Consider making nsDocument::GetTitleElement() not create a live nsNodeList

RESOLVED FIXED in Firefox 57

Status

Core
DOM
RESOLVED FIXED
a month ago
27 days ago

People

(Reporter: Ehsan, Assigned: Ehsan)

Tracking

(Blocks: 1 bug)

unspecified
mozilla57
Points:
---
Firefox Tracking Flags

(firefox57 fixed)

Details

(Whiteboard: [qf])

Attachments

(1 attachment)

See <https://searchfox.org/mozilla-central/rev/48ea452803907f2575d81021e8678634e8067fc2/dom/base/nsDocument.cpp#7033>, which is called under this callstack:

#0  0x00007f0902d99477 in nsContentList::nsContentList(nsINode*, int, nsIAtom*, nsIAtom*, bool) (this=0x7f08dc440da0, aRootNode=0x7f08dc417000, aMatchNameSpaceId=3, aHTMLMatchAtom=0x7f08fbebfa20, aXMLMatchAtom=0x7f08fbebfa20, aDeep=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at /home/ehsan/moz/src.1347035/dom/base/nsContentList.cpp:426
#1  0x00007f0902d99278 in NS_GetContentList(nsINode*, int, nsAString const&) (aRootNode=0x7f08dc417000, aMatchNameSpaceId=<optimized out>, aTagname=...)
    at /home/ehsan/moz/src.1347035/dom/base/nsContentList.cpp:301
#2  0x00007f0902dd4049 in nsDocument::GetTitleElement() (this=0x7f08dc417000)
    at /home/ehsan/moz/src.1347035/dom/base/nsDocument.cpp:7034
#3  0x00007f0902dd41f8 in nsDocument::GetTitle(nsString&) (this=0x7f08dc417000, aTitle=<gNullChar> u"") at /home/ehsan/moz/src.1347035/dom/base/nsDocument.cpp:7068
#4  0x00007f0902dd474e in nsDocument::DoNotifyPossibleTitleChange() (this=0x7f08dc417000)
    at /home/ehsan/moz/src.1347035/dom/base/nsDocument.cpp:7176
#5  0x00007f0902df9dc7 in mozilla::detail::RunnableMethodArguments<>::applyImpl<nsDocument, void (nsDocument::*)()>(nsDocument*, void (nsDocument::*)(), mozilla::Tuple<>&, mozilla::IndexSequence<>) (o=<optimized out>, m=<optimized out>, args=...)
    at /home/ehsan/moz/src.1347035/obj-ff-opt/dist/include/nsThreadUtils.h:1142
#6  0x00007f0902df9dc7 in mozilla::detail::RunnableMethodArguments<>::apply<nsDocument, void (nsDocument::*)()>(nsDocument*, void (nsDocument::*)()) (o=<optimized out>, m=<optimized out>, this=<optimized out>) at /home/ehsan/moz/src.1347035/obj-ff-opt/dist/include/nsThreadUtils.h:1148
#7  0x00007f0902df9dc7 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), false, (mozilla::RunnableKind)0>::Run() (this=<optimized out>)
    at /home/ehsan/moz/src.1347035/obj-ff-opt/dist/include/nsThreadUtils.h:1192
#8  0x00007f0901d9f8f5 in mozilla::SchedulerGroup::Runnable::Run() (this=0x7f08dc6fa1c0)
    at /home/ehsan/moz/src.1347035/xpcom/threads/SchedulerGroup.cpp:387
#9  0x00007f0901dad3a8 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f08fbf1e8a0, aMayWait=<optimized out>, aResult=<optimized out>)
    at /home/ehsan/moz/src.1347035/xpcom/threads/nsThread.cpp:1040
#10 0x00007f0901dae73f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7f08dc440da0, aMayWait=<error reading variable: access outside bounds of object referenced via synthetic pointer>)
    at /home/ehsan/moz/src.1347035/xpcom/threads/nsThreadUtils.cpp:521
#11 0x00007f0902298de8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7f09114d3c90, aDelegate=0x7ffc90066e60) at /home/ehsan/moz/src.1347035/ipc/glue/MessagePump.cpp:97
#12 0x00007f0902236c5b in MessageLoop::RunInternal() (this=0x7f08dc440da0)
    at /home/ehsan/moz/src.1347035/ipc/chromium/src/base/message_loop.cc:326
#13 0x00007f0902236c5b in MessageLoop::RunHandler() (this=<optimized out>)
    at /home/ehsan/moz/src.1347035/ipc/chromium/src/base/message_loop.cc:319
#14 0x00007f0902236c5b in MessageLoop::Run() (this=0x7f08dc440da0)
    at /home/ehsan/moz/src.1347035/ipc/chromium/src/base/message_loop.cc:299
#15 0x00007f09040d26d9 in nsBaseAppShell::Run() (this=0x7f08f60d99e0)
    at /home/ehsan/moz/src.1347035/widget/nsBaseAppShell.cpp:158
#16 0x00007f09057bbb84 in XRE_RunAppShell() ()
    at /home/ehsan/moz/src.1347035/toolkit/xre/nsEmbedFunctions.cpp:865
#17 0x00007f0902236c5b in MessageLoop::RunInternal() (this=0x7f08dc440da0)
    at /home/ehsan/moz/src.1347035/ipc/chromium/src/base/message_loop.cc:326
#18 0x00007f0902236c5b in MessageLoop::RunHandler() (this=<optimized out>)
    at /home/ehsan/moz/src.1347035/ipc/chromium/src/base/message_loop.cc:319

We should not use a live nodelist here...
Assignee: nobody → ehsan
Created attachment 8901534
Avoid creating a live nsContentList in nsDocument::GetTitleElement()
Attachment #8901534 - Flags: review?(bugs)
Depends on: 1392891

Updated

29 days ago
Attachment #8901534 - Flags: review?(bugs) → review+

Comment 2

27 days ago
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5419f3e63cae
Avoid creating a live nsContentList in nsDocument::GetTitleElement(); r=smaug
https://hg.mozilla.org/mozilla-central/rev/5419f3e63cae
Status: NEW → RESOLVED
Last Resolved: 27 days ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57