Bug 329364 - Crash with iExploder testcase 10158270
Keywords: crash, fixed1.8.1, testcase, verified1.8.0.2
Product: Core
Classification: Components
Component: HTML: Parser
Version: Trunk
Platform: All (OS: All)
Importance: P1 critical
Target Milestone: mozilla1.9alpha1
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: Andrew Overholt [:overholt]
Duplicates: 329398
Blocks: iexploder
Reported: 2006-03-04 14:17 PST by Joonas Marttila
Modified: 2007-05-17 16:57 PDT (History)
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.2+

testcase (24 bytes, text/html)
2006-03-04 14:21 PST, Joonas Marttila
no flags
Proposed fix (1.50 KB, patch)
2006-03-05 02:12 PST, Blake Kaplan (:mrbkap)
jst: review+
jst: superreview+
Better proposed fix (1.61 KB, patch)
2006-03-06 12:48 PST, Blake Kaplan (:mrbkap)
jst: approval-branch-1.8.1+
timr: approval1.8.0.2+

Description Joonas Marttila 2006-03-04 14:17:09 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1

The browser crashes with iExploder test 10158270

Found using

TB15912060Z, TB15932599H
Comment 1 Steve England [:stevee] 2006-03-04 14:21:02 PST
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060228 Firefox/1.6a1 ID:2006022815

1. Go to
2. Enter 10158270 in 'Lookup a single test number:'
3. Press return or click lookup --> CRASH!

My TB15933186X [@ js_FindConstructor e0906f3a]
Comment 2 Joonas Marttila 2006-03-04 14:21:39 PST
Created attachment 214022 [details]

Reduced test case. TB15912033W, TB15929766H, TB15930568Z.

The source is <h1><table>a</h2><title>
Comment 3 Joonas Marttila 2006-03-04 14:32:15 PST
I think lots of iExploder crashes are variants of this bug. Tests 10073854, 10150163, 10158270, 10570989, 10707715 and 10797599 all look similar. For example 10073854 is essentially <h4><table>a</h5><title>, 10150163 is <h4><table>a</h2><style> etc.
Comment 4 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-04 15:04:30 PST
Seems like a parser bug to me.
Comment 5 Blake Kaplan (:mrbkap) 2006-03-05 02:07:42 PST
Indeed it is.
Comment 6 Blake Kaplan (:mrbkap) 2006-03-05 02:12:53 PST
Created attachment 214073 [details] [diff] [review]
Proposed fix

Harish's fix for bug 25202 was not quite sufficient. His fix caught the case where the tag closing the context tag (which is the tag that we're inserting the misplaced content into) was the exact same as the context tag. In this case, however, we're looking at a quirk where </h2> closes the open <h1> tag, which is the "top" index. Therefore Harish's IndexOf call was returning the wrong answer, and we were closing the wrong context. This patch makes the HandleSavedTokens path imitate the HandleEndToken path, so it'll find the <h1> and discard the </h2> without doing any damage.
Comment 7 Blake Kaplan (:mrbkap) 2006-03-05 02:20:28 PST
Also note that this patch might impose a small performance hit on pages that have malformed table content, but I'm hoping that it won't be large enough to notice (and since this is really badly malformed content, I don't think I care about penalizing such pages anyway).
Comment 8 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-05 02:31:07 PST
Does the patch also fix bug 329398 and bug 329399?
Comment 9 Blake Kaplan (:mrbkap) 2006-03-05 02:36:02 PST
bug 329398 is fixed by this patch, bug 329399 is not.
Comment 10 Blake Kaplan (:mrbkap) 2006-03-05 03:38:56 PST
*** Bug 329398 has been marked as a duplicate of this bug. ***
Comment 11 Johnny Stenback (:jst) 2006-03-06 12:37:26 PST
Comment on attachment 214073 [details] [diff] [review]
Proposed fix

Comment 12 Blake Kaplan (:mrbkap) 2006-03-06 12:48:46 PST
Created attachment 214215 [details] [diff] [review]
Better proposed fix

jst agrees with this fix, which is to avoid doing the LastOf call if we're unable to find a close target.
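The mechanism described in comment 6 and comment 12, as an added illustration that is not Gecko's code: a list of open tag names stands in for the parser's context stack, the heading quirk lets `</h2>` close an open `<h1>`, and a not-found lookup result used as an index (the modelled `IndexOf`/`LastOf` problem) closes the wrong element, while resolving the close target first and discarding the end tag when there is none leaves the stack intact. Function and constant names are hypothetical.

```python
"""Simplified model of the heading end-tag quirk behind bug 329364
(constructed example, not Gecko parser code). The stack holds open tag
names; in quirks mode any </hN> may close the most recently opened <hM>."""

HEADINGS = ("h1", "h2", "h3", "h4", "h5", "h6")
NOT_FOUND = -1  # stands in for the sentinel a failed tag lookup returns


def last_index_of(stack, tag):
    """Index of the most recent occurrence of tag, or NOT_FOUND."""
    for i in range(len(stack) - 1, -1, -1):
        if stack[i] == tag:
            return i
    return NOT_FOUND


def find_close_target(stack, end_tag):
    """Which open element does end_tag close? Exact name match first;
    otherwise, under the heading quirk, </hN> closes the topmost open heading."""
    idx = last_index_of(stack, end_tag)
    if idx == NOT_FOUND and end_tag in HEADINGS:
        for i in range(len(stack) - 1, -1, -1):
            if stack[i] in HEADINGS:
                return i
    return idx


def close_buggy(stack, end_tag):
    """Looks the end tag up by its own name and trusts the result blindly.
    For </h2> over ['h1', 'table'] the lookup fails, NOT_FOUND (-1) is used
    as an index, and slicing closes the wrong element: the table, not the h1."""
    idx = last_index_of(stack, end_tag)
    return stack[:idx]


def close_fixed(stack, end_tag):
    """Resolve the real close target first. With no target the end tag is
    discarded and the stack is untouched; otherwise pop down to the target."""
    idx = find_close_target(stack, end_tag)
    if idx == NOT_FOUND:
        return list(stack)
    return stack[:idx]


if __name__ == "__main__":
    open_tags = ["h1", "table"]  # state after "<h1><table>" with text "a" pending
    print(close_buggy(open_tags, "h2"))  # ['h1']: table closed, h1 left open
    print(close_fixed(open_tags, "h2"))  # []: the h1 (the real target) is closed
```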
Comment 13 Blake Kaplan (:mrbkap) 2006-03-06 14:18:52 PST
Fix checked into trunk.
Comment 14 Blake Kaplan (:mrbkap) 2006-03-06 14:21:52 PST
Comment on attachment 214215 [details] [diff] [review]
Better proposed fix

Nominating for branches.
Comment 15 Tim Riley [:timr] 2006-03-06 14:42:26 PST
Comment on attachment 214215 [details] [diff] [review]
Better proposed fix

a=timr for drivers. This fixes a blocker bug (329406) that references this bug.
Comment 16 Blake Kaplan (:mrbkap) 2006-03-06 14:50:01 PST
Fix checked into the 1.8 branches.
Comment 17 Dave Liebreich [:davel] 2006-03-06 15:31:49 PST
Oops - clicked the wrong thing and marked the bug as verified. Starting the 2-step process to reset it as resolved.
Comment 18 Jay Patel [:jay] 2006-03-07 16:21:04 PST
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060307 Firefox/, no crash with iexploder test 10158270.
Comment 19 Stephen Donner [:stephend] 2006-03-07 21:19:49 PST
Verified FIXED on trunk using SeaMonkey build 2006-03-07-10 on Windows XP with the testcase of/at:
