Bug 45975: document.write in strict dtd crashes browser
Status: VERIFIED FIXED (opened 25 years ago, closed 25 years ago)
Categories: Core :: DOM: HTML Parser, defect, P3
People: Reporter: harishd, Assigned: harishd
Details: Keywords: crash, Whiteboard: [nsbeta2+] Fix in hand [ETA 07/27/00]
Attachments (2 files): patch, 8.08 KB; patch, 786 bytes
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"
"http://www.w3.org/TR/REC-html40/strict.dtd">
<HTML>
<HEAD>
<TITLE> Script in Strict DTD</TITLE>
<META http-equiv="Content-Script-Type" content="type">
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
document.write("<DIV>Hello</DIV>");
</SCRIPT>
</head>
<body>
<P>there</P>
</body>
</html>
The above test case would crash the browser.
We shouldn't crash no matter what. Putting on beta2 radar.
Stack trace...hmmm:
#0 0x40bc5261 in SinkContext::CloseContainer (this=0x874df30, aNode=@0x8832c70)
   at /home/david/mozilla/src/mozilla/layout/html/document/src/nsHTMLContentSink.cpp:1421
#1 0x40bc9b53 in HTMLContentSink::CloseBody (this=0x8750360, aNode=@0x8832c70)
   at /home/david/mozilla/src/mozilla/layout/html/document/src/nsHTMLContentSink.cpp:2795
#2 0x419ad2b7 in CHTMLElement::HandleEndToken (this=0x81deae0, aNode=0x8832c70, aTag=eHTMLTag_body, aContext=0x87e4170, aSink=0x8750360)
   at /home/david/mozilla/src/mozilla/htmlparser/src/COtherElements.h:1827
#3 0x4196008e in COtherDTD::DidBuildModel (this=0x88306c0, anErrorCode=0, aNotifySink=1, aParser=0x885b320, aSink=0x8750360)
   at /home/david/mozilla/src/mozilla/htmlparser/src/COtherDTD.cpp:513
#4 0x4196c122 in nsParser::DidBuildModel (this=0x885b320, anErrorCode=0)
   at /home/david/mozilla/src/mozilla/htmlparser/src/nsParser.cpp:1385
#5 0x4196d0d2 in nsParser::ResumeParse (this=0x885b320, allowIteration=1, aIsFinalChunk=1)
   at /home/david/mozilla/src/mozilla/htmlparser/src/nsParser.cpp:1896
#6 0x4196de6f in nsParser::OnStopRequest (this=0x885b320, channel=0x8875d80, aContext=0x0, status=0, aMsg=0x0)
   at /home/david/mozilla/src/mozilla/htmlparser/src/nsParser.cpp:2347
...
OS: Windows NT → All
Hardware: PC → All
Comment 3•25 years ago
Putting on [nsbeta2-] radar. Not critical to beta2. Strict DTDs are a rare case.
Due to this edge case PDT gives this a -.
Whiteboard: [nsbeta2-]
Comment 6•25 years ago
Putting back on nsbeta2 radar since we have a fix. The PDT estimate that "Strict
DTDs are a rare case" is a bit of a joke.
Oops, I accidentally changed nsbeta2 (nominated by pierre) to nsbeta3. Sorry
about that.
Comment 9•25 years ago
Putting on [NEED INFO] radar. PDT needs to know impact to user and risk of fix
to make a call on this bug. David Baron, do you see this as critical for pr2?
How frequently do you think this will happen in the real world?
Whiteboard: Fix in hand → [NEED INFO] Fix in hand
How frequently it will happen depends on what we do about bug 42388. Right now
I'd guess (based on the bugs marked duplicate of bug 42388) that we're using the
strict/transitional DTD on 1%-5% of the top100 and similar sites.
However, if my interpretation of Harish's patch is correct, the changes in the
patch *only* affect documents that trigger the Strict DTD. Since all of the
code changes are within the strict DTD, fixing this serious a bug in the strict
DTD is a good thing to do. If you don't care about pages triggering the strict
DTD, then this fix carries no risk since it only affects such pages. If you do
care, then it should be a beta2 blocker.
Harish, is that correct?
Comment 11•25 years ago (Assignee)
Absolutely, David.
Comment 12•25 years ago
Per bug triage mtg, + to stop the crash. See jst for code review please.
Whiteboard: [NEED INFO] Fix in hand → [nsbeta2+] Fix in hand
Comment 13•25 years ago (Assignee)
Whiteboard: [nsbeta2+] Fix in hand → [nsbeta2+] Fix in hand [ETA 07/27/00]
Comment 14•25 years ago (Assignee)
Fix landed on the branch and tip. Marking FIXED. Will open up a new bug for
document.write() not working.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 15•25 years ago
verified
2000-08-04-04-M17 : Win98
2000-08-04-04-M17 : Mac
2000-08-03-04-M17 : Linux
Status: RESOLVED → VERIFIED