Closed Bug 44001 Opened 24 years ago Closed 24 years ago

Crash with <STYLE> tag and JS

Categories: Core :: DOM: Core & HTML, defect, P1
Status: VERIFIED FIXED
People: Reporter: security-bugs, Assigned: jst
Details: Keywords: crash; Whiteboard: [nsbeta2+][HAVE FIX][ETA 7/11]
Attachments: 1 file

The following crashes at least builds 20000620 and 20000621 on Windows 98:
--------------------------------------------
<STYLE TYPE="text/css" ID="ST1">
</STYLE>
<SCRIPT>
function f(o)
{
for(var i in o) 
 s = o[i];
}
st=document.getElementById("ST1");
f(st.style);
</SCRIPT>
--------------------------------------------
Cathy, can you confirm this? I don't have Win98. Thanks. -MLS
Confirmed, it crashes the 6/21 build on NT also: the instruction at "0x60ce702c" referenced memory at "0xffffffff". The memory could not be "read".
Reassign to style
Assignee: mstoltz → pierre
Group: netscapeconfidential?
Component: Security: General → Style System
QA Contact: czhang → ckritzer
It crashes on the Mac because of a jump-to-nil. The stack trace points to the DOM. It looks like in GetCSSStyleDeclarationProperty(), the prop that we get from GetParentRule() and pass to nsJSUtils::nsConvertObjectToJSVal() isn't correct.

Reassigned to jst/DOM-Level-1
----

PowerPC illegal instruction at 00000008
 Calling chain using A6/R1 links
  Back chain  ISA  Caller
  00000000    PPC  0D2C0B8C  
  0E2E4700    PPC  0D2A6908  main+001AC
  0E2E4690    PPC  0D2A40FC  main1(int, char**, nsISupports*)+009C8
  0E2E4410    PPC  0CFD04B4  nsAppShellService::Run()+00054
  0E2E43C0    PPC  0CDC2874  nsAppShell::Run()+00040
  0E2E4380    PPC  0CDC3124  nsMacMessagePump::DoMessagePump()+00044
  0E2E4330    PPC  0CDC3830  nsMacMessagePump::DispatchEvent(int, EventRecord*)+00090
  0E2E42E0    PPC  0CDC3B94  nsMacMessagePump::DoMouseDown(EventRecord&)+000F4
  0E2E41A0    PPC  0CDC46A4  nsMacMessagePump::DoMenu(EventRecord&, long)+000C0
  0E2E4050    PPC  0CDC49DC  nsMacMessagePump::DispatchMenuCommandToRaptor(EventRecord&, long)+00050
  0E2E4010    PPC  0CDBF49C  nsMacMessageSink::DispatchMenuCommand(EventRecord&, long)+00050
  0E2E3FD0    PPC  0CDB8C48  nsMacWindow::HandleMenuCommand(EventRecord&, long)+00040
  0E2E3F90    PPC  0CDBA174  nsMacEventHandler::HandleMenuCommand(EventRecord&, long)+0018C
  0E2E3EB0    PPC  0CD90954  nsWindow::DispatchWindowEvent(nsGUIEvent&)+00028
  0E2E3E70    PPC  0CD9083C  nsWindow::DispatchEvent(nsGUIEvent*, nsEventStatus&)+00098
  0E2E3E20    PPC  0CDAAAA4  nsMenuBar::MenuSelected(const nsMenuEvent&)+00190
  0E2E3D50    PPC  0CDA1D5C  nsMenu::MenuItemSelected(const nsMenuEvent&)+01000
  0E2E37E0    PPC  0CDB0230  nsMenuItem::MenuItemSelected(const nsMenuEvent&)+00090
  0E2E37A0    PPC  0CDB0738  nsMenuItem::DoCommand()+00344
  0E2E3690    PPC  0CEF3F08  nsXULElement::HandleDOMEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, unsigned int, nsEventStatus*)+00728
  0E2E3450    PPC  0C6C9EC8  nsEventListenerManager::HandleEvent(nsIPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*)+01EB8
  0E2E3210    PPC  0C6C7BBC  nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, unsigned int)+00878
  0E2E2FA0    PPC  0D10B9A0  nsJSEventListener::HandleEvent(nsIDOMEvent*)+002B0
  0E2E2E70    PPC  0D0863DC  nsJSContext::CallEventHandler(void*, void*, unsigned int, void*, int*, int)+0041C
  0E2E2D90    PPC  0EE7CE6C  JS_CallFunctionValue+00044
  0E2E2D50    PPC  0EE9C044  js_InternalInvoke+000D4
  0E2E2C90    PPC  0EE9BD98  js_Invoke+00770
  0E2E2B90    PPC  0EEA6480  js_Interpret+098C4
  0E2E27E0    PPC  0EE9BD38  js_Invoke+00710
  0E2E26E0    PPC  0D095920  WindowOpenDialog(JSContext*, JSObject*, unsigned int, long*, long*)+000E4
  0E2E2680    PPC  0D0A9398  GlobalWindowImpl::OpenDialog(JSContext*, long*, unsigned int, nsIDOMWindow**)+00040
  0E2E2640    PPC  0D0B44E4  GlobalWindowImpl::OpenInternal(JSContext*, long*, unsigned int, int, nsIDOMWindow**)+025F4
  0E2E2100    PPC  0CFF8868  nsChromeTreeOwner::ShowModal()+00020
  0E2E20C0    PPC  0CFDA84C  nsWebShellWindow::ShowModal()+00014
  0E2E2080    PPC  0CFFFEF8  nsXULWindow::ShowModal()+00538
  0E2E1F70    PPC  0CDC2D74  nsAppShell::DispatchNativeEvent(int, void*)+00040
  0E2E1F30    PPC  0CDC3950  nsMacMessagePump::DispatchEvent(int, EventRecord*)+001B0
  0E2E1EE0    PPC  0CDE5374  Repeater::DoRepeaters(const EventRecord&)+0003C
  0E2E1E90    PPC  0CD930DC  nsMacNSPREventQueueHandler::RepeatAction(const EventRecord&)+00014
  0E2E1E50    PPC  0CD93388  nsMacNSPREventQueueHandler::ProcessPLEventQueue()+00244
  0E2E1DB0    PPC  0D1DC828  nsEventQueueImpl::ProcessPendingEvents()+00068
  0E2E1D40    PPC  0D256E28  PL_ProcessPendingEvents+00084
  0E2E1CF0    PPC  0D256F6C  PL_HandleEvent+00054
  0E2E1CB0    PPC  0CBEDAB4  nsStreamListenerEvent::HandlePLEvent(PLEvent*)+00050
  0E2E1C70    PPC  0CBEF6AC  nsOnDataAvailableEvent::HandleEvent()+000E8
  0E2E1C20    PPC  0CC876A4  nsFileChannel::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+00098
  0E2E1BD0    PPC  0C44246C  nsDocumentOpenInfo::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+000A0
  0E2E1B80    PPC  0C4C950C  nsParser::OnDataAvailable(nsIChannel*, nsISupports*, nsIInputStream*, unsigned int, unsigned int)+0034C
  0E2E1A70    PPC  0C4C86C4  nsParser::ResumeParse(int, int)+0016C
  0E2E1A10    PPC  0C4C8964  nsParser::BuildModel()+00094
  0E2E19C0    PPC  0C4A1F88  CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*)+001C8
  0E2E18C0    PPC  0C4A274C  CNavDTD::HandleToken(CToken*, nsIParser*)+00368
  0E2E17B0    PPC  0C4A48F0  CNavDTD::HandleStartToken(CToken*)+00394
  0E2E1740    PPC  0C4A8C08  CNavDTD::AddHeadLeaf(nsIParserNode*)+0014C
  0E2E1630    PPC  0C4A87F0  CNavDTD::AddLeaf(const nsIParserNode*)+0005C
  0E2E15B0    PPC  0C60755C  HTMLContentSink::AddLeaf(const nsIParserNode&)+0015C
  0E2E1550    PPC  0C6119C0  HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode&)+0139C
  0E2E0E60    PPC  0C60EF70  HTMLContentSink::EvaluateScript(nsString&, nsIURI*, int, const char*)+00490
  0E2E0CF0    PPC  0D084990  nsJSContext::EvaluateString(const nsString&, void*, nsIPrincipal*, const char*, unsigned int, const char*, nsString&, int*)+009EC
  0E2E0B90    PPC  0EE7CC28  JS_EvaluateUCScriptForPrincipals+0008C
  0E2E0B40    PPC  0EE9C278  js_Execute+001B8
  0E2E0A90    PPC  0EEA5408  js_Interpret+0884C
  0E2E06E0    PPC  0EEB3A48  js_GetProperty+00414
  0E2E0640    PPC  0D11AFEC  GetCSSStyleDeclarationProperty(JSContext*, JSObject*, long, long*)+00218
  0E2E04B0    PPC  0D12CA10  nsJSUtils::nsConvertObjectToJSVal(nsISupports*, JSContext*, JSObject*, long*)+00068
  0E2E0420    PPC  0D089FB0  NS_CreateScriptContext+01350
 Closing log
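The diagnosis above (a jump-to-nil reached from GetCSSStyleDeclarationProperty() through nsJSUtils::nsConvertObjectToJSVal()) is the classic shape of an unchecked null interface pointer being dispatched through its vtable: the fault lands at a small offset such as 00000008, or reads 0xffffffff on Windows. The following is an added illustration, not Mozilla code and not the patch jst attached; it assumes, as the jump-to-nil suggests, that the parent-rule pointer handed to the converter can be null (an element's inline style declaration has no parent rule), and all type and function names in it are invented stand-ins for the nsISupports/nsJSUtils types in the trace. It shows the unchecked converter beside a checked one that maps a null interface pointer to a null jsval.

```cpp
// Added illustration of the failure mode in this bug (not Mozilla code).
// Names are stand-ins: ISupports ~ nsISupports, Convert* ~ nsConvertObjectToJSVal.
#include <cstdint>
#include <cstdio>

// Stand-in for an XPCOM interface: a virtual call reaches the target through
// the object's vtable, so calling through a null pointer faults at a small
// address (the vtable slot offset), which is what "illegal instruction at
// 00000008" on the Mac looks like.
struct ISupports {
    virtual ~ISupports() = default;
    virtual int QueryInterface(uint32_t iid, void** out) = 0;
};

// Stand-in for a CSS rule object that a style declaration may point back to.
struct CSSRuleStub : ISupports {
    int QueryInterface(uint32_t, void** out) override { *out = this; return 0; }
};

// Toy jsval: 0 plays the role of JSVAL_NULL, a tagged pointer plays an object.
using jsval_t = uintptr_t;
constexpr jsval_t kJsNull = 0;

// Stand-in for a style declaration whose parent rule may be absent
// (assumption: null for an element's inline style, as the repro enumerates).
struct StyleDecl {
    ISupports* parentRule;
};

// Unchecked converter: dispatches through whatever pointer it is handed.
// With obj == nullptr this is the jump-to-nil from the stack trace.
jsval_t ConvertUnchecked(ISupports* obj) {
    void* tmp = nullptr;
    obj->QueryInterface(0, &tmp);                 // crashes when obj is null
    return reinterpret_cast<jsval_t>(tmp) | 1;    // tag as object
}

// Checked converter: a null interface pointer becomes a null jsval, and a
// failed QueryInterface is not treated as an object either.
jsval_t ConvertChecked(ISupports* obj) {
    if (!obj) return kJsNull;
    void* tmp = nullptr;
    if (obj->QueryInterface(0, &tmp) != 0 || !tmp) return kJsNull;
    return reinterpret_cast<jsval_t>(tmp) | 1;
}

// The property getter as the trace shows it: fetch parentRule, then convert.
// Only the checked path is safe for a declaration with no parent rule.
jsval_t GetParentRuleChecked(const StyleDecl& decl) {
    return ConvertChecked(decl.parentRule);
}

int main() {
    CSSRuleStub rule;
    StyleDecl withRule{&rule};
    StyleDecl inlineStyle{nullptr};   // what the <STYLE> element's .style yields
    std::printf("with rule: %s\n", GetParentRuleChecked(withRule) ? "object" : "null");
    std::printf("inline style: %s\n", GetParentRuleChecked(inlineStyle) ? "object" : "null");
    // ConvertUnchecked(nullptr) would reproduce the crash; it is deliberately not called.
    return 0;
}
```

The practitioner's check is the one-line null test before any virtual call on a pointer obtained from a getter that may legitimately return nothing; the JS-side repro (a for-in over every property of a style object) is a cheap way to reach every such getter in one pass.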
Assignee: pierre → jst
Component: Style System → DOM Level 1
QA Contact: ckritzer → gerardok
I just attached a fix for this crasher. This is trivial to fix, so IMO we should definitely check this in for nsbeta2; one less crash we'll need to worry about, very low risk fix.
Status: NEW → ASSIGNED
Keywords: nsbeta2
Priority: P3 → P1
Whiteboard: [HAVE FIX]
Target Milestone: --- → M17
Putting on [nsbeta2+] radar for beta2 fix. 
Whiteboard: [HAVE FIX] → [nsbeta2+] [HAVE FIX]
Adding crash keyword
Keywords: crash
Whiteboard: [nsbeta2+] [HAVE FIX] → [nsbeta2+][HAVE FIX][ETA 7/11]
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Verified with 2000-12-15.
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML