Closed Bug 209098 Opened 21 years ago Closed 20 years ago

[FIX] TestParser crashes inside nsLoggingSink

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, testcase, Whiteboard: [patch])

Attachments

(4 files, 2 obsolete files)

Testcase #1
41.64 KB, text/html
Details
GDB stack from the crash (Linux)
1.77 KB, text/plain
Details
Console output before the crash
1.04 KB, text/plain
Details
updated to tip
1.41 KB, patch
mrbkap
: review+
peterv
: superreview+
Details | Diff | Splinter Review 
TestParser crashes inside nsLoggingSink on some input.  It doesn't occur
on the regular regression tests under tests/html so maybe it isn't a major
problem.  It does occur for the file the I'm going to attach (which is a
"wget pull" of http://www.travelocity.com/) though.

The crash is 100% reproducable for me on that file.
Attached file Testcase #1 

    
    

    
  


  
There were a few assertions before the crash but they could be unrelated
since this occurs frequently on other files as well (bug 180334).

    
    

    
  
-> me - since I have a fix.
Assignee: harishd → mats.palmgren

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 1 (obsolete)
        — Splinter Review
      

    


  
The problem is that we are using uninitialized stack variables which
are used as out-param for GetNewCString(...)  -  the problem is that this
function does not always assign the out-param and we are continuing to
nsMemory::Free(...) a random location. Here is GetNewCString:

nsresult
nsLoggingSink::GetNewCString(const nsAString& aValue, char** aResult)
{
  nsresult result=NS_OK;
  nsAutoString temp;
  result=QuoteText(aValue,temp);
  if(NS_SUCCEEDED(result)) {
    if(!temp.IsEmpty()) {
      *aResult = ToNewCString(temp);
    }
  }
  return result;
}


I have checked all uses of this function and there were two places that
did not initialize the out-param correctly (see patch).

On the other hand, since QuoteText(...) unconditionally returns NS_OK, what
has happened is that |temp.IsEmpty()| is true.	I find it a bit odd that we
expicitly avoid to assign |aResult| in this case.
Is this really correct?  Either way, the patch fixes the crash.

    
  

        Attachment #125478 -
        Flags: review?(harishd)

    
    

    
  
Comment on attachment 125478 [details] [diff] [review]
Patch rev. 1

r=harishd

        Attachment #125478 -
        Flags: review?(harishd) → review+

    
    

    
  
GetNewCString is an accident waiting to happen still.  It should guarantee that
if it returns NS_OK, then it has also set its out parameter.

/be

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch rev. 2 (obsolete)
        — Splinter Review
      

    


  
Agreed.  I now set it to |nsnull| when |temp.IsEmpty()|

        Attachment #125478 -
        Attachment is obsolete: true

    
  

        Attachment #125524 -
        Flags: review?(harishd)

    
    

    
  
Comment on attachment 125524 [details] [diff] [review]
Patch rev. 2

>   if(NS_SUCCEEDED(result)) {
>-    if(!temp.IsEmpty()) {
>-      *aResult = ToNewCString(temp);
>-    }
>+    *aResult = temp.IsEmpty() ? nsnull : ToNewCString(temp);

IMO, regardless of whether result returned is NS_OK or not we should still
initialize aResult.

That is, something like:

nsresult
nsLoggingSink::GetNewCString(const nsAString& aValue, char** aResult)
{
  NS_ENSURE_ARG_POINTER(aResult);
  *aResult = nsnull;
  nsAutoString temp;
  nsresult result = QuoteText(aValue, temp);
  if (NS_FAILED(result))
    return result;
  if (!temp.IsEmpty()) {
    *aResult = ToNewCString(temp);
    NS_ENSURE_TRUE(*aResult, NS_ERROR_OUT_OF_MEMORY);
  }
  return NS_OK;
}

Since this a debug only code I don't really care. So, r=harishd

        Attachment #125524 -
        Flags: review?(harishd) → review+

    
    

    
  
I think "Patch rev. 2" is fine as it is.
Can someone check this in for me?  (I don't have cvs commit access.)
Status: NEW → ASSIGNED
Summary: TestParser crashes inside nsLoggingSink → [FIX] TestParser crashes inside nsLoggingSink
Whiteboard: [patch]

    
    

    
  
has this been checked in ?
Severity: normal → critical
Severity: critical → normal

    
    

    
  

      
      
      
      

        Attached patch
          
          
        updated to tipSplinter Review
      

    


  
This is updated to trunk. I'm carrying forward harish's r= and requesting sr=.
I'll check it in once it has sr=. peterv, this should basically just be a
rubber-stamp sort of thing...

        Attachment #125524 -
        Attachment is obsolete: true

        Attachment #168798 -
        Flags: superreview?(peterv)

        Attachment #168798 -
        Flags: review+

        Attachment #168798 -
        Flags: superreview?(peterv) → superreview+

    
    

    
  
Fixed has been checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
  
Severity: normal → critical

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: