Closed Bug 256981
Opened 21 years ago, closed 14 years ago
Crash FMR: Free memory read in nsHTMLDocument::GetPixelDimensions(nsIPresShell *,int *,int *) {1 occurrence}
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED WORKSFORME
People: Reporter: timeless, Unassigned
Keywords: crash
Attachments: 1 file (1.39 KB, text/html)
confirmed by mcsmurf on:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a3) Gecko/20040824
and by me using 2004081808 talkbackid: 657276
steps:
1. run mfcembed (under purify or normal)
2. load chrome://inspector/content
3. tools>web dev>js debugger
4. click venkman's stop button
[I] Starting Purify'd R:\mozilla\rel-i586-pc-msvc.1\dist\bin\mfcembed.exe
at 08/26/2004 03:06:31
[I] Starting main
[W] UMC: Uninitialized memory copy in memcpy {6 occurrences}
[W] UMC: Uninitialized memory copy in memcpy {3 occurrences}
[W] UMC: Uninitialized memory copy in memcpy {2 occurrences}
[I] Starting thread 0xe350: midMessage
[W] UMR: Uninitialized memory read in
nsScriptNameSpaceManager::RegisterDOMCIData(char const*,(*)(char const*),nsID
const*,nsID const* *,UINT,int,nsID const*) {1 occurrence}
[W] UMR: Uninitialized memory read in nsScanner::AppendToBuffer
(Buffer::nsScannerBufferList *) {2 occurrences}
[E] FMR: Free memory read in nsHTMLDocument::GetPixelDimensions
(nsIPresShell *,int *,int *) {1 occurrence}
Reading 4 bytes from 0x0ddeadf8 (4 bytes at 0x0ddeadf8 illegal)
Address 0x0ddeadf8 is at the beginning of a 744 byte block
Address 0x0ddeadf8 points to a C++ new block in heap 0x003d0000
Thread ID: 0xc284
Error location
nsHTMLDocument::GetPixelDimensions(nsIPresShell *,int *,int *)+0xee
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:2498 ip=0x049b0f13]
*aWidth = *aHeight = 0;
FlushPendingNotifications(Flush_Layout);
// Find the <body> element: this is what we'll want to use for the
// document's width and height values.
if (!mBodyContent && !GetBodyContent()) {
return NS_OK;
}
nsCOMPtr<nsIContent> body = do_QueryInterface(mBodyContent);
// Now grab its frame
nsIFrame* frame;
=> nsresult rv = aShell->GetPrimaryFrameFor(body, &frame);
if (NS_SUCCEEDED(rv) && frame) {
nsSize size;
nsIView* view = frame->GetView();
// If we have a view check if it's scrollable. If not,
// just use the view size itself
if (view) {
nsIScrollableView* scrollableView = nsnull;
CallQueryInterface(view, &scrollableView);
if (scrollableView) {
scrollableView->GetScrolledView(view);
}
nsHTMLDocument::GetHeight(int *)+0xba
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:2573 ip=0x049b1353]
XPTC_InvokeByIndex+0x6e [r:\mozilla\xpcom\reflect\xptcall\src\md\win32
\xptcinvoke.cpp:101 ip=0x02559327]
XPCWrappedNative::CallMethod(XPCCallContext&,CallMode::XPCWrappedNative)
+0x122f [r:\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp:2030
ip=0x03d1c6cc]
XPC_WN_GetterSetter(JSContext *,JSObject *,UINT,long *,long *)+0x27c
[r:\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp:1319 ip=0x03d22c82]
js_Invoke+0xef0 [r:\mozilla\js\src\jsinterp.c:1280 ip=0x03e66757]
Allocation location
new(UINT)+0xc [f:\vs70builds\9466\vc\crtbld\crt\src\newop.cpp:10
ip=0x04bc821e]
nsViewManager::new(UINT)+0x1c [r:\mozilla\view\src\nsviewmanager.h:96
ip=0x0499f5f2]
NS_NewPresShell(nsIPresShell * *)+0x39
[r:\mozilla\layout\html\base\src\nspresshell.cpp:1602 ip=0x0470dc82]
nsDocument::doCreateShell(nsPresContext *,nsIViewManager *,nsStyleSet
*,nsCompatibility,nsIPresShell * *)+0x89
[r:\mozilla\content\base\src\nsdocument.cpp:1294 ip=0x048949e5]
nsHTMLDocument::CreateShell(nsPresContext *,nsIViewManager *,nsStyleSet
*,nsIPresShell * *)+0x3a
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:414 ip=0x0499f886]
DocumentViewerImpl::InitPresentationStuff(int)+0x12a
[r:\mozilla\content\base\src\nsdocumentviewer.cpp:636 ip=0x04888fc4]
DocumentViewerImpl::InitInternal(nsIWidget *,nsIDeviceContext *,nsRect
const&,int,int)+0x657 [r:\mozilla\content\base\src\nsdocumentviewer.cpp:857
ip=0x04889f82]
DocumentViewerImpl::Init(nsIWidget *,nsIDeviceContext *,nsRect const&)
+0x2b [r:\mozilla\content\base\src\nsdocumentviewer.cpp:623 ip=0x0488b4b1]
nsDocShell::SetupNewViewer(nsIContentViewer *)+0xd81
[r:\mozilla\docshell\base\nsdocshell.cpp:4874 ip=0x054513b9]
Free location
memset+0x1d [f:\vs70builds\9466\vc\crtbld\crt\src\newaop.cpp
ip=0x04bc82e8]
PresShell::`vector deleting destructor'(UINT)+0x43 [R:\mozilla\rel-i586-pc-msvc.1\dist\bin\components\gklayout.dll ip=0x04711f89]
PresShell::Release(void)+0x52
[r:\mozilla\layout\html\base\src\nspresshell.cpp:1636 ip=0x046fb9f1]
nsCOMPtr_base::~nsCOMPtr_base(void)+0x31
[r:\mozilla\xpcom\glue\nscomptr.cpp:81 ip=0x02570c62]
nsDocument::FlushPendingNotifications(mozFlushType)+0x398
[r:\mozilla\content\base\src\nsdocument.cpp:4070 ip=0x0489b7e9]
doc->FlushPendingNotifications(aType);
}
}
}
PRInt32 i, count = mPresShells.Count();
for (i = 0; i < count; i++) {
nsCOMPtr<nsIPresShell> shell =
NS_STATIC_CAST(nsIPresShell*, mPresShells[i]);
if (shell) {
shell->FlushPendingNotifications(aType);
}
=> }
}
nsHTMLDocument::FlushPendingNotifications(mozFlushType)+0x270
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:1260 ip=0x049a68b3]
}
++i;
}
}
if (isSafeToFlush && mParser) {
nsCOMPtr<nsIContentSink> sink = mParser->GetContentSink();
if (sink) {
PRBool notify = ((aType & Flush_SinkNotifications) != 0);
sink->FlushContent(notify);
}
}
}
=> nsDocument::FlushPendingNotifications(aType);
}
nsHTMLDocument::GetPixelDimensions(nsIPresShell *,int *,int *)
+0x6b [r:\mozilla\content\html\document\src\nshtmldocument.cpp:2486
ip=0x049b0e90]
nsresult
nsHTMLDocument::GetPixelDimensions(nsIPresShell* aShell,
PRInt32* aWidth,
PRInt32* aHeight)
{
*aWidth = *aHeight = 0;
=> FlushPendingNotifications(Flush_Layout);
// Find the <body> element: this is what we'll want to use for the
// document's width and height values.
if (!mBodyContent && !GetBodyContent()) {
return NS_OK;
}
nsCOMPtr<nsIContent> body = do_QueryInterface(mBodyContent);
// Now grab its frame
nsIFrame* frame;
nsresult rv = aShell->GetPrimaryFrameFor(body, &frame);
if (NS_SUCCEEDED(rv) && frame) {
nsSize size;
nsHTMLDocument::GetHeight(int *)+0xba
[r:\mozilla\content\html\document\src\nshtmldocument.cpp:2573 ip=0x049b1353]
XPTC_InvokeByIndex+0x6e
[r:\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp:101 ip=0x02559327]
XPCWrappedNative::CallMethod
(XPCCallContext&,CallMode::XPCWrappedNative)+0x122f
[r:\mozilla\js\src\xpconnect\src\xpcwrappednative.cpp:2030 ip=0x03d1c6cc]
XPC_WN_GetterSetter(JSContext *,JSObject *,UINT,long *,long *)
+0x27c [r:\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp:1319
ip=0x03d22c82]
js_Invoke+0xef0 [r:\mozilla\js\src\jsinterp.c:1280
ip=0x03e66757]
[E] IPR: Invalid pointer read in nsHTMLDocument::GetPixelDimensions
(nsIPresShell *,int *,int *) {1 occurrence}
[E] EXU: Unhandled exception in nsHTMLDocument::GetPixelDimensions
(nsIPresShell *,int *,int *) {1 occurrence}
[I] Summary of all memory in use... {13277587 bytes, 217277 blocks}
[I] Summary of all memory leaks... {2049923 bytes, 55808 blocks}
[W] PAR: GetClassInfoExA(0x13e204) WNDCLASSEX structure size too small...
{1 occurrence}
[I] Exiting with code -1073741819 (0xc0000005)
[I] Program terminated at 08/26/2004 03:34:06
Updated 21 years ago:
Severity: normal → critical
Component: DOM: HTML → DOM: Core & HTML
QA Contact: ian → general
Comment 1, 14 years ago:
Looks like GetPixelDimensions was renamed to GetBodySize.
It's now safe because it uses body->GetPrimaryFrame(),
which returns NULL if the frame was deleted by the Flush_Layout.
http://mxr.mozilla.org/mozilla-central/source/content/html/document/src/nsHTMLDocument.cpp#2339
-> WORKSFORME
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Comment 2, 14 years ago:
This would probably crash Firefox 2.x or older:
http://mxr.mozilla.org/mozilla1.8/source/content/html/document/src/nsHTMLDocument.cpp#2638
The problem is that even though the code holds a strong ref
on the shell, it's not safe to call GetPrimaryFrameFor() on
it after it was Destroy()'ed.
In 1.9.1 and 1.9.2 the shell is acquired after the flush,
with an early return if it is null.
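The ordering bug the Purify trace shows (a captured shell used after Flush_Layout freed its frames) next to the reordering comment 2 describes, as an added C++ model that is not Mozilla code; the handle-keyed "heap", the Frame/PresShell/Document shapes and the Width driver are constructed for illustration.

```cpp
#include <map>
// Constructed model of the ordering bug in the Purify trace above (not Mozilla
// code): frames live in a handle-keyed "heap" so a stale handle is detected the
// way Purify flagged the free memory read, without real undefined behaviour.
struct Frame { int width, height; };
static std::map<int, Frame> g_heap;             // live frame blocks, by handle
static int g_nextHandle = 1;                    // handles are never reused
// Reads a frame's size; false means the handle names a freed block (the FMR).
static bool ReadFrame(int handle, int* w, int* h) {
    auto it = g_heap.find(handle);
    if (it == g_heap.end()) return false;
    *w = it->second.width; *h = it->second.height;
    return true;
}
struct PresShell {
    int body = g_nextHandle++;                  // handle of the <body> frame
    PresShell() { g_heap[body] = Frame{640, 480}; }
    void Destroy() { g_heap.erase(body); }      // frees the frames; body dangles
    int GetPrimaryFrameFor() const { return body; }                       // old API
    int GetPrimaryFrame() const { return g_heap.count(body) ? body : 0; } // fixed
};
struct Document {
    PresShell shellObj;                         // the object a strong ref keeps alive
    bool shellAlive = true, flushTearsDownShell = false;
    PresShell* Shell() { return shellAlive ? &shellObj : nullptr; }
    // Stands in for Flush_Layout, which in the trace ended in PresShell::Release.
    void FlushPendingNotifications() {
        if (flushTearsDownShell && shellAlive) { shellObj.Destroy(); shellAlive = false; }
    }
    // Pre-fix ordering: aShell was captured before the flush; the strong ref
    // keeps the shell object alive but not its frames (comment 2).
    bool GetPixelDimensionsOld(PresShell* aShell, int* w, int* h) {
        *w = *h = 0;
        FlushPendingNotifications();
        return ReadFrame(aShell->GetPrimaryFrameFor(), w, h);  // the FMR site
    }
    // Fixed ordering: flush first, then acquire the shell and return early if
    // it is gone; GetPrimaryFrame() is null for a deleted frame.
    bool GetBodySize(int* w, int* h) {
        *w = *h = 0;
        FlushPendingNotifications();
        PresShell* s = Shell();
        return s ? ReadFrame(s->GetPrimaryFrame(), w, h) : false;
    }
};
// Driver: width read by one path, or -1 on FMR / early return; teardown=true is
// the bug's flush-destroys-shell case, fixed=false the pre-fix ordering.
int Width(bool fixed, bool teardown) {
    Document doc; doc.flushTearsDownShell = teardown;
    PresShell* held = doc.Shell();              // captured before the flush
    int w = 0, h = 0;
    bool ok = fixed ? doc.GetBodySize(&w, &h) : doc.GetPixelDimensionsOld(held, &w, &h);
    return ok ? w : -1;
}
```

With no teardown both orderings read 640x480; when the flush tears the shell down, the old ordering reaches a freed frame while the fixed ordering returns early.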