Closed Bug 311157 Opened 20 years ago Closed 20 years ago

Comment-hiding compromise left E4X parsing/scanning inconsistent

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: brendan, Assigned: brendan)

References

Details

(Keywords: crash, js1.6, verified1.8)

Attachments

(1 file)

proposed fix
4.14 KB, patch
mrbkap
: review+
shaver
: superreview+
asa
: approval1.8rc1+
Details | Diff | Splinter Review
Given the final state of affairs after bug 311071 was fixed, with XML element and list literals unambiguous in all script tags (with or without e4x=1 or a new MIME type), but XML comment and CDATA literals not supported because they're ambiguous with HTML comment hiding hacks, there are some holes in the parser/scanner state space. For example, x = <hi> <!-- duh --> there </hi>; should work in a script tag, but it does not. An assertion in jsparse.c fires and a bad parse tree is constructed, leading to a crash. The problem is that the scanner collects the space before the <!-- and stops on the <, thinking it will be tokenized as an XML token (start-tag opener, etc.). But thanks to the comment hiding hack support, it's skipped (characters to end of line are eaten). That means the next token is not something to-do with <, but a TOK_NAME for 'there'. The code in XMLElementContent in jsparse.c asserts otherwise, then blithely makes a parse node assuming it got the expected type (one of TOK_XMLPI, TOK_XMLCDATA, and TOK_XMLCOMMENT). For TOK_NAME, this is safe, but not so for other token types. The straightforward fix is to toggle JSOPTION_XML when parsing XMLElementContent (easy to do, restores the previous coupling between the TSF_XMLTEXTMODE scanner subset and the comment-hiding hack, by enabling the latter when using the former to scan text up to a < in a tag). /be
Should fix for RC1, not a 1.8b5 stopper. Potential for security exploit low but non-zero given content-controlled parse tree type botch. /be
Status: NEW → ASSIGNED
Keywords: crash
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta5
Attached patch proposed fixSplinter Review
Straighforward refactoring to consolidate JSOPTION_XML toggling and avoid doing it when recursing through XMLElementOrList or XMLElementContent. /be
Attachment #198546 - Flags: superreview?(shaver)
Attachment #198546 - Flags: review?(mrbkap)
Comment on attachment 198546 [details] [diff] [review] proposed fix r=mrbkap
Attachment #198546 - Flags: review?(mrbkap) → review+
Comment on attachment 198546 [details] [diff] [review] proposed fix sr=shaver
Attachment #198546 - Flags: superreview?(shaver) → superreview+
Fixed on the trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Flags: blocking1.8rc1+
Resolution: --- → FIXED
Comment on attachment 198546 [details] [diff] [review] proposed fix This is a necessary fix to restore lost consistency between the scanner and the parser. /be
Attachment #198546 - Flags: approval1.8rc1?
RCS file: /cvsroot/mozilla/js/tests/e4x/Expressions/11.4.1-04.js,v done Checking in 11.4.1-04.js; /cvsroot/mozilla/js/tests/e4x/Expressions/11.4.1-04.js,v <-- 11.4.1-04.js initial revision: 1.1 done RCS file: /cvsroot/mozilla/js/tests/e4x/Expressions/11.4.1-05.js,v done Checking in 11.4.1-05.js; /cvsroot/mozilla/js/tests/e4x/Expressions/11.4.1-05.js,v <-- 11.4.1-05.js initial revision: 1.1 done
Flags: testcase+
Checking in regress-311157-01.js; /cvsroot/mozilla/js/tests/js1_6/Regress/regress-311157-01.js,v <-- regress-311157-01.js initial revision: 1.1 done RCS file: /cvsroot/mozilla/js/tests/js1_6/Regress/regress-311157-02.js,v done Checking in regress-311157-02.js; /cvsroot/mozilla/js/tests/js1_6/Regress/regress-311157-02.js,v <-- regress-311157-02.js initial revision: 1.1 done
Attachment #198546 - Flags: approval1.8rc1? → approval1.8rc1+
Fixed on branch, thanks. /be
Keywords: fixed1.8
So lemme get this straight. All XML comments and CDATA tags are ignored when the MIME type doesn't have e4x=1. Everything else works regardless of whether e4x=1. Is that correct? Are there any cases in which XML comments are parsed without e4x=1?
Blocks: 311950
(In reply to comment #10) > So lemme get this straight. All XML comments and CDATA tags are ignored when the > MIME type doesn't have e4x=1. No, only top-level ones. > Are there any cases in which XML comments are parsed without e4x=1? Yes, if they're contained in a list or element. Same for CDATA. /be
no crash firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8verified1.8
verified fixed 1.9 windows/mac(ppc|tel)/linux 20060812
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: