Crash when page is loaded. Caused by evil JavaScript code?

Status: VERIFIED DUPLICATE of bug 52397
Priority: P3
Severity: critical
Reported: 19 years ago
Modified: 18 years ago

People: Reporter: kleist, Assigned: gagan

Tracking: Keywords: crash; Version: Trunk; Platform: x86; OS: All

Attachments: 2 attachments

Description

19 years ago
Build ID: 2000090908 / RH 6.2 + glibc-2.1.3-21

Comment 1

19 years ago
Sorry, forgot talkback incident ID: TB17207107Y

Comment 2

19 years ago
Huge resource suckage due to webpage (which sadly is nothing to do with Monty
Python and more to do with trouser python) launching a truckload of windows.
Linux 2000091021

Comment 3

19 years ago
Browser, not engine. Will attach stack trace. Not sure which component is
responsible, so will assign to Browser-General for analysis of trace -
Assignee: rogerl → asa
Status: UNCONFIRMED → NEW
Component: Javascript Engine → Browser-General
Ever confirmed: true
QA Contact: pschwartau → doronr

Comment 4

19 years ago
Created attachment 14889 [details]
Linux stack trace of crash -

Comment 5

19 years ago
(Stack trace obtained using Linux debug tip build 2000-09-13, 12PM Pacific Time)
Crash also occurs on WinNT (Mozilla binary 2000091505); changing OS to "All"

NOTE: 
IE 4.7 has no problem with this URL. The mini-window that comes up travels 
left to right across the screen, and appears to the eye as just one window.
In Mozilla, however, you are aware of many, many windows being created.
Could this bug be considered a Security issue (denial-of-service attack)?


NN4.7 displays the page just as IE 4.7 does. To the eye, the child window 
appears as a single window moving left to right. However, if I reloaded 
the URL (note: this was on Linux), I kept getting a warning dialog box:


Netscape: subprocess diagnostics (stdout/stderr)

Warning: 
          Name: vscroll
          Class: XmScrollBar
          The scrollbar minimum value is greater than or equal to the 
          scrollbar maximum value.

Warning: 
          Name: vscroll
          Class: XmScrollBar
          Specified slider size is greater than the scrollbar maximum value 
          minus the scrollbar minimum value.
OS: Linux → All

Comment 6

19 years ago
updating component and setting default owner.
Assignee: asa → rayw
Component: Browser-General → XPCOM
QA Contact: doronr → rayw

Comment 7

19 years ago
Is there more info on how to dupe this problem simply in Mozilla, i.e. open 
Mozilla, retrieve the following URL...

Comment 8

19 years ago
Using Mozilla tip builds 2000-09-18 7 PM Pacific Time on WinNT, Linux.
To duplicate the problem: just open Mozilla and load the given URL:

    http://www.pythonvideo.com/

On Linux: still crashes, just a few seconds after the URL loads
On WinNT: endless sequence of small windows opening; I did not wait to crash

Compare: with NN4.7, you get one small window moving left to right above
         the main window of the URL. Not thousands of small windows opening
         and remaining open in the same spot. CPU does not get pegged, either.

Comment 9

19 years ago
I get the following JS errors when running the script, which I think we need to
deal with first as possibly contributing to the problem.

Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
JavaScript strict warning:
 line 9: function onget does not always return a value

JavaScript strict warning:
 line 9: function onset does not always return a value

JavaScript strict warning:
chrome://navigator/content/navigator.js line 1970: reference to undefined 
property window._content.HTTPIndex

Document http://www.mozilla.org/ loaded successfully
JavaScript strict warning:
chrome://navigator/content/navigator.js line 1970: reference to undefined 
property window._content.HTTPIndex

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

S_OK
S_OK
->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Read Clipboard from memory
JavaScript strict warning:
 line 79: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 179: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 84: reference to undefined property me.noDirectMatch

JavaScript strict warning:
 line 179: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 79: reference to undefined property me.menuOpen

JavaScript strict warning:
 line 79: reference to undefined property me.menuOpen

Enabling Quirk StyleSheet
WEBSHELL+ = 5
WEBSHELL+ = 6
Enabling Quirk StyleSheet
Enabling Quirk StyleSheet
JavaScript strict warning:
chrome://navigator/content/navigator.js line 1970: reference to undefined 
property window._content.HTTPIndex

WEBSHELL- = 5
WEBSHELL+ = 6
WEBSHELL+ = 7
Enabling Quirk StyleSheet
Setting content window
*** Pulling out the charset
JavaScript strict warning:
chrome://navigator/content/navigator.js line 433: reference to undefined 
property window.arguments

JavaScript strict warning:
chrome://navigator/content/navigator.js line 456: reference to undefined 
property window.arguments

in SetSecurityButton
WEBSHELL- = 6
WEBSHELL- = 5
WEBSHELL- = 4
WEBSHELL- = 3
WEBSHELL- = 2
Shut down app shell component {33e569b0-40f8-11d4-9a41-000064657374}, 
rv=0x00000000
Shut down app shell component {18c2f989-b09f-11d2-bcde-00805f0e1353}, 
rv=0x00000000

Reassigning to Javascript.
Assignee: rayw → rogerl
Component: XPCOM → Javascript Engine
QA Contact: rayw → pschwartau

Comment 10

19 years ago
*spam*

adding crash keyword...
Keywords: crash

Comment 11

19 years ago
Using Mozilla tip builds 2000-09-21, on Linux and WinNT.
Using Mozilla binaries 2000092321 on Linux, 2000092320 on WinNT.

Current status: The page seems to load fine on both platforms now.
We now have the correct behavior for the child window: it moves from left
to right. The parent page loads without a crash, and when you dismiss the
child window you do not crash. Good progress...

However, if you now hit "Reload", you crash on Linux (but not on WinNT).
Not getting the JavaScript errors in the console that Ray reported.
I have javascript.options.strict set to false in bin/defaults/pref/all.js.

Here is a Linux stack trace:

#0  0x40a05714 in nsHTTPServerListener::OnDataAvailable (this=0x87e6878, channel=0x85e5ad4, context=0x88c5948, i_pStream=0x86d80f0, i_SourceOffset=0, i_Length=2697) at nsHTTPResponseListener.cpp:467
#1  0x4099ae3f in nsOnDataAvailableEvent::HandleEvent (this=0x422026f8) at nsAsyncStreamListener.cpp:400
#2  0x4099a0c7 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x42202720) at nsAsyncStreamListener.cpp:97
#3  0x4012718e in PL_HandleEvent (self=0x42202720) at plevent.c:575
#4  0x40126fac in PL_ProcessPendingEvents (self=0x80aa1c0) at plevent.c:508
#5  0x40128df9 in nsEventQueueImpl::ProcessPendingEvents (this=0x80aa198) at nsEventQueue.cpp:356
#6  0x40c61a44 in event_processor_callback (data=0x80aa198, source=8, condition=GDK_INPUT_READ) at nsAppShell.cpp:158
#7  0x40c6167f in our_gdk_io_invoke (source=0x8149998, condition=G_IO_IN, data=0x8209ec8) at nsAppShell.cpp:58
#8  0x40e2852a in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#9  0x40e29be6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#10 0x40e2a1a1 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#11 0x40e2a341 in g_main_run () from /usr/lib/libglib-1.2.so.0
#12 0x40d54209 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#13 0x40c6213a in nsAppShell::Run (this=0x810ab10) at nsAppShell.cpp:335
#14 0x407493d4 in nsAppShellService::Run (this=0x80fc7d8) at nsAppShellService.cpp:407
#15 0x805576f in main1 (argc=1, argv=0xbffffb54, nativeApp=0x0) at nsAppRunner.cpp:958
#16 0x8055e3e in main (argc=1, argv=0xbffffb54) at nsAppRunner.cpp:1139

This involves Necko functions at the top; reassigning to Networking component.
Note similarity of this trace to those in bug 52949 and bug 52314.

Assignee: rogerl → gagan
Component: Javascript Engine → Networking
QA Contact: pschwartau → tever

Comment 12

18 years ago
Created attachment 15990 [details] [diff] [review]
Patch for nsHTTPResponseListener.cpp

Comment 13

18 years ago
The patch posted above prevents this crash. However, it's likely that
something bigger is wrong, and my patch is probably not getting at the
real problem.

Comment 14

18 years ago
*** This bug has been marked as a duplicate of 52397 ***
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → DUPLICATE

Comment 15

18 years ago
verified dup
Status: RESOLVED → VERIFIED