Closed
Bug 299036
Opened 20 years ago
Closed 20 years ago
Crash in [@ CNavDTD::DidHandleStartTag] while handling misplaced content
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.8beta3
People
(Reporter: mrbkap, Assigned: mrbkap)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files, 1 obsolete file)
38 bytes, text/html
13.72 KB, patch
This is a mangleme crasher. The problem is that CNavDTD::DidHandleStartTag
relies (in a couple of cases) on the next token (that's about to be handled)
being in the tokenizer. However, when we're handling misplaced content (such as
<table><textarea>), this is not the case.
This turns out to be a decently difficult problem to solve with a general
solution because CNavDTD::HandleSavedTokens keeps its own count of how many
tokens it has to process, and updating that count outside of
::HandleSavedTokens() is hard without adding a member specifically for this case
(which I don't really want to do).
My patch will fix the crash, but leave the other problem (which is with <pre>
and <xmp> in misplaced content) alone for a better solution.
Assignee
Comment 1•20 years ago
Assignee
Comment 2•20 years ago
This fix simply moves the newline stripping code yet another level back, into
the tokenizer. This has the advantage that we no longer need to worry about
stripping newlines (from <textarea>) in the DTD, so it doesn't ever have to
worry about where it's getting parsed (either directly from HandleToken or
through HandleSavedTokens). This is a *lot* cleaner (and more robust!) than any
fix in the DTD would have been.
Attachment #187531 -
Flags: superreview?(dbaron)
Attachment #187531 -
Flags: review?(jst)
Assignee
Comment 3•20 years ago
I don't know if it's too late, but I'd like to get this HTML parser crash fix
into 1.8b3.
Flags: blocking1.8b3?
Comment 4•20 years ago
Comment on attachment 187531
patch v1
r+sr=jst
Attachment #187531 -
Flags: superreview?(dbaron)
Attachment #187531 -
Flags: superreview+
Attachment #187531 -
Flags: review?(jst)
Attachment #187531 -
Flags: review+
Assignee
Comment 5•20 years ago
Comment on attachment 187531
patch v1
This is a safe fix that stops a crash in the HTML parser.
Attachment #187531 -
Flags: approval1.8b3?
Comment 6•20 years ago
Comment on attachment 187531
patch v1
a=chofmann
Attachment #187531 -
Flags: approval1.8b3? → approval1.8b3+
Assignee
Comment 7•20 years ago
This is the patch that I will check in in a bit (it makes \n\r = 2 newlines
instead of 1 and ensures that we trim trailing newlines even if there isn't a
</textarea>).
Attachment #187531 -
Attachment is obsolete: true
Assignee
Comment 8•20 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Assignee
Updated•20 years ago
Target Milestone: --- → mozilla1.8beta3
Updated•20 years ago
Flags: blocking1.8b3?
Comment 9•16 years ago
parser/htmlparser/tests/crashtests/299036-1.html
http://hg.mozilla.org/mozilla-central/rev/b0337b6287f3
Flags: in-testsuite+
Updated•14 years ago
Crash Signature: [@ CNavDTD::DidHandleStartTag]