Closed Bug 386018 Opened 18 years ago Closed 17 years ago

ReadAV with appendChild, decreasefontsize (memory corruption)

Categories

(Core :: DOM: Editor, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED WORKSFORME

People

(Reporter: pvnick, Unassigned)

References

Details

(Whiteboard: [sg:dupe 382778] fuzz-based testcase)

Attachments

(1 file)

Attached file testcase
EIP becomes corrupted -> critical

> 00000236()
firefox.exe!0079e3e1()
[Frames below may be incorrect and/or missing, no symbols loaded for firefox.exe]
firefox.exe!0079c37f()
firefox.exe!0080e514()
firefox.exe!00787d6b()
firefox.exe!00787fad()

For some reason, this bug also only crashes on my Windows machine, which leads me to believe that it might be similar to bugs 385715 and 382778, in which case it might be fixed by Peter's patch for bug 382778. Would someone who runs a Mac (I need to get me one of those) enlighten me as to the stack trace with symbols? Yes, I know FF can debug properly on Windows - I'm working on that :-/
Attachment #269991 - Attachment mime type: text/plain → text/html
Doesn't crash in Linux/trunk.
Crashes in nsEditor::InsertNode, so quite possibly.

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x5590c3d1

Thread 0 Crashed:
0 libgklayout.dylib 0x1935b999 nsEditor::InsertNode(nsIDOMNode*, nsIDOMNode*, int) + 247 (nsEditor.cpp:1435)
1 libgklayout.dylib 0x19362fdd nsEditor::InsertContainerAbove(nsIDOMNode*, nsCOMPtr<nsIDOMNode>*, nsAString_internal const&, nsAString_internal const*, nsAString_internal const*) + 649 (nsEditor.cpp:1713)
2 libgklayout.dylib 0x194c9dfe nsHTMLEditor::RelativeFontChangeOnNode(int, nsIDOMNode*) + 902 (nsHTMLEditorStyle.cpp:1813)
3 libgklayout.dylib 0x194c9f7b nsHTMLEditor::RelativeFontChangeOnNode(int, nsIDOMNode*) + 1283 (nsHTMLEditorStyle.cpp:1834)
4 libgklayout.dylib 0x194c9f7b nsHTMLEditor::RelativeFontChangeOnNode(int, nsIDOMNode*) + 1283 (nsHTMLEditorStyle.cpp:1834)
5 libgklayout.dylib 0x194c9f7b nsHTMLEditor::RelativeFontChangeOnNode(int, nsIDOMNode*) + 1283 (nsHTMLEditorStyle.cpp:1834)
6 libgklayout.dylib 0x194c9f7b nsHTMLEditor::RelativeFontChangeOnNode(int, nsIDOMNode*) + 1283 (nsHTMLEditorStyle.cpp:1834)
7 libgklayout.dylib 0x194caa91 nsHTMLEditor::RelativeFontChange(int) + 2697 (nsHTMLEditorStyle.cpp:1590)
8 libgklayout.dylib 0x194caf1d nsHTMLEditor::DecreaseFontSize() + 25 (nsHTMLEditorStyle.cpp:1456)
9 libcomposer.dylib 0x3c9eef29 nsDecreaseFontSizeCommand::DoCommand(char const*, nsISupports*) + 91 (nsComposerCommands.cpp:1408)
10 libembedcomponents.dylib 0x180e835c nsControllerCommandTable::DoCommand(char const*, nsISupports*) + 212 (nsControllerCommandTable.cpp:191)
11 libembedcomponents.dylib 0x180e38c7 nsBaseCommandController::DoCommand(char const*) + 317 (nsBaseCommandController.cpp:169)
12 libembedcomponents.dylib 0x180e6507 nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) + 279 (nsCommandManager.cpp:272)
13 libgklayout.dylib 0x192180ac nsHTMLDocument::ExecCommand(nsAString_internal const&, int, nsAString_internal const&, int*) + 756 (nsHTMLDocument.cpp:4111)
14 libxpcom_core.dylib 0x0136c762 NS_InvokeByIndex_P + 98 (xptcinvoke_unixish_x86.cpp:179)
15 libxpconnect.dylib 0x12a43ce6 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) + 5178 (xpcwrappednative.cpp:2240)
16 libxpconnect.dylib 0x12a4b7b8 XPC_WN_CallMethod(JSContext*, JSObject*, unsigned, long*, long*) + 398 (xpcwrappednativejsops.cpp:1467)
17 libmozjs.dylib 0x0105eb2b js_Invoke + 2768 (jsinterp.c:1306)
18 libmozjs.dylib 0x0106ff61 js_Interpret + 64306 (jsinterp.c:3992)
19 libmozjs.dylib 0x0105f527 js_Execute + 885 (jsinterp.c:1567)
20 libmozjs.dylib 0x0101db2e JS_EvaluateUCScriptForPrincipals + 158 (jsapi.c:4792)
21 libgklayout.dylib 0x192dfe66 nsJSContext::EvaluateString(nsAString_internal const&, void*, nsIPrincipal*, char const*, unsigned, unsigned, nsAString_internal*, int*) + 1052 (nsJSEnvironment.cpp:1381)
22 libgklayout.dylib 0x19309855 nsGlobalWindow::RunTimeout(nsTimeout*) + 1415 (nsGlobalWindow.cpp:6838)
23 libgklayout.dylib 0x19309ef2 nsGlobalWindow::TimerCallback(nsITimer*, void*) + 54 (nsGlobalWindow.cpp:7191)
24 libxpcom_core.dylib 0x0135f3da nsTimerImpl::Fire() + 892 (nsTimerImpl.cpp:384)
25 libxpcom_core.dylib 0x0135f587 nsTimerEvent::Run() + 191 (nsTimerImpl.cpp:458)
26 libxpcom_core.dylib 0x0135b63e nsThread::ProcessNextEvent(int, int*) + 556 (nsThread.cpp:483)
Paul, does this still crash on trunk now that bug 382778 is fixed? How about branch (2.0.0.6 or branch nightlies)?
This appears to be fixed on trunk and on a current 2.0.0.11 build.
Status: NEW → RESOLVED
Closed: 17 years ago
Depends on: 382778
Resolution: --- → WORKSFORME
Whiteboard: [sg:dupe 382778] fuzz-based testcase
Group: core-security → core-security-release
Group: core-security-release