[Bug report] Reproducible crash with IE6 (all patches applied)


Lionel Fourquaux

Hi!

I'd like to report a bug in Internet Explorer 6 (plus all Windows
Update patches). I'm posting it here in the hope that someone
from Microsoft will read this and transmit it. If you know of a
better way to report it, please tell me.

Description:
The document.normalize() method can sometimes access nodes
that have already been deleted. A Perl script that generates an
HTML page that demonstrates the problem is appended to this
message. Opening the generated file with IE causes it to crash
with an access violation.

When does it happen?
The example HTML code uses replaceChild in a loop to
remove a large number of HTML tags, then calls
document.normalize() to concatenate the resulting text nodes.
This problem appears in the page
http://www.eleves.ens.fr:8080/home/madore/weblog/
where similar code is used to protect email addresses against
spam.

Thanks to:
David Madore, who told me about this problem and deduced
what was causing it.


Please pass this bug report to whoever may fix the problem.

Thanks in advance!

-- Lionel Fourquaux



===== Perl script to generate the HTML code =====
# Emits an HTML page whose onload handler unwraps every <i> element and
# then normalizes the document. The heredoc contains no Perl variables,
# so it is printed verbatim.
print <<EOT;
<html>
<head>
<script language="javascript">
// <![CDATA[
function do_it()
{
// Live collection: it shrinks as each <i> is replaced, so the loop
// deliberately never increments i.
var its = document.getElementsByTagName("i");
for (var i = 0 ; i < its.length ;)
{
var it = its.item(i);
// childNodes(0) is IE's call syntax for a collection (childNodes[0] elsewhere).
it.parentNode.replaceChild(it.childNodes(0), it);
};
try
{
document.normalize();
}
catch (exn)
{
document.documentElement.normalize(); // fallback: IE doesn't support document.normalize() for now
};
};
// ]]>
</script>
</head>
<body onload="do_it()">
EOT
# 100 inline elements, each holding a single text node.
for (my $i = 0 ; $i < 100 ; $i++)
{
print "<i>foo</i>\n";
}
print "</body></html>\n";
=====================================

========= Stack backtrace for IE ============
(298.cc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0012a678 ecx=00000000 edx=00000015 esi=00000000 edi=00000000
eip=63737d7d esp=0012a5b4 ebp=0012a5fc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
mshtml!CDOMTextNode::TearoffTextNode+b:
63737d7d ff7610 push dword ptr [esi+0x10] ds:0023:00000010=????????

0:000> kb
ChildEBP RetAddr Args to Child
0012a5fc 63738c4b 0012a6b0 0012a678 00e032b0 mshtml!CDOMTextNode::TearoffTextNode+0xb
0012a620 6373902f 001863c0 0012a6b0 0012a640 mshtml!CDocument::get_implementation+0x1c0
0012a6e8 636610d1 00e032b0 63649ed8 00e032b0 mshtml!CElement::normalize+0x89
0012a6f0 63649ed8 00e032b0 0032cae0 00e0eae0 mshtml!Method_void_void+0x14
0012a770 6364a418 00e032b0 80010458 636610bd mshtml!CBase::ContextInvokeEx+0x41f
0012a7a0 6365f295 00e032b0 80010458 00000409 mshtml!CElement::ContextInvokeEx+0x5e
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\jscript.dll -
0012a7d0 6b720f99 00e032b0 80010458 00000409 mshtml!CElement::ContextThunk_InvokeEx+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
00329188 6b774a1c 6b774a08 6b7749f0 6b7749d8 jscript!DllGetClassObject+0x1069c
6b774a34 6b701147 6b70116c 6b710ff4 6b7216b3 jscript!DllRegisterServer+0x3a59c
6b7093d5 85561424 840f57ed 0002cc7c 18245c8b jscript+0x1147
6c8b5553 00000000 00000000 00000000 00000000 0x85561424

0:000> g
(298.cc0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0012a678 ecx=00000000 edx=00000015 esi=00000000 edi=00000000
eip=63737d7d esp=0012a5b4 ebp=0012a5fc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
mshtml!CDOMTextNode::TearoffTextNode+b:
63737d7d ff7610 push dword ptr [esi+0x10] ds:0023:00000010=????????
=====================================
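The unwrap-then-merge routine from the post, rewritten as an added example (not the poster's code and not anything from the page he links). It uses only the standard DOM API (childNodes[i], nodeType, nodeValue, insertBefore, removeChild), copies the element collection before mutating the tree so a live collection cannot shrink under the loop, and merges adjacent text nodes by hand instead of calling normalize(), which is the mshtml path the backtrace shows. Whether skipping normalize() sidesteps the crash on the poster's IE6 is an assumption the post does not test. FakeNode is a constructed stand-in for the DOM so the code runs under Node; buildBody() constructs the same input as the Perl script, n copies of "<i>foo</i>\n".

```javascript
// Added example, not the original poster's code. FakeNode is a constructed
// DOM stand-in; unwrapTags and mergeText use only standard DOM members.

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

class FakeNode {
  constructor(nodeType, nodeName, nodeValue) {
    this.nodeType = nodeType;
    this.nodeName = nodeName;            // tag name, or "#text"
    this.nodeValue = nodeValue === undefined ? null : nodeValue;
    this.childNodes = [];
    this.parentNode = null;
  }
  appendChild(c) { return this.insertBefore(c, null); }
  insertBefore(c, ref) {
    if (c.parentNode) c.parentNode.removeChild(c);
    const i = ref ? this.childNodes.indexOf(ref) : this.childNodes.length;
    if (i < 0) throw new Error("reference node is not a child");
    this.childNodes.splice(i, 0, c);
    c.parentNode = this;
    return c;
  }
  removeChild(c) {
    const i = this.childNodes.indexOf(c);
    if (i < 0) throw new Error("node is not a child");
    this.childNodes.splice(i, 1);
    c.parentNode = null;
    return c;
  }
  // Unlike a real HTMLCollection this list is a snapshot; unwrapTags copies
  // the collection anyway so it behaves the same against a live one.
  getElementsByTagName(tag) {
    const out = [];
    const walk = n => n.childNodes.forEach(c => {
      if (c.nodeType === ELEMENT_NODE && c.nodeName === tag.toUpperCase()) out.push(c);
      walk(c);
    });
    walk(this);
    return out;
  }
}

// Replace each <tag> element with all of its children. The collection is
// copied first so a live collection shrinking under the loop cannot skip or
// repeat elements. Returns the number of elements removed.
function unwrapTags(root, tag) {
  const live = root.getElementsByTagName(tag);
  const snapshot = [];
  for (let i = 0; i < live.length; i++) snapshot.push(live[i]);
  let removed = 0;
  for (const el of snapshot) {
    const parent = el.parentNode;
    if (!parent) continue;
    while (el.childNodes.length > 0) parent.insertBefore(el.childNodes[0], el);
    parent.removeChild(el);
    removed++;
  }
  return removed;
}

// Does the job of Node.normalize() by hand: concatenates runs of adjacent
// text nodes and drops empty ones, recursing into elements. Returns the
// number of text nodes removed.
function mergeText(node) {
  let merged = 0;
  let i = 0;
  while (i < node.childNodes.length) {
    const c = node.childNodes[i];
    if (c.nodeType === ELEMENT_NODE) { merged += mergeText(c); i++; continue; }
    if (c.nodeType !== TEXT_NODE) { i++; continue; }
    if (c.nodeValue === "") { node.removeChild(c); merged++; continue; }
    const next = node.childNodes[i + 1];
    if (next && next.nodeType === TEXT_NODE) {
      c.nodeValue += next.nodeValue;   // absorb the neighbour, then re-check c
      node.removeChild(next);
      merged++;
      continue;
    }
    i++;
  }
  return merged;
}

// Constructed input mirroring the Perl-generated page: n copies of "<i>foo</i>\n".
function buildBody(n) {
  const body = new FakeNode(ELEMENT_NODE, "BODY");
  for (let k = 0; k < n; k++) {
    body.appendChild(new FakeNode(ELEMENT_NODE, "I"))
        .appendChild(new FakeNode(TEXT_NODE, "#text", "foo"));
    body.appendChild(new FakeNode(TEXT_NODE, "#text", "\n"));
  }
  return body;
}

function unwrapAndMerge(body, tag) {
  const unwrapped = unwrapTags(body, tag);
  const merged = mergeText(body);
  const text = body.childNodes.length === 1 ? body.childNodes[0].nodeValue : null;
  return { unwrapped, merged, children: body.childNodes.length, text };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(unwrapAndMerge(buildBody(100), "i"));
}
```

For the 100-element page this leaves the body with a single text node containing "foo\n" repeated 100 times, after 100 unwraps and 199 merges. In a real browser, pass document.body in place of the FakeNode; the two routines do not depend on the stand-in.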