Open Bug 339128 (stirtable) Opened 14 years ago Updated 4 years ago

StirTable meta bug

Categories

(Core :: Layout: Tables, defect, critical)

People

(Reporter: mats, Assigned: mats)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta, sec-other, Whiteboard: [sg:nse meta])

Attachments

(11 files, 7 obsolete files)

This tool is pretty simple actually, it adds and removes
table elements and for <td> it uses a random colspan/rowspan,
so I am a bit surprised that it seems to cause so many
crashes and table assertions that I haven't seen before.

I'll file the individual crashes separately, blocking this bug.
Attached file StirTable v0.1
Start by pressing the "start random changes" button.
Depends on: 339129
Depends on: 339130
Depends on: 339131
Depends on: 339137
Depends on: 339147
Alias: stirtable
Blocks: fuzz
Depends on: 339154
Depends on: 339165
Attached file StirTable v0.2
Now also generates <colgroup> and <col> (found 1 new bug on this)
Added random width/height px and % attrs on all levels (no new bugs so far)
Depends on: 339170
I can make reduced testcases if needed, using the techniques in bug 331889 and bug 329066.
Jesse: Please, Please do so. I don't have the capacity to reduce the crashes down to testcases.
Mats: Please put me on CC on every crash bug that you file under layout-table. I currently touch only this class of bugs.
If a testcase trips the following assertion:
ASSERTION: colgroup data should not be null - bug 237421 
then it would be enormously helpful to also have a testcase that is further reduced until it only triggers the assert.

Attached file StirTable v0.3
Now also generates <caption>
Randomly toggles style.visibility:collapse/visible
Uses location.search to initialize the seed if present, for example:
  file:///home/mats/stirtable/StirTable-v03.html?seed=18
Attached file Crashgen v0.1
FWIW, this is a python hack I did to start seamonkey in gdb for a range
of seeds. It runs seamonkey until it crashes, takes a stack dump
and then continues...
Adjust the profile name in this script and then run for example:

python crashgen-v01.py file:///home/mats/stirtable/StirTable-v03.html

(Note: it overwrites .gdbinit in the local directory)
Depends on: 339246
Depends on: 339264
I ran StirTable-v03.html with seed 0 to 127 and I couldn't find any new unique
stacks other than what has been reported up until now (last 339264).
Mats could you modify the StirTable so that it flattens the actions to a log that could be replayed like the dom stir recorder?
I'm working on that right now.
Depends on: 339315
Attached file StirTable v0.3-jtr (obsolete)
I ended up using a strategy more like in bug 326633: it prints what it's about to do using dump, then does it.  You can then copy&paste the console output (grep for lines containing "anonymous" if needed) into an array at the top of the script.  I used this (with Lithium) to make testcases for bug 339246, bug 339315, and bug 339130.  This should do the same thing for a given seed as StirTable 0.3.

I broke the manual buttons, but that shouldn't be too hard to fix.

Mats, if you create updated versions, please base them on this so it will remain easy to make reduced testcases.
Btw, I think fixing those 3 will make several others go away as well.  While reducing each bug I often saw several stacks.
Mats, Martijn, Jesse: can we get together on a design for these fuzzers that would allow me to plug them into the automation without having to fork them each time?
At first glance the testcases involve zero row-/colspans, a badly tested code area. Do any of the crashes happen in quirks mode? (Zero spans are disabled in quirks mode.)
I still get a lot of crashes if I make it not set rowspans or colspans of 0.  I attached a reduced testcase to bug 339170 that doesn't involve rowspans or colspans at all.
Even though those three bugs have testcases with rowspan=0 or colspan=0, I think at least some of the same crashes can happen without rowspan=0 or colspan=0.
Attached file StirTable v0.3-jtr2 (requires fuzz.js) (obsolete)
* Converted it to use fuzz.js (see bug 339948).
* Fixed some ugliness I introduced in the conversion to command strings.
* Made it work as a bookmarklet: add IDs as needed, bail when the page has no tables, etc.
* Removed the manual buttons, but left the counters.
* Converted the main page to (text/html-safe) XHTML, making it easy to ensure that the fuzzer works with both HTML and XHTML.

I did not try to maintain seed-compatibility this time.

I haven't converted it to use createElementNS, so I don't think it will work on SVG pages.
Attachment #223438 - Attachment is obsolete: true
Depends on: 341227
Whiteboard: [sg:nse meta]
Attached file StirTable v2.0 (obsolete)
Updated for fuzz.js 2.0.
Attachment #224055 - Attachment is obsolete: true
Attached file Default test page for StirTable v2.0 (obsolete)
Depends on: 343087
The first round of patches got checked in, if somebody could independently verify my alleged dupes I would be grateful. 

I think the bugs without a seed are now close to useless. Even the bugs with seeds are probably obsolete. A second round of testing preferably coupled with a first reduction via lithium would be very helpful.
Depends on: 343778
Depends on: 343946
These are the files that I use to get from a scanning fuzz to a fairly reduced testcase. Not optimized, nothing to be really proud of, but it moves the burden onto the PC.
Depends on: 344000
Depends on: 346980
Depends on: 347725
Depends on: 348062
Depends on: 350081
Depends on: 350370
Depends on: 350524
Depends on: 350602
Depends on: 350906
Depends on: 351068
Depends on: 351326
Depends on: 351327
Depends on: 351328
Attached file StirTable v2.0.9 (obsolete)
Adds some features:

* Sometimes violate the "preferred children" rules.  For example, when creating a TR, it usually creates a TD child, but sometimes it creates a different kind of child (e.g. a TR or a TABLE or a DIV), and sometimes it does not create a child at all.

* Change more CSS: float, position, display: table-*, and a few others.

Surprisingly, I haven't found any new bugs as a result of adding these features.
Attachment #226752 - Attachment is obsolete: true
Attached file Default test page for StirTable v2.0.9 (obsolete)
Small changes to the CSS.
Attachment #226753 - Attachment is obsolete: true
Attached file StirTable v2.1
v2.1 restores the rowspan/colspan=0 feature and removes the non-table elements
and styling features. This does not replace v2.0.9, it's an alternative.
Attached file StirTable v3.0 (obsolete)
Based on (and replacing) 2.0.9, not 2.1.
Attachment #236736 - Attachment is obsolete: true
Depends on: 358679
Depends on: 323604
Depends on: 358729
Depends on: 358871
Depends on: 363370
Depends on: 365909
Depends on: 368166
Depends on: 368651
Depends on: 369975
Depends on: 370586
Now has all 4 combinations of border-collapse:collapse/separate and
table-layout:fixed/auto. Uses fuzz-2.0.3.js + StirTable-2.1.js
Attachment #236737 - Attachment is obsolete: true
Depends on: 370709
Depends on: 370710
Depends on: 370711
Depends on: 370712
Depends on: 370713
Attached file StirTable v2.1.1
A small change to re-enable <caption> changes.
How does one use the output of t v2.1.1???

What I get with recording on is:

  { origCount: 1, fun: function() { var $table16 = doc.getElementById('table16'); undefined } },
  { origCount: 2, fun: function() { var $table16 = doc.getElementById('table16'); var newNode = document.createElement('caption'); newNode.appendChild(document.createTextNode('CAPTION')); newNode.setAttribute('id', 'caption20'); newNode.setAttribute('height', '1em'); $table16.insertBefore(newNode, doc.getElementById('tbody12')); bless(newNode); } },

What I would expect is an output that could be pasted into an xhtml file and will reproduce the bugs and has *NO* randomness at all.  The function bless(newNode) is just the opposite of it. It needs to be flattened.

I am basically throwing in the towel at 370709 370710 370711 370712 370713. As I don't get the deterministic xhtml file I can't feed it to lithium.

No lithium   ===> No test case

No test case ===> No action on security tagged bugs

bless() shouldn't be a problem.  It doesn't affect the DOM directly; it only influences future randomly generated functions.  If all of the functions are recorded, it doesn't affect anything at all.

What is a problem is the document.body.offsetHeight in doCommand.  doCommand is used during the initial run but not during playback, so any bug that relies on the layout-forcing of document.body.offsetHeight is not triggered during playback.  This is an API flaw in fuzz.js (my fault) and has tripped me up more than once; I'll try to fix it for the next version of fuzz.js.

The short-term workaround is to move document.body.offsetHeight from doCommand to somewhere where it will get executed reliably.
Depends on: 370808
Depends on: 370842
Attached file StirTable-2.2.js
(In reply to comment #29)
> The short-term workaround is to move document.body.offsetHeight from
> doCommand to somewhere where it will get executed reliably.

I moved document.body.offsetHeight into the command itself for now.
At the same time I added a parameter to control how often it's
included.

StirTable 2.2 changes:
 * added 'ch' length unit
 * workaround for the document.body.offsetHeight problem:
    parameter "flush" is 0 to 100, probability of including it
    (100 is the default to be compatible with earlier versions
     of StirTable which always did it in doCommand)
 * added a resize feature that resizes the test container:
    parameter "resize" is 0 to 100, probability of resizing
    the test container after a command. (0 is the default for
    back compat.)

Example:
 StirTable-2.2-quirks.html?fuzz=a,b,c,d,e&resize=25&flush=50
generates commands that look like:
<Command>; resizeContainer('testRootContainer'); doc.body.offsetHeight;
where <Command> is the same as earlier versions of StirTable and
25% of the total commands will have the resizeContainer part, and
50% of the total commands will have the doc.body.offsetHeight part.
Which commands that get the extra part(s) is random, under the
control of the seed.
You can exclude the new parameters:
  StirTable-2.2-quirks.html?fuzz=a,b,c,d,e
resize/flush will then have the default values.
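Added example (not StirTable's or fuzz.js's own code): a seeded command generator in the spirit of the 2.2 "flush"/"resize" parameters above, which also records the layout flush inside the command string so that playback is the same as the original run, the point raised in the earlier comments about bless() and doCommand. The PRNG, the stand-in table actions, and the function names are assumptions, not StirTable's.

```javascript
// mulberry32: a small deterministic PRNG so the same seed yields the same commands.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed stand-ins for the table-mutating commands a fuzzer like StirTable emits.
const BASE_ACTIONS = [
  "addRow('table1')",
  "addCell('tr2', {colspan: 2})",
  "removeNode('td3')",
  "setStyle('table1', 'borderCollapse', 'collapse')",
];

// Generate `count` replayable command strings under the control of `seed`.
// `resize` and `flush` are percentages (0-100), like the StirTable 2.2 parameters.
function generateCommands(seed, count, { resize = 0, flush = 100 } = {}) {
  const rng = makeRng(seed);
  const out = [];
  for (let i = 0; i < count; i++) {
    let cmd = BASE_ACTIONS[Math.floor(rng() * BASE_ACTIONS.length)] + ";";
    // Both extras are drawn from the seeded RNG on every iteration and written
    // into the command itself, so a recorded log replays exactly, flushes included.
    if (rng() * 100 < resize) cmd += " resizeContainer('testRootContainer');";
    if (rng() * 100 < flush) cmd += " doc.body.offsetHeight;";
    out.push(cmd);
  }
  return out;
}

// Flatten a command list into a script body with no randomness left in it:
// each command becomes one entry a replay harness can step through in order.
function toReplayScript(commands) {
  const entries = commands.map(
    (c, i) => `  { origCount: ${i + 1}, fun: function() { ${c} } },`
  );
  return ["var replay = [", ...entries, "];"].join("\n");
}
```

The output of toReplayScript is the deterministic array form that can be pasted into a test page and handed to a reducer such as Lithium.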
Depends on: 370888
Depends on: 370897
Attached file StirTable v3.1
New version from Jesse's side of the fork.  (Hopefully the fork won't last forever.)

* Added captionSide, emptyCells, tableLayout CSS properties.
* Added inline-block and inline-table values for the CSS display property.
* Restored use of zero rowspan / colspan.
* Removed doCommand to bring it in line with fuzz.js 3.1, as I promised in comment 29.
Attachment #242973 - Attachment is obsolete: true
Depends on: 371290
Depends on: 371483
Depends on: 371556
Depends on: 371561
Depends on: 372376
Depends on: 374193
Depends on: 374405
Depends on: 374420
Depends on: 374422
Depends on: 374819
Depends on: 378240
Depends on: 378273
Depends on: 380749
Depends on: 385866
Depends on: 386014
Depends on: 387460
Depends on: 399209
Depends on: 403249
Depends on: 404209
Depends on: 404301
Depends on: 404666
Depends on: 405184
Depends on: 405186
Depends on: 408736
Depends on: 413063
Depends on: 413091
Depends on: 423514
Depends on: 427928
Depends on: 462849
Depends on: CVE-2009-3981
Depends on: 481557
Depends on: 488388
Depends on: 490376
Depends on: 509562
Depends on: 534716
Depends on: 536692
Depends on: 564054
Depends on: 573354
Depends on: 580481
Depends on: 664925
Depends on: 705996
Depends on: 710098
Depends on: 750147
Depends on: 862624
Depends on: 893333
Blocks: 1172704
No longer blocks: fuzz
Group: core-security
Depends on: 1235490
Depends on: 1283543