
browser crashed on malformed <object> tag

Status: VERIFIED FIXED

Product: Core
Component: Plug-ins
Priority: --
Severity: critical
Reported: 16 years ago
Modified: 16 years ago

People

Reporter: Artiom Morozov
Assigned: Joe Chou

Tracking

Keywords: crash, stackwanted
Version: Trunk
Hardware: x86
OS: Linux
Points: ---

Firefox Tracking Flags

Not tracked

Attachments

2 attachments

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801
BuildID:    2001080104

The HTML found below effectively makes the browser coredump. Although it's
obviously written incorrectly (I mean the HTML, of course =), that's probably not a
good reaction to be caused by a syntax error.

ps to the code below - archive actually exists and could be reached
(unfortunately connection isn't stable) via
http://csp.org.by:1520/md/ns/jar/Upplet.jar

pps (and <applet archive="" code=""> doesn't work too =((( 

Reproducible: Always
Steps to Reproduce:
1. open browser
2. save HTML from below to a file
3. open a file. download java plugin and restart, if not installed yet, then
restart browser and re-open file.

Actual Results:  browser crash

Expected Results:  text between <object></object> should appear? I'm not sure
what W3C says about that

<html>
<head>
  <script>
    function loaded() {
    alert(document.upplet.sendMessage('foo'));
    }
  </script>
</head>
  <body onload="loaded()">
      
<!--<object codetype="application/java" archive="../ns/jar/Upplet.jar"
classid="java:com/musicdialog/Upplet" name="upplet" width=1 height=1>-->
<object codetype="application/java" classid="java:../ns/jar/Upplet.jar"
name="upplet" width=1 height=1>
  <param name="serverAddress" value="194.85.255.136">
  Applet failed to load! Java may not be enabled!
</object>

  </body>
</html>

Updated

16 years ago
Keywords: crash
Artiom Morozov: can you attach a stack trace?  Or submit a talkback and post the
ID number here?
Keywords: stackwanted
(Reporter)

Comment 2

16 years ago
hm... no talkback window appears. And I apologize - this particular
example doesn't produce a coredump (whose core was it? =(

So it's just a log I can give you:

[apm@cyan apm]$ /usr/local/mozilla_old/mozilla
/usr/local/mozilla_old/run-mozilla.sh /usr/local/mozilla_old/mozilla-bin
MOZILLA_FIVE_HOME=/usr/local/mozilla_old
 
LD_LIBRARY_PATH=/usr/local/mozilla_old:/usr/local/mozilla_old/plugins:/usr/local/qt/lib
    
LIBRARY_PATH=/usr/local/mozilla_old:/usr/local/mozilla_old/components:/usr/local/qt/lib
       SHLIB_PATH=/usr/local/mozilla_old
          LIBPATH=/usr/local/mozilla_old
       ADDON_PATH=/usr/local/mozilla_old
      MOZ_PROGRAM=/usr/local/mozilla_old/mozilla-bin
      MOZ_TOOLKIT=
        moz_debug=0
     moz_debugger=
 I am inside the initialize
 Hey : You are in QFA Startup 
(QFA)Talkback loaded Ok.
Plugin worker error: Success
Plugin: trouble with work request from child (5)
Plugin: Java VM process has died.
INTERNAL ERROR on Browser End: Pipe closed during read? State may be corrupt
System error?:: Bad file descriptor

Comment 3

16 years ago
Trying to confirm.  Linux 2001091022 freezes and must be killed on reading this
code:

<html>
<body onload="loaded()">
<!--<object codetype="application/java" archive="../ns/jar/Upplet.jar"
classid="java:com/musicdialog/Upplet" name="upplet" width=1 height=1>-->
<object codetype="application/java" classid="java:../ns/jar/Upplet.jar"
name="upplet" width=1 height=1>
<param name="serverAddress" value="194.85.255.136">
Applet failed to load! Java may not be enabled!
</object>
</body>
</html>


Console window displayed these errors:

LoadPlugin: failed to initialize shared library /usr/lib/mozilla/plugins/java2
[/usr/lib/mozilla/plugins/java2: cannot read file data: Is a directory]
LoadPlugin: failed to initialize shared library
/usr/lib/mozilla/plugins/ShockwaveFlash.class [
/usr/lib/mozilla/plugins/ShockwaveFlash.class: invalid ELF header]

Comment 4

16 years ago
plugins.
Assignee: asa → av
Status: UNCONFIRMED → NEW
Component: Browser-General → Plug-ins
Ever confirmed: true
QA Contact: doronr → shrir

Comment 5

16 years ago
The error message about ELF header is not relevant, we have a bug on this.

Reassigning to OJI.
Assignee: av → joe.chou
Component: Plug-ins → PICS
Component: PICS → Plug-ins

Comment 6

16 years ago
Reporter, I couldn't find Upplet.jar at
http://csp.org.by:1520/md/ns/jar/Upplet.jar.
Would you please point to the new location of Upplet.jar?
(Reporter)

Comment 7

16 years ago
Here, I'm attaching it. Some observations which may help you (done on
Mozilla/0.9.6):
- it seems the bug doesn't depend on the .jar contents; I tried it on a different one,
with the same effect
- the bug doesn't appear if you open the HTML from the local hard drive. The path doesn't
matter. But if you put the HTML even onto a local HTTP server (apache 2.0.28 in my
case), mozilla crashes.
(Reporter)

Comment 8

16 years ago
Created attachment 60314 [details]
Upplet.jar that is referred to in bug description

Comment 9

16 years ago
First, as the reporter mentioned, the HTML code is wrong.
The crash occurs inside the java plugin, and I think it occurs
while running the createApplet method of class JavaPluginInstance.
Actually the plugin doesn't crash -- it makes 'exit'.
From another point of view, crashing is not good behavior:
I tested Mozilla with JRE1.3.1 and JRE1.4.0. With the former, the browser crashes;
with the latter, the java plugin throws an exception that 'Upplet.jar class is not found'
and Mozilla doesn't crash.
Reporter, would you please test this bug with JRE1.4.0 and close this
bug either as FIXED or as INVALID.
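The comment above pins the failure on a malformed classid reaching the plugin, which then exits instead of reporting an error. The following is an added example (not Mozilla or OJI code) of the defensive check a host would want in front of the plugin: it parses the bug's own repro HTML, validates each <object> classid under the assumption that a "java:" classid must name a class as slash-separated Java identifiers (e.g. java:com/musicdialog/Upplet), and routes anything else to the element's fallback text rather than to the JVM. The classid grammar, the ObjectAuditor class and audit_objects are this example's own assumptions, not Mozilla's API.

```python
"""Added example (not Mozilla/OJI code): validate <object> classid values
before handing them to a Java plugin, and fall back to the element's inner
text when the value is malformed instead of letting the plugin die."""
import re
from html.parser import HTMLParser

# Constructed from the repro HTML in this bug; the first <object> is commented out.
REPRO_HTML = """<html><body>
<!--<object codetype="application/java" archive="../ns/jar/Upplet.jar"
classid="java:com/musicdialog/Upplet" name="upplet" width=1 height=1>-->
<object codetype="application/java" classid="java:../ns/jar/Upplet.jar"
name="upplet" width=1 height=1>
  <param name="serverAddress" value="194.85.255.136">
  Applet failed to load! Java may not be enabled!
</object>
</body></html>"""

# Assumption: a "java:" classid is a class name written as Java identifiers
# separated by slashes. Path segments such as ".." or a ".jar" suffix are not.
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
JAVA_CLASSID = re.compile(rf"^java:{_IDENT}(?:/{_IDENT})*$")


def validate_java_classid(classid):
    """Return (ok, reason). Never raises, whatever the attribute contains."""
    if classid is None:
        return False, "missing classid"
    if not classid.startswith("java:"):
        return False, "not a java: classid"
    if JAVA_CLASSID.match(classid):
        return True, "ok"
    body = classid[len("java:"):]
    if ".." in body.split("/") or body.endswith(".jar"):
        return False, "classid is a file path, not a class name"
    return False, "classid is not a valid class name"


class ObjectAuditor(HTMLParser):
    """Collects every <object> with its classid, params and fallback text."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            self._current = {"classid": a.get("classid"),
                             "codetype": a.get("codetype"),
                             "params": {}, "fallback": []}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name")] = a.get("value")

    def handle_data(self, data):
        # Text inside <object> is what the reporter expected to see on failure.
        if self._current is not None and data.strip():
            self._current["fallback"].append(data.strip())

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            obj = self._current
            ok, reason = validate_java_classid(obj["classid"])
            obj["decision"] = "load" if ok else "fallback"
            obj["reason"] = reason
            obj["fallback"] = " ".join(obj["fallback"])
            self.objects.append(obj)
            self._current = None


def audit_objects(html):
    """Parse html and decide, per <object>, whether the plugin may be invoked."""
    parser = ObjectAuditor()
    parser.feed(html)
    parser.close()
    return parser.objects


if __name__ == "__main__":
    for obj in audit_objects(REPRO_HTML):
        print(obj["decision"], obj["reason"], repr(obj["classid"]))
        if obj["decision"] == "fallback":
            print("  would render:", obj["fallback"])
```

Run as a script it reports the repro's only live <object> as "fallback" (the commented-out one never reaches the tag handler) and prints the fallback sentence the reporter expected, which is the behaviour the later JRE exhibits by throwing instead of exiting.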
(Reporter)

Comment 10

16 years ago
arrrgh... I've updated to JRE1.4 and got a coredump on startup =( core attached.
The JRE itself behaves perfectly
(Reporter)

Comment 11

16 years ago
Created attachment 60343 [details]
core for comment #10
(Reporter)

Comment 12

16 years ago
so be it. JRE1.4 really fixes the problem

Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 13

16 years ago
v
Status: RESOLVED → VERIFIED