Closed
Bug 339494
Opened 19 years ago
Closed 18 years ago
[FIX]Out of bounds and crash removing an attribute during a mutation event for its removal [@ nsAttrAndChildArray::RemoveAttrAt] [@ nsAttrName::ReleaseInternalName]
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: bzbarsky)
Details
(4 keywords, Whiteboard: [sg:critical?])
Crash Data
Attachments
(4 files, 1 obsolete file)
|
579 bytes,
application/xhtml+xml
|
Details | |
|
7.56 KB,
text/plain
|
Details | |
|
10.06 KB,
patch
|
Details | Diff | Splinter Review | |
|
10.47 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
dveditz
:
approval1.8.0.9+
dveditz
:
approval1.8.1.1+
|
Details | Diff | Splinter Review |
Loading the testcase causes a crash in (trunk) nightlies and debug builds.
The testcase is similar to the one for bug 338391, but attributes take the place of nodes.
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Updated•19 years ago
|
Group: security
|
|
Reporter | |
Comment 2•19 years ago
|
||
|
|
Reporter | |
Comment 3•19 years ago
|
||
Nomintating because this crash gets in the way of my testing.
Flags: blocking1.9a1?
|
Assignee | |
Comment 4•18 years ago
|
||
We could just unconditionally reget the attr index in the case when we fire a mutation event. I don't think it's worth adding this to the mutation guard....
|
|
Assignee | |
Comment 5•18 years ago
|
||
Though actually... per DOM spec we should be firing the event _after_ the attribute has changed. Why aren't we?
|
|
Assignee | |
Comment 6•18 years ago
|
||
We should be able to test that the attr has actually been unset by the time the mutation event fires....
Flags: in-testsuite?
|
|
Assignee | |
Comment 7•18 years ago
|
||
Attachment #244546 -
Flags: superreview?(bugmail)
Attachment #244546 -
Flags: review?(bugmail)
|
|
Assignee | |
Updated•18 years ago
|
Assignee: general → bzbarsky
OS: Mac OS X 10.4 → All
Priority: -- → P1
Hardware: Macintosh → All
Summary: Out of bounds and crash removing an attribute during a mutation event for its removal [@ nsAttrAndChildArray::RemoveAttrAt] [@ nsAttrName::ReleaseInternalName] → [FIX]Out of bounds and crash removing an attribute during a mutation event for its removal [@ nsAttrAndChildArray::RemoveAttrAt] [@ nsAttrName::ReleaseInternalName]
Target Milestone: --- → mozilla1.9alpha
|
||
Comment 8•18 years ago
|
||
(In reply to comment #6)
> We should be able to test that the attr has actually been unset by the time the
> mutation event fires....
Yes. The fixer of this bug should be able to write that test.
The examples in testing/mochitest/README.txt show exactly how to write such a test.
|
|
Assignee | |
Comment 9•18 years ago
|
||
I'll be happy to try to set the test up when I have the time to sort out how to run mochitest... That's not going to be for at least a week, though.
Having to do mozilla work in 20-30 minute chunks _really_ sucks.
Comment on attachment 244546 [details] [diff] [review]
Fixes bug, as expected
>Index: content/base/src/nsAttrAndChildArray.cpp
>+nsAttrAndChildArray::RemoveAttrAt(PRUint32 aPos, nsAttrValue& aValue)
> {
> NS_ASSERTION(aPos < AttrCount(), "out-of-bounds");
>+ NS_ASSERTION(aValue.IsEmptyString(), "Bogus aValue");
This seems like an unnecessary requirement, if there's a non-empty value there it'll simply be destroyed which I think would be expected behavior.
...
> aPos -= mapped;
>+ ATTRS(mImpl)[aPos].mValue.SwapValueWith(aValue);
> ATTRS(mImpl)[aPos].~InternalAttr();
I.e. this dtor will simply kill any old value.
>Index: content/xul/content/src/nsXULElement.cpp
>- rv = mAttrsAndChildren.RemoveAttrAt(index);
>- NS_ENSURE_SUCCESS(rv, rv);
>+ {
>+ nsAttrValue ignored;
>+ rv = mAttrsAndChildren.RemoveAttrAt(index, ignored);
>+ NS_ENSURE_SUCCESS(rv, rv);
>+ }
Nit: Why bother with the {}? I don't see a reason we're in a hurry to kill the value.
with that, r/sr=sicking
Attachment #244546 -
Flags: superreview?(bugmail)
Attachment #244546 -
Flags: superreview+
Attachment #244546 -
Flags: review?(bugmail)
Attachment #244546 -
Flags: review+
|
|
Assignee | |
Comment 11•18 years ago
|
||
> This seems like an unnecessary requirement,
Yeah... At some point I removed the dtor there, then realized that it's needed to destroy the nsAttrName anyway.
> I don't see a reason we're in a hurry to kill the value.
Just trying to not have it leak all over the function, since it's really not needed there... I guess I can remove the {}.
> > I don't see a reason we're in a hurry to kill the value.
>
> Just trying to not have it leak all over the function, since it's really not
> needed there... I guess I can remove the {}.
I'm fine either way, but IMHO it's more readable without the {} (especially if we were to do it more often)
|
|
Assignee | |
Comment 13•18 years ago
|
||
Attachment #244546 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 14•18 years ago
|
||
Is this not a problem on branch?
|
|
Assignee | |
Comment 15•18 years ago
|
||
This is in fact a problem on branch. This is basically the same patch, merged to the different indentation, different condition for firing mutation events, and different event dispatch methods that we have on branch...
Attachment #245306 -
Flags: superreview?(bugmail)
Attachment #245306 -
Flags: review?(bugmail)
Attachment #245306 -
Flags: approval1.8.1.1?
Attachment #245306 -
Flags: approval1.8.0.9?
|
|
Assignee | |
Comment 16•18 years ago
|
||
Fixed on trunk, and added tests to mochitest.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: in-testsuite?
Flags: in-testsuite+
Flags: blocking1.9a1?
Resolution: --- → FIXED
Attachment #245306 -
Flags: superreview?(bugmail)
Attachment #245306 -
Flags: superreview+
Attachment #245306 -
Flags: review?(bugmail)
Attachment #245306 -
Flags: review+
|
||
Comment 17•18 years ago
|
||
Please nominate patched security bugs as release blockers, we look at approval requests for blockers long before we get to the approval requests for non-blockers that are usually less important.
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9+
Whiteboard: [sg:critical?]
|
|
||
Comment 18•18 years ago
|
||
Comment on attachment 245306 [details] [diff] [review]
Branch version
approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #245306 -
Flags: approval1.8.1.1?
Attachment #245306 -
Flags: approval1.8.1.1+
Attachment #245306 -
Flags: approval1.8.0.9?
Attachment #245306 -
Flags: approval1.8.0.9+
|
||
Comment 20•18 years ago
|
||
using testcase verified that crash existed in 1.8.0.8 release build, confirmed that testcase did not crash current nightly builds for either 1.8.0.9 or 1.8.1.1.
verified 1.8.0.9
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.9pre) Gecko/20061130 Firefox/1.5.0.9pre
verified 1.8.1.1
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.1pre) Gecko/2006113003 BonEcho/2.0.0.1pre
|
|
||
Updated•18 years ago
|
Group: security
|
||
Updated•14 years ago
|
Crash Signature: [@ nsAttrAndChildArray::RemoveAttrAt]
[@ nsAttrName::ReleaseInternalName]
|
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•