Closed
Bug 502848
Opened 15 years ago
Closed 15 years ago
[HTML5] Crash [@ nsHtml5TreeOperation::Init] with document.write script removing window and span
Categories
(Core :: DOM: HTML Parser, defect)
Core
DOM: HTML Parser
Tracking
()
RESOLVED
FIXED
People
(Reporter: martijn.martijn, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos] null deref)
Crash Data
Attachments
(1 file)
|
592 bytes,
text/html
|
Details |
See testcase, to get this crash, you need to have the html5.enable pref set to true.
I don't know if this is related to the other html5 parser crashes, might be.
The iframe content is this: <script>document.write('<script>window.frameElement.parentNode.removeChild(window.frameElement)<'+'/script><span>');</script>
http://crash-stats.mozilla.com/report/index/e5e27f4d-8280-4cb8-8efb-23e3b2090707?p=1
0 xul.dll nsCOMPtr_base::assign_with_AddRef obj-firefox/xpcom/build/nsCOMPtr.cpp:88
1 xul.dll nsCOMPtr<nsIDOMNode>::operator= obj-firefox/dist/include/nsCOMPtr.h:640
2 xul.dll nsHtml5TreeOperation::Init parser/html/nsHtml5TreeOperation.h:72
3 xul.dll nsHtml5TreeBuilder::appendElement parser/html/nsHtml5TreeBuilderCppSupplement.h:170
4 xul.dll nsHtml5TreeBuilder::insertIntoFosterParent parser/html/nsHtml5TreeBuilder.cpp:3248
5 xul.dll nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster parser/html/nsHtml5TreeBuilder.cpp:3386
6 xul.dll nsHtml5TreeBuilder::startTag parser/html/nsHtml5TreeBuilder.cpp:1245
7 xul.dll nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:364
8 xul.dll nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:596
9 xul.dll nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:459
10 xul.dll nsHtml5Parser::Parse parser/html/nsHtml5Parser.cpp:378
11 xul.dll nsHTMLDocument::WriteCommon content/html/document/src/nsHTMLDocument.cpp:2172
12 xul.dll nsHTMLDocument::ScriptWriteCommon content/html/document/src/nsHTMLDocument.cpp:2250
13 xul.dll nsHTMLDocument::Write content/html/document/src/nsHTMLDocument.cpp:2256
14 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
15 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2691
|
Reporter | |
Comment 1•15 years ago
|
||
|
||
Comment 2•15 years ago
|
||
Crash on mac, too, but not the same stack
bp-263ab4ae-68df-432c-9719-3e2972090727
OS: Windows XP → All
Hardware: x86 → All
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:dos] null deref
|
||
Comment 3•15 years ago
|
||
Maybe a duplicate of bug 502869.
|
|
Reporter | |
Comment 4•15 years ago
|
||
Still crashes current trunk.
|
|
||
Comment 5•15 years ago
|
||
I'm interested to see if the patch from bug 503473 fixes this.
|
|
||
Comment 6•15 years ago
|
||
With everything in my queue up to and including bug 503473 applied, I don't see the crash on Mac in a debug build.
Depends on: 503473
|
|
||
Comment 7•15 years ago
|
||
I believe this was fixed together with bug 503473.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
Assignee | |
Updated•13 years ago
|
Crash Signature: [@ nsHtml5TreeOperation::Init]
You need to log in
before you can comment on or make changes to this bug.
Description
•