Closed Bug 460444 Opened 17 years ago Closed 16 years ago

Potential crash in ~nsXBLAttributeEntry(), ~nsXBLProtoImplField(), ~nsXBLPrototypeHandler() , ~nsXBLParameter(), ~nsXBLProtoImplMember(), ~nsXBLResource()

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla1.9.2a1

People

(Reporter: MatsPalmgren_bugz, Assigned: MatsPalmgren_bugz)

Details

(Keywords: crash, fixed1.9.1, Whiteboard: [sg:dos] too much stack recursion)

Attachments

(3 files)

zipped up testcase, using a lot of images in resources 17 years ago Martijn Wargers (dead) 5.38 KB, application/zip		Details
Patch rev. 1 16 years ago Mats Palmgren (inactive) 7.07 KB, patch	dbaron : review+ jst : review+ dbaron : superreview+	Details \| Diff \| Splinter Review
Patch rev. 2 (moved the #define to nsContentUtils.h) 16 years ago Mats Palmgren (inactive) 8.60 KB, patch	beltzner : approval1.9.1+	Details \| Diff \| Splinter Review

Mats Palmgren (inactive)

Assignee

Description

•

17 years ago

Like in bug 456196 I suspect this could cause a crash with a long list (mNext): http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp&rev=1.163&mark=126#126

Mats Palmgren (inactive)

Assignee

Comment 1

•

17 years ago

Here are a few more to investigate: http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/./content/xbl/src/nsXBLProtoImplField.cpp&rev=1.26&root=/cvsroot&mark=74#68 http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/xbl/src/nsXBLPrototypeHandler.cpp&rev=1.142&root=/cvsroot&mark=159#149 http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/xbl/src/nsXBLProtoImplMethod.h&rev=1.20&root=/cvsroot&mark=62#59 http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/xbl/src/nsXBLProtoImplMember.h&rev=1.21&root=/cvsroot&mark=102#102 http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/xbl/src/nsXBLResourceLoader.h&rev=1.10&root=/cvsroot&mark=69#55

Summary: Potential crash in ~nsXBLAttributeEntry() → Potential crash in ~nsXBLAttributeEntry(), ~nsXBLProtoImplField(), ~nsXBLPrototypeHandler() , ~nsXBLParameter(), ~nsXBLProtoImplMember(), ~nsXBLResource()

Martijn Wargers (dead)

Comment 2

•

17 years ago

Attached file zipped up testcase, using a lot of images in resources — Details

Yeah, this is crashing. See zipped up testcase. This crashes with this stacktrace: http://crash-stats.mozilla.com/report/index/d4ec50c7-9c54-11dd-82a8-001cc4e2bf68?p=1 0 xul.dll nsXBLResource::~nsXBLResource content/xbl/src/nsXBLResourceLoader.h:67 1 xul.dll nsXBLResource::~nsXBLResource content/xbl/src/nsXBLResourceLoader.h:70 2 xul.dll nsXBLResource::~nsXBLResource content/xbl/src/nsXBLResourceLoader.h:70 3 xul.dll nsXBLResource::~nsXBLResource content/xbl/src/nsXBLResourceLoader.h:70 4 xul.dll nsXBLResource::~nsXBLResource content/xbl/src/nsXBLResourceLoader.h:70 5 xul.dll nsXBLResource::~nsXBLResource content/xbl/src/nsXBLResourceLoader.h:70 etc..

Martijn Wargers (dead)

Comment 3

•

17 years ago

I crashed sometimes with a lot of fields, but not reproducable: http://crash-stats.mozilla.com/report/index/b52f9dee-9c59-11dd-9586-001cc45a2ce4?p=1 0 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/src/jemalloc.c:4267 1 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/src/jemalloc.c:4390 2 mozcrt19.dll free obj-firefox/memory/jemalloc/src/jemalloc.c:6207 3 xul.dll nsXBLProtoImplField::~nsXBLProtoImplField content/xbl/src/nsXBLProtoImplField.cpp:73 4 xul.dll nsXBLProtoImplField::~nsXBLProtoImplField content/xbl/src/nsXBLProtoImplField.cpp:74 5 xul.dll nsXBLProtoImplField::~nsXBLProtoImplField content/xbl/src/nsXBLProtoImplField.cpp:74 6 xul.dll nsXBLProtoImplField::~nsXBLProtoImplField content/xbl/src/nsXBLProtoImplField.cpp:74 7 xul.dll nsXBLProtoImplField::~nsXBLProtoImplField content/xbl/src/nsXBLProtoImplField.cpp:74 etc..

