Closed
Bug 209098
Opened 21 years ago
Closed 20 years ago
[FIX] TestParser crashes inside nsLoggingSink
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)
Details
(Keywords: crash, testcase, Whiteboard: [patch])
Attachments
(4 files, 2 obsolete files)
41.64 KB,
text/html
|
Details | |
1.77 KB,
text/plain
|
Details | |
1.04 KB,
text/plain
|
Details | |
1.41 KB,
patch
|
mrbkap
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
TestParser crashes inside nsLoggingSink on some input. It doesn't occur on the regular regression tests under tests/html so maybe it isn't a major problem. It does occur for the file the I'm going to attach (which is a "wget pull" of http://www.travelocity.com/) though. The crash is 100% reproducable for me on that file.
Assignee | ||
Comment 1•21 years ago
|
||
Assignee | ||
Comment 2•21 years ago
|
||
Assignee | ||
Comment 3•21 years ago
|
||
There were a few assertions before the crash but they could be unrelated since this occurs frequently on other files as well (bug 180334).
Assignee | ||
Comment 5•21 years ago
|
||
The problem is that we are using uninitialized stack variables which are used as out-param for GetNewCString(...) - the problem is that this function does not always assign the out-param and we are continuing to nsMemory::Free(...) a random location. Here is GetNewCString: nsresult nsLoggingSink::GetNewCString(const nsAString& aValue, char** aResult) { nsresult result=NS_OK; nsAutoString temp; result=QuoteText(aValue,temp); if(NS_SUCCEEDED(result)) { if(!temp.IsEmpty()) { *aResult = ToNewCString(temp); } } return result; } I have checked all uses of this function and there were two places that did not initialize the out-param correctly (see patch). On the other hand, since QuoteText(...) unconditionally returns NS_OK, what has happened is that |temp.IsEmpty()| is true. I find it a bit odd that we expicitly avoid to assign |aResult| in this case. Is this really correct? Either way, the patch fixes the crash.
Assignee | ||
Updated•21 years ago
|
Attachment #125478 -
Flags: review?(harishd)
Comment on attachment 125478 [details] [diff] [review] Patch rev. 1 r=harishd
Attachment #125478 -
Flags: review?(harishd) → review+
Comment 7•21 years ago
|
||
GetNewCString is an accident waiting to happen still. It should guarantee that if it returns NS_OK, then it has also set its out parameter. /be
Assignee | ||
Comment 8•21 years ago
|
||
Agreed. I now set it to |nsnull| when |temp.IsEmpty()|
Attachment #125478 -
Attachment is obsolete: true
Assignee | ||
Updated•21 years ago
|
Attachment #125524 -
Flags: review?(harishd)
Comment on attachment 125524 [details] [diff] [review] Patch rev. 2 > if(NS_SUCCEEDED(result)) { >- if(!temp.IsEmpty()) { >- *aResult = ToNewCString(temp); >- } >+ *aResult = temp.IsEmpty() ? nsnull : ToNewCString(temp); IMO, regardless of whether result returned is NS_OK or not we should still initialize aResult. That is, something like: nsresult nsLoggingSink::GetNewCString(const nsAString& aValue, char** aResult) { NS_ENSURE_ARG_POINTER(aResult); *aResult = nsnull; nsAutoString temp; nsresult result = QuoteText(aValue, temp); if (NS_FAILED(result)) return result; if (!temp.IsEmpty()) { *aResult = ToNewCString(temp); NS_ENSURE_TRUE(*aResult, NS_ERROR_OUT_OF_MEMORY); } return NS_OK; } Since this a debug only code I don't really care. So, r=harishd
Attachment #125524 -
Flags: review?(harishd) → review+
Assignee | ||
Comment 10•21 years ago
|
||
I think "Patch rev. 2" is fine as it is. Can someone check this in for me? (I don't have cvs commit access.)
Status: NEW → ASSIGNED
Summary: TestParser crashes inside nsLoggingSink → [FIX] TestParser crashes inside nsLoggingSink
Whiteboard: [patch]
Severity: critical → normal
Comment 12•20 years ago
|
||
This is updated to trunk. I'm carrying forward harish's r= and requesting sr=. I'll check it in once it has sr=. peterv, this should basically just be a rubber-stamp sort of thing...
Attachment #125524 -
Attachment is obsolete: true
Attachment #168798 -
Flags: superreview?(peterv)
Attachment #168798 -
Flags: review+
Updated•20 years ago
|
Attachment #168798 -
Flags: superreview?(peterv) → superreview+
Comment 13•20 years ago
|
||
Fixed has been checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•20 years ago
|
Severity: normal → critical
You need to log in
before you can comment on or make changes to this bug.
Description
•