Closed Bug 521760 Opened 15 years ago Closed 15 years ago

reproducible document.write() crash

Component: Core :: DOM: Core & HTML
Hardware: x86
OS: macOS
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 519926
Reporter: Dolske (Unassigned)

Just hit this twice in a row with a current trunk nightly, and reproduced with my own build in a clean profile.

Crashing URL: http://apnews.myway.com/article/20091011/D9B8SUPO0.html

bp-7ea02950-2664-4c00-b0b5-4f62b2091012
bp-681c07cc-8a22-4435-9d13-6979d2091012

 0  XUL             XUL@0x62c40
 1  XUL             nsIDOMHTMLDocument_Write
 2  libmozjs.dylib  js_Interpret
 3  libmozjs.dylib  js_Execute
 4  libmozjs.dylib  JS_EvaluateUCScriptForPrincipals
 5  XUL             nsJSContext::EvaluateString
 6  XUL             nsScriptLoader::EvaluateScript
 7  XUL             nsScriptLoader::ProcessRequest
 8  XUL             nsScriptLoader::ProcessScriptElement
 9  XUL             nsScriptElement::MaybeProcessScript
10  XUL             nsHTMLScriptElement::MaybeProcessScript
11  XUL             HTMLContentSink::ProcessSCRIPTEndTag
12  XUL             SinkContext::CloseContainer
13  XUL             HTMLContentSink::CloseContainer
14  XUL             CNavDTD::CloseContainer

Frame 0 when crashing in my build is in
xpc_qsDOMString::xpc_qsDOMString...

722         *pval = STRING_TO_JSVAL(s);  // Root the new string.

pval, supplied by the caller, is null here. Though s->mLength is ~500m, so I'm not sure what's going on.

DumpJSStack() says the last JS frame is:

globHtmlHeader(obj = [object Object]) ["http://bfc.myway.com/script/bzHdr.js":59]

Do I want to know why they're doing document.write()?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE

> Though s->mLength is ~500m, so I'm not sure what's going on.

The 4 high bits of s->mLength are actually flag bits.