Bug 12941 - JavaScript hangs Safari (&nightly)
Summary: JavaScript hangs Safari (&nightly)
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 523.x (Safari 3)
Hardware: Mac (PowerPC) OS X 10.4
Importance: P2 Critical
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2007-03-01 17:16 PST by Mike Fischer
Modified: 2007-03-02 09:58 PST
Attachments:
- Activity Monitor analysis of the hung nightly build (68.13 KB, text/plain), 2007-03-01 17:18 PST, Mike Fischer
- Test data file loaded using XMLHttpRequest (2.44 KB, text/html), 2007-03-01 17:19 PST, Mike Fischer
- Test case demonstrating the bug (1.10 KB, text/html), 2007-03-01 17:21 PST, Mike Fischer

Description Mike Fischer 2007-03-01 17:16:24 PST
I have an HTML page where I use XMLHttpRequest to load an XHTML page generated by Analog 6.0 into a JS variable. (Any other way to load the data into the variable would probably work just as well though for demonstrating the bug.) I then proceed to use JS to replace certain text in the page source.

While I'm not sure my code should work to achieve my goal, it definitely should not hang the browser, which unfortunately it does.

This hang occurs in the latest nightly (<http://nightly.webkit.org/start/?current-revision=19919>) as well as the shipping 10.4.8 Safari Version 2.0.4 (419.3).

The offending line looks like this:
txt.replace(/^<\?xml .*?>/i,'');

I have included (will include) two files with a somewhat reduced test case: test.html is the file loaded via XMLHttpRequest and testhang.html is the file demonstrating the bug. To show the bug, place the files on a webserver in the same directory and open testhang.html in the browser. You should see one alert message from a point shortly before the hang happens. If you click OK then the browser will hang indefinitely.

I have also included an Activity Monitor report of the hung nightly build.
Comment 1 Mike Fischer 2007-03-01 17:18:33 PST
Created attachment 13444 [details]
Activity Monitor analysis of the hung nightly build
Comment 2 Mike Fischer 2007-03-01 17:19:54 PST
Created attachment 13445 [details]
Test data file loaded using XMLHttpRequest
Comment 3 Mike Fischer 2007-03-01 17:21:16 PST
Created attachment 13446 [details]
Test case demonstrating the bug

Place into the same directory on a webserver as test.html.
Comment 4 Alexey Proskuryakov 2007-03-01 21:48:49 PST
while(txt.indexOf('<'+'?xml ') != -1)
	txt.replace(/^<\?xml .*?>/i,'');

This replace() doesn't really remove the XML declaration, so it's an infinite loop. Firefox has the same behavior.

Now, Firefox has an ability to interrupt scripts with infinite loops, and Safari does not have it. This feature has been already implemented in WebKit back-end, but we are waiting for a Safari release that will enable it - this is why the problem still happens even with the nightlies.
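The root cause Alexey points at is that JavaScript strings are immutable: replace() returns a new string and the loop never assigns it back, so the loop condition never changes. The following is an added example, not code from the bug report or from WebKit, that reproduces the reporter's loop under an iteration budget instead of letting it spin, and shows a corrected form that both assigns the result and refuses to loop without making progress. The sample XHTML prefix, the helper names and the budget value are constructed for the example.

```javascript
// Added example (not from the bug report): why the loop in comment 4 never
// terminates, and a corrected, bounded version of the same operation.

// Constructed sample input: an XHTML document prefix with an XML declaration,
// similar in shape to what the reporter loaded via XMLHttpRequest.
const SAMPLE_XHTML =
  '<?xml version="1.0" encoding="UTF-8"?>\n' +
  '<!DOCTYPE html>\n<html><body>ok</body></html>';

// The reporter's loop, reproduced with an iteration budget. Because the result
// of replace() is discarded, txt never changes and indexOf() keeps returning
// the same position, so the loop runs until the budget stops it.
function runOriginalLoop(txt, budget) {
  let n = 0;
  while (txt.indexOf('<' + '?xml ') != -1 && n < budget) {
    txt.replace(/^<\?xml .*?>/i, ''); // return value thrown away: the bug
    n++;
  }
  return n; // equals budget whenever the declaration is present at all
}

// Corrected version: assign the new string back, cap the number of passes,
// and stop as soon as a pass makes no progress (e.g. the declaration exists
// but is not at the start of the string, so the anchored regex cannot match).
function stripXmlDeclaration(txt, maxIterations = 10) {
  let iterations = 0;
  while (txt.indexOf('<' + '?xml ') !== -1) {
    if (iterations++ >= maxIterations) {
      throw new Error('stripXmlDeclaration: exceeded iteration budget');
    }
    const next = txt.replace(/^\s*<\?xml .*?>/i, '');
    if (next === txt) {
      // Declaration present but regex did not match: bail out instead of
      // spinning forever, which is what the original code does.
      throw new Error('stripXmlDeclaration: no progress, declaration not at start');
    }
    txt = next;
  }
  return txt;
}
```

The no-progress check is the part worth copying into any "loop until the pattern is gone" routine: a loop whose exit condition is computed from one string and whose body rewrites a different one (or none) is exactly the shape that hangs a browser without a slow-script watchdog.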
Comment 5 Mike Fischer 2007-03-02 05:44:58 PST
(In reply to comment #4)
> while(txt.indexOf('<'+'?xml ') != -1)
>         txt.replace(/^<\?xml .*?>/i,'');
> 
> This replace() doesn't really remove the XML declaration, so it's an infinite
> loop. Firefox has the same behavior.

That may be, but single-stepping with Drosera never returns from the second line.

I'd have understood if I could see the loop between the two lines while single-stepping. This way it just seems to go off to outer space inside the replace method. Might be a Drosera issue though.


> Now, Firefox has an ability to interrupt scripts with infinite loops, and
> Safari does not have it. This feature has been already implemented in WebKit
> back-end, but we are waiting for a Safari release that will enable it - this is
> why the problem still happens even with the nightlies.

That would probably be a good idea to avoid DOS attacks from malicious websites.
Comment 6 Alexey Proskuryakov 2007-03-02 09:58:54 PST
(In reply to comment #5)
> I'd have understood if I could see the the loop between the two lines while
> single-stepping. This way it just seems to go off to outer space inside the
> replace method. Might be a Drosera issue though.

Must be so - I've tried adding an alert() call to the loop, and it did pop up repeatedly.