52061 - Crash when page is loaded. Caused by evil JavaScript code?

Status: VERIFIED DUPLICATE of bug 52397

(Core :: Networking, defect, P3)

Description

[Karl Johan Kleist]

Build ID: 2000090908 / RH 6.2 + glibc-2.1.3-21

Comment 1

[Karl Johan Kleist]

Sorry, forgot talkback incident ID: TB17207107Y

Comment 2

[Paul McGarry]

Huge resource suckage due to webpage (which sadly is nothing to do with Monty
Python and more to do with trouser python) launching a truckload of windows.
Linux 2000091021

Comment 3

[Phil Schwartau]

Browser, not engine. Will attach stack trace. Not sure which component is
responsible, so will assign to Browser-General for analysis of trace -

Comment 4

[Phil Schwartau]

Attachment: Linux stack trace of crash -

Comment 5

[Phil Schwartau]

(Stack trace obtained using Linux debug tip build 2000-09-13, 12PM Pacific Time)
Crash also occurs on WinNT (Mozilla binary 2000091505); changing OS to "All"

NOTE: 
IE 4.7 has no problem with this URL. The mini-window that comes up travels 
left to right across the screen, and appears to the eye as just one window.
In Mozilla, however, you are aware of many, many windows being created.
Could this bug be considered a Security issue (denial-of-service attack)?


NN4.7 displays the page just as IE 4.7 does. To the eye, the child window 
appears as a single window moving left to right. However, if I reloaded 
the URL (note: this was on Linux), I kept getting a warning dialog box:


Netscape: subprocess diagnostics (stdout/stderr)

Warning: 
          Name: vscroll
          Class: XmScrollBar
          The scrollbar minimum value is greater than or equal to the 
          scrollbar maximum value.

Warning: 
          Name: vscroll
          Class: XmScrollBar
          Specified slider size is greater than the scrollbar maximum value 
          minus the scrollbar minimum value.

Comment 6

[Asa Dotzler [:asa]]

updating component and setting default owner.

Comment 7

[Ray Whitmer]

Is there more info on how to dupe this problem simply in Mozilla, i.e. open 
Mozilla, retrieve the following URL...

Comment 8

[Phil Schwartau]

Using Mozilla tip builds 2000-09-18 7 PM Pacific Time on WinNT, Linux.
To duplicate the problem: just open Mozilla and load the given URL:

                     http://www.pythonvideo.com/



On Linux: still crashes, just a few seconds after the URL loads
On WinNT: endless sequence of small windows opening; I did not wait to crash


Compare: with NN4.7, you get one small window moving left to right above 
         the main window of the URL. Not thousands of small windows opening
         and remaining open in the same spot. CPU does not get pegged, either.

 

Comment 9

[Ray Whitmer]

I get the following JS errors, when running the script, which I think we need to 
deal with first as possibly contributing to the problem.

Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
JavaScript strict warning:
 line 9: function onget does not always return a value

JavaScript strict warning:
 line 9: function onset does not always return a value

JavaScript strict warning:
chrome://navigator/content/navigator.js line 1970: reference to undefined 
property window._content.HTTPIndex

Document http://www.mozilla.org/ loaded successfully
JavaScript strict warning:
chrome://navigator/content/navigator.js line 1970: reference to undefined 
property window._content.HTTPIndex

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

S_OK
S_OK
->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Read Clipboard from memory
JavaScript strict warning:
 line 79: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 179: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 179: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 79: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 79: reference to undefined property me.menuOpen

Enabling Quirk StyleSheet
WEBSHELL+ = 5
WEBSHELL+ = 6
Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
JavaScript strict warning:
chrome://navigator/content/navigator.js line 1970: reference to undefined 
property window._content.HTTPIndex

WEBSHELL- = 5
WEBSHELL+ = 6
WEBSHELL+ = 7
Enabling Quirk StyleSheet
Setting content window
*** Pulling out the charset
JavaScript strict warning:
chrome://navigator/content/navigator.js line 433: reference to undefined 
property window.arguments

JavaScript strict warning:
chrome://navigator/content/navigator.js line 456: reference to undefined 
property window.arguments

in SetSecurityButton
WEBSHELL- = 6
WEBSHELL- = 5
WEBSHELL- = 4
WEBSHELL- = 3
WEBSHELL- = 2
Shut down app shell component {33e569b0-40f8-11d4-9a41-000064657374}, 
rv=0x00000000
Shut down app shell component {18c2f989-b09f-11d2-bcde-00805f0e1353}, 
rv=0x00000000

Reassigning to Javascript.

Comment 10

[Blake Ross]

*spam*

adding crash keyword...

Comment 11

[Phil Schwartau]

Using Mozilla tip builds 2000-09-21, on Linux and WinNT.
Using Mozilla binaries 2000092321 on Linux, 2000092320 on WinNT.


Current status: The page seems to load fine on both platforms now.
We now have the correct behavior for the child window: it moves from left
to right. The parent page loads without a crash, and when you dismiss the 
child window you do not crash. Good progress...

However, if you now hit "Reload", you crash on Linux (but not on WinNT).
Not getting the JavaScript errors in the console that Ray reported
I have javascript.options.strict set to false in bin/defaults/pref/all.js


Here is a Linux stack trace: 


#0  0x40a05714 in nsHTTPServerListener::OnDataAvailable (this=0x87e6878,
channel=0x85e5ad4, context=0x88c5948, 
    i_pStream=0x86d80f0, i_SourceOffset=0, i_Length=2697) at
nsHTTPResponseListener.cpp:467
#1  0x4099ae3f in nsOnDataAvailableEvent::HandleEvent (this=0x422026f8) at
nsAsyncStreamListener.cpp:400
#2  0x4099a0c7 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x42202720) at
nsAsyncStreamListener.cpp:97
#3  0x4012718e in PL_HandleEvent (self=0x42202720) at plevent.c:575
#4  0x40126fac in PL_ProcessPendingEvents (self=0x80aa1c0) at plevent.c:508
#5  0x40128df9 in nsEventQueueImpl::ProcessPendingEvents (this=0x80aa198) at
nsEventQueue.cpp:356
#6  0x40c61a44 in event_processor_callback (data=0x80aa198, source=8,
condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#7  0x40c6167f in our_gdk_io_invoke (source=0x8149998, condition=G_IO_IN,
data=0x8209ec8) at nsAppShell.cpp:58
#8  0x40e2852a in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#9  0x40e29be6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#10 0x40e2a1a1 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#11 0x40e2a341 in g_main_run () from /usr/lib/libglib-1.2.so.0
#12 0x40d54209 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#13 0x40c6213a in nsAppShell::Run (this=0x810ab10) at nsAppShell.cpp:335
#14 0x407493d4 in nsAppShellService::Run (this=0x80fc7d8) at
nsAppShellService.cpp:407
#15 0x805576f in main1 (argc=1, argv=0xbffffb54, nativeApp=0x0) at
nsAppRunner.cpp:958
#16 0x8055e3e in main (argc=1, argv=0xbffffb54) at nsAppRunner.cpp:1139



This involves Necko functions at the top; reassigning to Networking component.
Note similarity of this trace to those in bug 52949 and bug 52314.

Comment 12

[Darin Fisher]

Attachment: Patch for nsHTTPResponseListener.cpp

Comment 13

[Darin Fisher]

The patch posted above prevents this crash. However, it's likely that
something bigger is wrong, and my patch is probably not getting at the
real problem.

Comment 14

[Darin Fisher]

*** This bug has been marked as a duplicate of 52397 ***

Comment 15

[Tom Everingham]

verified dup