Open Bug 306939 (randomstyles) Opened 15 years ago Updated 3 years ago
Bugs found by Random Styles (adding random style properties to DOM elements)
This bookmarklet gives random inline styles to random elements in the page. Like the bookmarklet in bug 306663, "Random styles" is fairly effective at finding crash bugs in Gecko. I'm filing this bug as security-sensitive and keeping the bookmarklet secret for now. I've seen this bookmarklet give me three unique stack signatures so far, but I've only been able to reproduce one somewhat reliably. Testcase coming up in a bug that will block this one.
Bug 306940 happens often enough that it makes it difficult to tell whether there are other crashes. I'll do another round of testing once it is fixed.
Bug fix: add a check that n.style exists before trying to change a node's style.
Attachment #195383 - Attachment is obsolete: true
dbaron, can you look into this?
Assignee: nobody → dbaron
If you come up with a very safe fix in the next couple of days, please request approval for the patch and we'll evaluate.
Flags: blocking1.8b5+ → blocking1.8b5-
This is one of the tools I use when I want to reduce a Random Styles testcase. Its output is meant to be pasted back into the script, replacing the first two lines.
The crash points of bug 316599 and bug 316608 appear in many of the other random styles and stir dom crashers. I didn't report each individually, but bug 316599 and bug 316608 look like good candidates to fix first so that we find other crashers which are hiding behind them.
I don't have enough permissions to see the individual bugs, so commenting here: on 1.5 I crash in XmlInitUnknownEncodingNS, probably due to a null dereference. On latest trunk Jesse's program stops generating new styles after several seconds. On trunk on Linux from several days before there is a potential stack overflow from these starting values: 808080, 3, 100, 400
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1222022944 (LWP 2717)]
0xdddddddd in ?? ()
(gdb) info stack
#0 0xdddddddd in ?? ()
#1 0x082ce69c in nsIFrame::GetStyleData (this=0x954a4d8, aSID=eStyleStruct_Display) at nsIFrame.h:610
(In reply to comment #8) Bug 316608 seems to have a similar stacktrace as the GetStyleData crash. It's also important to mention on which page you crash and with what parameters.
(In reply to comment #9)
> (In reply to comment #8)
> Bug 316608 seems to have a similar stacktrace as the GetStyleData crash.
>
This bug gives me "access denied".
> It's also important to mention on which page you crash and with what
> parameters.
As mentioned in my previous post, the starting parameters in the confirm dialog are: 808080, 3, 100, 400. Waiting is several seconds. Tested on Linux. Don't know how to find the exact page.
If someone cc's me on Bug 316608 I will try the testcase.
The problem is, I'm not really sure I'm allowed to cc you on that bug.
Running Jesse's fuzzer on Linux:
ff 1.5: crashes only in XmlInitUnknownEncodingNS for me.
on latest trunk: stops generating new pages after several seconds.
Am I doing something wrong?
Starting values in the confirm dialog: 161616, 4, 100, 400
All Linux:
1.5 - innocent crash in XmlInitUnknownEncodingNS
latest trunk on x86_64 (64 bit) - smashed |this| in nsCachedStyleData::GetStyleData
latest trunk on i386: the stack seems smashed
Without knowing what page you're starting on (and the parameters, which you did give), we can't reproduce the crashes you're seeing.
(In reply to comment #15)
> Without knowing what page you're starting on (and the parameters, which you did
> give), we can't reproduce the crashes you're seeing.
>
Starting local copy of "Random Styles 1.5.1 (for pasting into testcases)". The parameters are described in comment #14: starting values in the confirm dialog: 161616, 4, 100, 400
Jesse: what about adding window.dump(CURRENTVALUES) in debug builds started from a terminal? This will print the current values in the terminal, so the exact page will be easily found.
crashes or timeouts found in this run appear as randomstyles: url?fuzz=parms... The test loads the page (with the querystring), then runs the randomstyles bookmarklet with the specified parameters. You can copy/paste the parameters from the query string directly into the randomstyles input prompt. The end of each line identifies the machine, the date the test run began and the build which was tested. For example, prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built on 2005-12-14-11. You can reproduce each test case by loading the url including the query string, then running randomstyles with the appropriate parameter.
Latest ff trunk build from source stops the crashes in comment 8 and comment 14, but the generator stops generating new pages. There are assertions in the terminal.
Changes made to both Stir DOM and Random Styles recorders:
1. Make it record information about chunks/intervals so that
   (a) it can record the equivalent of a nonzero "number of changes to do immediately" in the bookmarklet.
   (b) while reducing, the chunk boundaries don't move.
2. Make it work with both XML and HTML without requiring separate versions.
3. Improve the instructions.
Changes made only to Random Styles recorder:
1. Add "if(n.style)" check in addElements to match bookmarklet.
Attachment #198554 - Attachment is obsolete: true
See also bug 331889. The "Random Classes" bookmarklet there does most of what this one does, and more.
* Converted it to use fuzz.js (see bug 339948).
* No longer uses separate versions for bookmarklet-source and recording.
* Changed "float" to "cssFloat" (???).
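As an added illustration of the two fixes discussed in this bug (the "if(n.style)" guard from the recorder changes above and the "float" to "cssFloat" rename), and of why the starting values in the confirm dialog matter for reproduction: a seeded, replayable random-styles pass over a constructed node list. This is example code, not Jesse's bookmarklet or recorder; the LCG, the property table and the node objects are assumptions made here so it runs without a browser.

```javascript
// Added illustration, not Jesse's bookmarklet: a deterministic "random styles" pass.
// A seed replaces Math.random() so a run found with (seed, count) replays exactly;
// nodes without .style are skipped, and CSS "float" is written through "cssFloat".

// Small linear congruential generator (assumed here); the same seed replays the run.
function makeRng(seed) {
  let state = seed >>> 0;
  return (limit) => ((state = (Math.imul(state, 1664525) + 1013904223) >>> 0) >>> 8) % limit;
}

// Candidate properties and values (constructed); "float" is included to show the mapping.
const PROPS = ["display", "float", "width"];
const VALUES = {
  display: ["none", "inline", "block", "table-cell"],
  float: ["left", "right", "none"],
  width: ["0", "1px", "200%", "auto"],
};

// The DOM style property for CSS "float" is "cssFloat".
function styleKey(prop) {
  return prop === "float" ? "cssFloat" : prop;
}

// Apply up to `count` random changes; returns the log a recorder would paste back.
function applyRandomStyles(nodes, seed, count) {
  const rnd = makeRng(seed);
  const log = [];
  for (let i = 0; i < count; i++) {
    const idx = rnd(nodes.length);
    const n = nodes[idx];
    if (!n.style) continue; // text and comment nodes carry no style object
    const prop = PROPS[rnd(PROPS.length)];
    const val = VALUES[prop][rnd(VALUES[prop].length)];
    n.style[styleKey(prop)] = val;
    log.push([idx, prop, val]);
  }
  return log;
}

// Replay a recorded log on a fresh node list, e.g. while reducing a testcase.
function replay(nodes, log) {
  for (const [idx, prop, val] of log) {
    if (nodes[idx] && nodes[idx].style) nodes[idx].style[styleKey(prop)] = val;
  }
}

// Constructed sample: two element nodes and one text node (index 1) without .style.
function sampleNodes() {
  return [{ tag: "div", style: {} }, { text: "hi" }, { tag: "span", style: {} }];
}
```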
Shouldn't have security bugs assigned to nobody. Jesse can own his test bugs.
Assignee: nobody → jruderman
Summary: Crashes found by Jesse's "Random styles" bookmarklet → Bugs found by Jesse's "Random styles" bookmarklet
Comment on attachment 242968 [details] Random Styles 3.0 New version in bug 339948.
Attachment #242968 - Attachment is obsolete: true