Closed Bug 461027 Opened 16 years ago Closed 16 years ago

Crash [@ nsContentUtils::ComparePosition] with binding

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(5 keywords, Whiteboard: [sg:critical?] post 1.8-branch)

Crash Data

Attachments

(2 files)

testcase
455 bytes, application/vnd.mozilla.xul+xml
Details
proposed patch
1.53 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
beltzner
: approval1.9.1+
dveditz
: approval1.9.0.6+
Details | Diff | Splinter Review
Attached file testcase
See testcase, which crashes in current trunk build. This regressed between 2008-06-22 and 2008-06-23: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-06-22+04%3A00%3A00&enddate=2008-06-23+08%3A00%3A00 I think a regression from bug 344258. Stacktrace from debug build: gklayout.dll!nsContentUtils::GetContextForEventHandlers(nsINode * aNode=0x09af6478, nsIScriptContext * * aContext=0x00000004) Line 4354 + 0x3 bytes C++ > gklayout.dll!nsGenericElement::GetContextForEventHandlers(nsIScriptContext * * aContext=0x00000004) Line 346 + 0xd bytes C++ gklayout.dll!nsContentUtils::ComparePosition(nsINode * aNode1=0x0883bac8, nsINode * aNode2=0x09af6478) Line 1533 + 0xf bytes C++ gklayout.dll!nsContentUtils::PositionIsBefore(nsINode * aNode1=0x0883bac8, nsINode * aNode2=0x09af6478) Line 280 + 0xd bytes C++ gklayout.dll!nsIdentifierMapEntry::AddIdContent(nsIContent * aContent=0x0883bac8) Line 459 + 0xd bytes C++ gklayout.dll!nsDocument::UpdateIdTableEntry(nsIContent * aContent=0x0883bac8) Line 2272 C++ gklayout.dll!nsXULDocument::AddElementToDocumentPre(nsIContent * aElement=0x0883bac8) Line 1625 C++ gklayout.dll!nsXULDocument::AddSubtreeToDocument(nsIContent * aElement=0x0883bac8) Line 1705 + 0x12 bytes C++ gklayout.dll!nsXBLBinding::InstallAnonymousContent(nsIContent * aAnonParent=0x0883ba78, nsIContent * aElement=0x0997dd38) Line 371 C++ gklayout.dll!nsXBLBinding::GenerateAnonymousContent() Line 663 C++ gklayout.dll!nsXBLService::LoadBindings(nsIContent * aContent=0x0997dd38, nsIURI * aURL=0x095f2ee8, nsIPrincipal * aOriginPrincipal=0x087028e8, int aAugmentFlag=0, nsXBLBinding * * aBinding=0x0012eb5c, int * aResolveStyle=0x0012eb30) Line 631 C++ gklayout.dll!nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x0997dd38, nsIFrame * aParentFrame=0x095ff008, nsIAtom * aTag=0x012e38bc, int aNameSpaceID=6, nsStyleContext * aStyleContext=0x095ff0d0, nsFrameItems & aFrameItems={...}, int aXBLBaseTag=0) Line 7424 + 0x53 bytes C++ gklayout.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x0997dd38, nsIFrame * aParentFrame=0x095ff008, nsFrameItems & aFrameItems={...}) Line 7379 + 0x35 bytes C++ gklayout.dll!nsCSSFrameConstructor::ProcessInlineChildren(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x09945ef0, nsIFrame * aFrame=0x095ff008, int aCanHaveGeneratedContent=1, nsFrameItems & aFrameItems={...}, int * aKidsAllInline=0x0012ede4) Line 12618 + 0x3a bytes C++ gklayout.dll!nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState & aState={...}, const nsStyleDisplay * aDisplay=0x095fecf0, nsIContent * aContent=0x09945ef0, nsIFrame * aParentFrame=0x095fe714, nsStyleContext * aStyleContext=0x095fefb8, int aIsPositioned=0, nsIFrame * aNewFrame=0x095ff008) Line 12390 + 0x21 bytes C++ gklayout.dll!nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState & aState={...}, const nsStyleDisplay * aDisplay=0x095fecf0, nsIContent * aContent=0x09945ef0, int aNameSpaceID=6, nsIAtom * aTag=0x012e38c8, nsIFrame * aParentFrame=0x095fe714, nsStyleContext * aStyleContext=0x095fefb8, nsFrameItems & aFrameItems={...