Closed
Bug 450385
Opened 16 years ago
Closed 15 years ago
NULL pointer [@ nsFragmentObserver::Notify] (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WONTFIX
People
(Reporter: u315569, Unassigned)
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical?] 1.8.1 branch only)
Attachments
(1 file: 354 bytes, text/html)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15)

Looks like a variant of 450383, but apparently is not according to Bob Clary:

<BODY></BODY>
<SCRIPT>
document.body.addEventListener("DOMCharacterDataModified", function () {
  document.body.innerHTML = "";
  eventChild.appendChild(event.relatedNode);
}, true);
document.addEventListener("DOMNodeInserted", function () {}, true);
document.body.innerHTML="]<kbd><small></kbd><base><optGroup></optGroup>";
</SCRIPT>

Reproducible: Always

Steps to Reproduce:
1. Load the HTML

Actual Results:
FireFox crashes

Expected Results:
FireFox renders the page correctly
Comment 1•16 years ago

From bug 450383, comment 3:
"bonecho crashes, gran paradiso does not.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 47185551587664 (LWP 23506)]
0x00002aea46b94cb2 in nsFragmentObserver::Notify (this=0x15ba3100) at /work/mozilla/builds/1.8.1/mozilla/content/base/src/nsGenericElement.cpp:3334
3334            NS_EVENT_FLAG_INIT, &status);
"

Fix range between 2005-09-23 and 2005-09-26:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-09-23+04&maxdate=2005-09-26+07&cvsroot=%2Fcvsroot

Fixed by bug 27382?
Summary: NULL pointer (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b → NULL pointer [@ nsFragmentObserver::Notify] (potential memory corruption) FireFox 2.0.0.15 (build 2008062306) - AVR[0]@firefox.exe+245d32 #f88d022b
Updated•16 years ago
Flags: wanted1.8.1.x?
Comment 2•16 years ago

peterv's bug 27382 seems likely, I further narrowed the "fix range" to 2005-09-24 through 2005-09-25. That's a big patch, seems unlikely we'd take all of that to fix this.

Very similar assertions to bug 450383 including the ultimate null fp->dormantNext:

************************************************************
* Call to xpconnect wrapped JSObject produced this error: *
[Exception... "'[JavaScript Error: "eventChild is not defined" {file: "http://skypher.com/SkyLined/Repro/FireFox/AVR%5B0%5D@firefox.exe+245d32%20%23f88d022b/repro.html" line: 5}]' when calling method: [nsIDOMEventListener::handleEvent]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "JS frame :: http://skypher.com/SkyLined/Repro/FireFox/AVR%5B0%5D@firefox.exe+245d32%20%23f88d022b/repro.html :: <TOP_LEVEL> :: line 8"  data: yes]
************************************************************
###!!! ASSERTION: element not in the document: 'doc', file c:/dev/ff2/mozilla/layout/base/nsChildIterator.cpp, line 57
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument == nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericDOMDataNode.cpp, line 679
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument == nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericDOMDataNode.cpp, line 679
###!!! ASSERTION: aDocument must be current doc of aParent: '!aParent || (aParent->IsContentOfType(eXUL) && aDocument == nsnull) || aDocument == aParent->GetCurrentDoc()', file c:/dev/ff2/mozilla/content/base/src/nsGenericElement.cpp, line 1880
Assertion failure: !fp->dormantNext, at c:/dev/ff2/mozilla/js/src/jsapi.c:4425
Comment 3•16 years ago

The problem is a --NON--null fp->dormantNext, we're saving on top of one that isn't expected to be there. Looks like a lot of junk though.

JS_Assert() Line 58  C
JS_SaveFrameChain() Line 4425  C
XPCJSContextStack::Push() Line 130  C++
nsXPCThreadJSContextStackImpl::Push() Line 339  C++
nsXPConnect::WillProcessEvents() Line 1611  C++
ListenerCaller::ListenerCaller() Line 77  C++
nsEventQueueImpl::ProcessPendingEvents() Line 434  C++
nsWindow::DispatchPendingEvents() Line 4419  C++
nsWindow::ProcessMessage() Line 4838  C++
nsWindow::WindowProc() Line 1507  C++
Updated•15 years ago
Whiteboard: [sg:critical?] 1.8 branch only
Comment 4•15 years ago
Updated•15 years ago
Whiteboard: [sg:critical?] 1.8 branch only → [sg:critical?] 1.8.1 branch only
Comment 5•15 years ago
We should add this testcase to the regression test suites and then WONTFIX this for the unsupported branches.
Flags: in-testsuite?
Comment 6•15 years ago
Crashtest checked in: http://hg.mozilla.org/mozilla-central/rev/45fd81ea3f4b
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite? → in-testsuite+
Resolution: --- → WONTFIX
Updated•13 years ago
Crash Signature: [@ nsFragmentObserver::Notify]
Updated•5 years ago
Component: DOM → DOM: Core & HTML