Bug 339128 (stirtable)

StirTable meta bug

Status: NEW
Product: Core
Component: Layout: Tables
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 2 years ago

People

(Reporter: mats, Assigned: mats)

Tracking

(Depends on: 1 bug, Blocks: 1 bug, {meta, sec-other})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse meta], URL)

Attachments

(11 attachments, 7 obsolete attachments)

(Assignee)

Description

12 years ago
This tool is pretty simple actually, it adds and removes
table elements and for <td> it uses a random colspan/rowspan,
so I am a bit surprised that it seems to cause so many
crashes and table assertions that I haven't seen before.

I'll file the individual crashes separately, blocking this bug.
(Assignee)

Comment 1

12 years ago
Created attachment 223203 [details]
StirTable v0.1

Start by pressing the "start random changes" button.
(Assignee)

Updated

12 years ago
Depends on: 339129
(Assignee)

Updated

12 years ago
Depends on: 339130
(Assignee)

Updated

12 years ago
Depends on: 339131
(Assignee)

Updated

12 years ago
Depends on: 339137
(Assignee)

Updated

12 years ago
Depends on: 339147

Updated

12 years ago
Alias: stirtable
Blocks: 316898
(Assignee)

Updated

12 years ago
Depends on: 339154
(Assignee)

Updated

12 years ago
Depends on: 339165
(Assignee)

Comment 2

12 years ago
Created attachment 223249 [details]
StirTable v0.2

Now also generates <colgroup> and <col> (found 1 new bug on this)
Added random width/height px and % attrs on all levels (no new bugs so far)
(Assignee)

Updated

12 years ago
Depends on: 339170

Comment 3

12 years ago
I can make reduced testcases if needed, using the techniques in bug 331889 and bug 329066.

Comment 4

12 years ago
Jesse: Please, Please do so. I don't have the capacity to reduce the crashes down to testcases.
Mats: Please put me on CC on every crash bug that you file under layout-table. I currently touch only this class of bugs.

Comment 5

12 years ago
If a testcase trips the following assertion:
ASSERTION: colgroup data should not be null - bug 237421 
then it would be enormously helpful to also have a testcase that is further reduced until it only triggers the assert.

(Assignee)

Comment 6

12 years ago
Created attachment 223339 [details]
StirTable v0.3

Now also generates <caption>
Randomly toggles style.visibility:collapse/visible
Uses location.search to initialize the seed if present, for example:
  file:///home/mats/stirtable/StirTable-v03.html?seed=18
(Assignee)

Comment 7

12 years ago
Created attachment 223341 [details]
Crashgen v0.1

FWIW, this is a python hack I did to start seamonkey in gdb for a range
of seeds. It runs seamonkey until it crashes, takes a stack dump
and then continues...
Adjust the profile name in this script and then run for example:

python crashgen-v01.py file:///home/mats/stirtable/StirTable-v03.html

(Note: it overwrites .gdbinit in the local directory)
(Assignee)

Updated

12 years ago
Depends on: 339246
(Assignee)

Updated

12 years ago
Depends on: 339264
(Assignee)

Comment 8

12 years ago
I ran StirTable-v03.html with seed 0 to 127 and I couldn't find any new unique
stacks other than what has been reported up until now (last 339264).

Comment 9

12 years ago
Mats could you modify the StirTable so that it flattens the actions to a log that could be replayed like the dom stir recorder?

Comment 10

12 years ago
I'm working on that right now.

Updated

12 years ago
Depends on: 339315

Comment 11

12 years ago
Created attachment 223438 [details]
StirTable v0.3-jtr

I ended up using a strategy more like in bug 326633: it prints what it's about to do using dump, then does it.  You can then copy&paste the console output (grep for lines containing "anonymous" if needed) into an array at the top of the script.  I used this (with Lithium) to make testcases for bug 339246, bug 339315, and bug 339130.  This should do the same thing for a given seed as StirTable 0.3.

I broke the manual buttons, but that shouldn't be too hard to fix.

Mats, if you create updated versions, please base them on this so it will remain easy to make reduced testcases.

Comment 12

12 years ago
Btw, I think fixing those 3 will make several others go away as well.  While reducing each bug I often saw several stacks.

Comment 13

12 years ago
Mats, Martijn, Jesse: can we get together on a design for these fuzzers that would allow me to plug them into the automation without having to fork them each time?

Comment 14

12 years ago
At first glance the testcases involve zero row-/colspans, a badly tested code area. Do any of the crashes happen in quirks mode (zero spans are disabled in quirks mode)?

Comment 15

12 years ago
I still get a lot of crashes if I make it not set rowspans or colspans of 0.  I attached a reduced testcase to bug 339170 that doesn't involve rowspans or colspans at all.

Comment 16

12 years ago
Even though those three bugs have testcases with rowspan=0 or colspan=0, I think at least some of the same crashes can happen without rowspan=0 or colspan=0.

Updated

12 years ago

Comment 17

12 years ago
Created attachment 224055 [details]
StirTable v0.3-jtr2 (requires fuzz.js)

* Converted it to use fuzz.js (see bug 339948).
* Fixed some ugliness I introduced in the conversion to command strings.
* Made it work as a bookmarklet: add IDs as needed, bail when the page has no tables, etc.
* Removed the manual buttons, but leave the counters.
* Converted the main page to (text/html-safe) XHTML, making it easy to ensure that the fuzzer works with both HTML and XHTML.

I did not try to maintain seed-compatibility this time.

I haven't converted it to use createElementNS, so I don't think it will work on SVG pages.
Attachment #223438 - Attachment is obsolete: true

Updated

12 years ago
Depends on: 341227
Whiteboard: [sg:nse meta]

Comment 18

12 years ago
Created attachment 226752 [details]
StirTable v2.0

Updated for fuzz.js 2.0.
Attachment #224055 - Attachment is obsolete: true

Comment 19

12 years ago
Created attachment 226753 [details]
Default test page for StirTable v2.0

Updated

12 years ago
Depends on: 343087

Comment 20

12 years ago
The first round of patches got checked in, if somebody could independently verify my alleged dupes I would be grateful. 

I think the bugs without a seed are now close to useless. Even the bugs with seeds are probably obsolete. A second round of testing preferably coupled with a first reduction via lithium would be very helpful.

Updated

12 years ago
Depends on: 343778

Updated

12 years ago
Depends on: 343946

Comment 21

12 years ago
Created attachment 228577 [details]
fuzz 2 test transition 

These are the files that I use to get from a scanning fuzz to a fairly reduced testcase. Not optimized, nothing to be really proud of, but it moves the burden onto the PC.

Updated

12 years ago
Depends on: 344000

Updated

12 years ago
Depends on: 346980

Updated

12 years ago
Depends on: 347725

Updated

12 years ago
Depends on: 348062

Updated

12 years ago
Depends on: 350081

Updated

12 years ago
Depends on: 350370

Updated

12 years ago
Depends on: 350524

Updated

12 years ago
Depends on: 350602

Updated

12 years ago
Depends on: 350906

Updated

12 years ago
Depends on: 351068

Updated

11 years ago
Depends on: 351326

Updated

11 years ago
Depends on: 351327

Updated

11 years ago
Depends on: 351328

Comment 22

11 years ago
Created attachment 236736 [details]
StirTable v2.0.9

Adds some features:

* Sometimes violate the "preferred children" rules.  For example, when creating a TR, it usually creates a TD child, but sometimes it creates a different kind of child (e.g. a TR or a TABLE or a DIV), and sometimes it does not create a child at all.

* Change more CSS: float, position, display: table-*, and a few others.

Surprisingly, I haven't found any new bugs as a result of adding these features.
Attachment #226752 - Attachment is obsolete: true

Comment 23

11 years ago
Created attachment 236737 [details]
Default test page for StirTable v2.0.9

Small changes to the CSS.
Attachment #226753 - Attachment is obsolete: true
(Assignee)

Comment 24

11 years ago
Created attachment 239892 [details]
StirTable v2.1

v2.1 restores the rowspan/colspan=0 feature and removes the non-table elements
and styling features. This does not replace v2.0.9, it's an alternative.

Comment 25

11 years ago
Created attachment 242973 [details]
StirTable v3.0

Based on (and replacing) 2.0.9, not 2.1.
Attachment #236736 - Attachment is obsolete: true

Updated

11 years ago
Depends on: 358679

Updated

11 years ago
Depends on: 323604

Updated

11 years ago
Depends on: 358729

Updated

11 years ago
Depends on: 358871

Updated

11 years ago
Depends on: 363370

Updated

11 years ago
Depends on: 365909

Updated

11 years ago
Depends on: 368166

Updated

11 years ago
Depends on: 368651

Updated

11 years ago
Depends on: 369975

Updated

11 years ago
Depends on: 370586
(Assignee)

Comment 26

11 years ago
Created attachment 255426 [details]
StirTable-2.1.1-standards.xhtml  (updated test page for StirTable v2.1)

Now has all 4 combinations of border-collapse:collapse/separate and
table-layout:fixed/auto. Uses fuzz-2.0.3.js + StirTable-2.1.js
Attachment #236737 - Attachment is obsolete: true
(Assignee)

Updated

11 years ago
Depends on: 370709
(Assignee)

Updated

11 years ago
Depends on: 370710
(Assignee)

Updated

11 years ago
Depends on: 370711
(Assignee)

Updated

11 years ago
Depends on: 370712
(Assignee)

Updated

11 years ago
Depends on: 370713
(Assignee)

Comment 27

11 years ago
Created attachment 255454 [details]
StirTable v2.1.1

A small change to re-enable <caption> changes.

Comment 28

11 years ago
How does one use the output of StirTable v2.1.1???

What I get with recording on is:

  { origCount: 1, fun: function() { var $table16 = doc.getElementById('table16'); undefined } },
  { origCount: 2, fun: function() { var $table16 = doc.getElementById('table16'); var newNode = document.createElement('caption'); newNode.appendChild(document.createTextNode('CAPTION')); newNode.setAttribute('id', 'caption20'); newNode.setAttribute('height', '1em'); $table16.insertBefore(newNode, doc.getElementById('tbody12')); bless(newNode); } },

What I would expect is an output that could be pasted into an xhtml file and will reproduce the bugs and has *NO* randomness at all.  The function bless(newNode) is just the opposite of it. It needs to be flattened.

I am basically throwing in the towel on 370709 370710 370711 370712 370713. As I don't get the deterministic xhtml file I can't feed it to lithium.

No lithium   ===> No test case

No test case ===> No action on security tagged bugs

Comment 29

11 years ago
bless() shouldn't be a problem.  It doesn't affect the DOM directly; it only influences future randomly generated functions.  If all of the functions are recorded, it doesn't affect anything at all.

What is a problem is the document.body.offsetHeight in doCommand.  doCommand is used during the initial run but not during playback, so any bug that relies on the layout-forcing of document.body.offsetHeight is not triggered during playback.  This is an API flaw in fuzz.js (my fault) and has tripped me up more than once; I'll try to fix it for the next version of fuzz.js.

The short-term workaround is to move document.body.offsetHeight from doCommand to somewhere where it will get executed reliably.

Updated

11 years ago
Depends on: 370808

Updated

11 years ago
Depends on: 370842
(Assignee)

Comment 30

11 years ago
Created attachment 255645 [details]
StirTable-2.2-quirks.html (Quirks mode testpage for StirTable v2.x)
(Assignee)

Comment 31

11 years ago
Created attachment 255646 [details]
StirTable-2.2.js

(In reply to comment #29)
> The short-term workaround is to move document.body.offsetHeight from
> doCommand to somewhere where it will get executed reliably.

I moved document.body.offsetHeight into the command itself for now.
At the same time I added a parameter to control how often it's
included.

StirTable 2.2 changes:
 * added 'ch' length unit
 * workaround for the document.body.offsetHeight problem:
    parameter "flush" is 0 to 100, probability of including it
    (100 is the default to be compatible with earlier versions
     of StirTable which always did it in doCommand)
 * added a resize feature that resizes the test container:
    parameter "resize" is 0 to 100, probability of resizing
    the test container after a command. (0 is the default for
    back compat.)

Example:
 StirTable-2.2-quirks.html?fuzz=a,b,c,d,e&resize=25&flush=50
generates commands that look like:
<Command>; resizeContainer('testRootContainer'); doc.body.offsetHeight;
where <Command> is the same as earlier versions of StirTable and
25% of the total commands will have the resizeContainer part, and
50% of the total commands will have the doc.body.offsetHeight part.
Which commands get the extra part(s) is random, under the
control of the seed.
You can exclude the new parameters:
  StirTable-2.2-quirks.html?fuzz=a,b,c,d,e
resize/flush will then have the default values.
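The design point of comments 29 and 31, as an added example that is not StirTable's or fuzz.js's own code: every random choice comes from one seeded PRNG, each step is emitted as a command string (the log line is the replayable step), and the layout flush and container resize are part of the command text, selected by the same "flush"/"resize" percentages, rather than living in a doCommand wrapper that playback skips. The PRNG (Mulberry32), the element list, and the makeCommand/generateLog names are assumptions for illustration; `doc`, `root` and `resizeContainer` in the generated strings are placeholders for the test page's own globals.

```javascript
// Mulberry32: small deterministic PRNG. Assumption: the real fuzzer uses its
// own seeded generator; the point is only that all randomness flows from it.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // in [0, 1)
  };
}

// Hypothetical element set; StirTable's real set and "preferred children"
// rules are richer.
const TABLE_CHILDREN = ['tr', 'td', 'th', 'caption', 'colgroup', 'col'];

// One mutation step as a string, in the "print what it's about to do, then do
// it" style: the text alone reproduces the step, no hidden randomness.
function makeCommand(rng, index) {
  const tag = TABLE_CHILDREN[Math.floor(rng() * TABLE_CHILDREN.length)];
  const id = `${tag}${index}`;
  // Span 0 is included on purpose: zero spans were a badly tested path.
  const span = Math.floor(rng() * 4);
  const attr = (tag === 'td' || tag === 'th')
    ? ` newNode.setAttribute('${rng() < 0.5 ? 'colspan' : 'rowspan'}', '${span}');`
    : '';
  return `var newNode = doc.createElement('${tag}');` +
    ` newNode.setAttribute('id', '${id}');${attr} root.appendChild(newNode);`;
}

// flush / resize are 0..100 percentages, as in the StirTable 2.2 URL parameters.
// Because the flush is appended to the command string, a replayed log forces
// layout at exactly the same steps as the original run did.
function generateLog(seed, count, { flush = 100, resize = 0 } = {}) {
  const rng = makeRng(seed);
  const log = [];
  for (let i = 0; i < count; i++) {
    let cmd = makeCommand(rng, i);
    if (rng() * 100 < resize) cmd += " resizeContainer('testRootContainer');";
    if (rng() * 100 < flush) cmd += ' doc.body.offsetHeight;';
    log.push(cmd);
  }
  return log;
}
```

Running the same seed twice yields an identical log, which is what makes the output safe to paste into a file and hand to a reducer such as Lithium.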
(Assignee)

Updated

11 years ago
Depends on: 370888
(Assignee)

Updated

11 years ago
Depends on: 370897

Comment 32

11 years ago
Created attachment 256013 [details]
StirTable v3.1

New version from Jesse's side of the fork.  (Hopefully the fork won't last forever.)

* Added captionSide, emptyCells, tableLayout CSS properties.
* Added inline-block and inline-table values for the CSS display property.
* Restored use of zero rowspan / colspan.
* Removed doCommand to bring it in line with fuzz.js 3.1, as I promised in comment 29.
Attachment #242973 - Attachment is obsolete: true

Updated

11 years ago
Depends on: 371290

Updated

11 years ago
Depends on: 371483
(Assignee)

Updated

11 years ago
Depends on: 371556
(Assignee)

Updated

11 years ago
Depends on: 371561

Updated

11 years ago
Depends on: 372376

Updated

11 years ago
Depends on: 374193

Updated

11 years ago
Depends on: 374405

Updated

11 years ago
Depends on: 374420

Updated

11 years ago
Depends on: 374422

Updated

11 years ago
Depends on: 374819

Updated

11 years ago
Depends on: 378240

Updated

11 years ago
Depends on: 378273

Updated

11 years ago
Depends on: 380749

Updated

11 years ago
Depends on: 385866

Updated

11 years ago
Depends on: 386014

Updated

11 years ago
Depends on: 387460

Updated

10 years ago
Depends on: 399209

Updated

10 years ago
Depends on: 403249

Updated

10 years ago
Depends on: 404209

Updated

10 years ago
Depends on: 404301

Updated

10 years ago
Depends on: 404666

Updated

10 years ago
Depends on: 405184

Updated

10 years ago
Depends on: 405186

Updated

10 years ago
Depends on: 408736

Updated

10 years ago
Depends on: 413063

Updated

10 years ago
Depends on: 413091

Updated

10 years ago
Depends on: 423514

Updated

10 years ago
Depends on: 427928

Updated

9 years ago
Depends on: 462849

Updated

9 years ago
Depends on: 468771

Updated

9 years ago
Depends on: 481557

Updated

9 years ago
Depends on: 488388

Updated

9 years ago
Depends on: 490376

Updated

9 years ago
Depends on: 509562

Updated

8 years ago
Depends on: 534716

Updated

8 years ago
Depends on: 536692

Updated

8 years ago
Depends on: 564054

Updated

8 years ago
Depends on: 573354

Updated

8 years ago
Depends on: 580481

Updated

7 years ago
Depends on: 664925

Updated

6 years ago
Depends on: 705996

Updated

6 years ago
Depends on: 710098

Updated

6 years ago
Depends on: 750147
Keywords: sec-other

Updated

5 years ago
Depends on: 862624

Updated

5 years ago
Depends on: 893333

Updated

3 years ago
Blocks: 1172704

Updated

3 years ago
No longer blocks: 316898

Comment 33

2 years ago
https://github.com/MozillaSecurity/funfuzz/blob/master/dom/fuzzer/modules/tables.js

Thanks, Mats!

Updated

2 years ago
Group: core-security

Updated

2 years ago
Depends on: 1235490

Updated

2 years ago
Depends on: 1283543