Closed Bug 450385 Opened 16 years ago Closed 15 years ago

NULL pointer [@ nsFragmentObserver::Notify] (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.8 Branch
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: u315569, Unassigned)

References

(
URL
)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] 1.8.1 branch only)

Crash Data

Attachments

(1 file)

crashes Firefox 2.0.0.20
354 bytes, text/html
Details 
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15)

Looks like a variant of 450383, but apparently is not according to Bob Clary:
<BODY></BODY>
<SCRIPT>
document.body.addEventListener("DOMCharacterDataModified", function () {
	document.body.innerHTML = "";
	eventChild.appendChild(event.relatedNode);
}, true);
document.addEventListener("DOMNodeInserted", function () {}, true);
document.body.innerHTML="]<kbd><small></kbd><base><optGroup></optGroup>";
</SCRIPT>


Reproducible: Always

Steps to Reproduce:
1. Load the HTML
2.
3.
Actual Results:  
FireFox crashes

Expected Results:  
FireFox renders the page correctly
From bug 450383, comment 3:
"
bonecho crashes, gran paradiso does not.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47185551587664 (LWP 23506)]
0x00002aea46b94cb2 in nsFragmentObserver::Notify (this=0x15ba3100)
    at
/work/mozilla/builds/1.8.1/mozilla/content/base/src/nsGenericElement.cpp:3334
3334                                      NS_EVENT_FLAG_INIT, &status);

"

Fix range between 2005-09-23 and 2005-09-26:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-23+04&maxdate=2005-09-26+07&cvsroot=%2Fcvsroot
Fixed by bug 27382?
Summary: NULL pointer (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b → NULL pointer [@ nsFragmentObserver::Notify] (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b
Status: UNCONFIRMED → NEW
Component: General → DOM
Ever confirmed: true
Keywords: crash, testcase
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.8 Branch
Flags: wanted1.8.1.x?
peterv's bug 27382 seems likely, I further narrowed the "fix range" to 2005-09-24 through 2005-09-25. That's a big patch, seems unlikely we'd take all of that to fix this.

Very similar assertions to bug 450383 including the ultimate null fp->dormantNext:

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "'[JavaScript Error: "eventChild is not defined" {file: "http://skypher.com/SkyLined/Repro/FireFox/AVR%5B0
%5D@firefox.exe+245d32%20%23f88d022b/repro.html" line: 5}]' when calling method: [nsIDOMEventListener::handleEvent]"  ns
result: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: http://skypher.com/SkyLined/Re
pro/FireFox/AVR%5B0%5D@firefox.exe+245d32%20%23f88d022b/repro.html :: <TOP_LEVEL> :: line 8"  data: yes]
************************************************************
###!!! ASSERTION: element not in the document: 'doc', file c:/dev/ff2/mozilla/layout/base/nsChildIterator.cpp, line 57
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument ==
 nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericDOMDataNode.cpp, l
ine 679
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument ==
 nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericDOMDataNode.cpp, l
ine 679
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument ==
 nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericElement.cpp, line
1880
Assertion failure: !fp->dormantNext, at c:/dev/ff2/mozilla/js/src/jsapi.c:4425

The problem is a --NON--null fp->dormantNext, we're saving on top of one that isn't expected to be there. Looks like a lot of junk though.

 	JS_Assert() Line 58	C
	JS_SaveFrameChain() Line 4425	C
 	XPCJSContextStack::Push() Line 130	C++
 	nsXPCThreadJSContextStackImpl::Push() Line 339	C++
 	nsXPConnect::WillProcessEvents() Line 1611	C++
 	ListenerCaller::ListenerCaller() Line 77	C++
 	nsEventQueueImpl::ProcessPendingEvents() Line 434	C++
 	nsWindow::DispatchPendingEvents() Line 4419	C++
 	nsWindow::ProcessMessage() Line 4838	C++
 	nsWindow::WindowProc() Line 1507	C++
Whiteboard: [sg:critical?] 1.8 branch only
Whiteboard: [sg:critical?] 1.8 branch only → [sg:critical?] 1.8.1 branch only
We should add this testcase to the regression test suites and then WONTFIX this
for the unsupported branches.
Flags: in-testsuite?
Crashtest checked in: http://hg.mozilla.org/mozilla-central/rev/45fd81ea3f4b
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → WONTFIX
Crash Signature: [@ nsFragmentObserver::Notify]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: