Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1 The browser crashes with iExploder test 10158270 Found using http://toadstool.se/software/iexploder/ TB15912060Z, TB15932599H
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060228 Firefox/1.6a1 ID:2006022815 1. Go to http://toadstool.se/software/iexploder/ 2. Enter 10158270 in 'Lookup a single test number:' 3. Press return or click lookup --> CRASH! My TB15933186X [@ js_FindConstructor e0906f3a]
Created attachment 214022 [details] testcase Reduced test case. TB15912033W, TB15929766H, TB15930568Z. The source is <h1><table>a</h2><title>
I think lots of iExploder crashes are variants of this bug. Tests 10073854, 10150163, 10158270, 10570989, 10707715 and 10797599 all look similar. For example 10073854 is essentially <h4><table>a</h5><title>, 10150163 is <h4><table>a</h2><style> etc.
Seems like a parser bug to me.
Indeed it is.
Created attachment 214073 [details] [diff] [review] Proposed fix Harish's fix for bug 25202 was not quite sufficient. His fix caught the case where the tag closing the context tag (which is the tag that we're inserting the misplaced content into) was the exact same as the context tag. In this case, however, we're looking at a quirk where </h2> closes the open <h1> tag, which is the "top" index. Therefore Harish's IndexOf call was returning the wrong answer, and we were closing the wrong context. This patch makes the HandleSavedTokens path imitate the HandleEndToken path, so it'll find the <h1> and discard the </h2> without doing any damage.
Also note that this patch might impose a small performance hit on pages that have malformed table content, but I'm hoping that it won't be large enough to notice (and since this is really badly malformed content, I don't think I care about penalizing such pages anyway).
*** Bug 329398 has been marked as a duplicate of this bug. ***
Comment on attachment 214073 [details] [diff] [review] Proposed fix r+sr=jst
Created attachment 214215 [details] [diff] [review] Better proposed fix jst agrees with this fix on the fix, which is to avoid doing the LastOf call if we're unable to find a close target.
Fix checked into trunk.
Comment on attachment 214215 [details] [diff] [review] Better proposed fix Nominating for branches.
Comment on attachment 214215 [details] [diff] [review] Better proposed fix a=timr for drivers. This fixes a blocker bug (329406) that references this bug.
Fix checked into the 1.8 branches.
oops - clicked wrong thing and marked bug as verified. starting 2-step process to reset as resolved.
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20060307 Firefox/18.104.22.168, no crash with iexploder test 10158270.
Verified FIXED on trunk using SeaMonkey build 2006-03-07-10 on Windows XP with the testcase of/at: https://bugzilla.mozilla.org/attachment.cgi?id=214022