Closed
Bug 434035
Opened 16 years ago
Closed 16 years ago
Crash [@ nsGlobalWindow::FindInternal] when doing find on a deleted window
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b3
People
(Reporter: martijn.martijn, Assigned: martijn.martijn)
References
Details
(4 keywords, Whiteboard: [sg:dos] null deref)
Crash Data
Attachments
(3 files, 2 obsolete files)
359 bytes,
text/html
|
Details | |
1.05 KB,
patch
|
samuel.sidler+old
:
approval1.9.0.12+
|
Details | Diff | Splinter Review |
1.41 KB,
patch
|
martijn.martijn
:
review+
|
Details | Diff | Splinter Review |
See testcase, which crashes trunk and branch builds after 300ms. http://crash-stats.mozilla.com/report/index/c897db66-232e-11dd-8adc-001cc45a2ce4?p=1 0 xul.dll nsGlobalWindow::FindInternal mozilla/dom/src/base/nsGlobalWindow.cpp:6305 1 xul.dll nsGlobalWindow::Find mozilla/dom/src/base/nsGlobalWindow.cpp:6285 2 xul.dll NS_InvokeByIndex_P mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 3 xul.dll XPCWrappedNative::CallMethod mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2388
Assignee | ||
Comment 1•16 years ago
|
||
This patch adds a null check for this bug and bug 434037.
Attachment #321270 -
Flags: review?(jst)
Comment 2•16 years ago
|
||
Comment on attachment 321270 [details] [diff] [review] patch - In nsGlobalWindow::ShowModalDialog(): + if (!mDocShell) + return NS_ERROR_FAILURE; You could do this earlier than this, i.e. right after setting *aRetVal to null, and use NS_ENSURE_TRUE here as you do in the find code. r+sr=jst
Attachment #321270 -
Flags: superreview+
Attachment #321270 -
Flags: review?(jst)
Attachment #321270 -
Flags: review+
Assignee | ||
Comment 3•16 years ago
|
||
With review comments addressed.
Attachment #321270 -
Attachment is obsolete: true
Attachment #321335 -
Flags: superreview+
Attachment #321335 -
Flags: review+
Assignee | ||
Comment 4•16 years ago
|
||
Comment on attachment 321335 [details] [diff] [review] patchv2 I have no idea what to do with the patch. Tinderbox says I need to land it in trunk/Hg (?).
Attachment #321335 -
Flags: approval1.9?
Assignee | ||
Updated•16 years ago
|
Whiteboard: [RC2?]
Updated•16 years ago
|
Flags: blocking1.9.0.1?
Whiteboard: [RC2?] → [RC2-]
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.1?
Flags: blocking1.9.0.1-
Assignee | ||
Updated•16 years ago
|
Assignee: nobody → martijn.martijn
Keywords: checkin-needed
Comment 5•16 years ago
|
||
this should have landed a while ago. It would have also fixed 434037. martijn, can you land this if it get approved?
Flags: blocking1.9.1?
Updated•16 years ago
|
Attachment #321335 -
Flags: approval1.9? → approval1.9.1+
Comment 6•16 years ago
|
||
This is not a 1.9.1 blocker, but it's a trivial null check so there's no reason not to take it. I approved the patch, please land asap. Also opening this bug up to the public as this is simply a null dereference crash, so not an exploitable crash.
Group: core-security
Comment 8•16 years ago
|
||
The patch in dupe (434037) has another null check in it that we might as well incorporate here when landing this.
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1-
Updated•16 years ago
|
Whiteboard: [RC2-] → [c-n: wait for comment 8, or not ?]
Comment 9•16 years ago
|
||
Unbitrotted patch that includes the other null-check from bug 434037.
Attachment #321335 -
Attachment is obsolete: true
Comment 10•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/032320654a33
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [c-n: wait for comment 8, or not ?]
Target Milestone: --- → mozilla1.9.2a1
Updated•16 years ago
|
Keywords: checkin-needed
Comment 11•16 years ago
|
||
Comment on attachment 352983 [details] [diff] [review] What I am landing [Checkin: Comment 10 & 11] http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b1c1991e4af0
Attachment #352983 -
Attachment description: What I am landing → What I am landing
[Checkin: Comment 10 & 11]
Updated•16 years ago
|
Keywords: checkin-needed → fixed1.9.1
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
Comment 12•16 years ago
|
||
verified fixed on the 1.9.1 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20081222 Shiretoko/3.1b3pre. Adding verified keyword.
Keywords: fixed1.9.1 → verified1.9.1
Comment 13•16 years ago
|
||
Verified fixed on the trunk using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081222 Minefield/3.2a1pre. No crash using testcase.
Status: RESOLVED → VERIFIED
Updated•15 years ago
|
Whiteboard: [sg:dos] null deref
Comment 15•15 years ago
|
||
Per bug 492980, this happens on Firefox 3.0.x as well. Is this something we should fix in a 1.9.0.x release?
Flags: blocking1.9.0.12?
Comment 16•15 years ago
|
||
It's a perfectly safe patch, so I wouldn't be worried about taking it, but it's also a non-exploitable crash, and a pretty rare one at that. So it's not strictly necessary for 1.9.0, but again, I'd be fine with taking it...
Updated•15 years ago
|
Flags: blocking1.9.0.12? → blocking1.9.0.12+
Comment 17•15 years ago
|
||
Comment on attachment 352983 [details] [diff] [review] What I am landing [Checkin: Comment 10 & 11] Approved for 1.9.0.12, a=dveditz for release-drivers
Attachment #352983 -
Flags: approval1.9.0.12?
Updated•15 years ago
|
Attachment #352983 -
Flags: approval1.9.0.12? → approval1.9.0.12+
Comment 18•15 years ago
|
||
Checking in dom/src/base/nsGlobalWindow.cpp; /cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v <-- nsGlobalWindow.cpp new revision: 1.1020; previous revision: 1.1019
Keywords: fixed1.9.0.12
Comment 19•15 years ago
|
||
Verified for 1.9.0.12 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070105 GranParadiso/3.0.12pre (.NET CLR 3.5.30729). Testcase no longer crashes as it does in 1.9.0.11.
Keywords: fixed1.9.0.12 → verified1.9.0.12
Comment 21•15 years ago
|
||
Adding patch for 1.8.0 version. Thanks for your review in advance.
Attachment #387409 -
Flags: review?(martijn.martijn)
Assignee | ||
Comment 22•15 years ago
|
||
Comment on attachment 387409 [details] [diff] [review] Patch for 1.8.0 version I haven't test the patch in a 1.8.1 build, but it seems fine to me. Don't you also need to use this part? + NS_ENSURE_TRUE(mDocShell, NS_ERROR_FAILURE); ..which the original patch has?
Attachment #387409 -
Flags: review?(martijn.martijn) → review+
Comment 23•15 years ago
|
||
(In reply to comment #22) > (From update of attachment 387409 [details] [diff] [review]) > I haven't test the patch in a 1.8.1 build, but it seems fine to me. > Don't you also need to use this part? > + NS_ENSURE_TRUE(mDocShell, NS_ERROR_FAILURE); > ..which the original patch has? Thanks. There's no nsGlobalWindow::ShowModalDialog method in 1.8.0 version so I skipped this code. I tried the test case and with the patch it's working well.
Assignee | ||
Comment 24•15 years ago
|
||
Ah, yeah, of course, that part of the patch was for bug 434037, which uses a feature that isn't on 1.8.1 branch, afaik.
Updated•13 years ago
|
Crash Signature: [@ nsGlobalWindow::FindInternal]
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•