javascript/framesets crashes in parser

VERIFIED FIXED in M6

Status

P3
normal
VERIFIED FIXED
20 years ago
19 years ago

People

(Reporter: mcafee, Assigned: rickg)

Tracking

Trunk
x86
Linux

(Reporter)

Description

20 years ago
zillasplat is a simple javascript page that reads your bugsplat cookie
and creates two frame sets, one with your bugsplat bugs and the
other with your bugzilla bugs.  This crashes in the parser for me:

#0  0x40ac46a1 in __kill ()
#1  0x40ac44cf in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2  0x40ac56df in abort () at ../sysdeps/generic/abort.c:83
#3  0x407d2fba in PR_Abort () at prlog.c:461
#4  0x4002f286 in nsDebug::Abort (aFile=0x4061bcc6 "CNavDTD.cpp", aLine=2492) at
nsDebug.cpp:93
#5  0x4002f2ea in nsDebug::Break (aFile=0x4061bcc6 "CNavDTD.cpp", aLine=2492) at
nsDebug.cpp:108
#6  0x4002f355 in nsDebug::PreCondition (aStr=0x4061bc9c "Error: invalid tag
stack position",
    aExpr=0x4061be36 "mBodyContext->GetCount() > 0", aFile=0x4061bcc6
"CNavDTD.cpp", aLine=2492)
    at nsDebug.cpp:120
#7  0x406044b6 in CNavDTD::CloseTopmostContainer (this=0x833cdd8) at
CNavDTD.cpp:2492
#8  0x4060499e in CNavDTD::ReduceContextStackFor (this=0x833cdd8,
aChildTag=eHTMLTag_br)
    at CNavDTD.cpp:2654
#9  0x40600d37 in CNavDTD::HandleDefaultStartToken (this=0x833cdd8,
aToken=0x81b9bb0,
    aChildTag=eHTMLTag_br, aNode=@0xbfffde70) at CNavDTD.cpp:905
#10 0x4060141d in CNavDTD::HandleStartToken (this=0x833cdd8, aToken=0x81b9bb0)
at CNavDTD.cpp:1066
#11 0x405ff999 in NavDispatchTokenHandler (aToken=0x81b9bb0, aDTD=0x833cdd8) at
CNavDTD.cpp:248
#12 0x406103a0 in CTokenHandler::operator() (this=0x83c4088, aToken=0x81b9bb0,
aDTD=0x833cdd8)
    at nsTokenHandler.cpp:80
#13 0x4060055c in CNavDTD::HandleToken (this=0x833cdd8, aToken=0x81b9bb0,
aParser=0x8403360)
    at CNavDTD.cpp:609
#14 0x40600262 in CNavDTD::BuildModel (this=0x833cdd8, aParser=0x8403360,
aTokenizer=0x81bd180,
    anObserver=0x0, aSink=0x8405de8) at CNavDTD.cpp:507
#15 0x4060da8f in nsParser::BuildModel (this=0x8403360) at nsParser.cpp:804
#16 0x4060d978 in nsParser::ResumeParse (this=0x8403360, aDefaultDTD=0x0) at
nsParser.cpp:756
#17 0x4060d828 in nsParser::Parse (this=0x8403360, aSourceBuffer=@0xbfffe0f8,
aKey=0x1,
    aContentType=@0xbfffe0e4, aEnableVerify=0, aLastCall=1) at nsParser.cpp:724
#18 0x404bb6f6 in nsHTMLDocument::WriteCommon (this=0x84057a8, cx=0x827aae0,
argv=0x82e2fc8, argc=2,
    aNewlineTerminate=0) at nsHTMLDocument.cpp:1342
#19 0x404bb798 in nsHTMLDocument::Write (this=0x84057a8, cx=0x827aae0,
argv=0x82e2fc8, argc=2)
    at nsHTMLDocument.cpp:1355
#20 0x40666d6a in HTMLDocumentWrite (cx=0x827aae0, obj=0x81c9538, argc=2,
argv=0x82e2fc8, rval=0xbfffe23c)
    at nsJSHTMLDocument.cpp:714
#21 0x406df76f in js_Invoke (cx=0x827aae0, argc=2, constructing=0) at
jsinterp.c:650
#22 0x406ef346 in js_Interpret (cx=0x827aae0, result=0xbfffe660) at
jsinterp.c:2183
#23 0x406dfc88 in js_Execute (cx=0x827aae0, chain=0x81c8a78, script=0x8284fa8,
fun=0x0, down=0x0,
    debugging=0, result=0xbfffe660) at jsinterp.c:815
#24 0x406b91c3 in JS_EvaluateUCScriptForPrincipals (cx=0x827aae0, obj=0x81c8a78,
principals=0x0,
    chars=0x83c9bb0, length=1996, filename=0x8320c50
"http://scopus/bugsplat/zillasplat.html", lineno=7,
    rval=0xbfffe660) at jsapi.c:2324
#25 0x406411b0 in nsJSContext::EvaluateString (this=0x827aac0,
aScript=@0xbfffe750,
    aURL=0x8320c50 "http://scopus/bugsplat/zillasplat.html", aLineNo=7,
aRetValue=@0xbfffe69c,
    aIsUndefined=0xbfffe690) at nsJSEnvironment.cpp:115
#26 0x404b6afd in HTMLContentSink::EvaluateScript (this=0x8405de8,
aScript=@0xbfffe750, aLineNo=7)
    at nsHTMLContentSink.cpp:2704
#27 0x404b704c in HTMLContentSink::ProcessSCRIPTTag (this=0x8405de8,
aNode=@0xbfffe8a4)
    at nsHTMLContentSink.cpp:2811
#28 0x404b3ec0 in HTMLContentSink::AddLeaf (this=0x8405de8, aNode=@0xbfffe8a4)
    at nsHTMLContentSink.cpp:1894
#29 0x406045ae in CNavDTD::AddLeaf (this=0x833cdd8, aNode=@0xbfffe8a4) at
