nsDOMEvent needs to Init split from constructor to handle OOM [@ nsDOMEvent::nsDOMEvent]

RESOLVED INCOMPLETE

Core
DOM: Events
--
critical
RESOLVED INCOMPLETE
13 years ago
2 years ago

People

(Reporter: Daniel de Wildt, Unassigned)

Tracking

({crash})

Trunk
x86
Windows XP
crash


Details

(Whiteboard: [ccbr][sg:dos], crash signature, URL)


Description

13 years ago
A new "nsEvent" is created but the result is not verified, which results in a
crash if out of memory.

Comment 1

Yep... This needs to be split up into a constructor and an Init() method which
can return an error...
Keywords: helpwanted
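The split the description and the comment above ask for, written out as an added example that is neither this bug's patch nor Gecko code: the constructor does only work that cannot fail, Init() owns the allocation and returns an error when it fails, and an NS_New-style factory surfaces that error to callers. nsDOMEventLike, FallibleNew, gAllocsBeforeFail and the nsresult/NS_* definitions are stand-ins chosen for this example.

```cpp
// Added example, not Gecko code; nsresult and the NS_* names are stand-ins for XPCOM's.
#include <cstdint>
#include <new>
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_OUT_OF_MEMORY = 0x8007000e;
#define NS_FAILED(rv) (((rv) & 0x80000000u) != 0)
// Constructed allocation hook standing in for real memory pressure: the caller sets
// how many allocations succeed before one returns nullptr (-1 means never fail).
static int gAllocsBeforeFail = -1;
template <typename T, typename... Args>
T* FallibleNew(Args... args) {
  if (gAllocsBeforeFail == 0) { gAllocsBeforeFail = -1; return nullptr; }
  if (gAllocsBeforeFail > 0) --gAllocsBeforeFail;
  return new (std::nothrow) T(args...);
}
struct nsEvent {  // minimal stand-in for the real nsEvent
  nsEvent(bool aTrusted, uint32_t aMsg) : isTrusted(aTrusted), message(aMsg), time(0) {}
  bool isTrusted; uint32_t message; int64_t time;
};
// The constructor only does what cannot fail; the allocation the original constructor
// did unchecked (new nsEvent, then mEvent->time = ...) moves into Init(), which returns
// an error instead of dereferencing a null pointer.
class nsDOMEventLike {
 public:
  nsDOMEventLike() : mEvent(nullptr), mEventIsInternal(false) {}
  ~nsDOMEventLike() { if (mEventIsInternal) delete mEvent; }
  nsresult Init(nsEvent* aEvent) {
    if (aEvent) { mEvent = aEvent; return NS_OK; }   // caller-owned event: nothing to allocate
    mEvent = FallibleNew<nsEvent>(false, 0u);
    if (!mEvent) return NS_ERROR_OUT_OF_MEMORY;       // the check the constructor lacked
    mEventIsInternal = true;
    mEvent->time = 1234;  // safe: mEvent is known non-null here
    return NS_OK;
  }
  nsEvent* Event() const { return mEvent; }
 private:
  nsEvent* mEvent; bool mEventIsInternal;
};
// NS_New*-style factory: the one way callers obtain an instance, so an Init()
// failure reaches them as an nsresult to check rather than as a crash.
nsresult NS_NewDOMEventLike(nsDOMEventLike** aResult, nsEvent* aEvent) {
  *aResult = nullptr;
  nsDOMEventLike* ev = FallibleNew<nsDOMEventLike>();
  if (!ev) return NS_ERROR_OUT_OF_MEMORY;
  nsresult rv = ev->Init(aEvent);
  if (NS_FAILED(rv)) { delete ev; return rv; }
  *aResult = ev;
  return NS_OK;
}
```

Arming gAllocsBeforeFail to 1 makes the object allocation succeed and the nsEvent allocation fail, which is exactly the path that crashed in the original constructor; here it comes back as NS_ERROR_OUT_OF_MEMORY with the out-param left null and nothing leaked.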

Comment 2

Is bug 303561 a dupe of this one?

Comment 3

11 years ago
no.

fwiw, this isn't just potential. I actually hit it.

oom crash [@ nsDOMEvent::nsDOMEvent]

yes, it really is possible to crash in our code like this. i happen to be using vc8 which means my death is by throw, but it's ok, because had we gotten the null we wanted, we'd have crashed anyway.

First:
    mEvent = new nsEvent(PR_FALSE, 0);
^ this is what failed.
this is where we'll crash:
    mEvent->time = PR_Now();

later:
gklayout!nsXMLHttpRequest::StreamReaderFunc
  xmlHttpRequest->ChangeState(XML_HTTP_REQUEST_INTERACTIVE);
^ doesn't check rv. i'm not sure how good or bad that is.
  if (NS_SUCCEEDED(rv)) {
    *writeCount = count;
I think that the object is now corrupt and can no longer behave correctly since it probably has a contract about event sequencing.

Is it ok to have nsXMLHttpRequest::ChangeState on the stack more than once?


kernel32!RaiseException+0x53
MSVCR80D!_CxxThrowException(void * pExceptionObject = 0x0012e29c, struct _s__ThrowInfo * pThrowInfo = 0x103037e4)+0x50 [f:\rtm\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 166]
MSVCR80D!operator new(unsigned int size = 0x28)+0x75 [f:\rtm\vctools\crt_bld\self_x86\crt\src\new.cpp @ 64]
gklayout!nsDOMEvent::nsDOMEvent(class nsPresContext * aPresContext = 0x00000000, class nsEvent * aEvent = 0x00000000)+0xb0 [c:\home\mozilla.org\mozilla\content\events\src\nsdomevent.cpp @ 117]
gklayout!NS_NewDOMEvent(class nsIDOMEvent ** aInstancePtrResult = 0x0012e394, class nsPresContext * aPresContext = 0x00000000, class nsEvent * aEvent = 0x00000000)+0x29 [c:\home\mozilla.org\mozilla\content\events\src\nsdomevent.cpp @ 1244]
gklayout!nsEventDispatcher::CreateEvent(class nsPresContext * aPresContext = 0x00000000, class nsEvent * aEvent = 0x00000000, class nsAString_internal * aEventType = 0x0012e34c, class nsIDOMEvent ** aDOMEvent = 0x0012e394)+0x332 [c:\home\mozilla.org\mozilla\content\events\src\nseventdispatcher.cpp @ 796]
gklayout!nsXMLHttpRequest::CreateEvent(class nsAString_internal * aType = 0x0012e380, class nsIDOMEvent ** aDOMEvent = 0x0012e394)+0x26 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 871]
gklayout!nsXMLHttpRequest::ChangeState(unsigned int aState = 8, int aBroadcast = 1, int aClearEventListeners = 0)+0xe5 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 1940]
gklayout!nsXMLHttpRequest::StreamReaderFunc(class nsIInputStream * in = 0x73cf7370, void * closure = 0x760c5758, char * fromRawSegment = 0x5620a314, unsigned int offset = 0xf000, unsigned int count = 0x1000, unsigned int * writeCount = 0x0012e424)+0x2f [c:\home\mozilla.org\mozilla\xpcom\io\nsinputstreamtee.cpp @ 102]
xpcom_core!nsPipeInputStream::ReadSegments(<function> * writer = 0x002ce080, void * closure = 0x5ccdf1f0, unsigned int count = 0x1000, unsigned int * readCount = 0x0012e474)+0x117 [c:\home\mozilla.org\mozilla\xpcom\io\nspipe3.cpp @ 762]
xpcom_core!nsInputStreamTee::ReadSegments(<function> * writer = 0x01726590, void * closure = 0x760c5758, unsigned int count = 0x10000, unsigned int * bytesRead = 0x0012e474)+0x78 [c:\home\mozilla.org\mozilla\xpcom\io\nsinputstreamtee.cpp @ 157]
gklayout!nsXMLHttpRequest::OnDataAvailable(class nsIRequest * request = 0x73c7f018, class nsISupports * ctxt = 0x00000000, class nsIInputStream * inStr = 0x5ccdf1f0, unsigned int sourceOffset = 0, unsigned int count = 0x10000)+0x86 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 1240]
necko!nsStreamListenerTee::OnDataAvailable(class nsIRequest * request = 0x73c7f018, class nsISupports * context = 0x00000000, class nsIInputStream * input = 0x73cf7370, unsigned int offset = 0, unsigned int count = 0x10000)+0x1f0 [c:\home\mozilla.org\mozilla\netwerk\base\src\nsstreamlistenertee.cpp @ 97]
necko!nsHttpChannel::OnDataAvailable(class nsIRequest * request = 0x73cf7590, class nsISupports * ctxt = 0x00000000, class nsIInputStream * input = 0x73cf7370, unsigned int offset = 0, unsigned int count = 0x10000)+0x259 [c:\home\mozilla.org\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp @ 4116]
necko!nsInputStreamPump::OnStateTransfer(void)+0x23d [c:\home\mozilla.org\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 503]
necko!nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream * stream = 0x73cf7370)+0x80 [c:\home\mozilla.org\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 393]
xpcom_core!nsInputStreamReadyEvent::Run(void)+0x4a [c:\home\mozilla.org\mozilla\xpcom\io\nsstreamutils.cpp @ 112]
xpcom_core!nsThread::ProcessNextEvent(int mayWait = 1, int * result = 0x0012e600)+0x1a0 [c:\home\mozilla.org\mozilla\xpcom\threads\nsthread.cpp @ 483]
xpcom_core!NS_ProcessNextEvent_P(class nsIThread * thread = 0x00b6ef00, int mayWait = 1)+0x56 [c:\home\mozilla.org\mozilla\dbg-firefox-i686-pc-mingw32\xpcom\build\nsthreadutils.cpp @ 225]
appshell!nsXULWindow::ShowModal(void)+0x133 [c:\home\mozilla.org\mozilla\xpfe\appshell\src\nsxulwindow.cpp @ 402]
appshell!nsContentTreeOwner::ShowAsModal(void)+0x1b [c:\home\mozilla.org\mozilla\xpfe\appshell\src\nscontenttreeowner.cpp @ 503]
embedcomponents!nsWindowWatcher::OpenWindowJSInternal(class nsIDOMWindow * aParent = 0x07de5028, char * aUrl = 0x013fe048 "chrome://global/content/commonDialog.xul", char * aName = 0x013fea88 "_blank", char * aFeatures = 0x013fea64 "centerscreen,chrome,modal,titlebar", int aDialog = 1, class nsIArray * argv = 0x73c39ee8, int aCalledFromJS = 0, class nsIDOMWindow ** _retval = 0x0012eb5c)+0x1b47 [c:\home\mozilla.org\mozilla\embedding\components\windowwatcher\src\nswindowwatcher.cpp @ 898]
embedcomponents!nsWindowWatcher::OpenWindow(class nsIDOMWindow * aParent = 0x07de5028, char * aUrl = 0x013fe048 "chrome://global/content/commonDialog.xul", char * aName = 0x013fea88 "_blank", char * aFeatures = 0x013fea64 "centerscreen,chrome,modal,titlebar", class nsISupports * aArguments = 0x73c39e80, class nsIDOMWindow ** _retval = 0x0012eb5c)+0x385 [c:\home\mozilla.org\mozilla\embedding\components\windowwatcher\src\nswindowwatcher.cpp @ 415]
embedcomponents!nsPromptService::DoDialog(class nsIDOMWindow * aParent = 0x07de5028, class nsIDialogParamBlock * aParamBlock = 0x73c39e80, char * aChromeURL = 0x013fe048 "chrome://global/content/commonDialog.xul")+0x14d [c:\home\mozilla.org\mozilla\embedding\components\windowwatcher\src\nspromptservice.cpp @ 688]
embedcomponents!nsPromptService::ConfirmEx(class nsIDOMWindow * parent = 0x07de5028, unsigned short * dialogTitle = 0x73c388c0, unsigned short * text = 0x73c38bb0, unsigned int buttonFlags = 0, unsigned short * button0Title = 0x5cbea398, unsigned short * button1Title = 0x18093ca0, unsigned short * button2Title = 0x00000000, unsigned short * checkMsg = 0x73c38928, int * checkValue = 0x0012ef54, int * buttonPressed = 0x0012ef00)+0x4c1 [c:\home\mozilla.org\mozilla\embedding\components\windowwatcher\src\nspromptservice.cpp @ 346]
embedcomponents!nsPrompt::ConfirmEx(unsigned short * dialogTitle = 0x73c388c0, unsigned short * text = 0x73c38bb0, unsigned int buttonFlags = 0x7f7f, unsigned short * button0Title = 0x5cbea398, unsigned short * button1Title = 0x18093ca0, unsigned short * button2Title = 0x00000000, unsigned short * checkMsg = 0x73c38928, int * checkValue = 0x0012ef54, int * buttonPressed = 0x0012ef00)+0x8f [c:\home\mozilla.org\mozilla\embedding\components\windowwatcher\src\nsprompt.cpp @ 352]
gklayout!nsJSContext::DOMBranchCallback(struct JSContext * cx = 0x07de5248, struct JSScript * script = 0x07aabf08)+0xb54 [c:\home\mozilla.org\mozilla\dom\src\base\nsjsenvironment.cpp @ 837]
js3250!js_Interpret(struct JSContext * cx = 0x07de5248, unsigned char * pc = 0x07aabf79 "???", long * result = 0x0012f5a4)+0x9db [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 2525]
js3250!js_Invoke(struct JSContext * cx = 0x07de5248, unsigned int argc = 1, unsigned int flags = 2)+0xbb2 [c:\home\mozilla.org\mozilla\js\src\jsinterp.c @ 1367]
xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x718e2a38, unsigned short methodIndex = 3, struct XPTMethodDescriptor * info = 0x0390dd08, struct nsXPTCMiniVariant * nativeParams = 0x0012f90c)+0xf7f [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjsclass.cpp @ 1419]
xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 3, struct XPTMethodDescriptor * info = 0x0390dd08, struct nsXPTCMiniVariant * params = 0x0012f90c)+0x41 [c:\home\mozilla.org\mozilla\js\src\xpconnect\src\xpcwrappedjs.cpp @ 531]
xpcom_core!PrepareAndDispatch(class nsXPTCStubBase * self = 0x3f824b38, unsigned int methodIndex = 3, unsigned int * args = 0x0012f9cc, unsigned int * stackBytesToPop = 0x0012f9bc)+0x323 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 114]
xpcom_core!SharedStub(void)+0x16 [c:\home\mozilla.org\mozilla\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 142]
gklayout!nsXMLHttpRequest::NotifyEventListeners(class nsCOMArray<nsIDOMEventListener> * aListeners = 0x3f824b38, class nsIDOMEvent * aEvent = 0x47811e38)+0xe7 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 939]
gklayout!nsXMLHttpRequest::NotifyEventListeners(class nsCOMArray<nsIDOMEventListener> * aListeners = 0x0012fa30, class nsIDOMEvent * aEvent = 0x47811e38)+0xe7 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 939]
gklayout!nsXMLHttpRequest::ChangeState(unsigned int aState = 0x10, int aBroadcast = 1, int aClearEventListeners = 1)+0x152 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 1944]
gklayout!nsXMLHttpRequest::RequestCompleted(void)+0x14d [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 1472]
gklayout!nsXMLHttpRequest::OnStopRequest(class nsIRequest * request = 0x719288a0, class nsISupports * ctxt = 0x00000000, unsigned int status = 0)+0x204 [c:\home\mozilla.org\mozilla\content\base\src\nsxmlhttprequest.cpp @ 1414]
necko!nsHTTPCompressConv::OnStopRequest(class nsIRequest * request = 0x719288a0, class nsISupports * aContext = 0x00000000, unsigned int aStatus = 0)+0x23 [c:\home\mozilla.org\mozilla\netwerk\streamconv\converters\nshttpcompressconv.cpp @ 125]
necko!nsStreamListenerTee::OnStopRequest(class nsIRequest * request = 0x719288a0, class nsISupports * context = 0x00000000, unsigned int status = 0)+0xa8 [c:\home\mozilla.org\mozilla\netwerk\base\src\nsstreamlistenertee.cpp @ 66]
necko!nsHttpChannel::OnStopRequest(class nsIRequest * request = 0x719990c8, class nsISupports * ctxt = 0x00000000, unsigned int status = 0)+0x34e [c:\home\mozilla.org\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp @ 4041]
necko!nsInputStreamPump::OnStateStop(void)+0xde [c:\home\mozilla.org\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 572]
necko!nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream * stream = 0x71998ea8)+0x90 [c:\home\mozilla.org\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 396]
xpcom_core!nsInputStreamReadyEvent::Run(void)+0x4a [c:\home\mozilla.org\mozilla\xpcom\io\nsstreamutils.cpp @ 112]
xpcom_core!nsThread::ProcessNextEvent(int mayWait = 1, int * result = 0x0012fbc4)+0x1a0 [c:\home\mozilla.org\mozilla\xpcom\threads\nsthread.cpp @ 483]
xpcom_core!NS_ProcessNextEvent_P(class nsIThread * thread = 0x00b6ef00, int mayWait = 1)+0x56 [c:\home\mozilla.org\mozilla\dbg-firefox-i686-pc-mingw32\xpcom\build\nsthreadutils.cpp @ 225]
gkwidget!nsBaseAppShell::Run(void)+0x5d [c:\home\mozilla.org\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 153]
tkitcmps!nsAppStartup::Run(void)+0x6b [c:\home\mozilla.org\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 171]
xul!XRE_main(int argc = 3, char ** argv = 0x00b6b9c8, struct nsXREAppData * aAppData = 0x004036b4)+0x1da2 [c:\home\mozilla.org\mozilla\toolkit\xre\nsapprunner.cpp @ 2513]
firefox!main(int argc = 3, char ** argv = 0x00b6b9c8)+0x16 [c:\home\mozilla.org\mozilla\browser\app\nsbrowserapp.cpp @ 61]
firefox!__tmainCRTStartup(void)+0x1a6 [f:\rtm\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
firefox!mainCRTStartup(void)+0xd [f:\rtm\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 403]
kernel32!BaseProcessStart+0x23
Severity: normal → critical

Comment 4

11 years ago
for people keeping score, i got 2 ooms from js before gecko bit the dust:

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "[JavaScript Error: "out of memory" {file: "https://mail.google.com/mail/?view=page&name=m_base&ver=taiczj9cma4a" line: 9}]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: https://mail.google.com/mail/?view=page&name=m_base&ver=taiczj9cma4a :: Gv :: line 9"  data: yes]
************************************************************
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "[JavaScript Error: "out of memory" {file: "https://mail.google.com/mail/?view=page&name=m_base&ver=taiczj9cma4a" line: 30}]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: https://mail.google.com/mail/?view=page&name=m_base&ver=taiczj9cma4a :: AF :: line 30" data: yes]
************************************************************
Assignee: events → nobody
QA Contact: ian → events
Summary: OOM check is missing [@nsDOMEvent::nsDOMEvent] → nsDOMEvent needs to Init split from constructor to handle OOM [@ nsDOMEvent::nsDOMEvent]
Whiteboard: [ccbr]
Keywords: testcase-wanted
Whiteboard: [ccbr] → [ccbr][sg:dos]
Updated 6 years ago
Crash Signature: [@ nsDOMEvent::nsDOMEvent]
Said code no longer exists.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Keywords: helpwanted, testcase-wanted
Resolution: --- → INCOMPLETE