Closed Bug 273213 Opened 20 years ago Closed 20 years ago

The last character of some tags consumed as CDATA get chopped off if the tag is not closed properly

Categories

(Core :: DOM: HTML Parser, defect)

x86
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: mrbkap)

Details

(Keywords: regression)

Attachments

(1 file)

If I load

  data:text/html,<iframe>

in the browser, I get the following assertion:

###!!! ASSERTION: can't advance (backward) a reading iterator beyond the end of
a string: 'step<0', file ../../../dist/include/string/nsStringIterator.h, line 182

The callstack goes back to SinkContext::AddLeaf, where we call:

  AddText(aNode.GetText());

The string passed to AddText is:

(gdb) p aText
$2 = (const nsAString &) @0x8800e90: {mVTable = 0x4016e0c8, mData = 0x85e8708, 
  mLength = 4294967295, mFlags = 0}

Note the mLength.

This looks like fallout from either bug 269853 or bug 88952 to me...  I don't
recall this testcase asserting before the last time I pulled from CVS.

The token on the parser node is a CTextToken, and it looks like this:

$6 = {<CHTMLToken> = {<CToken> = {_vptr.CToken = 0x41d6fde8, mTypeID = 109, 
      mUseCount = 2, mNewlineCount = 0, mLineNumber = 1, mInError = 0, 
      mAttrCount = 0}, <No data fields>}, mTextValue = {mStart = {mBuffer = 0x85e86b8, 
      mPosition = 0x85e8708}, mEnd = {mBuffer = 0x85e86b8, mPosition = 0x85e8706}, 
    mBufferList = 0x867df98, mLength = 4294967295, 
    mFlattenedRep = {<nsSubstring> = {<nsAString> = {mVTable = 0x4016e0c8, 
          mData = 0x85e8708, mLength = 4294967295, 
          mFlags = 0}, <No data fields>}, <No data fields>}, mIsDirty = 0}}

Note that mStart.mPosition is bigger than mEnd.mPosition, which is what causes
the problem....

If I close the <iframe> I don't get an assert, so this looks like a bug in the
EOF case in ReadUntil().   This makes it likely bug 88952 is responsible.
Attached patch: patch v1
I think if you had: "data:text/html,<iframe>123" view-source would have shown
"<iframe>12". This fixes all of it.
Assignee: parser → mrbkap
Status: NEW → ASSIGNED
Attachment #167904 - Flags: review?(bzbarsky)
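
Added example, not part of the bug report and not Mozilla's code: a constructed model of how one off-by-one at EOF yields both symptoms reported above, the chopped last character and an inverted span whose unsigned length wraps to 4294967295. The scanner, its `fixed` flag and the assumed defect (stepping back over a terminator that was never read) are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed model of a token's text span: two positions in a UTF-16 buffer.
struct Span { const char16_t* start; const char16_t* end; };

const size_t kTagLen = 8;  // length of "<iframe>"; sample inputs all start with it

// Hypothetical scanner, NOT Mozilla's ReadUntil(). It consumes content after
// the open tag up to and including '<'. Assumed defect (fixed == false): the
// end position is stepped back over "the terminator" even when the loop
// stopped at EOF and no terminator was consumed.
Span scan(const std::u16string& buf, bool fixed) {
    size_t i = kTagLen;
    bool found = false;
    while (i < buf.size()) {
        if (buf[i++] == u'<') { found = true; break; }
    }
    size_t end = (found || !fixed) ? i - 1 : i;
    return Span{buf.data() + kTagLen, buf.data() + end};
}

// Length as an unsigned 32-bit count of UTF-16 units, with no ordering check.
uint32_t unchecked_len(const std::u16string& buf, bool fixed) {
    Span s = scan(buf, fixed);
    return static_cast<uint32_t>(s.end - s.start);  // end < start wraps around
}

// Defensive variant: reject an inverted span instead of letting it wrap.
bool checked_text(const std::u16string& buf, bool fixed, std::u16string* out) {
    Span s = scan(buf, fixed);
    if (s.end < s.start) return false;
    out->assign(s.start, s.end);
    return true;
}

int main() {
    std::u16string t;
    bool ok = unchecked_len(u"<iframe>", false) == 4294967295u       // the mLength seen in gdb
           && !checked_text(u"<iframe>", false, &t)                  // inverted span is caught
           && checked_text(u"<iframe>123", false, &t) && t == u"12"  // last character chopped
           && checked_text(u"<iframe>123", true, &t) && t == u"123"; // EOF handled
    return ok ? 0 : 1;
}
```

In the gdb dump, mStart.mPosition (0x85e8708) is two bytes, one UTF-16 unit, past mEnd.mPosition (0x85e8706), which is the -1 that appears as 4294967295 once stored in an unsigned 32-bit length.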
Comment on attachment 167904 [details] [diff] [review]
patch v1

r+sr=bzbarsky
Attachment #167904 - Flags: superreview+
Attachment #167904 - Flags: review?(bzbarsky)
Attachment #167904 - Flags: review+
Changing summary to the larger problem and marking FIXED since this was checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: regression
Resolution: --- → FIXED
Summary: Assert when loading URL in URL field → The last character of some tags consumed as CDATA get chopped off if the tag is not closed properly