Closed Bug 1430818 Opened 8 years ago Closed 8 years ago

Crash in URIUtils::ResetWithSource

Categories

(Core :: XSLT, defect, P2)

Product:
Core
Component:
XSLT
Version:
58 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox57 --- unaffected
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- fixed
firefox61 --- fixed

People

(Reporter: philipp, Assigned: peterv)

References

(
URL
)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file, 1 obsolete file)

v1.1
6.07 KB, patch
bzbarsky
: review+
jcristau
: approval-mozilla-beta+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-a4adffbb-8507-4c63-91b3-9fa440180115. ============================================================= Top 10 frames of crashing thread: 0 xul.dll URIUtils::ResetWithSource dom/xslt/base/txURIUtils.cpp:48 1 xul.dll txMozillaXSLTProcessor::notifyError dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1122 2 xul.dll txMozillaXSLTProcessor::SetSourceContentModel dom/xslt/xslt/txMozillaXSLTProcessor.cpp:384 3 xul.dll nsXMLContentSink::DidBuildModel dom/xml/nsXMLContentSink.cpp:297 4 xul.dll nsParser::DidBuildModel parser/htmlparser/nsParser.cpp:491 5 xul.dll nsParser::ResumeParse parser/htmlparser/nsParser.cpp:1101 6 xul.dll nsParser::OnStopRequest parser/htmlparser/nsParser.cpp:1475 7 xul.dll nsDocumentOpenInfo::OnStopRequest uriloader/base/nsURILoader.cpp:357 8 xul.dll nsBaseChannel::OnStopRequest netwerk/base/nsBaseChannel.cpp:878 9 xul.dll nsInputStreamPump::OnStateStop netwerk/base/nsInputStreamPump.cpp:704 ============================================================= this is a low volume content crash signature newly appearing in 58.0b16 & 59.0a1.
Flags: needinfo?(peterv)
Might be a regressions from bug 1387427. Probably only happens with an error in an XSLT stylesheet.
Assignee: nobody → peterv
Blocks: CVE-2018-5097
Flags: needinfo?(peterv)
Priority: -- → P2
Attached patch v1 (obsolete) — Splinter Review
Attached patch v1.1Splinter Review
Attachment #8954675 - Attachment is obsolete: true
Attachment #8956751 - Flags: review?(bzbarsky)
Comment on attachment 8956751 [details] [diff] [review] v1.1 So the actual fix is redundant with the fix for bug 1436040, right? That is, that patch will fix this bug as well. All that's left here is the testcase and assert fix? r=me with the commit message adjusted accordingly. If this lands first, then the commit message should say "We want to create the source fragment before trying to use ...", I would think.
Attachment #8956751 - Flags: review?(bzbarsky) → review+
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #7) > So the actual fix is redundant with the fix for bug 1436040, right? That > is, that patch will fix this bug as well. All that's left here is the > testcase and assert fix? Well, actually, bug 1436040 applies on top of this.
Oh, I see. OK, then please adjust per something like the wording at the end of comment 7.
https://hg.mozilla.org/mozilla-central/rev/3c3dd78b460b
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox61: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Should we uplift this to beta60?
status-firefox59: affectedwontfix
status-firefox60: --- → fix-optional
Flags: needinfo?(peterv)
Comment on attachment 8956751 [details] [diff] [review] v1.1 Approval Request Comment [Feature/Bug causing the regression]: bug 1387427 [User impact if declined]: crash [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: just makes sure we create an object before trying to use it [String changes made/needed]: none
Flags: needinfo?(peterv)
Attachment #8956751 - Flags: approval-mozilla-beta?
Comment on attachment 8956751 [details] [diff] [review] v1.1 crash fix, approved for 60.0b14
Attachment #8956751 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: