NULL pointer [@ nsFragmentObserver::Notify] (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b

RESOLVED WONTFIX

Status

()

Core
DOM
--
critical
RESOLVED WONTFIX
9 years ago
7 years ago

People

(Reporter: u315569, Unassigned)

Tracking

({crash, testcase})

1.8 Branch
x86
Windows Vista
crash, testcase
Points:
---
Bug Flags:
wanted1.8.1.x ?
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] 1.8.1 branch only, crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15)

Looks like a variant of 450383, but apparently is not according to Bob Clary:
<BODY></BODY>
<SCRIPT>
document.body.addEventListener("DOMCharacterDataModified", function () {
	document.body.innerHTML = "";
	eventChild.appendChild(event.relatedNode);
}, true);
document.addEventListener("DOMNodeInserted", function () {}, true);
document.body.innerHTML="]<kbd><small></kbd><base><optGroup></optGroup>";
</SCRIPT>


Reproducible: Always

Steps to Reproduce:
1. Load the HTML
2.
3.
Actual Results:  
FireFox crashes

Expected Results:  
FireFox renders the page correctly
From bug 450383, comment 3:
"
bonecho crashes, gran paradiso does not.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47185551587664 (LWP 23506)]
0x00002aea46b94cb2 in nsFragmentObserver::Notify (this=0x15ba3100)
    at
/work/mozilla/builds/1.8.1/mozilla/content/base/src/nsGenericElement.cpp:3334
3334                                      NS_EVENT_FLAG_INIT, &status);

"

Fix range between 2005-09-23 and 2005-09-26:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-23+04&maxdate=2005-09-26+07&cvsroot=%2Fcvsroot
Fixed by bug 27382?
Summary: NULL pointer (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b → NULL pointer [@ nsFragmentObserver::Notify] (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b

Updated

9 years ago
Status: UNCONFIRMED → NEW
Component: General → DOM
Ever confirmed: true
Keywords: crash, testcase
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → 1.8 Branch
Flags: wanted1.8.1.x?
peterv's bug 27382 seems likely, I further narrowed the "fix range" to 2005-09-24 through 2005-09-25. That's a big patch, seems unlikely we'd take all of that to fix this.

Very similar assertions to bug 450383 including the ultimate null fp->dormantNext:

************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "'[JavaScript Error: "eventChild is not defined" {file: "http://skypher.com/SkyLined/Repro/FireFox/AVR%5B0
%5D@firefox.exe+245d32%20%23f88d022b/repro.html" line: 5}]' when calling method: [nsIDOMEventListener::handleEvent]"  ns
result: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: http://skypher.com/SkyLined/Re
pro/FireFox/AVR%5B0%5D@firefox.exe+245d32%20%23f88d022b/repro.html :: <TOP_LEVEL> :: line 8"  data: yes]
************************************************************
###!!! ASSERTION: element not in the document: 'doc', file c:/dev/ff2/mozilla/layout/base/nsChildIterator.cpp, line 57
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument ==
 nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericDOMDataNode.cpp, l
ine 679
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument ==
 nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericDOMDataNode.cpp, l
ine 679
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument ==
 nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericElement.cpp, line
1880
Assertion failure: !fp->dormantNext, at c:/dev/ff2/mozilla/js/src/jsapi.c:4425
The problem is a --NON--null fp->dormantNext, we're saving on top of one that isn't expected to be there. Looks like a lot of junk though.

 	JS_Assert() Line 58	C
	JS_SaveFrameChain() Line 4425	C
 	XPCJSContextStack::Push() Line 130	C++
 	nsXPCThreadJSContextStackImpl::Push() Line 339	C++
 	nsXPConnect::WillProcessEvents() Line 1611	C++
 	ListenerCaller::ListenerCaller() Line 77	C++
 	nsEventQueueImpl::ProcessPendingEvents() Line 434	C++
 	nsWindow::DispatchPendingEvents() Line 4419	C++
 	nsWindow::ProcessMessage() Line 4838	C++
 	nsWindow::WindowProc() Line 1507	C++
Whiteboard: [sg:critical?] 1.8 branch only
Created attachment 375901 [details]
crashes Firefox 2.0.0.20

Updated

8 years ago
Whiteboard: [sg:critical?] 1.8 branch only → [sg:critical?] 1.8.1 branch only
We should add this testcase to the regression test suites and then WONTFIX this
for the unsupported branches.
Flags: in-testsuite?

Comment 6

8 years ago
Crashtest checked in: http://hg.mozilla.org/mozilla-central/rev/45fd81ea3f4b
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → WONTFIX
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsFragmentObserver::Notify]
You need to log in before you can comment on or make changes to this bug.