(*** This bug was imported into bugs.kde.org ***)

Package: kjs
Version: KDE 3.0.0
Severity: normal
Installed from: Compiled From Sources
Compiler: gcc-2.96
OS: Linux
OS/Compiler notes: Not Specified

The following HTML page crashes Konqueror reliably. This seems to be due to the erroneous regexp (no character before the + sign). While the regexp is incorrect, it should still not crash the browser.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script>
function crashme() {
  var s1 = "foo+bar";
  alert(s1.replace(/+/g, "%2B"));
}
</script>
<title>Crash</title>
</head>
<body onload="crashme()">
<h1>Crash</h1>
</body>
</html>

Here's (part of) the stack trace:

[New Thread 1024 (LWP 14379)]
0x413a5ca9 in __wait4 () from /lib/i686/libc.so.6
#0  0x413a5ca9 in __wait4 () from /lib/i686/libc.so.6
#1  0x414216b4 in __DTOR_END__ () from /lib/i686/libc.so.6
#2  0x412536f3 in waitpid (pid=14381, stat_loc=0x0, options=0) at wrapsyscall.c:172
#3  0x40766dc5 in KCrash::defaultCrashHandler () from /usr/local/kde3/lib/libkdecore.so.4
#4  0x41251a85 in pthread_sighandler (signo=11, ctx={gs = 7, __gsh = 0, fs = 0, __fsh = 0, es = 43, __esh = 0, ds = 43, __dsh = 0, edi = 138616279, esi = 138616280, ebp = 3221208680, esp = 3221208524, ebx = 1102622948, edx = 138616280, ecx = 0, eax = 0, trapno = 14, err = 4, eip = 1102614436, cs = 35, __csh = 0, eflags = 66070, esp_at_signal = 3221208524, ss = 43, __ssh = 0, fpstate = 0xbfffbb50, oldmask = 2147483648, cr2 = 12}) at signals.c:97
#5  <signal handler called>
#6  0x41b88fa4 in pcre_exec (external_re=0x0, external_extra=0x0, subject=0x8431dd8 "foo+bar", length=7, start_offset=0, options=0, offsets=0x84312d8, offsetcount=3) at pcre.c:4882
#7  0x41b584d6 in KJS::RegExp::match () from /usr/local/kde3/lib/libkjs.so.1
#8  0x41b5adb2 in KJS::StringProtoFuncImp::call () from /usr/local/kde3/lib/libkjs.so.1
#9  0x41b6b421 in KJS::Object::call () from /usr/local/kde3/lib/libkjs.so.1
#10 0x41b47f57 in KJS::FunctionCallNode::evaluate () from /usr/local/kde3/lib/libkjs.so.1
#11 0x41b47478 in KJS::ArgumentListNode::evaluateList () from /usr/local/kde3/lib/libkjs.so.1
#12 0x41b4768d in KJS::ArgumentsNode::evaluateList () from /usr/local/kde3/lib/libkjs.so.1

(Submitted via bugs.kde.org)
On 8 Apr 2002 ck@heise.de wrote:

> The following HTML page crashes Konqueror reliably. This seems to be due to the erroneous regexp (no character before the + sign).

I can confirm the crash on a system without PCRE support compiled in. Another one with that extended support hangs. Both equally bad of course.

> While the Regexp is incorrect it should still not crash the browser.

Added as a testcase ("foo+bar".replace(/+/g, "%2B");) to the JS test suite. Will look into fixing it later.

Harri.
On 8 Apr 2002 ck@heise.de wrote:

> alert(s1.replace(/+/g, "%2B"));

Fixed the crash together with another replace() bug for KDE 3.0.1. We still don't accept '+' as that character, though, but as an invalid regexp. Netscape 4.7 treats it differently.

Thanks for the report.

Harri.
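The failure path in the report (frame #6 shows pcre_exec called with external_re=0x0, i.e. a pattern that never compiled is handed to the matcher) and the fix described above (treat '+' as an invalid regexp instead), as an added example that is not KJS or KDE code: a constructed replace-all built on POSIX regex.h rather than PCRE, which checks the compile result before any match call and reports the invalid pattern as an error.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <string.h>

/* Result codes: a bad pattern is reported, never passed on to the matcher. */
enum { REPLACE_OK = 0, REPLACE_BAD_PATTERN = 1, REPLACE_TOO_LONG = 2 };

/*
 * Constructed stand-in for s.replace(/pattern/g, repl) using POSIX ERE.
 * The KJS crash came from running the matcher with a pattern that had
 * failed to compile; here the compile result is checked first, so
 * regexec() only ever sees a valid regex_t.
 */
int replace_all(const char *subject, const char *pattern, const char *repl,
                char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m;
    const char *p = subject;
    size_t used = 0, rlen = strlen(repl);
    int rc = REPLACE_OK, eflags = 0;

    if (outlen == 0)
        return REPLACE_TOO_LONG;
    /* "+" is refused here (REG_BADRPT): the invalid regexp becomes an error. */
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return REPLACE_BAD_PATTERN;

    while (regexec(&re, p, 1, &m, eflags) == 0) {
        size_t pre = (size_t)m.rm_so;
        if (used + pre + rlen >= outlen) { rc = REPLACE_TOO_LONG; break; }
        memcpy(out + used, p, pre);     used += pre;   /* text before match */
        memcpy(out + used, repl, rlen); used += rlen;  /* the replacement */
        p += m.rm_eo;
        if (m.rm_eo == m.rm_so) {       /* empty match: step over one char */
            if (*p == '\0') break;
            if (used + 1 >= outlen) { rc = REPLACE_TOO_LONG; break; }
            out[used++] = *p++;
        }
        eflags = REG_NOTBOL;            /* '^' must not match mid-string */
    }
    if (rc == REPLACE_OK) {             /* copy the unmatched tail */
        size_t rest = strlen(p);
        if (used + rest >= outlen) rc = REPLACE_TOO_LONG;
        else { memcpy(out + used, p, rest); used += rest; }
    }
    out[used] = '\0';
    regfree(&re);
    return rc;
}
```

With the escaped pattern "\\+" the call turns "foo+bar" into "foo%2Bbar"; with the bare "+" from the report it returns REPLACE_BAD_PATTERN without ever reaching regexec().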