}, int aHasPseudoParent=0) Line 6591 + 0x22 bytes C++ gklayout.dll!nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x09945ef0, nsIFrame * aParentFrame=0x095fe714, nsIAtom * aTag=0x012e38c8, int aNameSpaceID=6, nsStyleContext * aStyleContext=0x095fefb8, nsFrameItems & aFrameItems={...}, int aXBLBaseTag=0) Line 7558 + 0x34 bytes C++ gklayout.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x09945ef0, nsIFrame * aParentFrame=0x095fe714, nsFrameItems & aFrameItems={...}) Line 7379 + 0x35 bytes C++ gklayout.dll!nsCSSFrameConstructor::ContentInserted(nsIContent * aContainer=0x05ce6050, nsIContent * aChild=0x09945ef0, int aIndexInContainer=0, nsILayoutHistoryState * aFrameState=0x05d58458) Line 8966 C++ gklayout.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent * aContent=0x09945ef0) Line 11087 + 0x25 bytes C++ gklayout.dll!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList & aChangeList={...}) Line 9825 C++ gklayout.dll!PresShell::RecreateFramesFor(nsIContent * aContent=0x09945ef0) Line 3374 + 0x12 bytes C++ gklayout.dll!nsXBLBindingRequest::DocumentLoaded(nsIDocument * aBindingDoc=0x09738080) Line 263 C++ gklayout.dll!nsXBLStreamListener::Load(nsIDOMEvent * aEvent=0x0964b250) Line 478 C++ gklayout.dll!DispatchToInterface(nsIDOMEvent * aEvent=0x0964b250, nsIDOMEventListener * aListener=0x097924d4, unsigned int (nsIDOMEvent *)* aMethod=0x045c3de0, const nsID & aIID={...}) Line 184 + 0xb bytes C++ gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext=0x00000000, nsEvent * aEvent=0x0012f624, nsIDOMEvent * * aDOMEvent=0x0012f59c, nsISupports * aCurrentTarget=0x09738080, unsigned int aFlags=6, nsEventStatus * aEventStatus=0x0012f5a0) Line 1182 + 0x22 bytes C++ gklayout.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6) Line 212 C++ gklayout.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor={...}, unsigned int aFlags=6, nsDispatchingCallback * aCallback=0x00000000) Line 271 C++ gklayout.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget=0x09738080, nsPresContext * aPresContext=0x00000000, nsEvent * aEvent=0x0012f624, nsIDOMEvent * aDOMEvent=0x00000000, nsEventStatus * aEventStatus=0x00000000, nsDispatchingCallback * aCallback=0x00000000) Line 479 + 0x12 bytes C++ gklayout.dll!nsXMLDocument::EndLoad() Line 580 + 0x15 bytes C++ gklayout.dll!nsXMLContentSink::DidBuildModel() Line 381 C++ gkparser.dll!nsExpatDriver::DidBuildModel(unsigned int anErrorCode=0, int aNotifySink=1, nsIParser * aParser=0x05dc1758, nsIContentSink * aSink=0x05cc6520) Line 1311 + 0xe bytes C++ gkparser.dll!nsParser::DidBuildModel(unsigned int anErrorCode=0) Line 1527 + 0x35 bytes C++ gkparser.dll!nsParser::ResumeParse(int allowIteration=1, int aIsFinalChunk=1, int aCanInterrupt=1) Line 2283 C++ gkparser.dll!nsParser::OnStopRequest(nsIRequest * request=0x097b3ca8, nsISupports * aContext=0x00000000, unsigned int status=0) Line 2916 + 0x17 bytes C++ gklayout.dll!nsXBLStreamListener::OnStopRequest(nsIRequest * request=0x097b3ca8, nsISupports * aCtxt=0x00000000, unsigned int aStatus=0) Line 380 + 0x28 bytes C++ necko.dll!nsBaseChannel::OnStopRequest(nsIRequest * request=0x097ddf80, nsISupports * ctxt=0x00000000, unsigned int status=0) Line 623 C++ necko.dll!nsInputStreamPump::OnStateStop() Line 577 C++ necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x0863dbc8) Line 401 + 0xb bytes C++ xpcom_core.dll!nsInputStreamReadyEvent::Run() Line 112 C++ xpcom_core.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012f848) Line 511 C++ xpcom_core.