CNavDTD.cpp:2511
#30 0x4060469a in CNavDTD::AddHeadLeaf (this=0x833cdd8, aNode=@0xbfffe8a4) at
CNavDTD.cpp:2541
#31 0x406013e5 in CNavDTD::HandleStartToken (this=0x833cdd8, aToken=0x81b9058)
at CNavDTD.cpp:1064
#32 0x405ff999 in NavDispatchTokenHandler (aToken=0x81b9058, aDTD=0x833cdd8) at
CNavDTD.cpp:248
#33 0x406103a0 in CTokenHandler::operator() (this=0x83c4088, aToken=0x81b9058,
aDTD=0x833cdd8)
    at nsTokenHandler.cpp:80
#34 0x4060055c in CNavDTD::HandleToken (this=0x833cdd8, aToken=0x81b9058,
aParser=0x8403360)
    at CNavDTD.cpp:609
#35 0x40600262 in CNavDTD::BuildModel (this=0x833cdd8, aParser=0x8403360,
aTokenizer=0x83b4e50,
    anObserver=0x0, aSink=0x8405de8) at CNavDTD.cpp:507
#36 0x4060da8f in nsParser::BuildModel (this=0x8403360) at nsParser.cpp:804
#37 0x4060d978 in nsParser::ResumeParse (this=0x8403360, aDefaultDTD=0x0) at
nsParser.cpp:756
#38 0x4060dec2 in nsParser::OnDataAvailable (this=0x8403360, aURL=0x83adaf0,
pIStream=0x8274960,
    aLength=2158) at nsParser.cpp:968
#39 0x4021450b in nsDocumentBindInfo::OnDataAvailable (this=0x827fcd8,
aURL=0x83adaf0, aStream=0x8274960,
    aLength=2158) at nsDocLoader.cpp:1783
#40 0x401f72d3 in stub_put_block (stream=0x8403190,
    buffer=0x804f878 "n your bugsplat cookie. \n     Sat Oct 17 00:02:29 PDT
1998
<mcafee@netscape.com>\n-->\n\n<HTML>\n<HEAD><TITLE>ZillaSplat</title>\n</HEAD>\n\n<script>\nfunction
getCookieVal (offset) {\n  var endstr = document."..., length=2158) at
nsStubContext.cpp:647
#41 0x4019ba7d in net_MemCacheWrite (stream=0x8323e40,
    buffer=0x804f878 "n your bugsplat cookie. \n     Sat Oct 17 00:02:29 PDT
1998
<mcafee@netscape.com>\n-->\n\n<HTML>\n<HEAD><TITLE>ZillaSplat</title>\n</HEAD>\n\n<script>\nfunction
getCookieVal (offset) {\n  var endstr = document."..., len=2158) at
mkmemcac.c:664
#42 0x40102978 in net_pull_http_data (ce=0x8338428) at mkhttp.c:3097
#43 0x401032d5 in net_ProcessHTTP (ce=0x8338428) at mkhttp.c:3489
#44 0x401c7e33 in NET_ProcessNet (ready_fd=0x83c1e40, fd_type=2) at
mkgeturl.c:3371
#45 0x401cfdbd in NET_PollSockets () at mkselect.c:320
#46 0x401f0872 in nsNetlibService::NetPollSocketsCallback (aTimer=0x82dea80,
aClosure=0x804e498)
    at nsNetService.cpp:1220
#47 0x400e2de9 in TimerImpl::FireTimeout (this=0x82dea80) at nsTimer.cpp:73
#48 0x400e32d2 in nsTimerExpired (aCallData=0x82dea80) at nsTimer.cpp:189
#49 0x40974a60 in g_timeout_dispatch (source_data=0x83e43f0,
current_time=0xbffff3a0, user_data=0x82dea80)
    at gmain.c:1144
#50 0x40973d53 in g_main_dispatch (current_time=0xbffff3a0) at gmain.c:644
#51 0x409742df in g_main_iterate (block=1, dispatch=1) at gmain.c:851
#52 0x40974461 in g_main_run (loop=0x812dc90) at gmain.c:909
#53 0x408a15f7 in gtk_main () at gtkmain.c:501
#54 0x4008234c in nsAppShell::Run (this=0x80eaae8) at nsAppShell.cpp:178
#55 0x40017ed1 in nsAppShellService::Run (this=0x80ea6a0) at
nsAppShellService.cpp:178
#56 0x804a38c in main (argc=1, argv=0xbffff4c4) at nsAppRunner.cpp:337
(Reporter)

Comment 1

20 years ago
This crashes both viewer & apprunner on linux.
(Assignee)

Updated

20 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 2

20 years ago
Chris -- I can't reproduce this. Can you send me your bugsplat cookie?
Alternatively, tell me what other steps I need to follow to reproduce this.
(Reporter)

Comment 3

20 years ago
I wiped out my cookies file, then visited:
  http://scopus/bugsplat/login.cgi
  http://bugzilla.mozilla.org
and then crashed on the zillasplat.html URL above.
Linux & Solaris, today's build.
(Assignee)

Updated

20 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 20 years ago
Resolution: --- → FIXED
(Assignee)

Comment 4

20 years ago
This doesn't crash now, but I can't see the zillasplat data due to a login
failure.

Updated

20 years ago
QA Contact: 3847 → 4141

Comment 5

20 years ago
Attempting to steal gem's HTMLParser bugs all at once.  Changing QAContact to
janc.

Updated

19 years ago
Status: RESOLVED → VERIFIED