Closed Bug 329399 Opened 14 years ago Closed 14 years ago

Crash with iExploder test 10050419 [@ js_AllocStack]

Categories

(Core :: DOM: HTML Parser, defect, P1, critical)

Tracking

VERIFIED FIXED
mozilla1.9alpha1

People

(Reporter: j.moz, Assigned: mrbkap)

Details

(Keywords: crash, testcase, Whiteboard: [patch])

Attachments

(4 files)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303
Firefox/1.6a1

If you visit the url in the URL field (iExploder test 10050419), the browser crashes.

Found using http://toadstool.se/software/iexploder/

TB15947641Q, TB15947662G.
Attached file testcase
Reduced test case.

The source is <head></head><object><select>
a<base>
The test case crashes like this: TB15947740Q, TB15947772Y, TB15947806M.
Keywords: testcase
This is from iExploder test 10123392, looks a bit similar

<head></head><object><style="">
<dt>
<table>
Summary: Crash with iExploder test 10050419 → Crash with iExploder test 10050419 [@ js_AllocStack]
Another iExploder test (10731007)

<head></head><object><a>
a<pre><base>
testcase2 (attachment 214069): TB15948024K, TB15948109H
testcase3 (attachment 214070): TB15948038K, TB15948097Z

I'm not sure if these are the same crash. Does this have something to do with the <object> tag?
Assignee: nobody → mrbkap
Component: General → HTML: Parser
Product: Firefox → Core
QA Contact: general → parser
These look like more problems resulting from allowing <object> to be head content.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I claim that the reward for allowing <object> in <head> is not worth the complexity that it imposes on the DTD. As far as I know, no other browser allows it, and it's causing crashes like this and bug 328751. As much as everybody loves the HTML4 spec, this is a place where deviating seems like more of a win than not. Is there any noticeable difference to users or site authors in doing this?
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [patch]
Target Milestone: --- → mozilla1.9alpha
Easy implementation -- what does everybody think?
Attachment #214075 - Flags: superreview?(jst)
Attachment #214075 - Flags: review?(bugmail)
Comment on attachment 214075
Make the badness stop

Since we just started doing this I doubt anyone will care if we revert.
Attachment #214075 - Flags: review?(bugmail) → review+
If IE doesn't do this, then sure. What the heck.
Comment on attachment 214075
Make the badness stop

sr=jst
Attachment #214075 - Flags: superreview?(jst) → superreview+
Fix checked into trunk.
Blocks: 328751
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified FIXED with all three testcases in this bug using build 2006-03-07-19 of SeaMonkey on trunk (Windows XP).
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_AllocStack]