x8814028, aToken=0x8308930)
    at ../../../htmlparser/src/CNavDTD.cpp:1328
#18 0x411900ee in CNavDTD::HandleToken (this=0x8814028, aToken=0x82f6700,
    aParser=0x88153f8) at ../../../htmlparser/src/CNavDTD.cpp:736
#19 0x4118fb80 in CNavDTD::BuildModel (this=0x8814028, aParser=0x88153f8,
    aTokenizer=0x878c2b0, anObserver=0x0, aSink=0x87e72c0)
    at ../../../htmlparser/src/CNavDTD.cpp:529
#20 0x4119e0c8 in nsParser::BuildModel (this=0x88153f8)
    at ../../../htmlparser/src/nsParser.cpp:1034
#21 0x4119df88 in nsParser::ResumeParse (this=0x88153f8, aDefaultDTD=0x0,
    aIsFinalChunk=0) at ../../../htmlparser/src/nsParser.cpp:960
#22 0x4119ea7e in nsParser::OnDataAvailable (this=0x88153f8,
    channel=0x8820038, aContext=0x0, pIStream=0x8824718, sourceOffset=32768,
    aLength=8192) at ../../../htmlparser/src/nsParser.cpp:1310
#23 0x4098329b in nsDocumentBindInfo::OnDataAvailable (this=0x881ff20,
    channel=0x8820038, ctxt=0x0, aStream=0x8824718, sourceOffset=32768,
    aLength=8192) at ../../../webshell/src/nsDocLoader.cpp:1414
#24 0x40983e24 in nsChannelListener::OnDataAvailable (this=0x881ff40,
    aChannel=0x8820038, aContext=0x0, aInStream=0x8824718, aOffset=32768,
    aCount=8192) at ../../../webshell/src/nsDocLoader.cpp:1566
#25 0x404fce55 in nsFileChannel::OnDataAvailable (this=0x8820038,
    transportChannel=0x88245b0, context=0x0, aIStream=0x8824718,
    aSourceOffset=32768, aLength=8192)
    at ../../../../../netwerk/protocol/file/src/nsFileChannel.cpp:494
#26 0x404bebde in nsOnDataAvailableEvent::HandleEvent (this=0x887af40)
    at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:416
#27 0x404be186 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x88f5f80)
    at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:173
#28 0x4019d2fb in PL_HandleEvent (self=0x88f5f80) at plevent.c:537
#29 0x4019d20d in PL_ProcessPendingEvents (self=0x80a5188) at plevent.c:498
#30 0x40159231 in nsEventQueueImpl::ProcessPendingEvents (this=0x80a5160)
    at ../../../xpcom/threads/nsEventQueue.cpp:193
#31 0x40563b6c in event_processor_callback (data=0x80a5160, source=8,
    condition=GDK_INPUT_READ) at ../../../../widget/src/gtk/nsAppShell.cpp:233
#32 0x40563473 in our_gdk_io_invoke (source=0x82324f0, condition=G_IO_IN,
    data=0x8257878) at ../../../../widget/src/gtk/nsAppShell.cpp:54
#33 0x4070778e in g_io_unix_dispatch (source_data=0x8232508,
    current_time=0xbffff590, user_data=0x8257878) at giounix.c:135
#34 0x40708cef in g_main_dispatch (current_time=0xbffff590) at gmain.c:656
#35 0x407092d7 in g_main_iterate (block=1, dispatch=1) at gmain.c:874
#36 0x40709459 in g_main_run (loop=0x825dba8) at gmain.c:932
#37 0x40636ac3 in gtk_main () at gtkmain.c:476
#38 0x40564165 in nsAppShell::Run (this=0x80b27b8)
    at ../../../../widget/src/gtk/nsAppShell.cpp:404
#39 0x403376b5 in nsAppShellService::Run (this=0x80a4e10)
    at ../../../../xpfe/appshell/src/nsAppShellService.cpp:488
#40 0x804d845 in main1 (argc=1, argv=0xbffff804)
    at ../../../xpfe/bootstrap/nsAppRunner.cpp:588
#41 0x804db05 in main (argc=1, argv=0xbffff804)
    at ../../../xpfe/bootstrap/nsAppRunner.cpp:638
Assignee: leger → mccabe
Component: Browser-General → Javascript Engine
OS: Linux → All
Summary: Mozila core dumps while loading this page! → JavaScript "window.location" core dumps in CAPS
Whiteboard: [TESTCASE]
This happens on NT4sp5 too. Changing OS to All and updating Summary based on
testcase. Here is the stack dump on NT:

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0012f2b8 600921ae 00a47428 0a1d1ea0 0163bdf0 6009d2f8
caps!nsGetServiceByProgID::~nsGetServiceByProgID
0012f2ec 609b2324 00a47428 0a1d00c0 0163bdf0 00000243
caps!nsGetServiceByProgID::~nsGetServiceByProgID
0012f3b4 609747b7 00a47428 00000000 00000000 015fe908
jsdom!NS_NewScriptNameSpaceManager
0012f458 60974928 0a1d1ea0 00000000 00000002 0a1d1ea0 js3250!js_Invoke
0012f4d0 6097f311 0a1d1ea0 0163bdf0 0163bdd8 00000000 js3250!js_Invoke
0012f4fc 6097eb86 0163bdd8 0163bdf0 010dfac0 00000000 js3250!js_FindProperty
0012f524 6098fe74 0a1d1ea0 0163bdf0 00000003 0012f54c js3250!js_FindProperty
0012f540 609618b0 0a1d1ea0 0163bdf0 609b8bd0 0a1d1ea0 js3250!js_NewScriptFromCG
0012f54c 609b8bd0 0a1d1ea0 0163bdf0 0a1c2da0 0a1f0d90 js3250!JS_ValueToString
(FPO: [2,0,0])
0012f5a0 601b5cfb 00000000 0012f99c 0163aaf0 00000000
jsdom!NS_NewScriptGlobalObject
0012f684 601b6338 0012f99c 00000005 60999050 0a23cbc0
gkhtml!NS_CreateHTMLElement
0012faf8 601b4316 00000001 0a23cbc0 0a23dc30 00000055
gkhtml!NS_CreateHTMLElement
0012fb10 602a86a2 0a268b90 0a23cbc0 0a23cbc0 0a23dc30
gkhtml!NS_CreateHTMLElement
0012fbf0 602a898b 0a23cbc0 0a046a60 0a23dc30 0012fc30 gkparser!CNavDTD::AddLeaf
0012fc08 602a6dcb 0a23cbc0 0a046a60 0a23dc30 00000055
gkparser!CNavDTD::AddHeadLeaf  (FPO: [EBP 0x0a046a60] [1,0,4])
0a046a60 00000000 00000000 00000000 00000055 00000001
gkparser!CNavDTD::HandleStartToken
602c5c54 602aa87d 602af966 602aa9ee 602aa7a9 602af988 mozilla!<nosymbols>
602c5c9c 602aab97 602aa7a9 602af988 602af99f 602aab0e
gkparser!nsHTMLTags::GetStringValue  (FPO: [2,0,1])
Assignee: mccabe → norris
Component: Javascript Engine → CAPS
document.whatever is DOM (APIs exposed to the JavaScript engine), not JS.

Looks like caps - reassigning there.
*** Bug 20060 has been marked as a duplicate of this bug. ***
*** Bug 20112 has been marked as a duplicate of this bug. ***
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
I just ran the current CVS tree on this page and it does not crash
anymore. The problem is that now it does not ever seem to load and
it just looks hosed.
Moving all CAPS bugs to Security: CAPS component.  CAPS component will be 
deleted.
Component: CAPS → Security: CAPS