Crash with malformed SVG if it has an onload

Status: RESOLVED FIXED
Product: Core
Component: SVG
Priority: --
Severity: critical
Reported: 14 years ago
Modified: 13 years ago

People: Reporter: bz, Unassigned

Tracking: Keywords: crash
Version: Trunk
Platform: x86 Linux
Details

(URL)

Minimal testcase is in the URL field...

#0  0x4008ba20 in nsQueryInterface::operator()(nsID const&, void**) const (
    this=0xbfffdc3c, aIID=@0x40b298d4, answer=0xbfffdc34) at nsCOMPtr.cpp:47
#1  0x4008bbac in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) (
    this=0xbfffdd50, qi={mRawPtr = 0x87ced18}, iid=@0x40b298d4) at nsCOMPtr.cpp:96
#2  0x40b14909 in nsCOMPtr<nsISupports>::operator=(nsQueryInterface)
(this=0xbfffdd50, 
    rhs={mRawPtr = 0x87ced18}) at nsCOMPtr.h:880
#3  0x40b0cfba in XPCWrappedNative::GetNewOrUsed(XPCCallContext&, nsISupports*,
XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) (ccx=@0xbfffde20, 
    Object=0x87ced18, Scope=0x86ce1e8, Interface=0x80e8c08,
resultWrapper=0xbfffddbc)
    at
/home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:229
#4  0x40aed12a in XPCConvert::NativeInterface2JSObject(XPCCallContext&,
nsIXPConnectJSObjectHolder**, nsISupports*, nsID const*, JSObject*, unsigned*)
(ccx=@0xbfffde20, 
    dest=0xbfffe080, src=0x87ced18, iid=0x4188e8e8, scope=0x8687aa0,
pErr=0xbfffde1c)
    at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcconvert.cpp:1056
#5  0x40ad1e6f in nsXPConnect::WrapNative(JSContext*, JSObject*, nsISupports*,
nsID const&, nsIXPConnectJSObjectHolder**) (this=0x80e2d08,
aJSContext=0x86cdf20, aScope=0x8687aa0, 
    aCOMObj=0x87ced18, aIID=@0x4188e8e8, _retval=0xbfffe080)
    at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:568
#6  0x41516f48 in
nsEventListenerManager::CompileEventHandlerInternal(nsIScriptContext*,
nsISupports*, nsIAtom*, nsListenerStruct*, nsIDOMEventTarget*, unsigned)
(this=0x87d1088, 
    aContext=0x86cd640, aObject=0x87ced18, aName=0x815d098,
aListenerStruct=0x87d10f0, 
    aCurrentTarget=0x86cd584, aSubType=1)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1379
#7  0x415176eb in nsEventListenerManager::HandleEventSubType(nsListenerStruct*,
nsIDOMEvent*, nsIDOMEventTarget*, unsigned, unsigned) (this=0x87d1088,
aListenerStruct=0x87d10f0, 
    aDOMEvent=0x87cede8, aCurrentTarget=0x86cd584, aSubType=1, aPhaseFlags=7)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1495
#8  0x41517b3e in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*,
nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x87d1088, 
    aPresContext=0x87c79a0, aEvent=0xbfffe460, aDOMEvent=0xbfffe3b4, 
    aCurrentTarget=0x86cd584, aFlags=7, aEventStatus=0xbfffe49c)
    at
/home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1602
#9  0x416f0ba4 in GlobalWindowImpl::HandleDOMEvent(nsPresContext*, nsEvent*,
nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x86cd558,
aPresContext=0x87c79a0, aEvent=0xbfffe460, 
    aDOMEvent=0xbfffe3b4, aFlags=7, aEventStatus=0xbfffe49c)
    at /home/bzbarsky/mozilla/xlib/mozilla/dom/src/base/nsGlobalWindow.cpp:906
#10 0x4146afd4 in DocumentViewerImpl::LoadComplete(unsigned) (this=0x8602100,
aStatus=0)
    at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsDocumentViewer.cpp:889
#11 0x41ecba45 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) (
    this=0x86cd1f0, aProgress=0x86e1914, aChannel=0x8368e68, aStatus=0)
    at /home/bzbarsky/mozilla/xlib/mozilla/docshell/base/nsDocShell.cpp:4310
#12 0x41ef266d in nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) (
    this=0x86cd1f0, aProgress=0x86e1914, channel=0x8368e68, aStatus=0)
    at /home/bzbarsky/mozilla/xlib/mozilla/docshell/base/nsWebShell.cpp:747

(gdb) frame 0
#0  0x4008ba20 in nsQueryInterface::operator()(nsID const&, void**) const (
    this=0xbfffdc3c, aIID=@0x40b298d4, answer=0xbfffdc34) at nsCOMPtr.cpp:47
47                                      status = mRawPtr->QueryInterface(aIID,
answer);
(gdb) whats mRawPtr
0x6e006c:       Cannot access memory at address 0x6e006c
(gdb) p *mRawPtr
$4 = {_vptr.nsISupports = 0x6e006c}

It looks like in nsEventListenerManager::HandleEventSubType the |jslistener|'s
mTarget is a dead object...

I couldn't reproduce this with HTML, but could this be a bug in the XML sink's
actions on error?  Or is this definitely an svg thing?
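An added illustration of the dead-object pattern described above (not code from the page or from Mozilla, and not the bug 252631 fix): a hypothetical listener record whose raw mTarget outlives the document, beside a weak-reference variant that checks liveness before the QueryInterface call. All names are made up for the example.

```cpp
#include <cassert>
#include <memory>

// Added illustration (hypothetical names; not Mozilla code and not the
// bug 252631 fix). Target stands in for the DOM node an onload listener is
// registered on; its virtual method mimics nsISupports::QueryInterface.
struct Target {
    virtual bool QueryInterface() { return true; }
    virtual ~Target() = default;
};

// Unsafe shape: a raw pointer that nothing keeps alive. If the document is
// torn down (the XML sink bailing out on malformed markup) before the
// onload handler is compiled, this points at freed memory and the virtual
// call goes through a garbage vptr, as in the gdb session above.
struct RawListenerStruct {
    Target* mTarget = nullptr;
};

// Safer shape: a weak reference that can be checked before use.
struct WeakListenerStruct {
    std::weak_ptr<Target> mTarget;
};

// Returns true if the handler was compiled, false if the target is gone.
bool CompileEventHandler(const WeakListenerStruct& ls) {
    std::shared_ptr<Target> target = ls.mTarget.lock();
    if (!target) {
        return false;  // target already destroyed: skip, don't dereference
    }
    return target->QueryInterface();
}

// Simulates the reported sequence: listener registered, document torn down
// by the parser error path, load-complete event still delivered.
bool SimulateMalformedLoad() {
    RawListenerStruct raw;
    WeakListenerStruct ls;
    {
        auto svgRoot = std::make_shared<Target>();
        raw.mTarget = svgRoot.get();
        ls.mTarget = svgRoot;
        assert(CompileEventHandler(ls));  // live target: compiles fine
    }  // svgRoot released here, as when the malformed document is dropped
    assert(raw.mTarget != nullptr);  // nothing about the raw pointer says it is dead
    return CompileEventHandler(ls);  // false instead of a crash
}
```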
*** Bug 272025 has been marked as a duplicate of this bug. ***

Comment 2

14 years ago
Boris,

I don't understand how 272025 is a dupe of this bug; that bug relates to not
closing an element <switch>....<switch>  ie a typo

It's not clear to me what 269881 relates to, the onload value possibly?
jonathan, this bug is about a crash when there is an onload on an <svg> and the
XML is malformed (eg tags are not closed).  That's exactly the situation in bug
269881, and that bug crashes at the same exact place as this one.

Comment 4

14 years ago
The patch on bug 252631 prevents the crash.

Comment 5

14 years ago
Boris,

thanks for the update ~:"

Updated

14 years ago
Keywords: crash
Looks like this was fixed by the checkin for bug 252631
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED