Closed Bug 1419751 Opened 7 years ago Closed 7 years ago

Crash in nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster

Categories
Product/Component: Core :: DOM: HTML Parser, defect
Version: 58 Branch
Platform: x86 Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED DUPLICATE of bug 1414490
Tracking Status: firefox58 + fixed; firefox59 --- ?

People
Reporter: jcristau; Assignee: Unassigned

Details
Keywords: crash, csectype-uaf, sec-high
Whiteboard: [adv-main58-]

Crash Data

This bug was filed from the Socorro interface and is
report bp-82b64577-42d7-437d-a074-033120171122.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster parser/html/nsHtml5TreeBuilder.cpp:4257
1 xul.dll nsHtml5TreeBuilder::startTag parser/html/nsHtml5TreeBuilder.cpp:1109
2 xul.dll nsHtml5Tokenizer::emitCurrentTagToken parser/html/nsHtml5Tokenizer.cpp:342
3 xul.dll nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy> parser/html/nsHtml5Tokenizer.cpp:2329
4 xul.dll nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:449
5 xul.dll nsHtml5Parser::Parse parser/html/nsHtml5Parser.cpp:388
6 xul.dll nsHTMLDocument::WriteCommon dom/html/nsHTMLDocument.cpp:2029
7 xul.dll nsHTMLDocument::WriteCommon dom/html/nsHTMLDocument.cpp:1917
8 xul.dll mozilla::dom::HTMLDocumentBinding::write dom/bindings/HTMLDocumentBinding.cpp:652
9 xul.dll mozilla::dom::GenericBindingMethod dom/bindings/BindingUtils.cpp:3040

=============================================================

This signature spikes in 58.0b4 and socorro shows a number of crashes at 0xffffffffe5e5e5e9, so filing as security sensitive.
Almost all the related urls start with "http://www.phimmoi.net".
Group: core-security → dom-core-security
(In reply to Julien Cristau [:jcristau] from comment #0)
> This signature spikes in 58.0b4 and socorro shows a number of crashes at
> 0xffffffffe5e5e5e9, so filing as security sensitive.

And even more crashes at 0xffffffffffffffff, and when you look at the registers in those usually r15 is 0xe5e5e5e5e5e5e5e5e5e5 -- also appears to be a use after free (though could be an uninitialized value allocated on reused memory?)

(In reply to Calixte Denizet (:calixte) from comment #1)
> Almost all the related urls start with "http://www.phimmoi.net".

And of the handful that aren't, most of the rest are also Vietnamese sites (plus one instance of www.mtv.fi and a couple aliexpress).

I don't see anything changing in nsHtml5TreeBuilder between 58b3 and 58b4 except renaming nsIAtom to nsAtom, and hard to imagine that could cause a crash spike. But if the problem were with the site itself I'd expect to see a spike in Release crashes, too. Maybe something in the HTML parser that landed earlier in 58, plus a site change?

[Tracking Requested - why for this release]:
800+ crashes in a week -- this will be a release blocker.
Flags: needinfo?(hsivonen)
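The comments above triage the crash by eye: a faulting address of 0xffffffffe5e5e5e9, or a register holding 0xe5e5e5e5e5e5e5e5, is read as a dereference of memory that mozjemalloc has already freed and poisoned with 0xE5. The following script is an added example of automating that heuristic over Socorro-style crash data; it is not code from the bug, from Socorro or from Mozilla. It assumes the 0xE5 free-poison byte, treats a value within a small offset (MAX_FIELD_OFFSET, an assumed bound) of an all-0xE5 pointer as "freed object plus field offset", and the report ids and register values it runs over are constructed, modelled on the numbers quoted in the comments.

```python
# Added crash-triage helper; not code from the bug page or from Mozilla.
# Assumption: mozjemalloc fills freed allocations with the byte 0xE5, so a
# faulting address or register of the form 0xE5E5...E5 plus a small offset is a
# strong hint that a field of a freed object was dereferenced (use-after-free).
from typing import Dict, List, Optional, Tuple

POISON_BYTE = 0xE5        # mozjemalloc free-poison byte
MAX_FIELD_OFFSET = 0x200  # assumption: member access at a small offset from the freed object


def poison_offset(value: int) -> Optional[int]:
    """Return the offset above an all-0xE5 pointer if `value` looks like one, else None.

    Both 64-bit values (0xe5e5e5e5e5e5e5e5) and sign-extended 32-bit values
    (0xffffffffe5e5e5e9, the form Socorro shows for 32-bit builds) are handled.
    """
    for width in (8, 4):
        if width == 4 and (value >> 32) not in (0, 0xFFFFFFFF):
            continue  # upper half is neither zero- nor sign-extension: not a 32-bit value
        mask = (1 << (8 * width)) - 1
        base = int.from_bytes(bytes([POISON_BYTE]) * width, "big")
        off = (value & mask) - base
        if 0 <= off < MAX_FIELD_OFFSET:
            return off
    return None


def classify_crash(crash_addr: int, registers: Dict[str, int]) -> Tuple[bool, str]:
    """Classify one crash as (likely_uaf, human-readable reason)."""
    off = poison_offset(crash_addr)
    if off is not None:
        return True, f"crash address is poison pattern + 0x{off:x}"
    # Crashes at 0xffffffffffffffff carry no hint themselves; look at the registers.
    hits = {r: o for r, o in ((r, poison_offset(v)) for r, v in registers.items()) if o is not None}
    if hits:
        regs = ", ".join(f"{r}=poison+0x{o:x}" for r, o in sorted(hits.items()))
        return True, f"crash at 0x{crash_addr:x} with poisoned register(s): {regs}"
    return False, "no free-poison pattern in address or registers"


# Constructed sample reports (ids and register contents are made up), modelled
# on the addresses quoted in the comments above.
SAMPLE_REPORTS: List[Tuple[str, int, Dict[str, int]]] = [
    ("bp-sample-1", 0xFFFFFFFFE5E5E5E9, {"rax": 0x0, "r15": 0x7FFE00001000}),
    ("bp-sample-2", 0xFFFFFFFFFFFFFFFF, {"rax": 0x1, "r15": 0xE5E5E5E5E5E5E5E5}),
    ("bp-sample-3", 0x0000000000000010, {"rax": 0x0, "r15": 0x7FFE00002000}),
]


def triage(reports=SAMPLE_REPORTS) -> Dict[str, Tuple[bool, str]]:
    """Run the classifier over a batch of (report id, crash address, registers)."""
    return {rid: classify_crash(addr, regs) for rid, addr, regs in reports}


if __name__ == "__main__":
    for rid, (uaf, why) in triage().items():
        print(f"{rid}: {'LIKELY UAF' if uaf else 'unclear'} - {why}")
```

The third sample (a null-plus-small-offset crash with ordinary heap pointers in the registers) is there to show the heuristic staying quiet: a null dereference is a different bug class and should not be bucketed with the poison-pattern crashes.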
Based on crash-stat and stack trace, it looks like so.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(hsivonen)
Whiteboard: [adv-main58-]
Group: dom-core-security