Bug 44001
Opened 24 years ago
Closed 24 years ago
Crash with <STYLE> tag and JS
Categories: Core :: DOM: Core & HTML, defect, P1
Tracking: VERIFIED FIXED, target milestone M17
People: Reporter: security-bugs, Assigned: jst
Details: Keywords: crash; Whiteboard: [nsbeta2+][HAVE FIX][ETA 7/11]
Attachments (1 file): 1.47 KB, patch
The following crashes at least builds 20000620 and 20000621 on Windows 98:

--------------------------------------------
<STYLE TYPE="text/css" ID="ST1">
</STYLE>
<SCRIPT>
function f(o) {
  for(var i in o) s = o[i];
}
st=document.getElementById("ST1");
f(st.style);
</SCRIPT>
--------------------------------------------
Comment 1 (Reporter) • 24 years ago
Cathy, can you confirm this? I don't have Win98. Thanks. -MLS
Comment 2 • 24 years ago
Confirmed, it crashes the 6/21 build on NT also: the instruction at "0x60ce702c" referenced memory at "0xffffffff". The memory could not be "read".
Comment 3 (Reporter) • 24 years ago
Reassign to style
Assignee: mstoltz → pierre
Group: netscapeconfidential?
Component: Security: General → Style System
QA Contact: czhang → ckritzer
Comment 4 • 24 years ago
It crashes on the Mac because of a jump-to-nil. The stack trace points to the DOM. It looks like in GetCSSStyleDeclarationProperty(), the prop that we get from GetParentRule() and pass to nsJSUtils::nsConvertObjectToJSVal() isn't correct. Reassigned to jst/DOM-Level-1

----
PowerPC illegal instruction at 00000008
Calling chain using A6/R1 links
  Back chain  ISA  Caller
  00000000    PPC  0D2C0B8C
  0E2E4700    PPC  0D2A6908  main+001AC
  0E2E4690    PPC  0D2A40FC  main1(int, char**, nsISupports*)+009C8
  0E2E4410    PPC  0CFD04B4  nsAppShellService::Run()+00054
  0E2E43C0    PPC  0CDC2874  nsAppShell::Run()+00040
  0E2E4380    PPC  0CDC3124  nsMacMessagePump::DoMessagePump()+00044
  0E2E4330    PPC  0CDC3830  nsMacMessagePump::DispatchEvent(int, EventRecord*)+00090
  0E2E42E0    PPC  0CDC3B94  nsMacMessagePump::DoMouseDown(EventRecord&)+000F4
  0E2E41A0    PPC  0CDC46A4  nsMacMessagePump::DoMenu(EventRecord&, long)+000C0
  0E2E4050    PPC  0CDC49DC  nsMacMessagePump::DispatchMenuCommandToRaptor(EventRecord&, long)+00050
  0E2E4010    PPC  0CDBF49C  nsMacMessageSink::DispatchMenuCommand(EventRecord&, long)+00050
  0E2E3FD0    PPC  0CDB8C48  nsMacWindow::HandleMenuCommand(EventRecord&, long)+00040
  0E2E3F90    PPC  0CDBA174  nsMacEventHandler::HandleMenuCommand(EventRecord&, long)+0018C
  0E2E3EB0    PPC  0CD90954  nsWindow::DispatchWindowEvent(nsGUIEvent&)+00028
  0E2E3E70    PPC  0CD9083C  nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&)+00098
  0E2E3E20    PPC  0CDAAAA4  nsMenuBar::MenuSelected(const nsMenuEvent&)+00190
  0E2E3D50    PPC  0CDA1D5C  nsMenu::MenuItemSelected(const nsMenuEvent&)+01000
  0E2E37E0    PPC  0CDB0230  nsMenuItem::MenuItemSelected(const nsMenuEvent&)+00090
  0E2E37A0    PPC  0CDB0738  nsMenuItem::DoCommand()+00344
  0E2E3690    PPC  0CEF3F08  nsXULElement::HandleDOMEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus*)+00728
  0E2E3450    PPC  0C6C9EC8  nsEventListenerManager::HandleEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*)+01EB8
  0E2E3210    PPC  0C6C7BBC  nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, unsigned int)+00878
  0E2E2FA0    PPC  0D10B9A0  nsJSEventListener::HandleEvent(nsIDOMEvent*)+002B0
  0E2E2E70    PPC  0D0863DC  nsJSContext::CallEventHandler(void*, void*, unsigned int, void*, int*, int)+0041C
  0E2E2D90    PPC  0EE7CE6C  JS_CallFunctionValue+00044
  0E2E2D50    PPC  0EE9C044  js_InternalInvoke+000D4
  0E2E2C90    PPC  0EE9BD98  js_Invoke+00770
  0E2E2B90    PPC  0EEA6480  js_Interpret+098C4
  0E2E27E0    PPC  0EE9BD38  js_Invoke+00710
  0E2E26E0    PPC  0D095920  WindowOpenDialog(JSContext*, JSObject*, unsigned int, long*, long*)+000E4
  0E2E2680    PPC  0D0A9398  GlobalWindowImpl::OpenDialog(JSContext*, long*, unsigned int, nsIDOMWindow**)+00040
  0E2E2640    PPC  0D0B44E4  GlobalWindowImpl::OpenInternal(JSContext*, long*, unsigned int, int, nsIDOMWindow**)+025F4
  0E2E2100    PPC  0CFF8868  nsChromeTreeOwner::ShowModal()+00020
  0E2E20C0    PPC  0CFDA84C  nsWebShellWindow::ShowModal()+00014
  0E2E2080    PPC  0CFFFEF8  nsXULWindow::ShowModal()+00538
  0E2E1F70    PPC  0CDC2D74  nsAppShell::DispatchNativeEvent(int, void*)+00040
  0E2E1F30    PPC  0CDC3950  nsMacMessagePump::DispatchEvent(int, EventRecord*)+001B0
  0E2E1EE0    PPC  0CDE5374  Repeater::DoRepeaters(const EventRecord&)+0003C
  0E2E1E90    PPC  0CD930DC  nsMacNSPREventQueueHandler::RepeatAction(const EventRecord&)+00014
  0E2E1E50    PPC  0CD93388  nsMacNSPREventQueueHandler::ProcessPLEventQueue()+00244
  0E2E1DB0    PPC  0D1DC828  nsEventQueueImpl::ProcessPendingEvents()+00068
  0E2E1D40    PPC  0D256E28  PL_ProcessPendingEvents+00084
  0E2E1CF0    PPC  0D256F6C  PL_HandleEvent+00054
  0E2E1CB0    PPC  0CBEDAB4  nsStreamListenerEvent::HandlePLEvent(PLEvent*)+00050
  0E2E1C70    PPC  0CBEF6AC  nsOnDataAvailableEvent::HandleEvent()+000E8
  0E2E1C20    PPC  0CC876A4  nsFileChannel::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+00098
  0E2E1BD0    PPC  0C44246C  nsDocumentOpenInfo::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+000A0
  0E2E1B80    PPC  0C4C950C  nsParser::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+0034C
  0E2E1A70    PPC  0C4C86C4  nsParser::ResumeParse(int, int)+0016C
  0E2E1A10    PPC  0C4C8964  nsParser::BuildModel()+00094
  0E2E19C0    PPC  0C4A1F88  CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*)+001C8
  0E2E18C0    PPC  0C4A274C  CNavDTD::HandleToken(CToken*, nsIParser*)+00368
  0E2E17B0    PPC  0C4A48F0  CNavDTD::HandleStartToken(CToken*)+00394
  0E2E1740    PPC  0C4A8C08  CNavDTD::AddHeadLeaf(nsIParserNode*)+0014C
  0E2E1630    PPC  0C4A87F0  CNavDTD::AddLeaf(const nsIParserNode*)+0005C
  0E2E15B0    PPC  0C60755C  HTMLContentSink::AddLeaf(const nsIParserNode&)+0015C
  0E2E1550    PPC  0C6119C0  HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode&)+0139C
  0E2E0E60    PPC  0C60EF70  HTMLContentSink::EvaluateScript(nsString&, nsIURI*, int, const char*)+00490
  0E2E0CF0    PPC  0D084990  nsJSContext::EvaluateString(const nsString&, void*, nsIPrincipal*, const char*, unsigned int, const char*, nsString&, int*)+009EC
  0E2E0B90    PPC  0EE7CC28  JS_EvaluateUCScriptForPrincipals+0008C
  0E2E0B40    PPC  0EE9C278  js_Execute+001B8
  0E2E0A90    PPC  0EEA5408  js_Interpret+0884C
  0E2E06E0    PPC  0EEB3A48  js_GetProperty+00414
  0E2E0640    PPC  0D11AFEC  GetCSSStyleDeclarationProperty(JSContext*, JSObject*, long, long*)+00218
  0E2E04B0    PPC  0D12CA10  nsJSUtils::nsConvertObjectToJSVal(nsISupports*, JSContext*, JSObject*, long*)+00068
  0E2E0420    PPC  0D089FB0  NS_CreateScriptContext+01350
Closing log
Assignee: pierre → jst
Component: Style System → DOM Level 1
QA Contact: ckritzer → gerardok
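Comment 4 above attributes the crash to a jump-to-nil when the value returned by GetParentRule() is handed to nsJSUtils::nsConvertObjectToJSVal() during the for-in enumeration of the `<STYLE>` element's `style` object. The C model below is an added illustration of that bug class, not Mozilla's code and not the patch attached to this bug (which is not reproduced on this page). The names CSSRule, CSSStyleDeclaration, GetParentRule, ConvertObjectToJSVal_unchecked, ConvertObjectToJSVal_checked and GetParentRuleProperty are hypothetical: an XPCOM-style object is a vtable of function pointers, so the first virtual call on a NULL object reads through address 0 (the Mac "illegal instruction at 00000008" and the NT read of 0xffffffff are both consistent with that). The checked variant returns JS null for a declaration that has no owning rule; its shape is an assumption about the fix, not its text.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an XPCOM-style interface: a vtable of
 * function pointers at the start of the object (added example, not
 * Mozilla's code). */
typedef struct nsISupports nsISupports;
typedef struct {
    unsigned (*AddRef)(nsISupports *self);
    unsigned (*Release)(nsISupports *self);
} nsISupportsVtbl;
struct nsISupports { const nsISupportsVtbl *vtbl; };

/* A CSS rule implementing the interface (refcounted). */
typedef struct {
    nsISupports base;      /* must be first so base <-> CSSRule casts work */
    unsigned refcnt;
    const char *selector;
} CSSRule;

static unsigned rule_addref(nsISupports *self)  { return ++((CSSRule *)self)->refcnt; }
static unsigned rule_release(nsISupports *self) { return --((CSSRule *)self)->refcnt; }
static const nsISupportsVtbl rule_vtbl = { rule_addref, rule_release };

void CSSRule_init(CSSRule *r, const char *selector) {
    r->base.vtbl = &rule_vtbl;
    r->refcnt = 0;
    r->selector = selector;
}

/* A style declaration. An element's inline `style` declaration, like the
 * one in the repro (st.style), has no owning rule, so parent_rule is NULL. */
typedef struct { CSSRule *parent_rule; } CSSStyleDeclaration;

/* Getter: legitimately returns NULL for inline declarations. */
nsISupports *GetParentRule(const CSSStyleDeclaration *decl) {
    return decl->parent_rule ? &decl->parent_rule->base : NULL;
}

/* Script-engine value: either JS null or a wrapped native object. */
typedef enum { JSVAL_NULL, JSVAL_OBJECT } jsval_tag;
typedef struct { jsval_tag tag; nsISupports *obj; } jsval;

/* Conversion as the crashing path behaves: the first thing done with the
 * object is a virtual call through its vtable. With obj == NULL that is a
 * load from address 0 followed by a jump through garbage: the jump-to-nil
 * in comment 4. Never call this with NULL; it is kept only to show the
 * unchecked shape. */
jsval ConvertObjectToJSVal_unchecked(nsISupports *obj) {
    jsval v;
    obj->vtbl->AddRef(obj);          /* NULL obj -> crash */
    v.tag = JSVAL_OBJECT;
    v.obj = obj;
    return v;
}

/* Same conversion with the missing NULL check: a NULL native pointer is
 * surfaced to script as JS null instead of dereferenced. */
jsval ConvertObjectToJSVal_checked(nsISupports *obj) {
    jsval v;
    if (obj == NULL) {
        v.tag = JSVAL_NULL;
        v.obj = NULL;
        return v;
    }
    obj->vtbl->AddRef(obj);          /* caller now owns one reference */
    v.tag = JSVAL_OBJECT;
    v.obj = obj;
    return v;
}

/* Property getter as `for (var i in o) s = o[i];` would drive it when the
 * enumeration reaches parentRule. Uses the checked conversion. */
jsval GetParentRuleProperty(const CSSStyleDeclaration *decl) {
    return ConvertObjectToJSVal_checked(GetParentRule(decl));
}

int main(void) {
    CSSStyleDeclaration inline_style = { NULL };   /* constructed sample */
    jsval v = GetParentRuleProperty(&inline_style);
    printf("inline style parentRule -> %s\n",
           v.tag == JSVAL_NULL ? "null" : "object");
    return 0;
}
```

The security-relevant point is where the check lives: a binding that converts arbitrary nsISupports pointers must treat NULL as a legal input, because any getter in the DOM may return it for a perfectly valid document, and page-controlled enumeration (`for...in` over `style`) reaches every such getter.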
Comment 5 (Assignee) • 24 years ago

Comment 6 (Assignee) • 24 years ago
I just attached a fix for this crasher. This is trivial to fix, so IMO we should definitely check this in for nsbeta2; one less crash we'll need to worry about. Very low risk fix.
Status: NEW → ASSIGNED
Keywords: nsbeta2
Priority: P3 → P1
Whiteboard: [HAVE FIX]
Target Milestone: --- → M17
Comment 7 • 24 years ago
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: [HAVE FIX] → [nsbeta2+] [HAVE FIX]
Updated (Assignee) • 24 years ago
Whiteboard: [nsbeta2+] [HAVE FIX] → [nsbeta2+][HAVE FIX][ETA 7/11]
Comment 9 (Assignee) • 24 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Updated • 5 years ago
Component: DOM → DOM: Core & HTML