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x012d3fe8, int mayWait=1) Line 227 + 0x16 bytes C++ gkwidget.dll!nsBaseAppShell::Run() Line 170 + 0xc bytes C++ tkitcmps.dll!nsAppStartup::Run() Line 182 + 0x1c bytes C++ xul.dll!XRE_main(int argc=1, char * * argv=0x003fffe0, const nsXREAppData * aAppData=0x012d0880) Line 3265 + 0x25 bytes C++ firefox.exe!NS_internal_main(int argc=1, char * * argv=0x003fffe0) Line 156 + 0x12 bytes C++ firefox.exe!wmain(int argc=1, unsigned short * * argv=0x003fa2e8) Line 87 + 0xd bytes C++ firefox.exe!__tmainCRTStartup() Line 583 + 0x19 bytes C firefox.exe!wmainCRTStartup() Line 403 C kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Flags: blocking1.9.1?
Not blocking, but this is an exploitable crash. Marking security sensitive.
Group: core-security
Flags: blocking1.9.1? → blocking1.9.1-
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:critical]
Flags: wanted1.9.1?
Flags: blocking1.9.2?
Assignee: nobody → Olli.Pettay
Component: DOM → XBL
QA Contact: general → xbl
Attached patch proposed patchSplinter Review
Attachment #353458 - Flags: superreview?(bzbarsky)
Attachment #353458 - Flags: review?(bzbarsky)
Comment on attachment 353458 [details] [diff] [review] proposed patch Looks ok, though it woud be even better to have a helper function that we call both here and in binding teardown (where we have to do the same thing, right?)
Attachment #353458 - Flags: superreview?(bzbarsky)
Attachment #353458 - Flags: superreview+
Attachment #353458 - Flags: review?(bzbarsky)
Attachment #353458 - Flags: review+
I'll file a followup to add a helper and to make sure we call undo install properly.
Blocks: 470491
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified fixed, using: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081220 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Do we need this fix in 3.0? bug 344258 was not landed on the 1.9.0 branch but the nsXBLBinding::GenerateAnonymousContent code this patch touches is the same.
Flags: wanted1.9.0.x?
Whiteboard: [sg:critical] → [sg:critical?]
I'll assume yes for now so we don't lose track.
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.6?
Attachment #353458 - Flags: approval1.9.1?
Comment on attachment 353458 [details] [diff] [review] proposed patch a191=beltzner
Attachment #353458 - Flags: approval1.9.1? → approval1.9.1+
Flags: wanted1.9.1?
Flags: blocking1.9.2?
Keywords: fixed1.9.1
Attachment #353458 - Flags: approval1.9.0.6?
Flags: blocking1.9.0.6? → blocking1.9.0.6+
Comment on attachment 353458 [details] [diff] [review] proposed patch Approved for 1.9.0.6, a=dveditz for release-drivers.
Attachment #353458 - Flags: approval1.9.0.6? → approval1.9.0.6+
The problem with this is to verify this on 1.9.0.x because the testcase is for 1.9.1.
Olli: Any way to make a 1.9.0 testcase? Regardless, if this makes us safer, we should take it.
Trying to create 1.9.0 testcase... Martijn, perhaps you have some suggestions?
Sorry, I don't know of a way to make it crash in 1.9.0, the original testcase doesn't crash in 1.9.0 either.
However I did find a new case that has a similar stacktrace as this bug, I filed bug 472212 for it.
Keywords: fixed1.9.0.6
1.9+ regression, not wanted on 1.8.
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
So there is no real way to verify this fix for 1.9.0.6? I double-checked and it doesn't crash in Firefox 3.0.5.
Yes, afaik, there is no way to verify this fix for 1.9.0.6.
Group: core-security
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090225 Firefox and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090225 Shiretoko/3.1b3pre.
Keywords: fixed1.9.1verified1.9.1
Crash Signature: [@ nsContentUtils::ComparePosition]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: