Closed
Bug 157845
Opened 22 years ago
Closed 22 years ago
Crash involving document.open()
Categories
(Core :: DOM: Events, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.0.1
People
(Reporter: jruderman, Assigned: joki)
References
Details
(Keywords: crash, Whiteboard: [adt2 RTM] [ETA 07/24])
Attachments
(2 files)
132 bytes,
text/html
|
Details | |
2.57 KB,
patch
|
saari
:
review+
jst
:
superreview+
chofmann
:
approval+
|
Details | Diff | Splinter Review |
To reproduce: 1. Load the testcase. 2. Type something into the text field. (Empty will not crash.) 3. Press enter. This is a scary crash. The top of the stack, equal to the EIP, is a bogus address. Changing the testcase changes the EIP. If I don't change the testcase, the EIP doesn't change. I don't know if I can make EIP be anything I want. The crash dialog says "The instruction at '0x51000024' referenced memory at '0x51000024'. The memory could not be 'read'." I am filing this bug as security-sensitive. The testcase is the simplest I could find: Move form onsubmit to input onkeyup no crash Don't type anything in the text field no crash Remove position:absolute style crash becomes unreliable or happens later Remove javascript error no crash Remove document.open no crash Replace document.open with location= no crash Talkbalk: 8386540, 8351815, 8385459 Top of the stack for original page (8351815): 0x51000024 nsEventStateManager::GetEventTargetContent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 3515] nsDOMEvent::GetTarget [c:/builds/seamonkey/mozilla/content/events/src/nsDOMEvent.cpp, line 336] nsXULElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 3411] nsXULElement::HandleChromeEvent [c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 4676] GlobalWindowImpl::HandleDOMEvent [c:/builds/seamonkey/mozilla/dom/src/base/nsGlobalWindow.cpp, line 741] NS_ScriptErrorReporter [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 187] js_ReportErrorAgain [c:/builds/seamonkey/mozilla/js/src/jscntxt.c, line 688] js_ReportUncaughtException [c:/builds/seamonkey/mozilla/js/src/jsexn.c, line 1056] Full stack for attached testcase (8386540): 0x0000078f nsEventStateManager::GetEventTargetContent [c:/builds/seamonkey/mozilla/content/events/src/nsEventStateManager.cpp, line 3515] nsDOMEvent::GetTarget [c:/builds/seamonkey/mozilla/content/events/src/nsDOMEvent.cpp, line 336] nsXULElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 3411] nsXULElement::HandleChromeEvent [c:/builds/seamonkey/mozilla/content/xul/content/src/nsXULElement.cpp, line 4676] GlobalWindowImpl::HandleDOMEvent [c:/builds/seamonkey/mozilla/dom/src/base/nsGlobalWindow.cpp, line 741] NS_ScriptErrorReporter [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 187] js_ReportErrorAgain [c:/builds/seamonkey/mozilla/js/src/jscntxt.c, line 688] ReportError [c:/builds/seamonkey/mozilla/js/src/jscntxt.c, line 327] js_ReportErrorNumberVA [c:/builds/seamonkey/mozilla/js/src/jscntxt.c, line 645] JS_ReportErrorNumber [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3706] js_ReportUncaughtException [c:/builds/seamonkey/mozilla/js/src/jsexn.c, line 1050] JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3433] nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1045] nsJSEventListener::HandleEvent [c:/builds/seamonkey/mozilla/dom/src/events/nsJSEventListener.cpp, line 184] nsEventListenerManager::HandleEventSubType [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1222] nsEventListenerManager::HandleEvent [c:/builds/seamonkey/mozilla/content/events/src/nsEventListenerManager.cpp, line 1832] nsGenericElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/base/src/nsGenericElement.cpp, line 1819] nsHTMLFormElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 632] PresShell::HandleDOMEventWithTarget [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6240] nsHTMLInputElement::HandleDOMEvent [c:/builds/seamonkey/mozilla/content/html/content/src/nsHTMLInputElement.cpp, line 1610] PresShell::HandleEventInternal [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6192] PresShell::HandleEvent [c:/builds/seamonkey/mozilla/layout/html/base/src/nsPresShell.cpp, line 6115] nsViewManager::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 2039] nsView::HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 306] nsViewManager::DispatchEvent [c:/builds/seamonkey/mozilla/view/src/nsViewManager.cpp, line 1896] HandleEvent [c:/builds/seamonkey/mozilla/view/src/nsView.cpp, line 83] nsWindow::DispatchEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1037] nsWindow::DispatchWindowEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1054] nsWindow::DispatchKeyEvent [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 2832] nsWindow::OnChar [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 3002] nsWindow::ProcessMessage [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 3648] nsWindow::WindowProc [c:/builds/seamonkey/mozilla/widget/src/windows/nsWindow.cpp, line 1299] USER32.DLL + 0x1b60 (0x77e11b60) USER32.DLL + 0x1cca (0x77e11cca) USER32.DLL + 0x83f1 (0x77e183f1) nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 458] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1472] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1808] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1826] WinMainCRTStartup() KERNEL32.DLL + 0xd326 (0x77e8d326)
Reporter | ||
Comment 1•22 years ago
|
||
Perhaps related to bug 135498?
Updated•22 years ago
|
Comment 3•22 years ago
|
||
Seems to me jst should be on the cc list, if not owning the bug. Jesse mentioned this bug to me yesterday, didn't remember to cc: me, so I'm adding myself. Setting keywords. /be
Keywords: mozilla1.0.1,
mozilla1.1
Reporter | ||
Comment 4•22 years ago
|
||
Original page in debug build (top of stack is *not* a bogus address): nsEventStateManager::GetEventTargetContent(nsEventStateManager * const 0x038046b8, nsEvent * 0x0012e4d0, nsIContent * * 0x0012df18) line 3516 + 33 bytes nsDOMEvent::GetTarget(nsDOMEvent * const 0x038b63d8, nsIDOMEventTarget * * 0x0012e294) line 333 + 54 bytes Testcase in debug build: cccccccc() nsEventStateManager::GetEventTargetContent(nsEventStateManager * const 0x03902bc8, nsEvent * 0x0012e438, nsIContent * * 0x0012de80) line 3517 Does the 0xcccccccc provide any hints?
Comment 5•22 years ago
|
||
Uninitialized variables on the stack (on Win32 at least) will have the value 0xCCCCCCCC in debug builds.
Comment 6•22 years ago
|
||
0xcc is also the opcode for software breakpoint on x86 (int 3 I think). Executing it on linux gives "Trace/breakpoint trap"
Comment 7•22 years ago
|
||
jst: is this one you should own, as brendan suggest? if so, can you pls take it from joki. thanks!
Blocks: 143047
Comment 8•22 years ago
|
||
This is looking like a false alarm to me, this crash is from us calling a method on a pointer to a deleted frame and I don't see how this would be any different from a security point of view from any other similar bugs that we have tons. I'm opening this up as a normal bug and I suggest that we don't worry about this for MachV. This crash is due to nsEventStateManager's mCurrentFrame pointing at a deleted frame, but I don't know why. I'm leaving this on joki's list since it's in his code, and he'd be the best person to look at this.
Group: security?
Summary: Scary crash involving document.open() → Crash involving document.open()
Comment 9•22 years ago
|
||
s/tons/tons of/
Assignee | ||
Comment 10•22 years ago
|
||
I agree with jst that this probably isn't a security issue. It is, however, a fairly important crash. I believe this issue as another topcrasher (bug 135498) that I've been trying to reproduce. This one reproduced easily and gave me a fix that may fix the topcrash as well.
Comment 11•22 years ago
|
||
Comment on attachment 92264 [details] [diff] [review] Proposed patch sr=jst Seems like this is a change that we should push in on the branch as well. This could fix other random crashes as well.
Attachment #92264 -
Flags: superreview+
Comment 12•22 years ago
|
||
Comment on attachment 92264 [details] [diff] [review] Proposed patch r=saari
Attachment #92264 -
Flags: review+
Comment 13•22 years ago
|
||
Comment on attachment 92264 [details] [diff] [review] Proposed patch a=chofmann for trunk and 1.0.1. add the fixed1.0.1 keyword after checking into branch.
Attachment #92264 -
Flags: approval+
Updated•22 years ago
|
Keywords: mozilla1.0.1 → mozilla1.0.1+
Comment 14•22 years ago
|
||
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch. pls check this in asap, then replace "mozilla1.0.1" with "fixed1.0.1". thanks!
Keywords: adt1.0.1+
Whiteboard: [adt2 RTM] [ETA Needed] → [adt2 RTM] [ETA 07/23]
Comment 15•22 years ago
|
||
joki/saari - would it be possible to get this landed today? thanks!
Whiteboard: [adt2 RTM] [ETA 07/23] → [adt2 RTM] [ETA 07/24]
Assignee | ||
Comment 16•22 years ago
|
||
Checked into trunk and branch.
Status: NEW → RESOLVED
Closed: 22 years ago
Keywords: mozilla1.0.1+ → fixed1.0.1
Resolution: --- → FIXED
Comment 17•22 years ago
|
||
verifying on 2002-08-01-08-trunk on linux red hat and 2002-07-25-14-trunk on win 2k
Status: RESOLVED → VERIFIED
Comment 18•22 years ago
|
||
vladimire: can you pls verify this as fixed for the 1.0 branch, as well, then replace "fixed1.0.1" with "verified1.0.1"? thanks!
Comment 19•22 years ago
|
||
verifying on 2002-08-07-08-1.0 branch on win 2k
Keywords: fixed1.0.1 → verified1.0.1
You need to log in
before you can comment on or make changes to this bug.
Description
•