Closed Bug 256981 Opened 20 years ago Closed 14 years ago

Crash FMR: Free memory read in nsHTMLDocument::GetPixelDimensions(nsIPresShell *,int *,int *) {1 occurrence}

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

confirmed by mcsmurf on:
 Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a3) Gecko/20040824
and by me using 2004081808 talkbackid: 657276

steps:
1. run mfcembed (under purify or normal)
2. load chrome://inspector/content
3. tools>web dev>js debugger
4. click venkman's stop button

    [I] Starting Purify'd R:\mozilla\rel-i586-pc-msvc.1\dist\bin\mfcembed.exe 
at 08/26/2004 03:06:31
    [I] Starting main
    [W] UMC: Uninitialized memory copy in memcpy {6 occurrences}
    [W] UMC: Uninitialized memory copy in memcpy {3 occurrences}
    [W] UMC: Uninitialized memory copy in memcpy {2 occurrences}
    [I] Starting thread 0xe350: midMessage
    [W] UMR: Uninitialized memory read in 
nsScriptNameSpaceManager::RegisterDOMCIData(char const*,(*)(char const*),nsID 
const*,nsID const* *,UINT,int,nsID const*) {1 occurrence}
    [W] UMR: Uninitialized memory read in nsScanner::AppendToBuffer
(Buffer::nsScannerBufferList *) {2 occurrences}
    [E] FMR: Free memory read in nsHTMLDocument::GetPixelDimensions
(nsIPresShell *,int *,int *) {1 occurrence}
        Reading 4 bytes from 0x0ddeadf8 (4 bytes at 0x0ddeadf8 illegal)
        Address 0x0ddeadf8 is at the beginning of a 744 byte block
        Address 0x0ddeadf8 points to a C++ new block in heap 0x003d0000
        Thread ID: 0xc284
        Error location
        nsHTMLDocument::GetPixelDimensions(nsIPresShell *,int *,int *)+0xee 
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:2498 ip=0x049b0f13]
          *aWidth = *aHeight = 0;
        
          FlushPendingNotifications(Flush_Layout);
        
          // Find the <body> element: this is what we'll want to use for the
          // document's width and height values.
          if (!mBodyContent && !GetBodyContent()) {
            return NS_OK;
          }
        
          nsCOMPtr<nsIContent> body = do_QueryInterface(mBodyContent);
        
          // Now grab its frame
          nsIFrame* frame;
     =>   nsresult rv = aShell->GetPrimaryFrameFor(body, &frame);
          if (NS_SUCCEEDED(rv) && frame) {
            nsSize                    size;
            nsIView* view = frame->GetView();
        
            // If we have a view check if it's scrollable. If not,
            // just use the view size itself
            if (view) {
              nsIScrollableView* scrollableView = nsnull;
              CallQueryInterface(view, &scrollableView);
        
              if (scrollableView) {
                scrollableView->GetScrolledView(view);
              }
        
        nsHTMLDocument::GetHeight(int *)+0xba 
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:2573 ip=0x049b1353]
        XPTC_InvokeByIndex+0x6e [r:\mozilla\xpcom\reflect\xptcall\src\md\win32
\xptcinvoke.cpp:101 ip=0x02559327]
        XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative)
+0x122f [r:\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp:2030 
ip=0x03d1c6cc]
        XPC_WN_GetterSetter(JSContext *,JSObject *,UINT,long *,long *)+0x27c 
[r:\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp:1319 ip=0x03d22c82]
        js_Invoke+0xef0      [r:\mozilla\js\src\jsinterp.c:1280 ip=0x03e66757]
        Allocation location
        new(UINT)+0xc        [f:\vs70builds\9466\vc\crtbld\crt\src\newop.cpp:10 
ip=0x04bc821e]
        nsViewManager::new(UINT)+0x1c [r:\mozilla\view\src\nsviewmanager.h:96 
ip=0x0499f5f2]
        NS_NewPresShell(nsIPresShell * *)+0x39 
[r:\mozilla\layout\html\base\src\nspresshell.cpp:1602 ip=0x0470dc82]
        nsDocument::doCreateShell(nsPresContext *,nsIViewManager *,nsStyleSet 
*,nsCompatibility,nsIPresShell * *)+0x89 
[r:\mozilla\content\base\src\nsdocument.cpp:1294 ip=0x048949e5]
        nsHTMLDocument::CreateShell(nsPresContext *,nsIViewManager *,nsStyleSet 
*,nsIPresShell * *)+0x3a 
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:414 ip=0x0499f886]
        DocumentViewerImpl::InitPresentationStuff(int)+0x12a 
[r:\mozilla\content\base\src\nsdocumentviewer.cpp:636 ip=0x04888fc4]
        DocumentViewerImpl::InitInternal(nsIWidget *,nsIDeviceContext *,nsRect 
const&,int,int)+0x657 [r:\mozilla\content\base\src\nsdocumentviewer.cpp:857 
ip=0x04889f82]
        DocumentViewerImpl::Init(nsIWidget *,nsIDeviceContext *,nsRect const&)
+0x2b [r:\mozilla\content\base\src\nsdocumentviewer.cpp:623 ip=0x0488b4b1]
        nsDocShell::SetupNewViewer(nsIContentViewer *)+0xd81 
[r:\mozilla\docshell\base\nsdocshell.cpp:4874 ip=0x054513b9]
        Free location
        memset+0x1d          [f:\vs70builds\9466\vc\crtbld\crt\src\newaop.cpp 
ip=0x04bc82e8]
        PresShell::`vector deleting destructor'(UINT)+0x43 [R:\mozilla\rel-i586-
pc-msvc.1\dist\bin\components\gklayout.dll ip=0x04711f89]
        PresShell::Release(void)+0x52 
[r:\mozilla\layout\html\base\src\nspresshell.cpp:1636 ip=0x046fb9f1]
        nsCOMPtr_base::~nsCOMPtr_base(void)+0x31 
[r:\mozilla\xpcom\glue\nscomptr.cpp:81 ip=0x02570c62]
        nsDocument::FlushPendingNotifications(mozFlushType)+0x398 
[r:\mozilla\content\base\src\nsdocument.cpp:4070 ip=0x0489b7e9]
                doc->FlushPendingNotifications(aType);
              }
            }
          }
        
          PRInt32 i, count = mPresShells.Count();
        
          for (i = 0; i < count; i++) {
            nsCOMPtr<nsIPresShell> shell =
              NS_STATIC_CAST(nsIPresShell*, mPresShells[i]);
        
            if (shell) {
              shell->FlushPendingNotifications(aType);
            }
     =>   }
        }
        
        nsHTMLDocument::FlushPendingNotifications(mozFlushType)+0x270 
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:1260 ip=0x049a68b3]
                }
                ++i;
              }
            }
        
            if (isSafeToFlush && mParser) {
              nsCOMPtr<nsIContentSink> sink = mParser->GetContentSink();
              if (sink) {
                PRBool notify = ((aType & Flush_SinkNotifications) != 0);
                sink->FlushContent(notify);
              }
            }
          }
        
     =>   nsDocument::FlushPendingNotifications(aType);
        }
                    
                nsHTMLDocument::GetPixelDimensions(nsIPresShell *,int *,int *)
+0x6b [r:\mozilla\content\html\document\src\nshtmldocument.cpp:2486 
ip=0x049b0e90]
                    
                    nsresult
                    nsHTMLDocument::GetPixelDimensions(nsIPresShell* aShell,
                                                       PRInt32* aWidth,
                                                       PRInt32* aHeight)
                    {
                      *aWidth = *aHeight = 0;
                    
                 =>   FlushPendingNotifications(Flush_Layout);
                    
                      // Find the <body> element: this is what we'll want to 
use for the
                      // document's width and height values.
                      if (!mBodyContent && !GetBodyContent()) {
                        return NS_OK;
                      }
                    
                      nsCOMPtr<nsIContent> body = do_QueryInterface
(mBodyContent);
                    
                      // Now grab its frame
                      nsIFrame* frame;
                      nsresult rv = aShell->GetPrimaryFrameFor(body, &frame);
                      if (NS_SUCCEEDED(rv) && frame) {
                        nsSize                    size;
                nsHTMLDocument::GetHeight(int *)+0xba 
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:2573 ip=0x049b1353]
                XPTC_InvokeByIndex+0x6e 
[r:\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101 ip=0x02559327]
                XPCWrappedNative::CallMethod
(XPCCallContext&,CallMode::XPCWrappedNative)+0x122f 
[r:\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp:2030 ip=0x03d1c6cc]
                XPC_WN_GetterSetter(JSContext *,JSObject *,UINT,long *,long *)
+0x27c [r:\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp:1319 
ip=0x03d22c82]
                js_Invoke+0xef0      [r:\mozilla\js\src\jsinterp.c:1280 
ip=0x03e66757]
    [E] IPR: Invalid pointer read in nsHTMLDocument::GetPixelDimensions
(nsIPresShell *,int *,int *) {1 occurrence}
    [E] EXU: Unhandled exception in nsHTMLDocument::GetPixelDimensions
(nsIPresShell *,int *,int *) {1 occurrence}
    [I] Summary of all memory in use... {13277587 bytes, 217277 blocks}
    [I] Summary of all memory leaks... {2049923 bytes, 55808 blocks}
    [W] PAR: GetClassInfoExA(0x13e204) WNDCLASSEX structure size too small... 
{1 occurrence}
    [I] Exiting with code -1073741819 (0xc0000005)
    [I] Program terminated at 08/26/2004 03:34:06
Severity: normal → critical
Component: DOM: HTML → DOM: Core & HTML
QA Contact: ian → general
Looks like GetPixelDimensions was renamed to GetBodySize.
It's now safe because it uses body->GetPrimaryFrame()
which returns NULL if the frame was deleted by the Flush_Layout
http://mxr.mozilla.org/mozilla-central/source/content/html/document/src/nsHTMLDocument.cpp#2339

-> WORKSFORME
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Attached file Testcase
This would probably crash Firefox 2.x or older.
http://mxr.mozilla.org/mozilla1.8/source/content/html/document/src/nsHTMLDocument.cpp#2638
The problem is that even though the code holds a strong ref
on the shell, it's not safe to call GetPrimaryFrameFor() on
it after it was Destroy()'ed.
In 1.9.1 and 1.9.2 the shell is acquired after the Flush
and early return if null.
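An added illustration, in C++, of the ordering problem and of the fix the comments above describe. This is not Mozilla code and not the attached testcase: the classes (`Frame`, `PresShell`, `Document`) and the two `GetBodyHeight*` functions are invented stand-ins. The old ordering takes the shell before the layout flush and uses it afterwards; the fixed ordering flushes first, acquires the shell afterwards, and returns early if the flush removed it. Instead of reading freed memory, which is what Purify flagged in the report, the toy shell records that it was asked for a frame after `Destroy()` ran, so the scenario driver can observe the misuse.

```cpp
// Added example, not Mozilla code: toy model of the flush-then-use ordering
// defect behind this bug and of the fix described in the comments.
#include <memory>

struct Frame { int width; int height; };

// Stand-in for a pres shell. Destroy() frees the frame tree; the shell object
// can outlive that while a caller holds a strong reference, which is why a
// strong ref alone did not make the old call sequence safe.
class PresShell {
public:
    PresShell(int w, int h) : mBody(new Frame{w, h}) {}
    ~PresShell() { Destroy(); }
    void Destroy() {
        delete mBody;            // frame tree goes away
        mBody = nullptr;
        mDestroyed = true;
    }
    // Models GetPrimaryFrameFor(): only valid while the frame tree exists.
    // Where the real code read freed memory, this records the misuse.
    Frame* GetPrimaryFrameFor(bool* touchedDestroyed) {
        if (mDestroyed) { *touchedDestroyed = true; return nullptr; }
        return mBody;
    }
private:
    Frame* mBody;
    bool mDestroyed = false;
};

// Stand-in for the document. A layout flush may tear the presentation down
// (the testcase provoked this); afterwards the document has no shell.
class Document {
public:
    Document(int w, int h) : mShell(std::make_shared<PresShell>(w, h)) {}
    std::shared_ptr<PresShell> GetShell() const { return mShell; }
    void TearDownOnNextFlush() { mTearDownPending = true; }
    void FlushPendingNotifications() {
        if (mTearDownPending && mShell) {
            mShell->Destroy();
            mShell.reset();      // document drops its reference
            mTearDownPending = false;
        }
    }
private:
    std::shared_ptr<PresShell> mShell;
    bool mTearDownPending = false;
};

// Old ordering: take the shell, flush, then use the shell. The strong ref
// keeps the object alive but not usable once Destroy() has run.
bool GetBodyHeightUnsafe(Document& doc, int* aHeight, bool* touchedDestroyed) {
    *aHeight = 0;
    *touchedDestroyed = false;
    std::shared_ptr<PresShell> shell = doc.GetShell();
    if (!shell) return false;
    doc.FlushPendingNotifications();                    // may Destroy() shell
    Frame* frame = shell->GetPrimaryFrameFor(touchedDestroyed);
    if (!frame) return false;
    *aHeight = frame->height;
    return true;
}

// Fixed ordering (the 1.9.1/1.9.2 shape the comments describe): flush first,
// acquire the shell afterwards, return early if the flush removed it.
bool GetBodyHeightSafe(Document& doc, int* aHeight) {
    *aHeight = 0;
    doc.FlushPendingNotifications();
    std::shared_ptr<PresShell> shell = doc.GetShell();
    if (!shell) return false;                           // nothing to measure
    bool touchedDestroyed = false;
    Frame* frame = shell->GetPrimaryFrameFor(&touchedDestroyed);
    if (!frame) return false;
    *aHeight = frame->height;
    return true;
}

// Scenario driver: a constructed 800x600 document, optionally with a flush
// that tears the presentation down. Reports what each variant observed.
struct Outcome { bool unsafeTouchedDestroyed; bool safeReturned; int safeHeight; };

Outcome RunScenario(bool teardownDuringFlush) {
    Outcome out{};
    {
        Document doc(800, 600);
        if (teardownDuringFlush) doc.TearDownOnNextFlush();
        int h = 0;
        GetBodyHeightUnsafe(doc, &h, &out.unsafeTouchedDestroyed);
    }
    {
        Document doc(800, 600);
        if (teardownDuringFlush) doc.TearDownOnNextFlush();
        out.safeReturned = GetBodyHeightSafe(doc, &out.safeHeight);
    }
    return out;
}

int main() {
    Outcome quiet = RunScenario(false), torn = RunScenario(true);
    return (!quiet.unsafeTouchedDestroyed && quiet.safeHeight == 600 &&
            torn.unsafeTouchedDestroyed && !torn.safeReturned) ? 0 : 1;
}
```

The point of the driver is the second scenario: with a teardown during the flush, the old ordering ends up calling into a shell that has already been destroyed, while the fixed ordering never sees a shell at all and simply reports no size, which is the early-return behaviour the later comment describes.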