Closed Bug 420429 Opened 14 years ago Closed 14 years ago
Crash [@ ns
Content List::Populate With] with mutation event listener on window, cloned XML PI
Loading the testcase triggers a crash. It appears exploitable. The crash only happens if the mutation event listener is on |window|. If it's on |document|, there is no crash. The mutation event listener does not appear to be called, but it has to be installed in order to trigger the bug. Sometimes, this assertion shows up before the crash: ###!!! ASSERTION: tearoff not empty in dtor: '!(GetInterface()||GetNative()||GetJSObject())', file /Users/jruderman/trunk/mozilla/js/src/xpconnect/src/xpcinlines.h, line 662
The nsXMLProcessingInstruction constructor calls SetData(): http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp&rev=1.77&root=/cvsroot&mark=84#78 which calls SetTextInternal() with aNotify=PR_TRUE but since we do this from the constructor there is no strong ref yet so when the nsMutationEvent object is destroyed when we leave the scope here http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/base/src/nsGenericDOMDataNode.cpp&rev=3.250&root=/cvsroot&mark=486#440 'this' is deleted. The first stack shows the call to free(), the second the crash stack.
Assignee: nobody → mats.palmgren
Status: NEW → ASSIGNED
Don't notify when setting the value from within the ctor. (and mute a warning)
Alternative patch that still uses SetData() that notifies, but doing it in a separate step after we have NS_ADDREF'ed the object.
On the 1.8 branch I don't crash, I just get WARNING: waaah!, file c:/dev/ff2/mozilla/content/xul/document/src/nsXULPrototypeDocument.cpp, line 862
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
I sort of want to do both patch versions. I see no reason to notify as there can't be anything yet that listens to the notification. But it's in general a nice code cleanup to not have the "clonetext" argument. Though now isn't really the time for cleanups, so maybe we should just take the rev 1 patch for now and land the other once we've branched for FF3.
This patch is ready to be landed, right?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Summary: Crash [@ nsContentList::PopulateWith] with mutation event listener on window → Crash [@ nsContentList::PopulateWith] with mutation event listener on window, cloned XML PI
Patch rev.1 + crashtest landed: mozilla/content/base/src/nsCommentNode.cpp 3.89 mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 1.78 mozilla/content/xml/content/crashtest/420429.xul 1.1 mozilla/content/xml/content/crashtest/crashtests.list 1.1 mozilla/testing/crashtest/crashtests.list 1.32 Filed bug 421034 on the parameter cleanup. -> FIXED
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Attachment #306980 - Attachment is obsolete: true
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b5pre) Gecko/2008031704 Minefield/3.0b5pre as well as the Win XP nighty. No crash using the testcase.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsContentList::PopulateWith]
You need to log in before you can comment on or make changes to this bug.