Closed Bug 320996 (xangle) Opened 18 years ago Closed 6 years ago

mangle xul tags


(Core :: Layout, defect)

Not set





(Reporter: bernd_mozilla, Unassigned)


(Blocks 1 open bug)


(Keywords: meta, sec-other, Whiteboard: [sg:nse] meta)


(1 file, 6 obsolete files)

the mangleme script targets html, I thought that this should work also with xul. The attached "kiddy" stuff crashes at the first url that it creates.
Attached file (obsolete) —
the testcase crashes for me locally
Martijn, I just want to make sure that you see the new toy.
Blocks: fuzz
Depends on: 321016
I reduced the testcase in comment 2 and filed bug 321016 based on it.  I'm turning this into a metabug to match the bugs for other fuzz-testing tools.
Keywords: meta
Neil, interested in trying to fix some of these?
I added the ability to output nested tags, removed some bogus tags, and commented out <listboxbody> because it's known to crash.

I ran 500 files generated by this program through Firefox 1.5 and none of them made it crash.
Attachment #206430 - Attachment is obsolete: true
Attachment #206431 - Attachment is obsolete: true
Attached file New version of xangle (obsolete) —
Depends on: 321056
Depends on: 321058
Depends on: 321066
Depends on: 321069
Alias: xangle
Depends on: 321073
Depends on: 321074
Depends on: 321077
Attached patch make it crash again (obsolete) — Splinter Review
the diff is relative to attachment 206455 [details] and crashes tree times within the first 500 testfiles.
The new version (comment 9) generates files that are both smaller and flatter, so it would surprise me if it were more effective at finding bugs.

I don't get any crashes in the first 500 files (on Mac, using g++ 3.3's rand impl).  I tried with Firefox 1.5, today's trunk nightly, and my trunk debug build.  I also don't get any new assertions or warnings in the debug build.

Can you attach and/or reduce the files that crash for you?
Depends on: 321224
One crash got fixed by updating the browser, testcase 279 and 402 crash both at bug 321224.

Btw and the links there are interesting stuff.
Attached file next. rev. (obsolete) —
no new crashes, but new asserts, hang and window folding
Whiteboard: [sg:nse] meta
Depends on: 322074
OS: Windows XP → All
Hardware: PC → All
Depends on: 322725
Depends on: 322726
Depends on: 322731
Attachment #206455 - Attachment is obsolete: true
Attachment #206528 - Attachment is obsolete: true
Attachment #206454 - Attachment is obsolete: true
Attachment #206454 - Attachment is patch: true
Attached file rev 2006/01/08
some more style args, makes it crash again
Attachment #206840 - Attachment is obsolete: true
Depends on: 140218
Depends on: 322774
Depends on: 322779
Depends on: 322780
Depends on: 322783
Depends on: 322784
Depends on: 322786
Depends on: 329327
I made two changes to my local copy:

* Added "\n" to the dump, so I can "grep | sort | uniq -c" for assertion lines.

* Removed the space before both instances of "<script>var v =", which interfered with Lithium's indentation-based tree strucure guessing.
With the second patch to bug 140218, Firefox gets through 500 Xangle-generated pages without a crash or hang.  It stops drawing pretty quickly (bug 322731).  It hits a lot of assertions, but I think we already have bugs on all of them (the ones I checked were in this bug's dependencies list).
Depends on: 387080
Group: core-security → layout-core-security
Closed: 6 years ago
Resolution: --- → FIXED
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.