Closed Bug 329399 Opened 14 years ago Closed 14 years ago
Crash with i
Exploder test 10050419 [@ js _Alloc Stack]
37 bytes, text/html
48 bytes, text/html
37 bytes, text/html
1.04 KB, patch
|Details | Diff | Splinter Review|
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060303 Firefox/1.6a1 If you visit the url in the URL field (iExploder test 10050419), the browser crashes. Found using http://toadstool.se/software/iexploder/ TB15947641Q, TB15947662G.
Reduced test case. The source is <head></head><object><select> a<base>
The test case crashes like this: TB15947740Q, TB15947772Y, TB15947806M.
This is from iExploder test 10123392, looks a bit similar <head></head><object><style=""> <dt> <table>
Summary: Crash with iExploder test 10050419 → Crash with iExploder test 10050419 [@ js_AllocStack]
Another iExploder test (10731007) <head></head><object><a> a<pre><base>
testcase2 (attachment 214069 [details]): TB15948024K, TB15948109H testcase3 (attachment 214070 [details]): TB15948038K, TB15948097Z I'm not sure if these are the same crash. Does this have something to do with the <object> tag?
Assignee: nobody → mrbkap
Component: General → HTML: Parser
Product: Firefox → Core
QA Contact: general → parser
These look like more problems resulting from allowing <object> to be head content.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I claim that the reward for allowing <object> in <head> is not worth the complexity that it imposes on the DTD. As far as I know, no other browser allows it, and it's causing crashes like this and bug 328751. As much as everybody loves the HTML4 spec, this is a place where deviating seems like more of a win than not. Is there any noticeable difference to users or site authors in doing this?
Status: NEW → ASSIGNED
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Easy implementation -- what does everybody think?
Comment on attachment 214075 [details] [diff] [review] Make the badness stop Since we just started doing this i doubt anyone will care if we revert.
Attachment #214075 - Flags: review?(bugmail) → review+
If IE doesn't do this, then sure. What the heck.
Comment on attachment 214075 [details] [diff] [review] Make the badness stop sr=jst
Attachment #214075 - Flags: superreview?(jst) → superreview+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Verified FIXED with all three testcases in this bug using build 2006-03-07-19 of SeaMonkey on trunk (Windows XP).
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.