Martijn Wargers (dead)

Comment 4

•

17 years ago

This one with a lot of constructors: http://crash-stats.mozilla.com/report/index/225d9cb3-9c5e-11dd-bfdf-0013211cbf8a?p=1 0 mozcrt19.dll arena_dalloc_small obj-firefox/memory/jemalloc/src/jemalloc.c:4257 1 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/src/jemalloc.c:4390 2 mozcrt19.dll free obj-firefox/memory/jemalloc/src/jemalloc.c:6207 3 xul.dll nsXBLProtoImplAnonymousMethod::`vector deleting destructor' 4 xul.dll nsXBLProtoImplAnonymousMethod::`vector deleting destructor' 5 xul.dll nsXBLProtoImplAnonymousMethod::`vector deleting destructor' 6 xul.dll nsXBLProtoImplAnonymousMethod::`vector deleting destructor' 7 xul.dll nsXBLProtoImplAnonymousMethod::`vector deleting destructor' etc.. The crash sometimes occurs when I close the testcase while it is still loading.

Mats Palmgren (inactive)

Assignee

Comment 5

•

17 years ago

I think we need to fix all of these... (see also bug 460461)

Assignee: nobody → mats.palmgren

Severity: normal → critical

Keywords: crash

Whiteboard: [sg:nse dos] too much stack recursion

Daniel Veditz [:dveditz]

Updated

•

16 years ago

Whiteboard: [sg:nse dos] too much stack recursion → [sg:dos] too much stack recursion

Daniel Veditz [:dveditz]

Updated

•

16 years ago

Status: UNCONFIRMED → NEW

Ever confirmed: true

Mats Palmgren (inactive)

Assignee

Comment 6

•

16 years ago

Attached patch Patch rev. 1 — Details — Splinter Review

Attachment #346668 - Flags: superreview?(dbaron)

Attachment #346668 - Flags: review?(dbaron)

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Updated

•

16 years ago

Attachment #346668 - Flags: superreview?(dbaron)

Attachment #346668 - Flags: superreview+

Attachment #346668 - Flags: review?(jst)

Attachment #346668 - Flags: review?(dbaron)

Attachment #346668 - Flags: review+

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Comment 7

•

16 years ago

Comment on attachment 346668 [details] [diff] [review] Patch rev. 1 r+sr=dbaron, although you probably want a content peer to say that it's ok to have this in nsINode.h

Johnny Stenback (:jst)

Updated

•

16 years ago

Attachment #346668 - Flags: review?(jst) → review+

Johnny Stenback (:jst)

Comment 8

•

16 years ago

Comment on attachment 346668 [details] [diff] [review] Patch rev. 1 Looks good to me.

Johnny Stenback (:jst)

Comment 9

•

16 years ago

Comment on attachment 346668 [details] [diff] [review] Patch rev. 1 ... though you could stick the definition of the macro in nsContentUtils.h rather than nsINode.h.

Mats Palmgren (inactive)

Assignee

Comment 10

•

16 years ago

Attached patch Patch rev. 2 (moved the #define to nsContentUtils.h) — Details — Splinter Review

Moved the #define to nsContentUtils.h, no other significant changes, I'll land this when the tree opens.

David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)

Comment 11

•

16 years ago

You'll need to request approval1.9? to land after beta 2; see beltzner's dev-planning post on November 13.

Mats Palmgren (inactive)

Assignee

Updated

•

16 years ago

Attachment #348691 - Flags: approval1.9.1?

Mike Beltzner [:beltzner, not reading bugmail]

Comment 12

•

16 years ago

Comment on attachment 348691 [details] [diff] [review] Patch rev. 2 (moved the #define to nsContentUtils.h) a191=beltzner

Attachment #348691 - Flags: approval1.9.1? → approval1.9.1+

Mats Palmgren (inactive)

Assignee

Comment 13

•

16 years ago

http://hg.mozilla.org/mozilla-central/rev/e085f7a2037c No test checked in since it's 2MB big and takes a couple of minutes to load on a relatively fast PC. -> FIXED

Status: NEW → RESOLVED

Closed: 16 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla1.9.2a1

Mats Palmgren (inactive)

Assignee

Comment 14

•

16 years ago

Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/fe5e09ccc9cc

Keywords: fixed1.9.1

Daniel Veditz [:dveditz]

Comment 15

•

16 years ago

Do we want to fix this on the 1.9.0 branch?

Flags: wanted1.9.0.x?

timeless

Updated

•

16 years ago

Component: Content → DOM

QA Contact: content → general

Nobody; OK to take it and work on it

Updated

•

6 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.