Closed Bug 336994 Opened 19 years ago Closed 18 years ago

Crash when window gets destroyed on SVGZoom event

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(4 files)

testcase, crashes on load
1011 bytes, text/html
Details
Backtrace from debug build
5.18 KB, text/plain
Details
testcase2
1014 bytes, text/html
Details
proposed patch
1.23 KB, patch
tor
: review+
tor
: superreview+
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
See upcoming testcase, which crashes Mozilla on load. Also crashes in Firefox1.5.0.3. Marking security sensitive, just to be sure. Talkback ID: TB18394613W 0x00000000 nsSVGSVGElement::DidModifySVGObservable nsSVGValue::NotifyObservers nsSVGValue::DidModify XPTC_InvokeByIndex XPCWrappedNative::CallMethod
The iframe with the svg has this code: <script xmlns="http://www.w3.org/1999/xhtml"> window.addEventListener('SVGZoom', doe, true); function doe(e) { var x= parent.document.getElementsByTagName('iframe')[0]; x.parentNode.removeChild(x); } setTimeout(doe2, 1000); function doe2() { document.documentElement.currentScale = 2; } </script> </svg>
Attached file testcase2
Same crash seems to happen with SVGScroll event.
I don't think so. If it's just something that's hidden because of when the cycle collector happens to run or not run, that's not really good enough. In my opinion, of course. In any case, the fix for this bug is obvious. DO NOT hold a weak ref to an object you're dispatching an event on. Just don't do it. So fix nsSVGSVGElement::DidModifySVGObservable to hold a strong ref to the presshell. ;) And then probably audit the rest of the code that calls that method.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
Attached patch proposed patchSplinter Review
Keep strong ref to presShell. Went quickly through the code and this really should be enough. The patch applies to branch and trunk.
Attachment #256027 - Flags: superreview?(tor)
Attachment #256027 - Flags: review?(tor)
Assignee: general → Olli.Pettay
Attachment #256027 - Flags: superreview?(tor)
Attachment #256027 - Flags: superreview+
Attachment #256027 - Flags: review?(tor)
Attachment #256027 - Flags: review+
Checked in
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Attachment #256027 - Flags: approval1.8.1.3?
Flags: blocking1.9?
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Comment on attachment 256027 [details] [diff] [review] proposed patch Is this patch appropriate for 1.8.0 as well? Firefox 1.5.0.x is also affected by this bug.
Attachment #256027 - Flags: approval1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 256027 [details] [diff] [review] proposed patch approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #256027 - Flags: approval1.8.1.4?
Attachment #256027 - Flags: approval1.8.1.4+
Attachment #256027 - Flags: approval1.8.0.12?
Attachment #256027 - Flags: approval1.8.0.12+
verified on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4pre) Gecko/2007050804 BonEcho/2.0.0.4pre. No crash for me, but i do still see the iframe in the page. Martijn attributes that to a test case error. Adding branch fixed keyword.
Keywords: fixed1.8.1.4verified1.8.1.4
Group: security
The crashtest seems like a no-op to me: it finishes after 500ms, but the subframe doesn't do its dirty work until 1s after its code runs... So the test is not exercising the code.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: