Closed Bug 269881 Opened 20 years ago Closed 20 years ago

Crash with malformed SVG if it has an onload

Categories

(Core :: SVG, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: bzbarsky, Unassigned)

References

()

Details

(Keywords: crash)

Minimal testcase is in the URL field... #0 0x4008ba20 in nsQueryInterface::operator()(nsID const&, void**) const ( this=0xbfffdc3c, aIID=@0x40b298d4, answer=0xbfffdc34) at nsCOMPtr.cpp:47 #1 0x4008bbac in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ( this=0xbfffdd50, qi={mRawPtr = 0x87ced18}, iid=@0x40b298d4) at nsCOMPtr.cpp:96 #2 0x40b14909 in nsCOMPtr<nsISupports>::operator=(nsQueryInterface) (this=0xbfffdd50, rhs={mRawPtr = 0x87ced18}) at nsCOMPtr.h:880 #3 0x40b0cfba in XPCWrappedNative::GetNewOrUsed(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) (ccx=@0xbfffde20, Object=0x87ced18, Scope=0x86ce1e8, Interface=0x80e8c08, resultWrapper=0xbfffddbc) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:229 #4 0x40aed12a in XPCConvert::NativeInterface2JSObject(XPCCallContext&, nsIXPConnectJSObjectHolder**, nsISupports*, nsID const*, JSObject*, unsigned*) (ccx=@0xbfffde20, dest=0xbfffe080, src=0x87ced18, iid=0x4188e8e8, scope=0x8687aa0, pErr=0xbfffde1c) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/xpcconvert.cpp:1056 #5 0x40ad1e6f in nsXPConnect::WrapNative(JSContext*, JSObject*, nsISupports*, nsID const&, nsIXPConnectJSObjectHolder**) (this=0x80e2d08, aJSContext=0x86cdf20, aScope=0x8687aa0, aCOMObj=0x87ced18, aIID=@0x4188e8e8, _retval=0xbfffe080) at /home/bzbarsky/mozilla/xlib/mozilla/js/src/xpconnect/src/nsXPConnect.cpp:568 #6 0x41516f48 in nsEventListenerManager::CompileEventHandlerInternal(nsIScriptContext*, nsISupports*, nsIAtom*, nsListenerStruct*, nsIDOMEventTarget*, unsigned) (this=0x87d1088, aContext=0x86cd640, aObject=0x87ced18, aName=0x815d098, aListenerStruct=0x87d10f0, aCurrentTarget=0x86cd584, aSubType=1) at /home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1379 #7 0x415176eb in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned, unsigned) (this=0x87d1088, aListenerStruct=0x87d10f0, aDOMEvent=0x87cede8, aCurrentTarget=0x86cd584, aSubType=1, aPhaseFlags=7) at /home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1495 #8 0x41517b3e in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned, nsEventStatus*) (this=0x87d1088, aPresContext=0x87c79a0, aEvent=0xbfffe460, aDOMEvent=0xbfffe3b4, aCurrentTarget=0x86cd584, aFlags=7, aEventStatus=0xbfffe49c) at /home/bzbarsky/mozilla/xlib/mozilla/content/events/src/nsEventListenerManager.cpp:1602 #9 0x416f0ba4 in GlobalWindowImpl::HandleDOMEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, unsigned, nsEventStatus*) (this=0x86cd558, aPresContext=0x87c79a0, aEvent=0xbfffe460, aDOMEvent=0xbfffe3b4, aFlags=7, aEventStatus=0xbfffe49c) at /home/bzbarsky/mozilla/xlib/mozilla/dom/src/base/nsGlobalWindow.cpp:906 #10 0x4146afd4 in DocumentViewerImpl::LoadComplete(unsigned) (this=0x8602100, aStatus=0) at /home/bzbarsky/mozilla/xlib/mozilla/content/base/src/nsDocumentViewer.cpp:889 #11 0x41ecba45 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) ( this=0x86cd1f0, aProgress=0x86e1914, aChannel=0x8368e68, aStatus=0) at /home/bzbarsky/mozilla/xlib/mozilla/docshell/base/nsDocShell.cpp:4310 #12 0x41ef266d in nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) ( this=0x86cd1f0, aProgress=0x86e1914, channel=0x8368e68, aStatus=0) at /home/bzbarsky/mozilla/xlib/mozilla/docshell/base/nsWebShell.cpp:747 (gdb) frame 0 #0 0x4008ba20 in nsQueryInterface::operator()(nsID const&, void**) const ( this=0xbfffdc3c, aIID=@0x40b298d4, answer=0xbfffdc34) at nsCOMPtr.cpp:47 47 status = mRawPtr->QueryInterface(aIID, answer); (gdb) whats mRawPtr 0x6e006c: Cannot access memory at address 0x6e006c (gdb) p *mRawPtr $4 = {_vptr.nsISupports = 0x6e006c} It looks like in nsEventListenerManager::HandleEventSubType the |jslistener|'s mTarget is a dead object... I couldn't reproduce this with HTML, but could this be a bug in the XML sink's actions on error? Or is this definitely an svg thing?
*** Bug 272025 has been marked as a duplicate of this bug. ***
Boris, I dont understand how 272025 is a dupe of this bug, that bug relates to not closing an element <switch>....<switch> ie a typo It's not clear to me, what 269881 relates to, the onload value possibly?
jonathan, this bug is about a crash when there is an onload on an <svg> and the XML is malformed (eg tags are not closed). That's exactly the situation in bug 269881, and that bug crashes at the same exact place as this one.
The patch on bug 252631 prevents the crash.
Depends on: 252631
Boris, thanks for the update ~:"
Keywords: crash
Looks like this was fixed by the checkin for bug 252631
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.