Crash with iExploder testcase 10158270

VERIFIED FIXED in mozilla1.9alpha1

Status

()

Core
HTML: Parser
P1
critical
VERIFIED FIXED
12 years ago
10 years ago

People

(Reporter: Joonas Marttila, Assigned: mrbkap)

Tracking

(4 keywords)

Trunk
mozilla1.9alpha1
crash, fixed1.8.1, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.1 +
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [patch][rft-dl], URL)

Attachments

(3 attachments)

(Reporter)

Description

12 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1

The browser crashes with iExploder test 10158270

Found using http://toadstool.se/software/iexploder/

TB15912060Z, TB15932599H
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060228 Firefox/1.6a1 ID:2006022815

1. Go to http://toadstool.se/software/iexploder/
2. Enter 10158270 in 'Lookup a single test number:'
3. Press return or click lookup --> CRASH!

My TB15933186X [@ js_FindConstructor e0906f3a]
(Reporter)

Comment 2

12 years ago
Created attachment 214022 [details]
testcase

Reduced test case. TB15912033W, TB15929766H, TB15930568Z.

The source is <h1><table>a</h2><title>
(Reporter)

Comment 3

12 years ago
I think lots of iExploder crashes are variants of this bug. Tests 10073854, 10150163, 10158270, 10570989, 10707715 and 10797599 all look similar. For example 10073854 is essentially <h4><table>a</h5><title>, 10150163 is <h4><table>a</h2><style> etc.
Keywords: testcase
Seems like a parser bug to me.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → parser
(Assignee)

Comment 5

12 years ago
Indeed it is.
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 6

12 years ago
Created attachment 214073 [details] [diff] [review]
Proposed fix

Harish's fix for bug 25202 was not quite sufficient. His fix caught the case where the tag closing the context tag (which is the tag that we're inserting the misplaced content into) was the exact same as the context tag. In this case, however, we're looking at a quirk where </h2> closes the open <h1> tag, which is the "top" index. Therefore Harish's IndexOf call was returning the wrong answer, and we were closing the wrong context. This patch makes the HandleSavedTokens path imitate the HandleEndToken path, so it'll find the <h1> and discard the </h2> without doing any damage.
Attachment #214073 - Flags: superreview?(jst)
Attachment #214073 - Flags: review?(jst)
(Assignee)

Comment 7

12 years ago
Also note that this patch might impose a small performance hit on pages that have malformed table content, but I'm hoping that it won't be large enough to notice (and since this is really badly malformed content, I don't think I care about penalizing such pages anyway).
Does the patch also fix bug 329398 and bug 329399?
(Assignee)

Comment 9

12 years ago
bug 329398 is fixed by this patch, bug 329399 is not.
(Assignee)

Comment 10

12 years ago
*** Bug 329398 has been marked as a duplicate of this bug. ***
Comment on attachment 214073 [details] [diff] [review]
Proposed fix

r+sr=jst
Attachment #214073 - Flags: superreview?(jst)
Attachment #214073 - Flags: superreview+
Attachment #214073 - Flags: review?(jst)
Attachment #214073 - Flags: review+
(Assignee)

Comment 12

12 years ago
Created attachment 214215 [details] [diff] [review]
Better proposed fix

jst agrees with this fix on the fix, which is to avoid doing the LastOf call if we're unable to find a close target.
(Assignee)

Comment 13

12 years ago
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 14

12 years ago
Comment on attachment 214215 [details] [diff] [review]
Better proposed fix

Nominating for branches.
Attachment #214215 - Flags: approval1.8.0.2?
Attachment #214215 - Flags: approval1.7.14?
Attachment #214215 - Flags: approval-branch-1.8.1?(jst)

Updated

12 years ago
Attachment #214215 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+

Comment 15

12 years ago
Comment on attachment 214215 [details] [diff] [review]
Better proposed fix

a=timr for drivers.  This fixes a blocker bug (329406)  that references this bug.
Attachment #214215 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Comment 16

12 years ago
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1

Updated

12 years ago
Status: RESOLVED → VERIFIED
Whiteboard: [patch] → [patch][rft-dl]
oops - clicked wrong thing and marked bug as verified.  starting 2-step process to reset as resolved.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---

Updated

12 years ago
Status: REOPENED → RESOLVED
Last Resolved: 12 years ago12 years ago
Resolution: --- → FIXED
Flags: blocking1.8.1+
Flags: blocking1.8.0.2+

Comment 18

12 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060307 Firefox/1.5.0.2, no crash with iexploder test 10158270.
Keywords: fixed1.8.0.2 → verified1.8.0.2
Verified FIXED on trunk using SeaMonkey build 2006-03-07-10 on Windows XP with the testcase of/at: https://bugzilla.mozilla.org/attachment.cgi?id=214022
Status: RESOLVED → VERIFIED
(Assignee)

Updated

10 years ago
Attachment #214215 - Flags: approval1.7.14?
You need to log in before you can comment on or make changes to this bug.