Bug 453278 - Crash [@ nsContentUtils::TriggerLink] with xlink stuff in display: none iframe
Status: VERIFIED FIXED
Whiteboard: [sg:nse dos] null-pointer access
Keywords: crash, testcase, verified1.8.1.19, verified1.9.0.4
Product: Core
Classification: Components
Component: XML
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla1.9.1b1
Assigned To: Mats Palmgren (vacation)
Reported: 2008-09-02 03:17 PDT by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2011-06-13 10:01 PDT
mats: in‑testsuite+


Attachments

xml file needed for testcase (121 bytes, text/xml)
2008-09-02 03:17 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags

testcase (292 bytes, text/html)
2008-09-02 03:18 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)
no flags

crashtest.diff (1.05 KB, patch)
2008-09-04 11:41 PDT, Mats Palmgren (vacation)
no flags

Patch rev. 1 (867 bytes, patch)
2008-09-04 11:49 PDT, Mats Palmgren (vacation)
bzbarsky: review+
bzbarsky: superreview+
dveditz: approval1.9.0.4+

fix for 1.8 branch (681 bytes, patch)
2008-11-06 07:03 PST, Martin Stránský
bzbarsky: review+
dveditz: approval1.8.1.19+
asac: approval1.8.0.next+

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2008-09-02 03:17:27 PDT
Created attachment 336460
xml file needed for testcase

See upcoming testcase, which crashes current trunk build.
It even crashes in Mozilla1.7, so no regression.

For some reason, I can't use a data URL as the iframe content; it doesn't crash then.

http://crash-stats.mozilla.com/report/index/fc75e6bd-78d6-11dd-8ccb-001cc45a2c28?p=1
0	xul.dll	nsContentUtils::TriggerLink	content/base/src/nsContentUtils.cpp:3832
1	xul.dll	nsXMLElement::MaybeTriggerAutoLink	content/xml/content/src/nsXMLElement.cpp:191
2	xul.dll	nsXMLContentSink::AddAttributes	content/xml/document/src/nsXMLContentSink.cpp:1506
3	xul.dll	nsXMLContentSink::HandleStartElement	content/xml/document/src/nsXMLContentSink.cpp:1038
4	xul.dll	storeAtts	parser/expat/lib/xmlparse.c:3112
5	xul.dll	doContent	parser/expat/lib/xmlparse.c:2464

Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2008-09-02 03:18:56 PDT
Created attachment 336461
testcase

Comment 2 Mats Palmgren (vacation) 2008-09-04 11:41:25 PDT
Created attachment 336886
crashtest.diff

Comment 3 Mats Palmgren (vacation) 2008-09-04 11:49:26 PDT
Created attachment 336889
Patch rev. 1

Add a null-check.

Comment 4 Boris Zbarsky [:bz] 2008-09-04 11:58:16 PDT
Comment on attachment 336889
Patch rev. 1

Looks good, but please add a regression test.

Comment 6 Martijn Wargers [:mwargers] (not working for Mozilla) 2008-09-05 07:59:13 PDT
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080905031348 Minefield/3.1b1pre

Comment 7 Daniel Veditz [:dveditz] 2008-10-13 11:49:57 PDT
Comment on attachment 336889
Patch rev. 1

Approved for 1.9.0.4, a=dveditz for release-drivers

Comment 8 Mats Palmgren (vacation) 2008-10-13 19:05:39 PDT
Landed on CVS trunk for 1.9.0.4:
mozilla/content/xml/content/src/nsXMLElement.cpp 	1.153
mozilla/content/xml/content/crashtest/453278-frame.xml 	1.1
mozilla/content/xml/content/crashtest/453278.html 	1.1
mozilla/content/xml/content/crashtest/crashtests.list 	1.2

Comment 9 Al Billings [:abillings] 2008-10-21 15:38:31 PDT
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre.

Comment 10 Martin Stránský 2008-11-06 07:03:54 PST
Created attachment 346659
fix for 1.8 branch

Comment 11 Martin Stránský 2008-11-06 07:04:36 PST
Comment on attachment 346659
fix for 1.8 branch

Boris, can you please check this one?

Comment 12 Alexander Sack 2008-11-10 09:46:47 PST
Comment on attachment 346659
fix for 1.8 branch

a=asac for 1.8.0 branch

Comment 13 Daniel Veditz [:dveditz] 2008-11-13 10:23:08 PST
Comment on attachment 346659
fix for 1.8 branch

Approved for 1.8.1.18, a=dveditz for release-drivers

Comment 14 Daniel Veditz [:dveditz] 2008-11-19 00:32:13 PST
Checked into 1.8 branch

Comment 15 Al Billings [:abillings] 2008-11-25 16:11:10 PST
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
