Closed Bug 307839 Opened 19 years ago Closed 19 years ago

MathML/DOM crash [@ nsMathMLContainerFrame::GetType]

Categories

(Core :: MathML, defect)

Product:
Core
Component:
MathML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: rbs)

References

Details

(Keywords: crash, testcase, verified1.8)

Crash Data

Attachments

(3 files)

reduced testcase
405 bytes, application/xhtml+xml
Details
fix
4.23 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review
Testcase2
648 bytes, application/xhtml+xml
Details 
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050908
Firefox/1.6a1

TB9203727M
Attached file reduced testcase 

    
    

    
  
Assuming this crash is due to calling GetType on a deleted frame, bz thinks this
isn't an exploitable crash in opt builds, because frames are arena-allocated and
the arena isn't recycled until the page goes away.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
Move the null checks inside functions. This way we can take away the early
returns in the other codes and give them a chance to continue updating the
remaing states of the frames, even when the underlying markup is invalid.

        Attachment #195691 -
        Flags: superreview?(bzbarsky)

        Attachment #195691 -
        Flags: review?(bzbarsky)

        Attachment #195691 -
        Flags: superreview?(bzbarsky)

        Attachment #195691 -
        Flags: superreview+

        Attachment #195691 -
        Flags: review?(bzbarsky)

        Attachment #195691 -
        Flags: review+

    
  

        Attachment #195691 -
        Flags: approval1.8b5?

    
    

    
  

      
      
      
      

        Attached file
          
        Testcase2
      

    


  
With this testcase, I get approximately crashes with the same stacktrace:
TB9278959K TB9278831M
So this is probably also fixed with the patch.

    
    

    
  
Checked in the trunk yesterday. So today's builds now have the fix.
Status: NEW → RESOLVED
Closed: 19 years ago
OS: MacOS X → All
Hardware: Macintosh → All
Resolution: --- → FIXED

    
    

    
  
Yup, verified with 2005-09-12 build.
Status: RESOLVED → VERIFIED

    
  

        Attachment #195691 -
        Flags: approval1.8b5? → approval1.8b5+

    
    

    
  
Checked in the 1.8 branch.
Keywords: fixed1.8

    
    

    
  
v.fixed on branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5)
Gecko/20050928 Firefox/1.4, testcases don't crash and no crashes since 9/12 in
Talkback data.
Keywords: fixed1.8verified1.8

    
    

    
  
Crashtests checked in.
Flags: in-testsuite+
Crash Signature: [@ nsMathMLContainerFrame::GetType]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: