Closed Bug 461053 Opened 11 years ago Closed 11 years ago

[FIX] Crash [@ nsXULDocument::SynchronizeBroadcastListener] with command

Categories

(Core :: DOM: Core & HTML, defect, critical)

defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla1.9.2a1

People

(Reporter: martijn.martijn, Assigned: smaug)

Details

(4 keywords, Whiteboard: [sg:investigate] post 1.8-branch)

Crash Data

Attachments

(3 files, 1 obsolete file)

See testcase, which crashes current trunk build and Firefox 3 within 100ms.

http://crash-stats.mozilla.com/report/index/69096ca8-9fbd-11dd-9496-001a4bd43e5c?p=1
0  	xul.dll  	nsXULDocument::SynchronizeBroadcastListener  	 content/xul/document/src/nsXULDocument.cpp:703
1 	xul.dll 	nsTArray_base::SwapArrayElements 	obj-firefox/xpcom/build/nsTArray.cpp:205
2 	xul.dll 	nsXULDocument::EndUpdate 	content/xul/document/src/nsXULDocument.cpp:3271
Attached file testcase
I'm having trouble determining the exploitability of this bug.  Here's a backtrace from the crash on a fresh Linux m-c debug build.
Flags: blocking1.9.1?
Assignee: nobody → Olli.Pettay
...and make sure the attribute still there in broadcaster before setting
it to listener.
Attachment #347769 - Flags: superreview?(neil)
Attachment #347769 - Flags: review?
Comment on attachment 347769 [details] [diff] [review]
create a list of to-be-broadcasted attributes before broadcasting

From whom did you intend review? ;-)
Attachment #347769 - Flags: superreview?(neil) → superreview+
Attachment #347769 - Flags: review? → review?(enndeakin)
Comment on attachment 347769 [details] [diff] [review]
create a list of to-be-broadcasted attributes before broadcasting

>-            const nsAttrName* attrName = broadcaster->GetAttrNameAt(count);
>+        nsTArray<nsAttrNameInfo> attributes(count);
>+        for (PRUint32 i = 0; i < count; ++i) {
>+            const nsAttrName* attrName = broadcaster->GetAttrNameAt(i);
>             PRInt32 nameSpaceID = attrName->NamespaceID();
>             nsIAtom* name = attrName->LocalName();
> 
>             // _Don't_ push the |id|, |ref|, or |persist| attribute's value!
>             if (! CanBroadcast(nameSpaceID, name))
>                 continue;
> 
>+            attributes.AppendElement(nsAttrNameInfo(attrName->NamespaceID(),
>+                                                    attrName->LocalName(),
>+                                                    attrName->GetPrefix()));

You should either use the temporary variables in both cases or neither.
>-                              mInitialLayoutComplete);
>+            if (broadcaster->GetAttr(nameSpaceID, name, value)) {
>+              listener->SetAttr(nameSpaceID, name, attributes[count].mPrefix,
>+                                value, mInitialLayoutComplete);
>+            }

What if the attribute has a value on the listener but not on the broadcaster? Is this creating different behaviour in some situation?
(In reply to comment #5)
> You should either use the temporary variables in both cases or neither.
Indeed, a left over from a previous (local) version. Fixing.

> What if the attribute has a value on the listener but not on the broadcaster?
> Is this creating different behaviour in some situation?
This is creating different behavior than currently only if someone 
modifies attribute using mutation listeners.
Note, if the element if removed (which if(GetAttr) checks), other code
should already remove the attribute from listener.
So this is IMO fixing the problem when removed attribute is recreated on
listener with empty value.
Attached patch v2Splinter Review
Attachment #347769 - Attachment is obsolete: true
Attachment #347850 - Flags: review?(enndeakin)
Attachment #347769 - Flags: review?(enndeakin)
Summary: Crash [@ nsXULDocument::SynchronizeBroadcastListener] with command → [FIX] Crash [@ nsXULDocument::SynchronizeBroadcastListener] with command
Attachment #347850 - Flags: review?(enndeakin) → review+
Looks like we have a reviewed patch here.  Can we get this landed?
Keywords: checkin-needed
The patch needs sr+, afaik.
Keywords: checkin-needed
Attachment #347850 - Flags: superreview?(neil) → superreview+
The patch still isn't ready for check-in, afaik.
This bug has to be blocking1.9.1+ or the patch needs to get approval1.9.1 or both.
Attachment #347850 - Flags: approval1.9.1?
Attachment #347850 - Flags: approval1.9.1? → approval1.9.1+
This is ready to go, not marking as a blocker.
Flags: blocking1.9.1? → blocking1.9.1-
Whiteboard: [needs-1.9.1-landing]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081204 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Fixed on trunk and 1.9.1
Whiteboard: [needs-1.9.1-landing]
Keywords: fixed1.9.1
Verified on 1.9.1 using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b3pre) Gecko/20090204 Shiretoko/3.1b3pre

Martijn, can we add the testcase to the crashtest harness?
Flags: in-testsuite?
OS: Windows XP → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
This is always a null deref in debug builds, but could it be uninitialized in optimized builds? Can't tell, let's just make sure it's fixed on 1.9.0
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x-
Flags: blocking1.9.0.8+
Whiteboard: [sg:investigate] post 1.8-branch
Olli: does this patch work for the 1.9.0 branch or will it require porting?
Comment on attachment 347850 [details] [diff] [review]
v2

Applies to 1.9.0 with some small fuzz
Attachment #347850 - Flags: approval1.9.0.8?
Comment on attachment 347850 [details] [diff] [review]
v2

Approved for 1.9.0.8, a=dveditz
Attachment #347850 - Flags: approval1.9.0.8? → approval1.9.0.8+
Keywords: fixed1.9.0.8
Checking in content/xul/document/src/nsXULDocument.cpp;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v  <--  nsXULDocument.cpp
new revision: 1.831; previous revision: 1.830
done
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031904 GranParadiso/3.0.8pre. Crashes cleanly in 1.9.0.7.
Group: core-security
Crash Signature: [@ nsXULDocument::SynchronizeBroadcastListener]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.