Closed Bug 329399 Opened 19 years ago Closed 19 years ago

Crash with iExploder test 10050419 [@ js_AllocStack]

Categories

(Core :: DOM: HTML Parser, defect, P1)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: j.moz, Assigned: mrbkap)

References

(
URL
)

Details

(Keywords: crash, testcase, Whiteboard: [patch])

Crash Data

Attachments

(4 files)

testcase
37 bytes, text/html
Details
testcase2: iExploder test 10123392
48 bytes, text/html
Details
testcase3: iExploder test 10731007
37 bytes, text/html
Details
Make the badness stop
1.04 KB, patch
sicking
: review+
jst
: superreview+
Details | Diff | Splinter Review
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1 If you visit the url in the URL field (iExploder test 10050419), the browser crashes. Found using http://toadstool.se/software/iexploder/ TB15947641Q, TB15947662G.
Attached file testcase
Reduced test case. The source is <head></head><object><select> a<base>
The test case crashes like this: TB15947740Q, TB15947772Y, TB15947806M.
Keywords: testcase
This is from iExploder test 10123392, looks a bit similar <head></head><object><style=""> <dt> <table>
Summary: Crash with iExploder test 10050419 → Crash with iExploder test 10050419 [@ js_AllocStack]
Another iExploder test (10731007) <head></head><object><a> a<pre><base>
testcase2 (attachment 214069 [details]): TB15948024K, TB15948109H testcase3 (attachment 214070 [details]): TB15948038K, TB15948097Z I'm not sure if these are the same crash. Does this have something to do with the <object> tag?
Assignee: nobody → mrbkap
Component: General → HTML: Parser
Product: Firefox → Core
QA Contact: general → parser
These look like more problems resulting from allowing <object> to be head content.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I claim that the reward for allowing <object> in <head> is not worth the complexity that it imposes on the DTD. As far as I know, no other browser allows it, and it's causing crashes like this and bug 328751. As much as everybody loves the HTML4 spec, this is a place where deviating seems like more of a win than not. Is there any noticeable difference to users or site authors in doing this?
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Easy implementation -- what does everybody think?
Attachment #214075 - Flags: superreview?(jst)
Attachment #214075 - Flags: review?(bugmail)
Comment on attachment 214075 [details] [diff] [review] Make the badness stop Since we just started doing this i doubt anyone will care if we revert.
Attachment #214075 - Flags: review?(bugmail) → review+
If IE doesn't do this, then sure. What the heck.
Comment on attachment 214075 [details] [diff] [review] Make the badness stop sr=jst
Attachment #214075 - Flags: superreview?(jst) → superreview+
Fix checked into trunk.
Blocks: 328751
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Verified FIXED with all three testcases in this bug using build 2006-03-07-19 of SeaMonkey on trunk (Windows XP).
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_AllocStack]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: