Closed
Bug 394337
Opened 17 years ago
Closed 17 years ago
Crash [@gklayout!nsBindingManager::GetNestedInsertionPoint]
Categories
(Core :: XBL, defect)
VERIFIED
FIXED
People
(Reporter: pvnick, Unassigned)
References
Details
(Keywords: crash, regression, verified1.8.1.12, Whiteboard: [sg:dupe 396613] null-deref)
Attachments
(1 file)
1.54 KB,
text/html
Firefox version: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6

Details:
eax=0012c8b8 ebx=7ffd6000 ecx=00000000 edx=00000000 esi=00000000 edi=00011970
eip=01c8e535 esp=0012c85c ebp=0012c870 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
*** WARNING: Unable to verify checksum for C:\mozilla\mozilla\firefox-debug\dist\bin\components\gklayout.dll
gklayout!nsBindingManager::GetNestedInsertionPoint+0x15:
01c8e535 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=????????

Disassembly:
gklayout!nsBindingManager::GetNestedInsertionPoint+0x15:
01c8e535 8b11 mov edx,dword ptr [ecx]
01c8e537 8b4d0c mov ecx,dword ptr [ebp+0Ch]
01c8e53a ff9298000000 call dword ptr [edx+98h]
01c8e540 3b4508 cmp eax,dword ptr [ebp+8]
01c8e543 7507 jne gklayout!nsBindingManager::GetNestedInsertionPoint+0x2c (01c8e54c)
01c8e545 33c0 xor eax,eax
01c8e547 e991000000 jmp gklayout!nsBindingManager::GetNestedInsertionPoint+0xbd (01c8e5dd)
01c8e54c 8d45f8 lea eax,[ebp-8]

Stack trace:
gklayout!nsBindingManager::GetNestedInsertionPoint(class nsIContent * aParent = 0x024323c0, class nsIContent * aChild = 0x00000000, class nsIContent ** aResult = 0x0012c8b8)
gklayout!nsBindingManager::ContentAppended(class nsIDocument * aDocument = 0x034e88e8, class nsIContent * aContainer = 0x024323c0, int aNewIndexInContainer = 8)
gklayout!nsDocument::ContentAppended(class nsIContent * aContainer = 0x024323c0, int aNewIndexInContainer = 8)
gklayout!nsHTMLDocument::ContentAppended(class nsIContent * aContainer = 0x024323c0, int aNewIndexInContainer = 8)
gklayout!doInsertChildAt(class nsIContent * aKid = 0x039dacd0, unsigned int aIndex = 8, int aNotify = 1, class nsIContent * aParent = 0x024323c0, class nsIDocument * aDocument = 0x034e88e8, class nsAttrAndChildArray * aChildArray = 0x024323d8)
gklayout!nsGenericElement::InsertChildAt(class nsIContent * aKid = 0x039dacd0, unsigned int aIndex = 8, int aNotify = 1)
gklayout!nsContentOrDocument::InsertChildAt(class nsIContent * aKid = 0x039dacd0, unsigned int aIndex = 8, int aNotify = 1, class nsAttrAndChildArray * aChildArray = 0x024323d8)
gklayout!nsGenericElement::doReplaceOrInsertBefore(int aReplace = 0, class nsIDOMNode * aNewChild = 0x039dacec, class nsIDOMNode * aRefChild = 0x00000000, class nsIContent * aParent = 0x024323c0, class nsIDocument * aDocument = 0x034e88e8, class nsAttrAndChildArray * aChildArray = 0x024323d8, class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsGenericElement::InsertBefore(class nsIDOMNode * aNewChild = 0x039dacec, class nsIDOMNode * aRefChild = 0x00000000, class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsHTMLHeadElement::InsertBefore(class nsIDOMNode * aNewChild = 0x039dacec, class nsIDOMNode * aRefChild = 0x00000000, class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsGenericElement::AppendChild(class nsIDOMNode * aNewChild = 0x039dacec, class nsIDOMNode ** aReturn = 0x0012cd1c)
gklayout!nsHTMLHeadElement::AppendChild(class nsIDOMNode * aNewChild = 0x039dacec, class nsIDOMNode ** aReturn = 0x0012cd1c)
xpcom_core!XPTC_InvokeByIndex(class nsISupports * that = 0x024323dc, unsigned int methodIndex = 0x12, unsigned int paramCount = 2, struct nsXPTCVariant * params = 0x0012cd0c)
xpc3250!XPCWrappedNative::CallMethod(class XPCCallContext * ccx = 0x0012ce88, XPCWrappedNative::CallMode mode = CALL_METHOD (0))
xpc3250!XPC_WN_CallMethod(struct JSContext * cx = 0x032e6ce8, struct JSObject * obj = 0x02b50de8, unsigned int argc = 1, long * argv = 0x039bee74, long * vp = 0x0012cfe8)
js3250!js_Invoke(struct JSContext * cx = 0x032e6ce8, unsigned int argc = 1, unsigned int flags = 0)
js3250!js_Interpret(struct JSContext * cx = 0x032e6ce8, unsigned char * pc = 0x03585887 ":", long * result = 0x0012db34)
js3250!js_Invoke(struct JSContext * cx = 0x032e6ce8, unsigned int argc = 1, unsigned int flags = 2)
xpc3250!nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS * wrapper = 0x039e1598, unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x02421268, struct nsXPTCMiniVariant * nativeParams = 0x0012ded4)
xpc3250!nsXPCWrappedJS::CallMethod(unsigned short methodIndex = 3, class nsXPTMethodInfo * info = 0x02421268, struct nsXPTCMiniVariant * params = 0x0012ded4)
Comment 1•17 years ago
Fwiw, this seems to have regressed on branch between 2006-04-19 and 2006-04-22: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-04-19+04&maxdate=2006-04-22+07&cvsroot=%2Fcvsroot
Component: General → XBL
QA Contact: general → xbl
Comment 2•17 years ago
I see a (short) mention of this crash in bug 343951. Maybe bug 343730 has also something to do with this?
Updated•17 years ago
Keywords: regression
Comment 3•17 years ago
This is a consistent null-deref crash. We should be able to un-hide this one, right?
Keywords: crash
Whiteboard: [sg:nse] null-deref
Comment 4•17 years ago
I think I could probably make this crash in nastier ways... That said, the fix for bug 396613 might help here.
Depends on: 396613
Comment 5•17 years ago
I haven't analyzed this bug too much so I don't know if it's exploitable, but keep http://download.watchfire.com/whitepapers/Dangling-Pointer.pdf in mind
Comment 6•17 years ago
The patch in bug 396613 does fix this.
Comment 7•17 years ago
Fixed on branch by checkin for bug 396613.
Updated•17 years ago
Flags: in-testsuite?
Comment 8•17 years ago
Verified in branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. No crash with testcase, which crashes 2.0.0.11.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•17 years ago
Whiteboard: [sg:nse] null-deref → [sg:dupe 396613] null-deref
Updated•17 years ago
Group: security
Updated•13 years ago
Crash Signature: [@gklayout!nsBindingManager::GetNestedInsertionPoint]